theentwives

asked on

How do I remove a virus that has blocked IE and will not allow off-site AV Scans?

I have been working on this forum trying to troubleshoot my machine. From information I have learned here I went off-site on the infected machine to Trend Micro. The scan found DOS.AGOBOT.GEN -- I deleted it. Was able to then access my Norton LiveUpdate, which I did. Then it prompted me to reboot -- what was I thinking, but I did.

Now I can't even access any website on the internet.

I did look into the hosts file but it is empty.

It doesn't seem to be letting me do anything else. I'm running Win2K on a 2-computer network that I disconnected the minute I found the virus. The machine is functional except that it is slow and won't let me update. I've also sent e-mails that contain viruses from this machine unbeknownst to me, until now.

Help!
SOLUTION
DanGilbertTX

This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
theentwives

ASKER

Thank you for the quick response.  

I already am running Norton AV and have it on CD -- though I am thinking of switching since it failed to catch this virus and it seems this one was well versed in how to make it think it wasn't there. Is this something that will survive the fdisk? Will this infect my data files? This is the server machine on my network and holds all my data for my business. It also acts as my cash register. Would waiting a few weeks hurt anything, or does it just affect executable files? We close for the season in a few weeks and if I can put it off until then it would be nice.

Oh.. if I send an e-mail from this machine will it contain the virus?

Thanks!
SOLUTION
Is going to websites the ONLY problem you have got on the machine?

What error message do you get going to websites?

Can you check emails using an email client and connect to Yahoo and MSN Messenger? This is to check that you have internet access and only websites are the issue.

Try running this fix to see if it would help solve the issue:
http://www.spychecker.com/program/winsockxpfix.html -- should work for Windows 2000 as well.

Post back how it goes

Dan: I'm definitely comfortable scrapping the machine. I've done it several times as I've had several viruses in the last 2 years.

I'm not going to connect it back up to the network; that's insane. This machine will run my business software as a stand-alone -- I guess I should have been more specific: will running it as a stand-alone grind it to a halt in the next 2 weeks if I do NOT reboot it? (unless of course the power goes off). I'm a leave-the-machines-on kinda gal.

I'm going to try to burn it to CD, but the CD burner in this machine is finicky and I've been putting off replacing it since I can just back up my data to the other machine on the network if necessary. That's why I asked about e-mailing the data files to my other machine.

Sunray -- the error message in IE is: "The page cannot be displayed." However, in the address line it changes to http://auto.search.msn.com/response.asp?MT=www.tomcoyote.org/hjt&srch=5&prov=gogl&utf8. I've been hijacked, haven't I?

Yes, I can check e-mail (Outlook Express). I also have Ad-Aware Pro, but am running the freeware on the infected machine. I just downloaded it and haven't installed it on the entire network yet. Will that do the same as spychecker?

Also -- this machine has 2 hard drives in it. I have 2 files that keep coming up on Norton as containing hacktool.hidewindow. They will not delete or quarantine, so I sent them to the 2nd hard drive as there is practically nothing on it and I didn't want them to further screw things up on the C: drive. I probably should have scrapped the machine when I found those. They are related to the msdtc.exe running in the task manager, but I was able to isolate the hacktool files and quarantine them on the 2nd hard drive. Probably didn't do any good, huh?

Unfortunately, I'm just the "by necessity" IT gal in my own small business. Learning every day, but still a long way to go. I guess I know enough to get myself into some real trouble, lol.

Thanks for the help.

Oh -- one more question. What's up with Norton that I have all these problems? Should I switch to a less known, i.e. less targeted, AV software?

I'm doing the spychecker now, just for kicks, and will post results when I can.
SOLUTION
SOLUTION
Unicrom -- my 2nd machine is a laptop, but I guess I could use my daughter's machine to do this. Hers also has Ad-Aware Pro on it, fully updated, so I could run that as well. I'll give it a try on Monday when the store's closed and see if it works.

Thanks!


Good Luck
Let us know how it goes.
ASKER CERTIFIED SOLUTION
RMULLINS:

I tried that today. It works as far as running Norton again will get me. It only finds the 2 mscmd.exe hacktool.hidewindow files that I have isolated on the secondary HDD. Won't let me delete them (which is why I isolated them on the 2nd HDD) -- but I still can't use explorer.

I can check e-mail with outlook express.

I can access the internet FTP-style as indicated above.

Can anyone tell me how to delete those hacktool files? I'd like to get them off the 2nd hard disk before I put all my data files on there and clean the C drive, or take it out to run the AV off the other machine as Unicrom recommended. But I can't do that till Monday.

Thanks.
SOLUTION
First, regarding the files you wish to delete. Do you mean that NAV can't delete them? Have you tried deleting them yourself (from a command prompt or Windows Explorer)? If you've tried to delete them manually and still can't, check for a running process with the name of those files (to see the processes, press Ctrl-Shift-Esc to pull up Task Manager and look at the running processes; you can also start Task Manager by right-clicking an empty space on the taskbar and selecting it). If you find it in the process list, end the process(es) and try to delete them again.

It's also possible that it could be running in one of the svchost.exe processes. If that still doesn't work, provide more info, like what messages you get when you try to delete them.

Next, the 'explorer' issue:
I assume you mean that you can't get to sites using Internet Explorer (IE)? Explorer is the shell / file management tool, etc. That is very different from IE. I'll assume you mean IE.

Have you tried accessing other sites from your web browser, like google or experts-exchange?

Can you not visit any sites at all? Or just not some of the virus manufacturers' sites? It is very possible that the virus added entries to your hosts file, causing the names of some sites to resolve to a loopback address (such as 127.0.0.1), meaning that your browser is simply asking your computer to provide the page rather than going out to the internet.
You should check your hosts file (C:\Winnt\System32\Drivers\Etc\Hosts) to see if the virus put entries in there. You can safely remove all lines from here (unless you have specifically put some entries in the file). As an alternative, simply rename the file to something like hosts.old, restart, and then see if your system works properly.

I hate to state the obvious, but you do have the machine connected back to the network now, right (I mean to test your browser and such)? Your system needs to be able to access the DNS server you have in your IPConfig to resolve the names.

To help with troubleshooting, it's handy to turn off automatic searching in IE. To turn off automatic IE searching, open the browser and go to Tools->Options->Advanced tab and select the radio button 'Do not search from the address bar'.

To make sure that your system is resolving addresses correctly, we can use nslookup (it is likely that this is fine since you are able to get e-mail). If you are still having problems with your browser after doing what I stated, go to a command prompt and type 'nslookup www.google.com' and post the results back here (along with the message(s) in your browser when you go to 'http://www.google.com') and I'll help you.
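The hosts-file check suggested in the reply above, as an added example that is not part of the original thread. The reply only mentions loopback entries; the script below also flags a watched domain pinned to a routable address, since that silently sends the traffic somewhere else rather than just blocking it. The vendor watch list and the sample hosts content are constructed for illustration (the asker reported an empty hosts file, on which this check would come back clean). Python is used so the check runs on any machine the drive is attached to.

```python
"""Audit a Windows hosts file for entries that sinkhole or redirect
security-vendor and update sites.

Added example for this thread, not code from the original page. The
WATCHED_DOMAINS list and SAMPLE_HOSTS text below are constructed.
"""
import ipaddress

# Domains a hosts-file hijack typically targets: AV vendors and update
# servers. Constructed watch list; extend it for your own environment.
WATCHED_DOMAINS = (
    "symantec.com", "norton.com", "liveupdate.symantecliveupdate.com",
    "trendmicro.com", "housecall.trendmicro.com",
    "windowsupdate.com", "windowsupdate.microsoft.com", "update.microsoft.com",
    "mcafee.com", "sophos.com", "kaspersky.com",
)

# The only mapping a stock Windows hosts file contains.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost")}


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text.
    Handles comments, blank lines, tabs and several names on one line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield line_no, ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d)
               for d in WATCHED_DOMAINS)


def audit_hosts(text):
    """Return findings as (line_no, ip, hostname, reason) tuples.

    Flagged:
      - a watched domain pinned to ANY address (loopback/0.0.0.0 blocks
        the site; a routable address could proxy it somewhere else);
      - any other non-default name pointed at loopback or 0.0.0.0.
    """
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if (ip, name) in DEFAULT_ENTRIES:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((line_no, ip, name, "unparseable address"))
            continue
        sinkhole = addr.is_loopback or addr.is_unspecified
        if is_watched(name):
            reason = ("security site sinkholed" if sinkhole
                      else "security site redirected")
            findings.append((line_no, ip, name, reason))
        elif sinkhole:
            findings.append((line_no, ip, name, "non-default loopback entry"))
    return findings


# Constructed sample: a stock hosts file plus the kind of lines a hijacker
# adds. Not captured from the asker's machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1   www.symantec.com  liveupdate.symantecliveupdate.com
0.0.0.0     housecall.trendmicro.com
10.0.0.5    windowsupdate.microsoft.com   # not loopback, still a hijack
192.168.1.10  fileserver.local            # legitimate internal entry
"""

if __name__ == "__main__":
    # On the asker's Windows 2000 box the real file is
    # C:\Winnt\System32\Drivers\Etc\hosts; read it with open(path).read().
    for line_no, ip, name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {ip:<15} {name:<40} {reason}")
```

Run it against the real file by replacing SAMPLE_HOSTS with the contents of the hosts path given above; an empty or default-only file produces no findings, and a legitimate internal entry such as the file-server line is left alone because it is neither a watched domain nor a sinkhole address.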
SOLUTION
Danny Child
SOLUTION
SOLUTION
Hello Everyone!

Thanks so much for all of your help on this issue. The plot has taken a twist, however.

Over this week, we had a power failure and the computer restarted. Voila, it's like nothing was ever wrong. IE is working fine. I updated Norton (more than once), have scanned it, and Norton finds nothing except the 2 hacktool files on the 2nd HDD. As far as deleting them goes: poof. I renamed them and deleted them through Windows Explorer. Re-ran Norton and they are truly gone as well.

Have I been lured into a false sense of security?

I'm going to run the trojan removal tools Dan/Lobo recommended above, just in case.

I'm more confused than ever
(although happy the computer is now cooperating).
Dare I try connecting it to the LAN?
Right now its connected only to the wireless network that connects it to the DSL.

I'll post again after I run the trojan removal tools.
SOLUTION
Well, I've decided to just wait a couple of weeks and see what happens. I can always blow away the drive, and since things are working now I can wait until the store closes and then do what I have to. Thanks to everyone for all of their help!

PS -- Trend Micro's HouseCall and the TR software both came up clean. Go figure.