
Crashes/freezes, trojans/possible rootkit. Suspected 'backdoor.pcclient.tcb'


  • This topic is locked
2 replies to this topic

#1 Raysk8s

Raysk8s

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 18 January 2009 - 12:28 AM

Hi guys, first off I hope my title isn't too improper; there's just so many issues I'm not sure which to pinpoint, I can't really say "I have this, how do I fix it". It's more: these are my symptoms, here's my information, help please >_< lol.

Secondly [and I'm not too tech savvy, so I hope this is the info you're looking for]:
I'm running a Dell Dimension 8400, Windows XP Home Edition Service Pack 3, Pentium 4 CPU 3.20 GHz, 1.00 GB of RAM...

I'll try to give a brief rundown of what's going on [long process, been trying to fix it for a few days].
Admittedly I downloaded something I shouldn't have been trying to download [it wasn't via a P2P program; I think you guys semi-refuse help if that's the cause]. I was using Spyware Terminator as my firewall; it blocked a few things from the file [I knew I had made a mistake pretty fast], but it didn't stop it all, because my computer has had trouble ever since.

In the first scans I ran I couldn't delete certain files [they were in use], even in Safe Mode. I ended up deleting the file "c:\windows\system32\abbfcedfe.dll", which was apparently a virus/related to a virus, with a program called Unlocker.
My problems didn't stop, though. For a while I couldn't run SBS&D or BitDefender, or Malwarebytes [found MBAM on your website], but I found out that if I rename the .exe I could install/run the programs, so I've been able to scan my computer with all of those programs. I've also used CCleaner and Eusing Free Registry Cleaner, and even though they have apparently removed or quarantined things, my issues still persist.

Issues being: my login has not been working right. I think it's sort of fixed now, but before all of the scans the screen would either not load to show the accounts at all, or freeze completely after choosing one of the accounts to log in with.

A few times I had to go into the boot menu [I think that's it, the F8 thing] and choose "Use Last Known Good Configuration", and that at least got me into my account.

IE freezes my computer completely.
Firefox doesn't display pages/images correctly. I had to have my girlfriend create an account here for me because of the image verification; it doesn't show up at all. Nor could I follow the appropriate steps and do a search before I post this [it also requires image verification].

BitDefender suspected a 'backdoor.pcclient.tcb' in one of my Firefox profiles' caches. I found it and deleted it, and recently deleted the entire profile in an attempt to fix it.

I've also run RemoveIT Pro [most updated version], which is the scan that alerted me to the 'abbfcedfe.dll' thing in the first place [it couldn't remove it].

So in short, nothing is really running properly: scan programs I've had to rename to get them to work, IE freezes me completely, Firefox images are messed up.

Some things I've written down [from various searches] that I wanted to look for were things like "c:\ttdhe.exe" and "c:\dxsxsq.exe", "win32.unknown.randomx", "sys32.rtdrvmon", "xdtuxhue.default", "spria.dll".

I've tried to be thorough, but there's so much I've seen and I don't quite know how to make sense of it all [where you awesome guys come in].
Also, Firefox was crashing when I searched for HijackThis and some other free virus removals [from CNET and such] the first few times. I've only recently been able to download it, and still couldn't run it until I renamed it. Perhaps MBAM's scan helped that some.

From what I understand I'm supposed to copy/paste the DDS text, which is essentially a HJT log, so you don't need a HJT log; so here's that. Please let me know if you need more information/clarification or if I've overlooked a rule in posting.





DDS (Ver_09-01-07.01) - NTFSx86
Run by Ray ferro at 19:59:02.03 on Sat 01/17/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.286 [GMT -8:00]

AV: Twister AntiTrojanVirus 2005 *On-access scanning disabled* (Outdated)
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Nexon\MapleStory\npkcmsvc.exe
C:\Program Files\Registry Defragmentation\RegManServ.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\VERIZO~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\System32\wudfhost.exe
C:\WINDOWS\System32\rsvp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Ray ferro\Desktop\dds.scr
C:\WINDOWS\System32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
uStart Page = hxxp://www.myspace.com/
mSearch Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: MSN Search Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: MSN Search Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\msn toolbar suite\tb\02.05.0001.1119\en-us\msntb.dll
TB: Nation Wallpapers Toolbar: {f6b40d73-1671-4a2f-bd6f-b1dd69e0f9a0} - c:\program files\infospace\nationwallpapers\NationWallpaperToolbar.dll
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
EB: Nation Wallpapers Toolbar: {f6b40d73-1671-4a2f-bd6f-b1dd69e0f9a0} - c:\program files\infospace\nationwallpapers\NationWallpaperToolbar.dll
uRun: [Steam]
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpywares.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [IAAnotif] c:\program files\intel\intel application accelerator\iaanotif.exe
mRun: [ATIPTA] c:\program files\ati technologies\ati control panel\atiptaxx.exe
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [CTDVDDet] c:\program files\creative\sbaudigy2\dvdaudio\CTDVDDet.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [Dell AIO Printer A920] "c:\program files\dell aio printer a920\dlbkbmgr.exe"
mRun: [Motive SmartBridge] c:\progra~1\verizo~1\smartb~1\MotiveSB.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SpywareTerminator] "c:\program files\spyware terminator\SpywareTerminatorShield.exe"
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
mRun: [UnlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
dRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WBSrv - c:\progra~1\stardock\object~1\window~1\wbsrv.dll
AppInit_DLLs: avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rayfer~1\applic~1\mozilla\firefox\profiles\276tl4rr.default\
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\all users\application data\nexonus\ngm\npNxGameUS.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-1-16 26824]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [2007-6-21 141312]
R4 avg8emc;AVG Free8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2009-1-16 875288]
R4 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-16 231704]
R4 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-1-16 76040]
S1 80694e42;80694e42;c:\windows\system32\drivers\80694e42.sys --> c:\windows\system32\drivers\80694e42.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.sys [?]
S3 IMMDRV;IMMDRV;c:\program files\filseclab\twister\immdrv.sys [2006-9-27 209904]
S3 npkycryp;npkycryp;\??\c:\nexon\maplestory\npkycryp.sys --> c:\nexon\maplestory\npkycryp.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
S3 XDva090;XDva090;\??\c:\windows\system32\xdva090.sys --> c:\windows\system32\XDva090.sys [?]
S3 XDva190;XDva190;\??\c:\windows\system32\xdva190.sys --> c:\windows\system32\XDva190.sys [?]
S4 I80seprtrta;I80seprtrta; [x]

=============== Created Last 30 ================

2009-01-16 23:45 <DIR> --d-h--- C:\$AVG8.VAULT$
2009-01-16 23:31 94,208 a------- c:\windows\system32\ppc.dat
2009-01-16 23:24 76,040 a------- c:\windows\system32\drivers\avgtdix.sys
2009-01-16 23:24 10,520 a------- c:\windows\system32\avgrsstx.dll
2009-01-16 23:24 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2009-01-16 23:24 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-01-16 23:24 <DIR> --d----- c:\program files\AVG
2009-01-16 23:24 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-01-16 23:09 4,958,588 -------- c:\windows\{00000004-00000000-00000002-00001102-00000004-10031102}.BAK
2009-01-16 00:34 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2009-01-16 00:33 <DIR> --d----- c:\program files\SUPERAntiSpyware
2009-01-16 00:33 <DIR> --d----- c:\docume~1\rayfer~1\applic~1\SUPERAntiSpyware.com
2009-01-14 19:28 <DIR> --d----- c:\program files\Trend Micro
2009-01-14 08:16 <DIR> --d----- c:\docume~1\rayfer~1\applic~1\Malwarebytes
2009-01-14 08:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-14 08:12 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-14 02:25 81,984 a------- c:\windows\system32\bdod.bin
2009-01-14 02:20 <DIR> --d----- c:\docume~1\alluse~1\applic~1\BitDefender
2009-01-14 02:19 <DIR> --d----- c:\program files\common files\Softwin
2009-01-14 00:48 <DIR> --d----- c:\program files\Unlocker
2009-01-14 00:08 142,096 a------- c:\windows\system32\drivers\tmcomm.sys
2009-01-13 19:12 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner
2009-01-13 02:52 2 a------- C:\-393093349
2009-01-13 00:19 82 a------- c:\windows\forminfo.ini
2009-01-13 00:18 13 a------- c:\windows\system32\WinVid.crc
2009-01-12 23:35 <DIR> --d----- c:\program files\ExtraWebcam
2009-01-08 01:02 <DIR> --d----- c:\docume~1\rayfer~1\applic~1\ZoomBrowser EX
2009-01-08 01:00 <DIR> --d----- c:\docume~1\rayfer~1\applic~1\CameraWindowDC
2009-01-08 01:00 <DIR> --d----- c:\docume~1\rayfer~1\applic~1\CANON INC
2009-01-08 00:00 <DIR> --d----- c:\docume~1\alluse~1\applic~1\ZoomBrowser
2009-01-07 23:39 <DIR> --d----- c:\program files\common files\Canon
2009-01-06 17:55 208,744 a------- c:\windows\system32\muweb.dll
2009-01-06 17:55 268,648 a------- c:\windows\system32\mucltui.dll
2009-01-06 17:55 27,496 a------- c:\windows\system32\mucltui.dll.mui
2009-01-05 23:25 <DIR> --d----- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-01-05 21:59 <DIR> --d----- c:\program files\Infospace

==================== Find3M ====================

2008-12-12 22:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 02:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 02:57 333,952 -------- c:\windows\system32\dllcache\srv.sys
2008-12-10 00:12 410,984 a------- c:\windows\system32\deploytk.dll
2008-11-10 12:23 243,840 a------- c:\windows\system32\ZuneWlanCfgSvc.exe
2008-11-10 12:23 60,032 a------- c:\windows\system32\ZuneBusEnum.exe
2008-11-10 12:09 73,728 a------- c:\windows\system32\ZuneUsbTransport.dll
2008-11-10 12:09 18,944 a------- c:\windows\system32\ZuneTcp2Udp.dll
2008-11-10 12:09 57,344 a------- c:\windows\system32\ZuneRegUtil.dll
2008-11-10 12:09 12,800 a------- c:\windows\system32\ZunePTDNS.dll
2008-11-10 12:09 310,272 a------- c:\windows\system32\ZuneNetProxy.dll
2008-11-10 12:09 145,920 a------- c:\windows\system32\ZuneMTPZ.dll
2008-10-24 03:21 455,296 -------- c:\windows\system32\dllcache\mrxsmb.sys
2008-10-23 04:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-23 04:36 286,720 -------- c:\windows\system32\dllcache\gdi32.dll
2001-09-28 16:00 164,864 a------- c:\program files\UNWISE.EXE
2006-11-29 03:44 848 a--sh--- c:\windows\system32\KGyGaAvL.sys
2006-04-24 17:00 707,242 ---sh--- c:\windows\system32\klkkj.ini2
2008-08-19 15:51 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008081920080820\index.dat

============= FINISH: 20:01:10.29 ===============





Thanks in advance to anyone who helps me.
And thanks also to Pandy [and tiger] for helping me get this far.
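The DDS log above already contains the entries a helper would look at first: an extra executable appended to the Winlogon Userinit value, browser add-on entries marked "No File", and drivers that DDS could not verify (the "[?]" marker) or that have no file recorded at all ("[x]"). Below is an added triage script, written for this thread and not part of DDS, BleepingComputer, or the poster's own material. It parses the relevant lines and flags them. The sample input is a constructed excerpt copied from the log above; the severity labels, the reading of the "[?]" and "[x]" markers, and the "eight hex digits" naming heuristic are my own assumptions, not DDS documentation.

```python
import re
from typing import List, Tuple

# Constructed sample input: these lines are copied from the DDS log posted
# in this thread; the rest of the log is omitted for brevity.
SAMPLE_DDS = r"""
uInternet Settings,ProxyOverride = 127.0.0.1
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\windows\system32\twex.exe,
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
TB: {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - No File
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-1-16 97928]
S1 80694e42;80694e42;c:\windows\system32\drivers\80694e42.sys --> c:\windows\system32\drivers\80694e42.sys [?]
S3 XDva020;XDva020;\??\c:\windows\system32\xdva020.sys --> c:\windows\system32\XDva020.sys [?]
S4 I80seprtrta;I80seprtrta; [x]
"""

# A finding is (severity, category, detail); severities are my own labels.
Finding = Tuple[str, str, str]

# DDS service/driver line: "<start type> <name>;<display name>;<image path and status>"
SERVICE_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")
# Heuristic (assumption): a service named with exactly eight hex digits.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def check_userinit(line: str) -> List[Finding]:
    """Flag every Winlogon Userinit entry that is not the stock userinit.exe
    under system32. Windows runs each comma-separated entry at logon, so an
    added path here is a persistence location."""
    value = line.split("Userinit=", 1)[1]
    findings: List[Finding] = []
    for entry in (e.strip() for e in value.split(",")):
        if not entry:
            continue
        folder, _, name = entry.lower().rpartition("\\")
        if name != "userinit.exe" or not folder.endswith("\\system32"):
            findings.append(("high", "winlogon-userinit",
                             f"non-default Userinit entry: {entry}"))
    return findings


def check_orphan(line: str) -> List[Finding]:
    """BHO/TB/EB registry entries whose DLL is gone ('No File'): usually a
    leftover from an uninstall, but worth listing for cleanup."""
    if line.rstrip().endswith("- No File"):
        return [("low", "orphaned-entry",
                 f"entry points to a missing file: {line}")]
    return []


def check_service(line: str) -> List[Finding]:
    """Drivers/services DDS could not verify, or with suspicious names."""
    m = SERVICE_RE.match(line)
    if not m:
        return []
    start, name, _display, rest = m.groups()
    rest = rest.strip()
    findings: List[Finding] = []
    if rest.endswith("[?]"):  # assumption: DDS could not stat the image file
        findings.append(("medium", "unverified-driver",
                         f"{start} {name}: image file size/date not readable"))
    if rest.endswith("[x]"):  # assumption: no image path recorded
        findings.append(("low", "no-image-path",
                         f"{start} {name}: service has no image path"))
    if HEX_NAME_RE.match(name):
        findings.append(("medium", "random-name",
                         f"{start} {name}: eight-hex-digit name (heuristic)"))
    return findings


def triage(dds_text: str) -> List[Finding]:
    """Run every check over the lines of a DDS log."""
    findings: List[Finding] = []
    for raw in dds_text.splitlines():
        line = raw.strip()
        if line.startswith("mWinlogon: Userinit="):
            findings.extend(check_userinit(line))
        elif line.startswith(("BHO:", "TB:", "EB:")):
            findings.extend(check_orphan(line))
        elif SERVICE_RE.match(line):
            findings.extend(check_service(line))
    return findings


def count_by_severity(findings: List[Finding]) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for sev, _, _ in findings:
        counts[sev] += 1
    return counts


if __name__ == "__main__":
    for sev, cat, detail in triage(SAMPLE_DDS):
        print(f"[{sev:6}] {cat:18} {detail}")
```

Run on the excerpt, the script reports the twex.exe Userinit entry as the one high-severity finding, the two "No File" add-ons as low, and the 80694e42 and XDva020 drivers as unverified (80694e42 also trips the naming heuristic). A flagged line is a prompt to verify the file on disk, not a verdict; the AVG driver line, which carries a normal size and date, produces nothing.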



#2 Raysk8s

Raysk8s
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:11:14 PM

Posted 28 January 2009 - 05:28 AM

After a lot of reading & tinkering and poking around my computer, I've managed to fix my computer issues.

Swept a lot of nasties out, but it was a lot of "UAC-------.log/dll" in the end keeping me frustrated.
Kaspersky got rid of it after a lot of scans.

Anyway, you guys can close this thread.

Thanks for the forums, a lot of good information.

See you around [in better circumstances, hopefully, lol].

Edited by Raysk8s, 28 January 2009 - 05:28 AM.


#3 KoanYorel

KoanYorel

    Bleepin' Conundrum


  • Staff Emeritus
  • 19,461 posts
  • OFFLINE
  • Gender:Male
  • Location: 65 miles due East of the "Logic Free Zone", in Md, USA
  • Local time:03:14 AM

Posted 28 January 2009 - 10:23 AM

Thanks for informing us. Good luck.

This Topic is closed.

Should you need it reopened, please contact a Forum Moderator. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



