
Backdoor.PcClient.TEV removal instruction


Backdoor.PcClient.TEV is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It allows you to complete a scan and cure your PC during the trial period.
6-day free trial available.

What can the Backdoor.PcClient.TEV virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Dynamic (imported) function loading detected
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Terminates another process
  • Possible date expiration check, exits too soon after checking local time
  • Enumerates running processes
  • Unconventional binary language: Chinese (Simplified)
  • Unconventional language used in binary resources: Chinese (Simplified)
  • The binary contains an unknown PE section name indicative of packing
  • The executable is compressed using UPX
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Deletes its original binary from disk
  • Attempts to stop active services
  • Installs itself for autorun at Windows startup
  • Creates known PcClient mutex and/or file changes.
  • Uses suspicious command line tools or Windows utilities

How to identify Backdoor.PcClient.TEV?


File Info:

name: 5543EE4784FB5F7C22C7.mlw
type: PE32 executable (GUI) Intel 80386, for MS Windows
timestamp: 2008-10-18 05:44:13

Version Info:

Comments:
CompanyName: Microsoft Corporation
FileDescription: Generic Host Process for Win32 Services
FileVersion: 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName: svchost.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
LegalTrademarks:
OriginalFilename: svchost.exe
PrivateBuild:
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.2180
SpecialBuild:
Translation: 0x0804 0x04b0

Backdoor.PcClient.TEV also known as:

Bkav: W32.AIDetect.malware1
Elastic: malicious (high confidence)
Cynet: Malicious (score: 100)
FireEye: Generic.mg.5543ee4784fb5f7c
CAT-QuickHeal: Backdoor.Agent.18945
McAfee: generic!bg.evs
Cylance: Unsafe
VIPRE: Backdoor.PcClient.TEV
Sangfor: [ARMADILLO V1.71]
CrowdStrike: win/malicious_confidence_100% (D)
K7GW: Trojan ( 004bcce41 )
K7AntiVirus: Trojan ( 004bcce41 )
Baidu: Win32.Backdoor.Agent.er
VirIT: Trojan.Win32.Agent.SQP
Cyren: W32/Hupigon.P.gen!Eldorado
Symantec: Trojan Horse
tehtris: Generic.Malware
ESET-NOD32: Win32/Agent.DKR
APEX: Malicious
ClamAV: Win.Trojan.Xyligan-9793034-0
Kaspersky: Trojan-Spy.Win32.Zbot.wtyo
BitDefender: Backdoor.PcClient.TEV
NANO-Antivirus: Trojan.Win32.Agent.zvsh
MicroWorld-eScan: Backdoor.PcClient.TEV
Avast: Win32:RootkitX-gen [Rtk]
Tencent: Backdoor.Win32.Agent.dbz
Ad-Aware: Backdoor.PcClient.TEV
Emsisoft: Backdoor.PcClient.TEV (B)
Comodo: Backdoor.Win32.Agent.~AQG@5f5i4
DrWeb: Trojan.MulDrop.23267
Zillya: Backdoor.Agent.Win32.5875
TrendMicro: BKDR_PCCLIE.SMA
McAfee-GW-Edition: BehavesLike.Win32.AutoRun.nh
Trapmine: malicious.high.ml.score
Sophos: ML/PE-A + Mal/Mdrop-EN
SentinelOne: Static AI – Malicious PE
GData: Backdoor.PcClient.TEV
Jiangmin: Backdoor/Agent.blxq
Webroot: W32.Backdoor.Gen
Avira: BDS/Agent.aixh
MAX: malware (ai score=87)
Antiy-AVL: Trojan/Generic.ASBOL.8D8
ViRobot: Backdoor.Win32.Agent.108032.C
ZoneAlarm: Trojan-Spy.Win32.Zbot.wtyo
Microsoft: TrojanDropper:Win32/Venik.B!dha
AhnLab-V3: Backdoor/Win32.Nbdd.R2022
BitDefenderTheta: AI:Packer.669C8D141F
ALYac: Backdoor.PcClient.TEV
VBA32: BScope.Trojan.MulDrop
Malwarebytes: RiskWare.SpySoft
TrendMicro-HouseCall: BKDR_PCCLIE.SMA
Rising: Downloader.Agent!1.9E59 (CLASSIC)
Yandex: Trojan.GenAsa!FS+o4ezA2F0
Ikarus: Trojan-Dropper.Agent
MaxSecure: Trojan.Malware.300983.susgen
Fortinet: W32/Nbdd.FB!tr.bdr
AVG: Win32:RootkitX-gen [Rtk]
Cybereason: malicious.784fb5
Panda: Generic Malware

How to remove Backdoor.PcClient.TEV?

Backdoor.PcClient.TEV removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open “Tools” tab – Press “Reset Browser Settings”.
  • Select proper browser and options – Click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.
