How do I remove a virus that has blocked IE and will not allow off-site AV Scans?

Posted on 2004-09-25
Last Modified: 2010-04-12
I have been working on this forum trying to troubleshoot my machine. From information I have learned here I went off site on the infected machine to trendmicro. The scan found DOS.AGOBOT.GEN -- I deleted it. Was able to then access my Norton LiveUpdate.. which I did. Then it prompted me to reboot -- what was I thinking.. but I did.

Now I can't even access any website on the internet.

I did look into the hosts file but it is empty.

It doesn't seem to be letting me do anything else. I'm running WIN2K on a 2-computer network that I disconnected the minute I found the virus. The machine is functional except that it is slow and won't let me update. I've also sent e-mails that contain viruses from this machine unbeknownst to me.. until now.

Question by:theentwives

Assisted Solution

DanGilbertTX earned 140 total points
ID: 12151809
While you could clean it, I would highly, highly recommend wiping the machine and installing a clean OS.

If you really want to clean this then I would suggest downloading an AV program (your choice) and burn it to a CD and then install it on the infected machine. I would still advise you to install a clean copy. That is the most surefire way to get rid of a virus.

Author Comment

ID: 12151881
Thank you for the quick response.  

I already am running Norton AV and have it on CD -- though am thinking of switching since it failed to catch this virus and it seems this one was well versed in how to make it think it wasn't there. Is this something that will survive the fdisk? Will this infect my data files? This is the server machine on my network and holds all my data for my business. It also acts as my cash register. Would waiting a few weeks hurt anything or does it just affect executable files? We close for the season in a few weeks and if I can put it off until then it would be nice.

Oh.. if I send an e-mail from this machine will it contain the virus?


Assisted Solution

DanGilbertTX earned 140 total points
ID: 12152067
Ok, I will answer your questions in order:

Fdisk - If you do fdisk /mbr a few times it probably won't. Then format the drive.

Data files - Most viruses only attack executable files. Some attack Word files. Unfortunately I couldn't find your specific virus or that isn't the right name for it. Otherwise I would tell you what it attacks.

Waiting a few weeks - Yes, it will seriously hurt things if you connect it back up to the network. You never, EVER connect an infected machine back up to the network. If the infected machine has a CD burner in it you could burn all your data to disk and then format and reinstall. You could also use an external hard drive to hold all the data. Do NOT connect it back to the network though. Bad idea.

Email from infected machine - It may or may not contain the virus. It really depends on the virus that has infected the machine and what it does.

My advice still stands. You really need to blow that machine away (after getting your data off of it) and load a fresh OS and AV software on it. Then reinstall your programs and import your data back in. If you aren't comfortable doing this then you might find a computer service company that does these sorts of things. It probably won't be cheap, but how expensive would it be to lose your data? Anyway, that is just my advice.

LVL 49

Expert Comment

ID: 12152179
Is going to websites the ONLY problem you have got in the machine ?

What error message do you get going to websites ?

Can you check emails using an email client and connect to Yahoo and MSN Messenger, to check that you have internet access and only websites are the issue?

Try running this fix to see if it would help solve the issue -- should work for Windows 2000 as well.

Post back how it goes


Author Comment

ID: 12152368
Dan: I'm definitely comfortable scrapping the machine.. I've done it several times as I've had several viruses in the last 2 years.

I'm not going to connect it back up to the network.. that's insane.  This machine will run my business software as a stand alone -- I guess I should have been more specific.. will running it as a stand alone grind it to a halt in the next 2 weeks if I do NOT reboot it?  (unless of course the power goes off).. I'm a leave-the-machines on kinda gal.

I'm going to try to burn it to cd but the cd burner in this machine is finicky and i've been putting off replacing it since I can just backup my data to the other machine on the network if necessary. That's why I asked about e-mailing the data files to my other machine.

Sunray -- the error message on IE is: The page cannot be displayed. However.. in the address line.. it changes to -- I've been hijacked haven't I?

Yes, I can check e-mails (Outlook Express). I also have Ad-Aware Pro, but am running the freeware on the infected machine.. I just downloaded it and haven't installed it on the entire network yet. Will that do the same as spychecker?

Also -- This machine has 2 hard drives in it -- I have 2 files that keep coming up on Norton as containing hacktool.hidewindow. They will not delete or quarantine.. so I sent them to the 2nd hard drive as there is practically nothing on it and I didn't want them to further screw things up on the C: drive. I probably should have scrapped the machine when I found those. They are related to the msdtc.exe running in the task manager... but I was able to isolate the hacktool files and quarantine them on the 2nd hard drive. Probably didn't do any good, huh?

Unfortunately, I'm just the "by necessity" IT gal in my own small business. Learning every day.. but still a long way to go. I guess I know enough to get myself into some real

Thanks for the help.

OH -- one more question.. Whats up with Norton that I have all these problems? Should I switch to a less known-- i.e. less targeted AV software?

I'm doing the spychecker now.. just for kicks and will post results when I can.

Assisted Solution

DanGilbertTX earned 140 total points
ID: 12152453
If you have 2 hard drives in it then I would suggest moving your data files to the 2nd hard drive when you format and reinstall on the primary hard drive. If you can, run fdisk /mbr a couple of times from a DOS/Win9x boot disk before reinstalling and that should take care of anything in the Master Boot Record.

As for running for the next 2 weeks as a stand-alone, the answer is a very definitive "maybe". It may work or it may not. You really can't tell when it comes to viruses. If you know what all your machine was infected with then we could go through the virus databases out there and see what all they do and give a little better answer.

The error message you are getting may actually be spyware and not a virus. I have actually had something similar where IE's autosearch would send me to a random page instead of returning search results. Not sure how to fix that since I just blew the machine away. Sorry.

As for Norton, I really don't like it. It was good until Symantec bought them. I think it has gone downhill from there. Same for McAfee since they were bought by Network Associates. That said, I think McAfee is the better of the two at the moment and I would probably go with McAfee 8.x if I had a choice. I am assuming that you have a recent version of Norton and that it is up-to-date with the latest virus definitions.

Assisted Solution

Unicrom earned 100 total points
ID: 12152654

The simple solution that I would use is to take the HDD that has the virus on it out of the machine, then get another machine that has a fully updated antivirus program on it.

Plug the infected HDD into the secondary IDE port. If this means unplugging CD-ROMs and such, this is not a problem; they can be plugged back in afterwards.
A power connector will need to be plugged into the HDD as well.

Now boot the computer in SAFE MODE. To do this, hit [F8] about every 2 seconds until a menu appears.

When the menu appears, choose "Start computer in SAFE MODE."

Once the computer has loaded, get the antivirus program to do a full virus scan on the infected HDD.

It will find and delete or quarantine the file.

This is more likely to work because you have your HDD in another machine on its secondary port in safe mode (nothing will load from your HDD to infect the other machine this way).

If this doesn't work I have other ideas.

I've been removing viruses from a dozen HDDs every day for about 3 years with one computer, so I personally find it to be the easiest way.

Good Luck
P.S. I would write some more (maybe I wrote too much) but it's almost 1 AM and I am moving house and am sooo freaking tired :)

*HDD = Hard Disk Drive (Hard Drive)

Good Day


Author Comment

ID: 12152919
Unicrom -- my 2nd machine is a laptop-- but -- I guess I could use my daughter's machine to do this. Hers also has the AdAware Pro on it.. fully updated so I could run that as well. I'll give it a try on Monday when the store's closed and see if it works..



Expert Comment

ID: 12153020
Good Luck
Let us know how it goes.

Accepted Solution

rmullins earned 150 total points
ID: 12153078
If you want to update NAV but can't browse, there is an easier solution. FTP the NAV update file for the most current definitions and run it. It will update NAV and you don't need a web browser. This is the method I use to update my definition files daily (via a scheduled task).

The simple method is to ftp (via the command line) the update file from Symantec (found in the stuff below). You can just run that .exe without the switches I am using to extract the files and it will update your defs.

Here are some batch files I use. All I have to do is call NAVGo.cmd: (you may need to slightly modify these files. Put them in C:\NavUpdate to reduce changes. You can view what was done in log.txt. Note: be careful of the text wrapping that occurs on this site when I copied and pasted the commands)

NAVGo.cmd (the only file you call; it runs the update and appends everything to the log):

NavUpdate.cmd >> Log.txt

NavUpdate.cmd:

ECHO --- Update on %date% @ %time% ---
REM Clear the previous download and extracted definitions
DEL /q C:\NAVUpdate\Expanded\*.*
DEL /q "C:\NAVUpdate\symcdefsi32.exe"
REM Fetch the current definitions package using the scripted ftp session below
FTP -n -i -s:C:\NAVUpdate\NAVUpdateFTPGet.txt
REM Extract the definitions into NAV's incoming folder (run without switches to install directly)
"C:\NAVUpdate\symcdefsi32.exe" /q /extract "C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\"
@ECHO --- Process Complete on %date% @ %time% ---

NAVUpdateFTPGet.txt (the ftp script read by the -s: switch):

USER anonymous
cd public/english_us_canada/antivirus_definitions/norton_antivirus/static
lcd C:\NAVUpdate
get symcdefsi32.exe

This ought to do it.

Author Comment

ID: 12155329

I tried that today.. it works as far as running norton again will get me. It only finds the 2 mscmd.exe hacktool.hidewindow files that I have isolated on the secondary hdd.  Won't let me delete them (which is why I isolated them on the 2nd HDD) -- but still can't use explorer.

I can check e-mail with outlook express.

I can access the internet as ftp-style as indicated above.

Can anyone tell me how to delete those hacktool files? I'd like to get them off the 2nd hard disk before I put all my data files on there and clean the C drive or take it out to run the AV off the other machine as Unicrom recommended. But I can't do that till Monday.

LVL 17

Assisted Solution

Lobo042399 earned 50 total points
ID: 12156470
Hi Theentwives,

If the trojan is not allowing you to log into any antivirus website, try logging into this place and download TrojanRemover. This tool is designed specifically to deal with trojans like Agobot. If it won't let you get to the website let us know and I'll download it and post it to my webspace for you.

Good Vibes!


Expert Comment

ID: 12157463
First, regarding the files you wish to delete. Do you mean that NAV can't delete them?  Have you tried deleting them yourself (from command prompt or windows explorer)?  If you've tried to delete them manually and still can't, check for a running process with the name of those files (to see the processes, press ctrl-shift-esc to pull up task manager and look at the running processes; you can also start task manager by right clicking an empty space on the taskbar and selecting it). If you find it in the process list, end the process(es) and try to delete them again.

It's also possible that it could be running in one of the svchost.exe processes.  If that still doesn't work, provide more info....  Like what messages do you get when you try and delete them.

Next, the 'explorer' issue:
I assume you mean that you can't get to sites using Internet Explorer (IE)?  Explorer is the shell / file management tool, etc. That is very different from IE. I'll assume you mean IE.

Have you tried accessing other sites from your web browser, like google or experts-exchange?

Can you not visit any sites at all? Or just not some of the virus mfg sites? It is very possible that the virus added entries to your hosts file, causing the names of some sites to resolve to a loopback address (such as, meaning that your browser is simply asking your computer to provide the page rather than going out to the internet.
You should check your hosts file (C:\Winnt\System32\Drivers\Etc\Hosts) to see if the virus put entries in there. You can safely remove all lines from here (unless you have specifically put some entries in the file). As an alternative, simply rename the file to something like hosts.old, restart, and then see if your system works properly.

I hate to state the obvious, but you do have the machine connected back to the network now, right (I mean to test your browser and such)? Your system needs to be able to access the DNS server you have in your IPConfig to resolve the names.

To help with troubleshooting, it's handy to turn off automatic searching in IE. To turn off automatic IE searching, open the browser and go to Tools->Options->Advanced Tab and select the radio button 'Do not search from the address bar'.

To make sure that your system is resolving addresses correctly, we can use NSLookup (it is likely that this is fine since you are able to get e-mail). If you are still having problems with your browser after doing what I stated, go to a command prompt and type 'nslookup' and post the results back here (along with the message(s) in your browser when you go to '') and I'll help you.
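As an added illustration of the hosts-file check described in the comment above (example code written for this page, not posted by anyone in the thread): a small Python audit that parses a hosts file, flags entries pinning non-local names to the loopback address or overriding the antivirus vendor sites this thread mentions, and produces the cleaned copy the comment recommends, keeping only comments and the localhost line. The sample hosts content is constructed, and the vendor keyword list is an assumption.

```python
import ipaddress

# Constructed sample in the state described above: vendor sites pinned to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.trendmicro.com
127.0.0.1       liveupdate.symantecliveupdate.com   # added by malware
0.0.0.0         www.mcafee.com
10.0.0.5        www.symantec.com
192.168.1.10    fileserver.local
"""

# Assumed keyword list (vendors named in this thread); any entry naming one is suspect.
AV_VENDOR_HINTS = ("trendmicro", "symantec", "norton", "mcafee", "liveupdate")


def parse_hosts(text):
    """Return (address, hostname) pairs, one per hostname, skipping comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                              # blank or malformed line
        for name in parts[1:]:
            entries.append((parts[0], name.lower()))
    return entries


def suspicious_entries(text):
    """Return (address, host, reason) for entries a clean hosts file should not have."""
    findings = []
    for addr, host in parse_hosts(text):
        if host in ("localhost", "localhost.localdomain"):
            continue                              # the one expected entry
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((addr, host, "unparseable address"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            findings.append((addr, host, "non-local name pinned to loopback"))
        elif any(hint in host for hint in AV_VENDOR_HINTS):
            findings.append((addr, host, "antivirus vendor site overridden"))
    return findings


def cleaned_hosts(text):
    """Keep only comments and the localhost line, as the comment above advises."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(raw)
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[1].lower() == "localhost":
            kept.append(raw)
    return "\n".join(kept) + "\n"
```

Running suspicious_entries over the real file read from C:\Winnt\System32\Drivers\Etc\Hosts lists exactly the lines worth removing; an empty result with the browser still failing points at DNS or the browser settings instead.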
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 60 total points
ID: 12161905
If you start your machine in **Safe Mode**, you should be able to find these files and delete them.  Once deleted, you can even create FOLDERS in the SAME location as the files, with the same name.  Then, when the pc starts up, any virus process that tries to recreate them will fail, as the OS won't let it create a file with the same name as that folder.  This works as long as the virus doesn't use random file names........

mscmd.exe seems linked to the Delsha virus - removal info here:

hacktool.hidewindow seems to be a trojan that lets others onto your pc:

msconfig can be handy to stop processes running too.

I had a win 98 pc recently with a similar issue, but it was the MyDoom virus, plus Swen, plus CoolWWWSearch spyware that were the cause.  Once I got rid of each of them, w98 was totally shot - wouldn't launch any apps at all, but I reinstalled it over the top, and it was then fine, with all my data and apps intact.  

LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 60 total points
ID: 12161949
and SpyBot came in handy too - free!

cwshredder was needed to get rid of CoolWWWsearch, if that helps.
LVL 23

Assisted Solution

by:Danny Child
Danny Child earned 60 total points
ID: 12161970
and finally, you can get Norton updates downloaded so that you can fit them onto a floppy or CD and then move them to the dodgy machine.

Author Comment

ID: 12200726
Hello Everyone!

Thanks so much for all of your help on this issue. The plot has taken a twist, however.

Over this week, we had a power failure and the computer restarted. Voila... it's like nothing was ever wrong. IE is working fine.. I updated Norton (more than once) -- Have scanned it and Norton finds nothing, except the 2 hacktool files on the 2nd HDD. As far as deleting them goes -- poof.. I renamed them and deleted them through Windows Explorer. Re-ran Norton and they are truly gone as well.

Have I been lured into a false sense of security?

I'm going to run the trojan removal tools Dan/Lobo recommend above.. just in case..

I'm more confused than ever..
(although happy the computer is now cooperating)..
Dare I try connecting it to the LAN?
Right now it's connected only to the wireless network that connects it to the DSL.

I'll post again after I run the trojan removal tools.

Assisted Solution

DanGilbertTX earned 140 total points
ID: 12201410
I would still recommend blowing it away and reinstalling. That is the ONLY sure way to know it is clean. If you really don't want to do that then you might try installing a 2nd AV software (McAfee for instance) and Anti-Spyware software (PestPatrol or SpySweeper) and run thorough scans on the machine. If both AV software packages and the Spyware packages come up clean then you might be ok. Either way, I would like to know how it goes for you. Thanks for the update.

Author Comment

ID: 12203036
Well, I've decided to just wait a couple weeks and see what happens. I can always blow away the drive and since things are working now.. I can wait until the store closes and then do what I have to.  Thanks to everyone for all of their help!

PS -- Trend Micro's Housecall and the TR Software both came up clean. -- go figure.

