How do I remove a virus that has blocked IE and will not allow off-site AV Scans?

I have been working on this forum trying to troubleshoot my machine. From information I have learned here I went off site on the infected machine to trendmicro. The scan found DOS.AGOBOT.GEN -- I deleted it. Was able to then access my Norton LiveUpdate.. which I did. Then it prompted me to reboot -- what was I thinking.. but I did.

Now I can't even access any website on the internet.

I did look into the hosts file but it is empty.

It doesn't seem to be letting me do anything else. I'm running WIN2K on a 2-computer network that I disconnected the minute I found the virus. The machine is functional except that it is slow and won't let me update. I've also sent e-mails that contain viruses from this machine unbeknownst to me.. until now.

If you want to update NAV but can't browse, there is an easier solution. FTP the NAV update file for the most current definitions and run it. It will update NAV and you don't need a web browser. This is the method I use to update my definition files daily (via a scheduled task).

Simple method is to ftp (via command line) the update file from Symantec (found in the stuff below). You can just run that .exe without the switches I am using to extract the files and it will update your defs.

Here are some batch files I use. All I have to do is call NAVGo.cmd: (you may need to slightly modify these files. Put them in C:\NavUpdate to reduce changes. You can view what was done in log.txt. Note: be careful of the text wrapping that occurs on this site when I copied and pasted the commands)

NAVGo.cmd:

NavUpdate.cmd >> Log.txt

NavUpdate.cmd:

ECHO --- Update on %date% @ %time% ---
REM Clear out the previous download and the previously extracted files
DEL /q C:\NAVUpdate\Expanded\*.*
DEL /q "C:\NAVUpdate\symcdefsi32.exe"
REM -n: no auto-login, -i: no per-file prompts, -s: read commands from the script file
FTP -n -i -s:C:\NAVUpdate\NAVUpdateFTPGet.txt
REM /q /extract unpacks the definitions into the folder NAV picks them up from
"C:\NAVUpdate\symcdefsi32.exe" /q /extract "C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\"
@ECHO --- Process Complete on %date% @ %time% ---

NAVUpdateFTPGet.txt (the "open" and "quit" lines were lost in the paste; the server name ftp.symantec.com is assumed here, and because of -n the anonymous password is given on the USER line so the script's next line is not consumed as the password):

open ftp.symantec.com
USER anonymous guest@example.com
cd public/english_us_canada/antivirus_definitions/norton_antivirus/static
lcd C:\NAVUpdate
get symcdefsi32.exe
quit

This ought to do it.
While you could clean it, I would highly, highly recommend wiping the machine and installing a clean OS.

If you really want to clean this then I would suggest downloading an AV program (your choice) and burn it to a CD and then install it on the infected machine. I would still advise you to install a clean copy. That is the most surefire way to get rid of a virus.
theentwives (Author) Commented:
Thank you for the quick response.  

I already am running Norton AV and have it on CD -- though am thinking of switching since it failed to catch this virus and it seems this one was well versed in how to make it think it wasn't there.   Is this something that will survive the fdisk? Will this infect my data files? This is the server machine on my network and holds all my data for my business. It also acts as my cash register. Would waiting a few weeks hurt anything or does it just affect executable files? We close for the season in a few weeks and if I can put it off until then it would be nice.

Oh.. if I send an e-mail from this machine will it contain the virus?


Ok, I will answer your questions in order:

Fdisk - If you do fdisk /mbr a few times it probably won't. Then format the drive.

Data files - Most viruses only attack executable files. Some attack Word files. Unfortunately I couldn't find your specific virus or that isn't the right name for it. Otherwise I would tell you what it attacks.

Waiting a few weeks - Yes, it will seriously hurt things if you connect it back up to the network. You never, EVER connect an infected machine back up to the network. If the infected machine has a CD burner in it you could burn all your data to disk and then format and reinstall. You could also use an external hard drive to hold all the data. Do NOT connect it back to the network though. Bad idea.

Email from infected machine - It may or may not contain the virus. It really depends on the virus that has infected the machine and what it does.

My advice still stands. You really need to blow that machine away (after getting your data off of it) and load a fresh OS and AV software on it. Then reinstall your programs and import your data back in. If you aren't comfortable doing this then you might find a computer service company that does these sorts of things. It probably won't be cheap, but how expensive would it be to lose your data? Anyway, that is just my advice.
Is going to websites the ONLY problem you have got in the machine ?

What error message do you get going to websites ?

Can you check emails using an email client and connect to Yahoo and MSN Messenger? This is to check that you have internet access and only websites are the issue.

Try running this fix to see if it would help solve the issue -- Should work for Windows 2000 as well.

Post back how it goes

theentwives (Author) Commented:
Dan:  I'm definitely comfortable scrapping the machine.. I've done it several times as I've had several viruses in the last 2 years.

I'm not going to connect it back up to the network.. that's insane.  This machine will run my business software as a stand alone -- I guess I should have been more specific.. will running it as a stand alone grind it to a halt in the next 2 weeks if I do NOT reboot it?  (unless of course the power goes off).. I'm a leave-the-machines on kinda gal.

I'm going to try to burn it to cd but the cd burner in this machine is finicky and i've been putting off replacing it since I can just backup my data to the other machine on the network if necessary. That's why I asked about e-mailing the data files to my other machine.

Sunray -- the error message on IE is:  The page cannot be displayed.  However.. in the address line.. it changes to   -- I've been hijacked haven't I?

Yes, I can check e-mails (Outlook Express). I also have Ad-Aware Pro, but am running the freeware on the infected machine.. I just downloaded it and haven't installed it on the entire network yet.  Will that do the same as spychecker?

Also -- This machine has 2 hard drives in it -- I have 2 files that keep coming up on Norton as containing hacktool.hidewindow.  They will not delete or quarantine.. so I sent them to the 2nd hard drive as there is practically nothing on it and I didn't want them to further screw things up on the C: drive.  I probably should have scrapped the machine when I found those. They are related to the msdtc.exe running in the task manager... but I was able to isolate the hacktool files and quarantine them on the 2nd hard drive. Probably didn't do any good, huh?

Unfortunately, I'm just the "by necessity" IT gal in my own small business. Learning every day.. but still a long way to go. I guess I know enough to get myself into some real

Thanks for the help.

OH -- one more question.. What's up with Norton that I have all these problems? Should I switch to a less known -- i.e. less targeted -- AV software?

I'm doing the spychecker now.. just for kicks and will post results when I can.
If you have 2 hard drives in it then I would suggest moving your data files to the 2nd hard drive when you format and reinstall on the primary hard drive. If you can, run fdisk /mbr a couple of times from a DOS/Win9x boot disk before reinstalling and that should take care of anything in the Master Boot Record.

As for running for the next 2 weeks as a stand-alone, the answer is a very definitive "maybe". It may work or it may not. You really can't tell when it comes to viruses. If you know what all your machine was infected with then we could go through the virus databases out there and see what all they do and give a little better answer.

The error message you are getting may actually be spyware and not a virus. I have actually had something similar where IE's autosearch would send me to a random page instead of returning search results. Not sure how to fix that since I just blew the machine away. Sorry.

As for Norton, I really don't like it. It was good until Symantec bought them. I think it has gone downhill from there. Same for McAfee since they were bought by Network Associates. That said, I think McAfee is the better of the two at the moment and I would probably go with McAfee 8.x if I had a choice. I am assuming that you have a recent version of Norton and that it is up-to-date with the latest virus definitions.

Simple solution that I would do is get the HDD that has the virus on it and take it out of the machine, then get another machine that has a fully updated antivirus program on it..

Plug the infected HDD into the secondary IDE port.. If this means unplugging CD-ROMs and such, this is not a problem; they can be plugged back in after..
A power connector will need to be plugged into the HDD as well.

Now boot the computer in SAFE MODE. To do this hit [F8] like every 2 seconds until a menu appears.

When the menu appears choose "Start computer in SAFE MODE."

Once the computer is loaded, get the antivirus program to do a full virus scan on the infected HDD.

It will find and delete or quarantine the file.


This works because you have your HDD in another machine on its secondary port in "safe mode" (nothing will load from your HDD to infect the other machine this way).

If this doesn't work I have other ideas.

I've been removing viruses from a dozen HDDs every day for about 3 years with one computer, so I personally find it to be the easiest way.

Good Luck
P.S. I would write some more (maybe wrote too much) but it's almost 1 AM and I am moving house and am sooo freaking tired :)

*HDD = Hard Disk Drive (Hard Drive)

Good Day

theentwives (Author) Commented:
Unicrom -- my 2nd machine is a laptop -- but -- I guess I could use my daughter's machine to do this. Hers also has the Ad-Aware Pro on it.. fully updated so I could run that as well. I'll give it a try on Monday when the store's closed and see if it works..


Good Luck
Let us know how it goes.
theentwives (Author) Commented:

I tried that today.. it works as far as running Norton again will get me. It only finds the 2 mscmd.exe hacktool.hidewindow files that I have isolated on the secondary HDD.  Won't let me delete them (which is why I isolated them on the 2nd HDD) -- but still can't use explorer.

I can check e-mail with outlook express.

I can access the internet as ftp-style as indicated above.

Can anyone tell me how to delete those hacktool files?  I'd like to get them off the 2nd hard disk before I put all my data files on there and clean the C drive, or take it out to run the AV off the other machine as Unicrom recommended.  But I can't do that till Monday.

Hi Theentwives,

If the trojan is not allowing you to log into any antivirus website, try logging into this place and download TrojanRemover. This tool is designed specifically to deal with trojans like Agobot. If it won't let you get to the website let us know and I'll download it and post it to my webspace for you.

Good Vibes!

First, regarding the files you wish to delete. Do you mean that NAV can't delete them?  Have you tried deleting them yourself (from command prompt or windows explorer)?  If you've tried to delete them manually and still can't, check for a running process with the name of those files (to see the processes, press ctrl-shift-esc to pull up task manager and look at the running processes; you can also start task manager by right clicking an empty space on the taskbar and selecting it). If you find it in the process list, end the process(es) and try to delete them again.

It's also possible that it could be running in one of the svchost.exe processes.  If that still doesn't work, provide more info, like what messages you get when you try to delete them.

Next, the 'explorer' issue:
I assume you mean that you can't get to sites using Internet Explorer (IE)?  Explorer is the shell / file management tool, etc. That is very different from IE. I'll assume you mean IE.

Have you tried accessing other sites from your web browser, like google or experts-exchange?

Can you not visit any sites at all? or just not some of the virus mfg sites?  It is very possible that the virus added entries to your hosts file, causing the names of some sites to resolve to a loopback address (such as, meaning that your browser is simply asking your computer to provide the page rather than going out to the internet.  
You should check your hosts file (C:\Winnt\System32\Drivers\Etc\Hosts) to see if the virus put entries in there. You can safely remove all lines from here (unless you have specifically put some entries in the file). As an alternative, simply rename the file to something like hosts.old, restart, and then see if your system works properly.

I hate to state the obvious, but you do have the machine connected back to the network now, right (I mean to test your browser and such)? Your system needs to be able to access the DNS server you have in your IPConfig to resolve the names.

To help with troubleshooting, it's handy to turn off automatic searching in IE. To turn off automatic IE searching, open the browser and go to Tools->Options->Advanced Tab and select the radio button 'Do not search from the address bar'.

To make sure that your system is resolving addresses correctly, we can use NSLookup (it is likely that this is fine since you are able to get e-mail). If you are still having problems with your browser after doing what I stated, go to a command prompt and type 'nslookup' and post the results back here (along with the message(s) in your browser when you go to '' and I'll help you.
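The hosts-file check described above can be automated. The following is an added example, not code from the thread or from any of the posters: it parses a hosts file in the Windows format, flags entries that send AV vendor or update hostnames to a loopback or unspecified address (the hijack pattern the post describes), and produces a cleaned copy that keeps only localhost and any names the administrator explicitly wants to keep. The sample hosts content is constructed for the demonstration; the vendor name fragments are assumptions based on the vendors mentioned in this thread, and the file path is the Windows 2000 location given in the post.

```python
import ipaddress

# Windows 2000 location given in the thread; only used if you call load_hosts().
HOSTS_PATH = r"C:\Winnt\System32\Drivers\Etc\Hosts"

# Constructed sample: a hosts file after a hijack that black-holes AV/update sites.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       liveupdate.symantecliveupdate.com
127.0.0.1       www.trendmicro.com
0.0.0.0         update.symantec.com
10.0.0.5        fileserver   # my own LAN entry
"""

# Assumed list of name fragments worth protecting, taken from vendors named in the thread.
PROTECTED_FRAGMENTS = ("symantec", "norton", "liveupdate", "trendmicro", "mcafee", "housecall")
LOCAL_NAMES = ("localhost", "localhost.localdomain")


def load_hosts(path=HOSTS_PATH):
    """Read the real hosts file (not used by the demo, which works on SAMPLE_HOSTS)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        return fh.read()


def parse_hosts(text):
    """Return (ip, [names], raw_line) for every non-comment, non-blank line."""
    entries = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()   # strip trailing comments
        parts = body.split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:], raw))
    return entries


def is_blackhole(ip):
    """True for 127.x.x.x / ::1 (loopback) or 0.0.0.0 / :: (unspecified)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def suspicious_entries(text):
    """Flag any non-localhost name mapped to a black-hole address, and any
    protected vendor name mapped anywhere at all (a hosts override of an
    AV vendor is suspicious even if it points at a routable address)."""
    flagged = []
    for ip, names, _raw in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            if is_blackhole(ip) or any(frag in lname for frag in PROTECTED_FRAGMENTS):
                flagged.append((ip, name))
    return flagged


def clean_hosts(text, keep_names=()):
    """Rewrite the file keeping comments, localhost lines and explicitly kept names."""
    allowed = set(LOCAL_NAMES) | {k.lower() for k in keep_names}
    kept = []
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()
        parts = body.split()
        if len(parts) < 2:            # comment or blank line: keep as-is
            kept.append(raw)
        elif all(n.lower() in allowed for n in parts[1:]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious: {ip:<15} {name}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS, keep_names=("fileserver",)), end="")
```

Run it against the real file by replacing SAMPLE_HOSTS with load_hosts(); review the flagged lines before writing the cleaned copy back, since a legitimate local entry that happens to contain a vendor name would be flagged too.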
Danny Child (IT Manager) Commented:
If you start your machine in **Safe Mode**, you should be able to find these files and delete them.  Once deleted, you can even create FOLDERS in the SAME location as the files, with the same name.  Then, when the pc starts up, any virus process that tries to recreate them will fail, as the OS won't let it create a file with the same name as that folder.  This works as long as the virus doesn't use random file names...

mscmd.exe seems linked to the Delsha virus - removal info here:

hacktool.hidewindow seems to be a trojan that lets others onto your pc:

msconfig can be handy to stop processes running too.

I had a win 98 pc recently with a similar issue, but it was the MyDoom virus, plus Swen, plus CoolWWWSearch spyware that were the cause.  Once I got rid of each of them, w98 was totally shot - wouldn't launch any apps at all, but I reinstalled it over the top, and it was then fine, with all my data and apps intact.  
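The placeholder-folder trick in the comment above can be checked before relying on it. This added example is not from the thread or any poster: it plants an empty directory under each name a dropper would try to rewrite, then simulates the rewrite and confirms the operating system refuses it. The file name mscmd.exe is the one reported in this thread; the temporary directory stands in for the real location, and the caveat from the comment still applies (a virus using random names is not stopped by this).

```python
import os
import tempfile


def plant_placeholder_dirs(location, filenames):
    """Create an empty directory for each name so no file of that name can be
    created at that path. Refuses to proceed if something already exists
    there, because the malicious file must be deleted first."""
    planted = []
    for name in filenames:
        path = os.path.join(location, name)
        if os.path.lexists(path):
            raise FileExistsError(f"{path} already exists; remove it before planting a placeholder")
        os.mkdir(path)
        planted.append(path)
    return planted


def file_creation_blocked(path):
    """Simulate a dropper recreating its file. Returns True if the OS refused
    (IsADirectoryError on POSIX, PermissionError on Windows), False if a file
    was written (in which case it is removed again)."""
    try:
        with open(path, "wb") as fh:
            fh.write(b"x")
    except OSError:
        return True
    os.remove(path)
    return False


def placeholder_check(filenames=("mscmd.exe",)):
    """Return (blocked_with_placeholder, writable_without_placeholder) for the
    given names, using a throwaway directory in place of the real location."""
    with tempfile.TemporaryDirectory() as tmp:
        # Without a placeholder the dropper's write succeeds.
        writable = all(not file_creation_blocked(os.path.join(tmp, n)) for n in filenames)
        # With placeholders in place every write is refused.
        planted = plant_placeholder_dirs(tmp, filenames)
        blocked = all(file_creation_blocked(p) for p in planted)
    return blocked, writable


if __name__ == "__main__":
    blocked, writable = placeholder_check()
    print(f"write refused with placeholder folder: {blocked}")
    print(f"write allowed without placeholder:     {writable}")
```

The placeholder only protects the exact path; it does nothing for a second copy dropped under another name or in another folder, so it is a stopgap to use after the file itself has been deleted in Safe Mode, not a substitute for the reinstall recommended earlier in the thread.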

Danny Child (IT Manager) Commented:
and SpyBot came in handy too - free!

cwshredder was needed to get rid of CoolWWWsearch, if that helps.
Danny Child (IT Manager) Commented:
and finally, you can get norton updates downloaded so that you can fit them onto a floppy or cd and then move them to the dodgy machine
theentwives (Author) Commented:
Hello Everyone!

Thanks so much for all of your help on this issue. The plot has taken a twist, however.

Over this week, we had a power failure and the computer restarted.  Voila... it's like nothing was ever wrong. IE is working fine.. I updated Norton (more than once) -- Have scanned it and Norton finds nothing, except the 2 hacktool files on the 2nd HDD.  As far as deleting them goes -- poof.. I renamed them and deleted them through Windows Explorer. Re-ran Norton and they are truly gone as well.

Have I been lured into a false sense of security?

I'm going to run the trojan removal tools Dan/Lobo recommend above.. just in case..

I'm more confused than ever..
(although happy the computer is now cooperating)..
Dare I try connecting it to the LAN?
Right now it's connected only to the wireless network that connects it to the DSL.

I'll post again after I run the trojan removal tools.
I would still recommend blowing it away and reinstalling. That is the ONLY sure way to know it is clean. If you really don't want to do that then you might try installing a 2nd AV software (McAfee for instance) and Anti-Spyware software (PestPatrol or SpySweeper) and run thorough scans on the machine. If both AV software packages and the Spyware packages come up clean then you might be ok. Either way, I would like to know how it goes for you. Thanks for the update.
theentwives (Author) Commented:
Well, I've decided to just wait a couple weeks and see what happens. I can always blow away the drive and since things are working now.. I can wait until the store closes and then do what I have to.  Thanks to everyone for all of their help!

PS -- Trend Micro's Housecall and the TR Software both came up clean. -- go figure.
