Thread: babe.the-killer.exe - is this spybot s&d???

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    3

    babe.the-killer.exe - is this spybot s&d???

    Ok, I learned the trick of using "netstat -b 5 > activity.txt" and I saw a LOT!!! of "babe.the-killer.exe"... I ran a google search and a lot of places say that this is from Spybot's immunization feature... is this true? I couldn't find anything on this site... Should it be running with: firefox, iTunes, AppleMobileDeviceService???

  2. #2
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    hello,

    babe.the-killer.exe is not part of the Immunization by Spybot Search & Destroy.
    If you see this in your netstat log file, it means that the named exe is connecting to the internet.
    Under remoteaddress you can view where it connects to.

    Spybot S&D Immunization enters
    Code:
    babe.the-killer.bz
    www.babe.the-killer.bz
    as blocked sites.

    Please create a complete Spybot S&D log file and attach it to your next post or email it to detections-at-spybot.info (replacing -at- with @).
    To get such a log you will need to switch Spybot S&D into advanced mode, then

    • navigate to Tools - View Report
    • make sure that all checkboxes are marked
    • click the green view report button
    • export your report to a text file
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Yep, but reverse lookup of 127.0.0.1 should not reveal the domain of blocked sites, but "localhost" instead.

    Please check this post and let me know whether your hosts file contains this first localhost entry or not (oh, the hosts file is usually located at c:\windows\system32\drivers\etc\hosts, seems I forgot to mention that in the other post).
    Just remember, love is life, and hate is living death.
    Treat your life for what it's worth, and live for every breath
    (Black Sabbath: A National Acrobat)

  4. #4
    Junior Member
    Join Date
    Dec 2007
    Posts
    3

    it does not have the first localhost line, and here is my log file: I had to make it a zip to meet size requirements.....

  5. #5
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Your Spybot S&D log does not show any traces of an exe named babe.the-killer.exe. This basically means that it does not use the most common ways to get started automatically.
    Please attach your netstat log to your next post, if it is too long you can shorten it to a couple of sections where babe.the-killer.exe is listed.

  6. #6
    Member of Team Spybot PepiMK's Avatar
    Join Date
    Oct 2005
    Location
    Planet Earth
    Posts
    3,601

    Yodama, I guess you're on the wrong track... that's most probably a broken reverse lookup

    dajjhman, could you open the hosts file in a text editor again (first, open its properties in Windows Explorer and uncheck the "readonly" option) and add that line at the top?


    Explanation: netstat works with IP addresses; when you specify -a, it does a reverse lookup to see which domain belongs to these IP addresses; 127.0.0.1 means your computer; the immunization feature redirects bad domains to your computer so that they won't get reached; without the standard localhost entry, a reverse lookup for any of the standard local services as well would reveal the first other domain linked to 127.0.0.1.

  7. #7
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    dajjhman:

    You could try restoring Microsoft's sample HOSTS file and then adding Spybot's Hosts file again:
    • To restore your HOSTS file with Microsoft's sample HOSTS file (which contains a "127.0.0.1 localhost" entry – See Note #1):
      • Download HostsXpert from the following site:

        The page for HostsXpert is:

        The direct download URL for HostsXpert.zip is:
      • After downloading HostsXpert.zip, unzip (extract) the content of the file into a known location.
      • Execute HostsXpert.
      • If the first button in the left hand pane is "Make Writeable?", click on the button.
      • Click on the "Restore MS Hosts File" button.
      • When you receive the following confirmation dialog click "OK".
        Code:
        Confirm
        Press OK to Restore Microsofts original Hosts File
        [OK] [Cancel]
    • Add Spybot's Hosts file as follows:
      • Spybot 1.3, 1.4 or 1.5:
        • Go into Spybot – Search & Destroy > Mode > Advanced mode > Tools > Hosts file.
        • Click the "Add Spybot-S&D hosts list" button.
      • Spybot 1.5 only:
        • Go into Spybot > Immunize.
        • Right click on the right hand pane and select "Deselect all".
        • Scroll down to the bottom of the right hand pane and under Windows check "Global (Hosts)".
        • Click the "Immunize" button at the top of the right pane (the button with large green plus sign).

    _______________

    Note #1: Microsoft's sample HOSTS file:

    Code:
    # Copyright © 1993-1999 Microsoft Corp.
    #  
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #  
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #  
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a "#" symbol.
    #  
    # For example:
    #  
    # 102.54.94.97 rhino.acme.com # source server
    # 38.25.63.10 x.acme.com # x client host
    #  
    127.0.0.1 localhost

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
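
The effect PepiMK describes in post #6 and the hosts-file fix in post #7, as an added example (not code from any poster or from Spybot): a small Python model that reads hosts-file text and reports which name a reverse lookup of 127.0.0.1 would show if, as the thread describes, the first name mapped to that address wins. The sample hosts contents are constructed and use only the two blocked names quoted in post #2.

```python
import ipaddress

LOOPBACK = ipaddress.ip_address("127.0.0.1")

def parse_hosts(text):
    """Return [(ip, [names...]), ...] in file order, skipping comments and bad lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing or whole-line comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # first column is not an IP address
        if len(fields) > 1:
            entries.append((ip, [name.lower() for name in fields[1:]]))
    return entries

def reverse_name(entries, ip=LOOPBACK):
    """Assumed model of the behaviour described in the thread: first mapped name wins."""
    for addr, names in entries:
        if addr == ip:
            return names[0]
    return None

def audit(text):
    """Summarise what netstat would display for loopback connections."""
    entries = parse_hosts(text)
    aliases = [n for addr, names in entries if addr == LOOPBACK for n in names]
    first = reverse_name(entries)
    return {
        "reverse_name": first,                 # name shown instead of 127.0.0.1
        "localhost_first": first == "localhost",
        "blocked": [n for n in aliases if n != "localhost"],
    }

# Constructed sample: immunized hosts file that lacks the standard localhost line.
BROKEN = """\
# constructed sample, not the poster's actual file
127.0.0.1 babe.the-killer.bz
127.0.0.1 www.babe.the-killer.bz
"""
FIXED = "127.0.0.1 localhost\n" + BROKEN      # the line added at the top in the thread

if __name__ == "__main__":
    for label, text in (("before", BROKEN), ("after", FIXED)):
        print(label, audit(text))
```

When `localhost_first` is false, names listed under `blocked` that appear in a netstat log are loopback aliases from the hosts file rather than evidence of a process with that name.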

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    3

    ok, I checked to see if the hosts file was read only, it was not so I added the line. netstat does not show babe.the-killer anymore... kind of funny about the timing of this SINCE I JUST GOT DEFRAUDED BY SEVERAL THOUSAND DOLLARS! what a freaking coincidence... just curious, is there a reason that my hosts file should not have needed that hostxpert to modify it?...and just for reference (not sure it is necessary, but after seeing that local hosts are still popping up in netstat, here is the log before the first line was added and after)... Thanks for all of your help!... now I just gotta get rid of all of the other extraneous processes on my computer ; - )

  9. #9
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Quote Originally Posted by dajjhman View Post
    ... just curious, is there a reason that my hosts file should not have needed that hostxpert to modify it? ...
    No, updating the HOSTS file manually is fine.


  10. #10
    Junior Member
    Join Date
    Dec 2007
    Posts
    3

    I am not sure if we are having a similar issue but at around the same time I immunized my computer, my network detected "babe.the-killer.bz" and shut off my internet connection. Could this be a false positive?

    This has happened to me twice already. Both times were on fresh installs of Windows XP. I haven't really installed anything other than Symantec antivirus, zonealarm firewall, webroot spy sweeper, adaware, Spybot... at the time of detection. Subsequent "sweeping" of my computer using various "anti" softwares detected nothing (NOD32, symantec, spybot, spy sweeper, AVG, trojan hunter, windows malware removal tool, etc). Baffled, I gave up and went on to reformat and reinstall a fresh copy of XP. Second time around, I reinstalled everything mentioned above except Spybot. After 3 days... all was well. So I proceeded to install Spybot and got all the updates but didn't immunize my machine. After another day, I proceeded to immunize my computer... that's when babe.the-killer.bz showed up again!

    This time, babe.the-killer.bz was detected at the same time as when I immuniz

    Quote Originally Posted by dajjhman View Post
    Ok, I learned the trick of using "netstat -b 5 > activity.txt" and I saw a LOT!!! of "babe.the-killer.exe"... I ran a google search and a lot of places say that this is from Spybot's immunization feature... is this true? I couldn't find anything on this site... Should it be running with: firefox, iTunes, AppleMobileDeviceService???
