B2K.exe und cmd.exe beim Systemstart

#1 Hallöchen,

ich habe seit einiger Zeit das Phänomen, das nach dem Systemstart (WinXP) eine B2K.exe in Verbindung mit der cmd.exe startet und permanent im Hintergrund verbleibt. Beim Suchen nach b2k.exe findet sich nichts.
Auch ein scan mit allen mir bekannten Spyware-Scannern findet nichts.

Hijackthis findet diesen Eintrag:

Code

O23 - Service: services (AppToService_services) - Basta Computing  - c:\recycler\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\B2K.EXE

....ich kann ihn fixen, aber nach neustart ist er wieder da.

Wenn ich im Taskmanager die cmd.exe beende, beendet sich auch die B2K.exe.

Kann jemand helfen, mir sagen dass das so sein muss, oder das ich einen Trojaner, Virus oder sonstwas habe und wie ich es wieder wegbekomme? :-)

Gruss
Frankö

#2 ServiceFilter.zip
http://virus-protect.org/artikel/tools/ServiceFilter.zip

- entzippen
- doppelklick auf die datei ServiceFilter.vbs
- versions-nummer bestätigen
- scannen
- öffnen von wordpad oder editor erlauben
- POST_THIS.TXT abkopieren
__________
MfG Sabina

rund um die PC-Sicherheit

#3 Huhu,

hier das post_this.txt

The script did not recognize the services listed below.


Unknown Service # 3
Service Name: AppToService_services
Display Name: services
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a
State: Running
Process ID: 1928
Started: Wahr
Exit Code: 0
Accept Pause: Falsch
Accept Stop: Wahr

#4 1.
Download Registry Search by Bobbi Flekman
http://virus-protect.org/artikel/tools/regsearch.html
und doppelklicken, um zu starten. in: "Enter search strings" (reinschreiben oder reinkopieren)

{21ec2020-3aea-1069-a2dd-08002b30309d}

in edit und klicke "Ok".
Notepad wird sich oeffnen -- kopiere den Text ab und poste ihn.

gleiches mit:

b2k.exe
exe.bat
AppToService_services
Basta Computing

------------------------------------------------------------
2.
http://virus-protect.org/artikel/tools/agentransack.html
eingeben in suche:

recycler
b2k.exe
exe.bat

poste die Reporte
__________
MfG Sabina

rund um die PC-Sicherheit

#5 Danke schonmal für die Hilfe. Hier die Reporte.

1. regsearch {21ec2020-3aea-1069-a2dd-08002b30309d}

Code

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 04.08.2006 13:56:57 for strings:
;  '{21ec2020-3aea-1069-a2dd-08002b30309d}'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\DefaultIcon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\InProcServer32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21EC2020-3AEA-1069-A2DD-08002B30309D}\ShellFolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer]
"ValueName"="{21EC2020-3AEA-1069-A2DD-08002B30309D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\Handlers\MSSHAudioDevHandler]
"InitCmdLine"="::{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\::{21EC2020-3AEA-1069-A2DD-08002B30309D}\\::{640167b4-59b0-47a6-b335-a6b3c0695aea}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons]
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\Controls]
@="{21EC2020-3AEA-1069-A2DD-08002B30309D}"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_USERS\S-1-5-21-790525478-1580436667-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons]
"{21EC2020-3AEA-1069-A2DD-08002B30309D}"=dword:00000001

[HKEY_USERS\S-1-5-21-790525478-1580436667-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\DUIBags\ShellFolders\{21EC2020-3AEA-1069-A2DD-08002B30309D}]

; End Of The Log...

2. regsearch b2k.exe

Code

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 04.08.2006 14:01:41 for strings:
;  'b2k.exe'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_USERS\S-1-5-21-790525478-1580436667-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"D:\\download\\B2K.EXE"="Runs regular applications as Windows services"

; End Of The Log...

3. exe.bat

Code

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 04.08.2006 14:03:41 for strings:
;  'exe.bat'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services]
; Contents of value:
;   c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}\b2k.exe /sys "exe.bat" /absname:"services" /directory:"c:\recycler\.{21ec2020-3aea-1069-a2dd-08002b30309d}" /show:2 /startup:a 
"ImagePath"=hex(2):63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,7b,32,31,45,43,32,30,\
  32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,30,38,30,30,32,42,33,\
  30,33,30,39,44,7d,5c,42,32,4b,2e,45,58,45,20,2f,73,79,73,20,22,65,78,65,2e,\
  62,61,74,22,20,2f,41,62,73,4e,61,6d,65,3a,22,73,65,72,76,69,63,65,73,22,20,\
  2f,44,69,72,65,63,74,6f,72,79,3a,22,63,3a,5c,72,65,63,79,63,6c,65,72,5c,2e,\
  7b,32,31,45,43,32,30,32,30,2d,33,41,45,41,2d,31,30,36,39,2d,41,32,44,44,2d,\
  30,38,30,30,32,42,33,30,33,30,39,44,7d,22,20,2f,73,68,6f,77,3a,32,20,2f,53,\
  74,61,72,74,75,70,3a,41,00

; End Of The Log...

4. AppToService_services

Code

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 04.08.2006 14:05:42 for strings:
;  'apptoservice_services'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_APPTOSERVICE_SERVICES]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]
"Service"="AppToService_services"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]
"Service"="AppToService_services"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000\Control]
"ActiveService"="AppToService_services"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services\Enum]
"0"="Root\\LEGACY_APPTOSERVICE_SERVICES\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000]
"Service"="AppToService_services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES\0000\Control]
"ActiveService"="AppToService_services"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services\Enum]
"0"="Root\\LEGACY_APPTOSERVICE_SERVICES\\0000"

; End Of The Log...

5. Basta Computing

Code

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.1.0

; Results at 04.08.2006 14:07:45 for strings:
;  'basta computing
basta computing
basta computing
basta computing
basta computing'
; Strings excluded from search:
;  (None)
; Search in: 
; Registry Keys  Registry Values  Registry Data  
; HKEY_LOCAL_MACHINE  HKEY_USERS  


; End Of The Log...

agentransack folgt
gruss
frankl

#6 1. leere den papierkorb

2 poste das log von agentransack
__________
MfG Sabina

rund um die PC-Sicherheit

#7 hm, bin mir jetzt nicht sicher, weils keine txt datei ausgibt :-(
poste das mal so:

recycler: C:\RECYCLER (19.07.2006 16:53:40)

b2k.exe: C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\B2K.EXE (44 KB, 21.07.2004 05:22:58)
C:\WINDOWS\Prefetch\B2K.EXE-2AC97F34.pf (8 KB, 04.08.2006 01:23:14)


exe.bat: C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\EXE.BAT (1 KB, 26.07.2004 06:05:56)

Papierkorb geleert

gruss
frank

#8 0.
Den folgenden Text in den Editor (Start - Zubehör - Editor) kopieren und als listen.bat mit 'Speichern unter' auf dem Desktop. Gebe bei Dateityp 'Alle Dateien' an. Du solltest jetzt auf dem Desktop diese Datei finden. --> die listen.bat doppelt klicken--> kopiere den Text, der erscheint

Zitat

cd\
dir "C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}" >>files.txt
dir "D:\download" >>files.txt
notepad files.txt

1.
mal sehen, ob die virenscanner es erkennen:

virustotal
Oben auf der Seite --> auf Durchsuchen klicken --> die Datei mit korrektem Pfad einkopieren) --> Doppelklick auf die zu prüfende Datei --> klick auf Submit... jetzt abwarten
http://www.virustotal.com/flash/index_en.html

C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\B2K.EXE
C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\EXE.BAT
D:\download\B2K.EXE


poste die reporte

------------------------------------------------------------------------------------------
2.
Avenger
http://virus-protect.org/artikel/tools/avenger.html
kopiere rein:

Zitat

registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_APPTOSERVICE_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AppToService_services
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_APPTOSERVICE_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AppToService_services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_APPTOSERVICE_SERVICES
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppToService_services

Files to delete:

C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\B2K.EXE
C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}\EXE.BAT
D:\download\B2K.EXE

Klicke die gruene Ampel
das Script wird nun ausgeführt, dann wird der PC automatisch neustarten

**
poste das log vom avenger, was erscheint

3.
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html
__________
MfG Sabina

rund um die PC-Sicherheit

#9 muss hier kurz eines bemerken.... die b2k.exe im downloadverzeichnis habe ich gestern dort hineinkopiert. ich wollte mir die datei mit einem editor anschauen.

listen.bat :

Code

Volume in Laufwerk C: hat keine Bezeichnung.
 Volumeseriennummer: 0181-1009

 Verzeichnis von C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}

19.07.2006  16:53    <DIR>          .
19.07.2006  16:53    <DIR>          ..
21.07.2004  05:22            45.056 B2K.EXE
30.05.2006  13:06                 5 boot.ini
01.06.2006  00:44             1.098 config.dll
01.05.2005  20:48               352 config.sys
27.02.2005  19:52            82.777 convertxdccfile.exe
19.10.2003  11:12             6.656 cygcrypt-0.dll
07.07.2003  03:46            68.016 CYGREGEX.DLL
16.01.2005  18:16         1.140.617 CYGWIN1.DLL
26.07.2004  06:05                23 EXE.BAT
30.05.2006  13:06               156 io.sys
30.05.2006  12:53               156 io.sys~
21.07.2004  05:22               232 IRO.BAT
              12 Datei(en)      1.345.144 Bytes
               2 Verzeichnis(se),  1.016.143.872 Bytes frei
 Volume in Laufwerk D: hat keine Bezeichnung.
 Volumeseriennummer: 0604-4024

 Verzeichnis von D:\download

04.08.2006  14:46    <DIR>          .
04.08.2006  14:46    <DIR>          ..
02.07.2006  20:11        12.930.200 188.exe
03.07.2006  00:32        16.715.512 189.exe
17.06.2006  00:11        36.138.952 6-5_xp-2k_dd_ccc_wdm_enu_32464.exe
01.07.2006  01:05    <DIR>          Abendwind-Launcher_v150
01.07.2006  01:04             7.023 Abendwind-Launcher_v151.rar
30.07.2006  18:36        11.795.448 antivir_workstation_win7u_de_h.exe
20.06.2006  10:41        22.377.352 archlord_orc_race_movie.zip
02.07.2006  23:13           245.760 AspiChk.exe
02.07.2006  23:14           518.186 Aspi_v472a2.exe
16.07.2006  20:07         7.973.874 Azureus_2.4.0.2_Win32.setup.exe
04.08.2006  01:22            45.056 B2K.EXE
19.07.2006  19:37        13.817.440 bitdefender_free_v8.exe
19.07.2006  19:01        18.080.856 bitdefender_std_v9.exe
27.07.2006  11:46           339.099 CleanUp451.exe
26.06.2006  21:30             4.620 conf.inc.php
30.06.2006  15:58    <DIR>          cpu-z-135
30.06.2006  15:57           421.384 cpu-z-135.zip
30.06.2006  02:46    <DIR>          directx-dx9uninstaller
30.06.2006  10:56            33.221 directx-dx9uninstaller(2).zip
30.06.2006  02:46            33.221 directx-dx9uninstaller.zip
30.06.2006  11:03        35.050.768 directx_9c_Jun05sdk_redist.exe
01.07.2006  01:14             5.418 dolloader-177+.zip
30.06.2006  11:07    <DIR>          dxchaos
25.06.2006  03:09       578.004.902 EVE_3913a.exe
30.07.2006  15:09    <DIR>          f-bot
30.07.2006  15:09         6.017.867 f-bot.zip
10.07.2006  17:12         3.829.760 fritz.box_fon_wlan_7170.29.04.06.image
15.06.2006  00:02         7.933.840 gimp-2.2.11-i586-setup-1.exe
26.06.2006  20:47         7.911.542 gimp-2.2.11-i586-setup-1.zip
16.07.2006  13:09         4.983.528 GoogleVideoPlayerSetup.exe
08.05.2006  14:50         9.548.288 gs853w32.exe
13.06.2006  19:36         5.135.928 gtk+-2.8.18-setup-1.exe
26.06.2006  20:48         5.112.338 gtk+-2.8.18-setup-1.zip
03.08.2006  11:29         1.729.785 homegallery-1-4-8.exe
01.07.2006  21:19         1.455.872 installspeedfan428.exe
13.07.2006  10:57        37.518.744 iTunesSetup(2).exe
19.06.2006  16:06        37.311.488 iTunesSetup.exe
16.07.2006  20:09           247.608 jre-1_5_0_07-windows-i586-p-iftw.exe
01.07.2006  01:14    <DIR>          loader
25.07.2006  14:16         1.351.680 mirc617.exe
03.08.2006  20:09        11.058.086 mwav.exe
11.07.2006  12:33         1.149.820 p95v2414.zip
26.06.2006  21:44    <DIR>          phpWCMS-HeaderBilder-Basis-2004-07-22
26.06.2006  21:43            15.382 phpWCMS-HeaderBilder-Basis-2004-07-22.zip
29.06.2006  22:11         7.520.627 pxe.exe
23.07.2006  15:29         4.730.740 ratDVDSetup-0.78.1444.exe
04.08.2006  14:08    <DIR>          regsearch
04.08.2006  13:54           227.840 regsearch.zip
23.06.2006  17:41           547.075 resysinfo_setup.exe
15.06.2006  02:29       430.198.501 Rise_and_Fall_Demo.exe
17.06.2006  11:57        18.368.661 scribus-1.3.3.2-win32-install(2).exe
02.07.2006  01:50         3.223.798 seatoold_de.exe
04.08.2006  01:13    <DIR>          ServiceFilter
04.08.2006  01:06            13.518 ServiceFilter.zip
11.07.2006  12:32        60.881.034 SpellForce_Patch_v152a.exe
27.07.2006  12:43         5.037.072 spybotsd14.exe
31.08.2005  15:41         9.061.488 SpySweeperScanOnly.exe
23.06.2006  17:47           677.382 sswitchxp14.exe
30.06.2006  22:42    <DIR>          tcpview_240
30.06.2006  22:41            84.739 tcpview_240.zip
11.07.2006  19:17         6.318.376 Thunderbird Setup 1.5.0.4.exe
16.06.2006  13:11    <DIR>          titan_quest_demo
29.06.2006  10:52           360.401 TR1_606.sla
19.06.2006  21:37           923.648 winter32.exe
19.07.2006  15:40         1.039.452 wrar351d.exe
04.08.2006  14:10    <DIR>          XP-Suche
04.08.2006  14:09           637.509 XP-Suche.zip
              55 Datei(en)  1.446.701.709 Bytes
              14 Verzeichnis(se),    696.537.088 Bytes frei

Rest folgt

Virustotal dauert ca ne stunde pro datei.

melde mich wieder.

gruss
frank

#10 das ist eine eigenartige Geschichte...mal sehen, was die virenscanner meinen..aber wahrscheinlich: nichts.

eine datei von 21.07.2004 (oder das Datum ist gefaelscht...)

Zitat

21.07.2004 05:22 45.056 B2K.EXE
26.07.2004 06:05 23 EXE.BAT

recycler: C:\RECYCLER (19.07.2006 ) - wurde erst am 19.7.2006 erstellt...........

------------------------------------------------------------------------
Verzeichnis von C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}
07.07.2003 03:46 68.016 CYGREGEX.DLL
16.01.2005 18:16 1.140.617 CYGWIN1.DLL

Zitat

http://www.auditmypc.com/process/cygregex.asp
http://www.spywaredb.com/remove-iroffer/
If your computer has the dll 'cygregex.dll' on it, your pc could be infected with a trojan known as 'vmz'.

cygregex.dll is considered to be a security risk, not only because antivirus programs flag vmz trojan as a trojan, but also because other sites consider it a Trojan as well

__________
MfG Sabina

rund um die PC-Sicherheit

#11 Ich weiss auch nicht warum, aber eigenartige Geschichten sind in Sachen PC bei mir Programm :-)

Ständig habe ich irgendwelche Probleme die vor mir nie ein Anderer hatte ^^.

Ich kann nichtmal genau sagen seit wann ich diese Sache schon habe. Habe in der letzten Zeit das Problem, dass sich 3D-Spiele sehr merkwürdig verhalten, sobald sie angezeigt werden (also nicht, wenn sie im Hintergrund laufen sondern nur wenn sie auch wirklich "zu sehen" sind.)
Auf der Suche nach diesem Phänomen stiess ich dann auf diese ominöse b2k.exe und mache mir seitdem Gedanken was es ist und wie ich es wegbekomme.

Naja, mal schauen was draus wird.

Gruss
Frank

#12 eigenartig von Grund auf ist:

Verzeichnis von C:\RECYCLER\.{21EC2020-3AEA-1069-A2DD-08002B30309D}
anscheinend am 19.07. erstellt - dazu ein aktiver Dienst.

du musst alles scannen, (mit virustotal, was in dem ordner vorhanden ist)
+
poste dieses log
http://virus-protect.org/artikel/tools/combofix.html
+
Kopiere diese 4 Textdateien ab . (rechtsklick mit der Maus -> den Text markieren -> kopieren -> einfügen) Sie sind nach Datum geordnet. (kopiere nur die letzten 3 Monate ab)
http://virus-protect.org/datfindbat.html
__________
MfG Sabina

rund um die PC-Sicherheit

#13 virustotal (etwas verspätet...war zum grillen eingeladen :-) )

b2k.exe

Complete scanning result of "b2k.exe", received in VirusTotal at 08.05.2006, 00:01:08 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 08.04.2006 no virus found
Authentium 4.93.8 08.04.2006 no virus found
Avast 4.7.844.0 08.04.2006 no virus found
AVG 386 08.04.2006 no virus found
BitDefender 7.2 08.04.2006 Application.Tool.Apptoservice.A
CAT-QuickHeal 8.00 08.04.2006 no virus found
ClamAV devel-20060426 08.04.2006 no virus found
DrWeb 4.33 08.04.2006 no virus found
eTrust-InoculateIT 23.72.87 08.04.2006 no virus found
eTrust-Vet 12.6.2324 08.04.2006 no virus found
Ewido 4.0 08.04.2006 no virus found
Fortinet 2.77.0.0 08.04.2006 AppToService
F-Prot 3.16f 08.04.2006 no virus found
F-Prot4 4.2.1.29 08.04.2006 no virus found
Ikarus 0.2.65.0 08.04.2006 no virus found
Kaspersky 4.0.2.24 08.05.2006 no virus found
McAfee 4822 08.04.2006 potentially unwanted program Tool-AppToService
Microsoft 1.1508 08.04.2006 no virus found
NOD32v2 1.1692 08.04.2006 no virus found
Norman 5.90.23 08.04.2006 no virus found
Panda 9.0.0.4 08.04.2006 no virus found
Sophos 4.08.0 08.04.2006 no virus found
Symantec 8.0 08.04.2006 no virus found
TheHacker 5.9.8.186 08.04.2006 no virus found
UNA 1.83 08.04.2006 no virus found
VBA32 3.11.0 08.04.2006 no virus found
VirusBuster 4.3.7:9 08.04.2006 no virus found

Aditional Information
File size: 45056 bytes
MD5: ab28be7460e6d5fc1826b7913e72c87d
SHA1: b438ebb7f8b1e46693cfdf69ce32a28eab52d477

==============================================

exe.bat

no virus found
no virus found
no virus found
........

==============================================

CYGREGEX.DLL

no virus found
no virus found
no virus found
........
rest ist in arbeit

#14 jetzt ist nur noch die frage, wozu dieser Dienst da ist.
"Service"="AppToService_services"
und warum er sich befindet in: C:\RECYCLER

wenn der Rechner keine weiteren Probleme macht, lebe damit, wenn nicht, wende den Avenger an
__________
MfG Sabina

rund um die PC-Sicherheit

#15 also hälst du das ganze nicht für eine backdoor oder sonstwas gefährliches?

Ich werde auf jeden fall noch den rest des verzeichnisses scannen und danach das avenger anwenden.

Dir auf jeden Fall vielen Dank!
Du hast mich verblüfft, welch vielseitige Möglichkeiten für so eine Problemsuche bestehen.

Gruss
Frank