shuts down mcafee and explorer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by filipeb, Sep 22, 2004.

  1. filipeb

    filipeb Private E-2

    I did everything you said and it seems to have worked... that is, I can open everything, the files are deleted, the registry seems clean, the host list is ok, etc.

    However, Internet Explorer is not working (I'm using Netscape right now)... when I run it a window comes up that says "Internet Explorer has Encountered a Problem and Must Close..."

    I hadn't run Trendmicro's scan because it wouldn't allow me to. I will do it now and see what happens.

    Also, I'd like to know which Antivirus and Firewall programs you suggest... I know that I shouldn't have more than one, so does that mean if I delete McAfee and install something else I'll be ok? I don't really trust McAfee anymore!

    Thank you so much... seems we've made real progress now!
     
  2. filipeb

    filipeb Private E-2

    Ok... Explorer is working again for some reason...

    I did the scan at HouseCall and it came up clean!

    Seems everything worked then, right? Is there something else to check?

    Oh, I'm still curious which software you suggest...

    Thanks again!
     
  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. I'm happy we got this worked out.

    I would suggest Avast! Home Edition 4.1.418

    Here is a canned speech about protecting yourself. You will obviously have some of these now and you will see Avast in the list too:

    Make sure you get your system protected from reoccurrence of issues like this. Here are some simple steps you can take to reduce the chance of infection in the future. I strongly encourage you to do them all.

    1) Visit Windows Update:
    Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
    a. Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
    Do this at least once a month.
    b. Never add any site to your Trusted Sites Zone.

    2) Anti Virus: make sure you have one and keep it updated. Here are some good free ones:
    http://majorgeeks.com/download1968.html Avast
    http://majorgeeks.com/download886.html AVG
    The top two hands down. Better than Norton or McAfee!
    Only run ONE AV!

    3) Firewall: if you don't have one get one of these below. The last two are free versions:
    Don't care if you're on dial up or High Speed....you must have a firewall
    http://majorgeeks.com/download738.html Kerio Personal Firewall
    http://majorgeeks.com/download3356.html Sygate Personal Firewall Free
    http://www.majorgeeks.com/download388.html ZoneAlarmFree

    4) Get a Temp File/Cookies/index.dat cleaner
    http://majorgeeks.com/download4191.html CCleaner (Crap Cleaner)

    5) SpyWare Prevention (These prevent, they are not scanners. Scanners are listed later.)
    http://majorgeeks.com/download2859.html SpyWare Blaster
    http://majorgeeks.com/download3045.html SpyWare Guard

    6) SpyWare Scanners/Removers
    http://majorgeeks.com/download2471.html SpyBot (Use the Immunize feature. I don't activate the TeaTimer)
    http://majorgeeks.com/download506.html Ad-aware SE
    http://www.majorgeeks.com/download4283.html VX2 Cleaner Plug-In for Ad-Aware
     
  4. filipeb

    filipeb Private E-2

    Thank you so much, really... I thought I was going to end up having to reformat, which would have sucked! Your help was priceless! I wish I could pay you, but...

    Anyways, thanks again!

    Hopefully I won't need your help again, but if I do, I'll come straight here! I'll also recommend this site to as many people as I can!

    Peace!
     
  5. mal1930

    mal1930 Private First Class

    Hi, I have been using McAfee for a while and have had no trouble. It automatically updates itself. I wondered whether the antivirus program that was used is current and updating. I found that McAfee is very zealous sometimes, to a fault.

    I found this thread very interesting and appreciate the work that went into it. It is not easy to do something in remote mode.
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem Filipeb! Just send your friends this way!
     
  7. harry349

    harry349 Guest

    I am having this problem right now. After a few unsuccessful google searches, I apparently hit the right combination of keywords and found this thread.

    I was about ready to format and upgrade to WinXP, but I appreciate all the effort that went into this thread, and I'm going to try the stuff in it just to see if it works for me. I'll let everyone know later tonight or tomorrow hopefully.

    This is an ugly sucker. I did have the symptoms of Tibick, (msview, svcnet.exe), however I got rid of these and the symptoms persist. Furthermore, Tibick by itself doesn't list many of the symptoms below. It does say (on Symantec's site at least) that it is capable of updating itself, so perhaps I had a very advanced form of it that not many people know about yet. Regardless, it is a nasty bugger. I may reformat anyway just because I'm not yet convinced that we know or have found all the things that it does. Here is the behavior I've observed so far - I'm currently running Windows 2000 SP4:
    • Typical symptoms of Tibick, though I'm using Windows 2000, so I'm not sure how the "System Restore" stuff affects me. I haven't gotten into my registry yet, but I successfully deleted c:\winnt\system32\svcnet.exe and the c:\winnt\system32\msview folder and its contents without even going into safe mode.
    • Regedit & Regedt32 won't launch. A dialog pops and instantly disappears again, giving me no hope of reading what it says. Unlike other viruses that cause this behavior, copying the file to a new name (blah.exe) does not help.
    • Task Manager will launch, but the processes tab is completely blank (see attached GIF). The applications and performance tabs look more-or-less normal.
    • Access to virus-related and some other web sites return 404 error, while other pages come up fine. (I do have bogus entries in my hosts file, as mentioned earlier in this thread, and am nearly certain that this is the cause for this issue.)
    • Google searches containing the word "virus", or accesses to other pages containing the word "virus" (in their title bar?) will immediately close Internet Explorer.
    • All dialogs in McAfee VirusScan (with latest 10/6/2004 updates) immediately close. I do not find apvxdwin.exe anywhere on my system.
    • I'm not yet sure of this, but it seems to be intercepting and somehow altering the console output of the "netstat" command. It's hard to nail this one down in words, but the output is sometimes blank and other times not, and it just isn't responding like it normally does.
    I have a file that is infected with what appears to be Tibick, so I put it on a memory stick and took it to work. I unplugged my test machine from the network and then copied the infected file to the test machine and ran it. Sure enough, svcnet.exe and an msview folder showed up, and slowly the virus replicated itself until after 3 - 5 minutes I had 326 files in the msview folder. I didn't experience any of the other problems on the test machine. Regedit ran fine, as did the processes tab of IE. I shortly afterwards just used ghost to reimage the PC.

    I'm not sure if my home PC has a second virus, or if Tibick just didn't have the opportunity to update itself on my test machine due to lack of network connection. Regardless, I'm not real impressed with McAfee anymore. It didn't catch the Tibick-infected file on my home or work computer, despite having "on-access scanning" enabled both places. One of the things I learned from this thread is that there are free anti-virus programs out there that are considered to be better than McAfee / Norton.

    That's my initial $0.02. As mentioned, I'll post again if I can actually get rid of the damn thing with the instructions mentioned here. Thanks to all involved.
     
  8. harry349

    harry349 Guest

    Hm, wasn't expecting the image to get inlined like that, but oh well.

    Wanted to also mention that in addition to my system not having "apvxdwin.exe", I also do not have "syssrv.exe". I have not yet had the opportunity to run HijackThis, but will try this next.
     
  9. harry349

    harry349 Guest

    Ok. Here's an update from home now that I've fought with this one hand-to-hand a little bit.

    1. Clearing out the hosts file was a good start.
    2. As mentioned, the processes tab is blank. Luckily I'm probably a little more savvy than your average joe, and I have a couple of command-line utilities: "ps.exe" and "kill.exe", which function on a Windows system very much like their UNIX counterparts.
    3. After killing processes called "chkinit.exe" & "rmctrl.exe", I managed to get back into the processes tab of task manager. This also seems to have disabled the behavior of IE closing browser windows with the word "virus" in their title bars.
    4. Now I can get to Trend Micro and run their free online scan. The first time I ran it, it detected "malware.WORM_AGOBOT.LZ" in memory and removed it. I believe this is an alias for Gaobot.lz.
    5. Now when I run regedit, it doesn't immediately close anymore, but it says, "Registry editing has been disabled by your administrator." I'm like, hey, I'm a f#@%ing administrator. So I googled that one and ran across a useful VBS script that fixes me right up.
    6. Ran HijackThis, fixed all lines referencing "chkinit.exe", "rmctrl.exe", "svcnet.exe".

    Without doing step 6 and deleting the corresponding EXEs, all symptoms returned after reboot. I hope the addition of step 6 does the trick, will be back shortly to report. :)
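    Step 1 above (clearing the hosts file) is the part of this cleanup that can be checked without special tools, and the symptom in the earlier post (security sites returning errors while everything else loads) is exactly what a hijacked hosts file produces. The script below is an added example written for this thread, not code posted by harry349 or anyone else in it: it parses hosts-file text, flags entries that override a hostname on an assumed watchlist of security-vendor names (the `.test` names and the `WATCHLIST_SUFFIXES` tuple are placeholders), flags any other non-localhost name that has been sinkholed to 127.0.0.1 or 0.0.0.0, and returns a cleaned copy with those lines removed. The sample hosts content is constructed.

```python
import ipaddress

# Constructed sample hosts file (not taken from the thread). The hostnames are
# placeholders under .test; the entries imitate the bogus entries described above.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.av-vendor.test          # constructed: vendor site sent to loopback
0.0.0.0         updates.av-vendor.test      # constructed: updates blackholed
127.0.0.1       housecall.scanner.test      # constructed: online scanner blocked
192.0.2.10      intranet.example            # constructed: ordinary, legitimate entry
"""

# Assumed watchlist of hostname suffixes a defender cares about (placeholders).
WATCHLIST_SUFFIXES = ("av-vendor.test", "scanner.test")


def parse_hosts(text):
    """Return (line_number, ip_address, hostname) tuples from hosts-file text."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address, not a hosts entry
        for name in parts[1:]:
            entries.append((lineno, addr, name.lower()))
    return entries


def find_hijacks(text, watchlist=WATCHLIST_SUFFIXES):
    """Flag entries that pin a watchlisted name to any address, or that sinkhole
    any other non-localhost name to loopback/0.0.0.0.
    Returns (line_number, ip, hostname, reason) tuples."""
    flagged = []
    for lineno, addr, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain"):
            continue
        if any(name == s or name.endswith("." + s) for s in watchlist):
            flagged.append((lineno, str(addr), name, "watchlisted name overridden"))
        elif addr.is_loopback or addr.is_unspecified:
            flagged.append((lineno, str(addr), name, "name sinkholed"))
    return flagged


def clean_hosts(text, watchlist=WATCHLIST_SUFFIXES):
    """Return the hosts text with every flagged line removed."""
    bad_lines = {lineno for lineno, _, _, _ in find_hijacks(text, watchlist)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Report what would be removed, then show the cleaned file.
    for lineno, ip, name, reason in find_hijacks(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name} ({reason})")
    print(clean_hosts(SAMPLE_HOSTS))
```

    To run it against a real file, read `C:\WINNT\system32\drivers\etc\hosts` (or the equivalent path for your Windows version) into `text` and review the flagged lines before writing the cleaned copy back; the "name sinkholed" rule is a heuristic and will also report deliberate ad-blocking entries, which is why the script reports a reason rather than deleting silently.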
     
  10. harry349

    harry349 Guest

    I hate that 5 minute edit rule.

    Anyway, all seems fixed after the reboot, and here's the attachment I forgot in my previous message. Note it is a VBS script. I just copied it out of a web site, but if you're paranoid either examine it carefully before running, or don't run it, I don't care. Let's face it, if you're considering running it, you're probably near the edge of reformatting anyway, so you may as well give it a whirl. ;)

    Thanks to all who posted.
     
  11. MICRO¤DOT

    MICRO¤DOT Private E-2

    Culprit of infection: DragonballZ Budokai Crack (350bytes or so I think)
    I'm certain that's how my nephew thrashed my PC thanks to the boys needing a 'cheat code' & a scripting browser-jacker through game***s.com :(

    I pinpointed the precise moment of when jacked->execution->complete-seizure of my PC took place, thanks to several of my program logs along with finding the scripting game***s.com in my IE history. This smooth & sinister creature managed to elude current versions of every one of my brick & mortar defenses; Norton Corporate 7.60.926, ZoneAlarm Pro 5.1.033, AVG 6.0.778, SpySweeper, Spybot, PestPatrol Corporate & Adaware 6 Pro that were set to automatically update & install all new DEF's as released. Had ONE of them caught it prior to a reboot I might have (generally not my luck) been lucky enough to have nipped it before it plagued my PC. Unfortunately it wasn't until shortly after an occasional reboot that I noticed my Norton was disabled in my task bar and after trying to enable it, ZAP, AVG, Norton, etc. all crashed.

    Moments later while trying to initiate AVG and Norton through start/program files failed & then attempting to browse C: to initiate them resulted in instant closures, the epiphany draped in the mother-of-all-migraines slapped me square in the forehead. All I could do is *sigh* and listen to my graphics instructor/colleague recite over & over in my head..."Save or Pray. Save and get paid...." upon realizing I hadn't mirrored or ghosted my drive since May, and had about 38g of my Grandparents' Oooooold photos/etc stored on here that I was editing into DVD's for Christmas gifting. Including this whole summer of my digitals that I'd never got around to printing, much less burning :p

    I'll warn ya now, if you're NOT infected with this little bugger, don't even try to examine this [expletive] on a PC you give a hoot about. Mine was one helluva vicious mutation that creates a .Default Admin in HKU_USERS and transfers your Admin rights over to it (which it encrypts/locks you out) with no possible way that I could find to edit or restore the registry since I was no longer admin and couldn't run any commands. It shut down then deleted all .exe code of all anti-virus, firewall, etc., installed & prevented installation/execution of any new programs. It also uses any outbound prog you have (running or not) to act as a server doing [expletive]-if-I-know-what when it got out.

    Since I couldn't double click on anything in my pc to track the little [expletive] down (including any antivirus, firewall, anti-spy & other folders it infected or wrote strings to), I found that I could highlight and rename folder/objects to gain access to them (the only loophole I found in its IQ). By doing that I was able to print out my logs from AVG, ZAP, DrWatson, & AdAware 6's Process Watch & LSP Explorer Plugins that logged its progress as it executed. Those Adaware plugins were the only things I could run to see what was currently in my processes since it blanked out the Task Manager and (of course) blocks you from closing tasks....even blindly. (Yep, I tried that too :p )

    It also READS what the [expletive] you are looking at and either closes, shuts down, or cancels loading of anything that includes/contains the words antivirus or virus as well as every [expletive] name, make, model or manufacturer of antivirus & firewall. Including (if you manage to fight it to the point you can get your browser back up, it kills it at precisely 10min of connectivity) all searches, links, web executables, etc of anything either. It's like the [expletive] was alive and would KILL any & everything it portrayed as a threat to its survival.

    ZAP logged its outbounds to these IP's: 65.24.0.163 & 24.95.80.41 (at the same time) about 25-40x for each in 2min before it corrupted ZAP, shut it down and then deleted ZAP's .exe's (as well as all of my other antivirus & firewalls at essentially the same time). I tracked both of those IP's to a Columbus, OH RoadRunner account and Googled the first one to these results. As much as curiosity enjoys teasing this cat, having experienced getting injected with the Saddam.Kak worm a few years back (doing exactly this), I'll pass on déjà vu of this creature and leave it to you curious folks :eek:

    After sending a friend of mine to this thread he linked me to a renamed self extracting .exe of Reglite he hosted and I found it had attached itself to no less than 50+ strings in my registry. Apparently infecting or coding itself into every prog that's used for instant message, email, p2p, ping, update, download, wma, IE, Netscape, firewall, etc. on my OS drive that I had installed and created a CHKINI.EXE and svcnet.exe in system32 I found by searching for modified &/or created files in the specified time period. HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER software values were removed first & made inaccessible.

    I fought the [expletive] thing for a week before reluctantly throwing down my sword and zeroing my drive. I cussed like a sailor as I ran ahead of it burning off 38g of irreplaceable files and emptied a 5th of aged bourbon as I stacked up the 130 or so CD's & DVD's of my data :mad:

    It seems to have started out as W32.Tibick and mutated into a Tibick(svcnet.exe)-Novarg-BgBear-Melissa+gawd-knows-what-else variant that I've yet to find any publications on. While my infliction didn't create a msview and propagate, I've no doubt it'll most likely be the boon of serious net-heads. This is the only virus that's ever whipped my backside and forced me to reformat. The creator of this is either one brilliant [expletive] or its ability to mutate is bloody [expletive] amazing...

    The publications that I could find that were vaguely similar to this variant were here. Although many of the posts looked to be about the beginning of W32.Tibick, on towards the bottom of the page harry349 looks to have encountered the baby of what this monster is/has become.

    If this [expletive] continues to mutate/propagate I'll seriously be setting aside my daily pocket change for an external drive or resurrecting one of my old pc's strictly for my Gnutella, p2p and warez mingling...seeing as how McAfee and Symantec's brilliant idiots haven't managed to recognize, DEF or publish its mutation &/or variants since discovery of Tibick this August.

    This is definitely the hairy-clawed-little-[expletive] a grudge carrier would gift to his/her nemesis :p
    Especially since there are no DEF's or engines that will catch and eradicate its mutation right now o_O

    Many thanks to MajorGeeks & chaslang for troubleshooting this enough that google indexed this board out of the 40 (90% non-english) results indexed.
    Great big *Hugs & Kisses* to harry349 for intelligently detailing & weeding many of the issues I encountered with my little bundle of nuisance. Looks like you're as determined as I was to win the battle...I threw in the towel, broke out the bourbon and reformatted in the end. LoL!~

    Brighter side: I've found a nice little forum I'm sure to frequent :)
     
  12. Punisher_SD

    Punisher_SD Private E-2

    I had the same problem...
    I tried to solve the problem by doing the same things as harry but I couldn't figure out how to use ps.exe and kill.exe.
    So I tried some other things; most didn't work but 1 did.
    I downloaded Security Task Manager. With that program I could end the processes harry was talking about: chkinit.exe & rmctrl.exe.
    When ended I could use my virus scanner again and killed the viruses. Thanks for this thread, it really helped.
     
