Solved Legit Folder Or Malware?

Pebble

Going through my system today I came across a folder named Key-Base. Inside was a folder named 27b48b2c.054. Inside were 2 files:


CODE.PK_
CODE.PKD


The path is C:/ProgramData/Key-Base/27b48b2c.054


Both folders and the 2 files are hidden.


Any help appreciated.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Windows 7 64-bit
CPU
i7 2600k
Motherboard
Asus p8p67
Memory
8 Gb @ 1600
Graphics Card(s)
Radeon HD 5870
Antivirus
Kaspersky Internet Security 2015
Browser
IE 10, Firefox 36.0, TOR Browser 31
ProgramData is a hidden folder.

Right-click the folder and scan with your AV & Malwarebytes.

Same with the files.

Upload the folder and files to VirusTotal, which scans with many AVs.

Googling for Key-Base and C:\ProgramData\Key-Base I found this

How to remove Trojan.agent.cn? Please help! - Resolved ...

forums.malwarebytes.com › topic › 120366-how-to-re...
Jan 2, 2013 - C:\Program Files (x86)\Norton PC Checkup 3.0\PCCU.exe. C:\Program Files ... If you wish to scan all of them, select the 'Force scan all domains' option. ... 2013-01-01 02:31:37 -------- d-sha-r- C:\ProgramData\Key-Base.
Snick
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP Desktop & Compaq Laptop
OS
Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
Hard Drives
Samsung 850 Pro 256Gb,
Hitachi HDD 1Tb,
Crucial MX SSD 250Gb
Seagate 3Tb USB 3.0 Ext. Backup HDD
Internet Speed
150Mbps dn, 20Mbps up
Antivirus
Avast Free, Malwarebytes Anti-Exploit & Anti-Ransomware
Browser
Firefox, Chrome, Opera, & VPN
If this is malware, it proves my point that anti-virus is crap for polymorphic malware and they serve to be nothing but overbloated code bloat. I say this because I see you're running the GRU Kaspersky Internet Security 2015.

GRU (G.U - Wikipedia.)

Kaspersky Internet Security - Wikipedia

Bloomberg - Are you a robot?

Homeland Security Bans Feds From Using Kaspersky Software | Fortune

Trump signs into law U.S. government ban on Kaspersky Lab software - Reuters

Bet you or many readers here never knew this.
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
And use Tor with a non-five eyes jurisdiction VPN like Proton VPN or VPN.AC. I pay for my VPN with Monero. Bitcoin is flawed. Research Monero if you want to know about it. If so, you can turn Bitcoin into Monero and send it to your 'My Monero' wallet from here. Easy Crypto Exchange of Bitcoin & 10+ coins – Evonax

I have used that site twice and can vouch for it. At first I processed a few dollars to check its legitimacy. Then later on I sent some $55 worth of Bitcoin through it and I got Monero in my 'My Monero' wallet. From there I paid for my VPN.

Anyway, I saw you run Tor and had to chime in on that. It's useless without a good, reputable, non-five eyes jurisdiction VPN.

You may be interested in my posts here and here.
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Updated Kaspersky Total Security and a full scan before cleanup & defrag. Nothing found.
I appreciate that Kaspersky may be 'spying' but if it found Statnet and is able to block it... Cool! I don't mind an 'enemy state' spying on me, but I do resent my own country or ally spying on me.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Windows 7 64-bit
CPU
i7 2600k
Motherboard
Asus p8p67
Memory
8 Gb @ 1600
Graphics Card(s)
Radeon HD 5870
Antivirus
Kaspersky Internet Security 2015
Browser
IE 10, Firefox 36.0, TOR Browser 31
Did you scan that file at VirusTotal?

Can I has your phone number, bank account number, etc? You don't mind the spying, right? LOL :D

What kind of HDD do you have? You never defrag an SSD.
 

My Computer

Computer type
PC/Desktop
OS
Windows 7 Ultimate x64
Going through my system today I came across a folder named Key-Base. Inside was a folder named 27b48b2c.054. Inside were 2 files:

CODE.PK_
CODE.PKD

The path is C:/ProgramData/Key-Base/27b48b2c.054

PKD stands for Public Key Directory (or Data). C:\ProgramData\Key-Base\<number-string>\CODE.PKD is typically the registration data for software that uses a licence protection system.



An example (in the original German) here: Hinweis Giveaway of the Day - kostenlose Programme - Seite 458

Google Translate version:

This creates the registration data in:
C:\ProgramData\Key-Base\27b48b2c.052\CODE.PK_ + CODE.PKD (files are hidden, so not visible) Save them!
Google Translate


Another example:
...can you (when program is registered with keygen) backup license folder "Key-Base" or only keyfile "CODE.PKD" and "CODE.PK_", delete license folder/file, restore from backup and start SpeedCommander as registered?
SpeedCommander Pro 17.50.9100 - Software Updates - nsane.forums
 

My Computers


  • Computer type
    Laptop
    Computer Manufacturer/Model Number
    Toshiba satellite C650D
    OS
    Windows 7 Home Premium x64
    CPU
    AMD V120
    Memory
    4GB
    Internet Speed
    150 Mbps
    Antivirus
    MSE
    Browser
    IE11, Edge, Firefox
    Other Info
    I also have W7 Pro on my System Two, and several W7 Hyper-V VMs. My other machines run Windows 10/11. Their specs are in my Ten Forums & Eleven Forum profiles.
  • Computer type
    Laptop
    System Manufacturer/Model Number
    Lenovo Thinkpad T430
    OS
    Windows 7 Pro x64
    CPU
    Intel i5-3320M
    Memory
    8 GB
    Hard Drives
    250GB Samsung SSD 860 EVO
    Antivirus
    MSE
Further research

Keybase
keybase.io
Keybase is for keeping everyone's chats and files safe, from families to communities to companies. MacOS, Windows, Linux, iPhone, and Android.

Keybase is a key directory that maps social media identities to encryption keys in a publicly auditable manner. Additionally it offers an end-to-end encrypted chat and cloud storage system, called Keybase Chat and the Keybase Filesystem respectively.

May or may not be part of a Trojan
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
HP Desktop & Compaq Laptop
OS
Win 10 x64, Linux Lite, Win 7 x64, BlackArch, & Kali
Hard Drives
Samsung 850 Pro 256Gb,
Hitachi HDD 1Tb,
Crucial MX SSD 250Gb
Seagate 3Tb USB 3.0 Ext. Backup HDD
Internet Speed
150Mbps dn, 20Mbps up
Antivirus
Avast Free, Malwarebytes Anti-Exploit & Anti-Ransomware
Browser
Firefox, Chrome, Opera, & VPN
Thanks Snick, I could find loads on KeyBase folder but nothing on Key-Base. The 'random' sub-folder name made me think I was infected. Done a full scan and nothing was detected, so I'm going to leave the folder as it is.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Custom build
OS
Windows 7 64-bit
CPU
i7 2600k
Motherboard
Asus p8p67
Memory
8 Gb @ 1600
Graphics Card(s)
Radeon HD 5870
Antivirus
Kaspersky Internet Security 2015
Browser
IE 10, Firefox 36.0, TOR Browser 31
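
A triage sketch for the situation discussed in this thread, added here as an example and not code from any poster: for every file under a folder such as C:\ProgramData\Key-Base it records the size, the hidden attribute, the SHA-256 (which can be searched on VirusTotal without uploading the file) and whether the leading bytes look like an executable or archive rather than plain data. The function names and the sample files written by `make_sample` are constructed for illustration.

```python
import hashlib
import os
import sys
import tempfile

FILE_ATTRIBUTE_HIDDEN = 0x2  # Windows attribute bit reported in st_file_attributes
# Well-known leading "magic" bytes; a licence data file should match neither.
MAGIC = [(b"MZ", "Windows executable (MZ header)"), (b"PK\x03\x04", "ZIP archive")]

def classify(head):
    """Name the file type suggested by the first bytes, if any."""
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    return "no executable/archive header"

def triage(folder):
    """Return one record per file under folder; os.walk also lists hidden files."""
    records = []
    for root, _dirs, files in os.walk(folder):
        for name in sorted(files):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                data = fh.read()
            st = os.stat(path)
            attrs = getattr(st, "st_file_attributes", None)  # None off Windows
            records.append({
                "path": path,
                "size": st.st_size,
                "sha256": hashlib.sha256(data).hexdigest(),
                "type": classify(data[:8]),
                "hidden": None if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN),
            })
    return records

def make_sample(folder):
    """Write constructed stand-ins (not real licence data) and return folder."""
    sub = os.path.join(folder, "27b48b2c.054")
    os.makedirs(sub)
    for name, body in (("CODE.PKD", b"constructed licence data"),
                       ("SAMPLE.BIN", b"MZ\x90\x00constructed")):
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(body)
    return folder

if __name__ == "__main__":
    # Pass a folder (e.g. C:\ProgramData\Key-Base); with no argument the constructed sample is used.
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample(tempfile.mkdtemp())
    for rec in triage(target):
        print(rec["sha256"], rec["size"], rec["hidden"], rec["type"], rec["path"])
```

A file that reports an MZ header while sitting in a hidden data folder deserves a closer look; a clean hash lookup alone does not prove a file is harmless.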