Solved

How do I remove a virus that has blocked IE and will not allow off-site AV Scans?

Posted on 2004-09-25 | 193 Views | Last Modified: 2010-04-12
I have been working on this forum trying to troubleshoot my machine. From information I have learned here I went off site on the infected machine to trendmicro. The scan found DOS.AGOBOT.GEN -- I deleted it. Was able to then access my Norton LiveUpdate.. which I did. Then it prompted me to reboot -- what was I thinking.. but I did.

Now I can't even access any website on the internet.

I did look into the hosts file but it is empty.

It doesn't seem to be letting me do anything else. I'm running WIN2K on a 2-computer network that I disconnected the minute I found the virus. The machine is functional except that it is slow and won't let me update. I've also sent e-mails that contain viruses from this machine unbeknownst to me.. until now.

Help!
Question by:theentwives

19 Comments
 
LVL 3

Assisted Solution

by:DanGilbertTX
DanGilbertTX earned 140 total points
ID: 12151809
While you could clean it, I would highly, highly recommend wiping the machine and installing a clean OS.

If you really want to clean this then I would suggest downloading an AV program (your choice) and burn it to a CD and then install it on the infected machine. I would still advise you to install a clean copy. That is the most surefire way to get rid of a virus.
0
 

Author Comment

by:theentwives
ID: 12151881
Thank you for the quick response.  

I already am running Norton AV and have it on CD -- though am thinking of switching since it failed to catch this virus and it seems this one was well versed in how to make it think it wasn't there.   Is this something that will survive the f-disk? Will this infect my data files? This is the server machine on my network and holds all my data for my business. It also acts as my cash register. Would waiting a few weeks hurt anything or does it just affect executable files? We close for the season in a few weeks and if I can put it off until then it would be nice.

Oh.. if I send an e-mail from this machine will it contain the virus?

Thanks!
0
 
LVL 3

Assisted Solution

by:DanGilbertTX
DanGilbertTX earned 140 total points
ID: 12152067
Ok, I will answer your questions in order:

Fdisk - If you do fdisk /mbr a few times it probably won't. Then format the drive.

Data files - Most viruses only attack executable files. Some attack Word files. Unfortunately I couldn't find your specific virus or that isn't the right name for it. Otherwise I would tell you what it attacks.

Waiting a few weeks - Yes, it will seriously hurt things if you connect it back up to the network. You never, EVER connect an infected machine back up to the network. If the infected machine has a CD burner in it you could burn all your data to disk and then format and reinstall. You could also use an external hard drive to hold all the data. Do NOT connect it back to the network though. Bad idea.

Email from infected machine - It may or may not contain the virus. It really depends on the virus that has infected the machine and what it does.


My advice still stands. You really need to blow that machine away (after getting your data off of it) and load a fresh OS and AV software on it. Then reinstall your programs and import your data back in. If you aren't comfortable doing this then you might find a computer service company that does these sorts of things. It probably won't be cheap, but how expensive would it be to lose your data? Anyway, that is just my advice.
0
 
LVL 49

Expert Comment

by:sunray_2003
ID: 12152179
Is going to websites the ONLY problem you have got in the machine ?

What error message do you get going to websites ?

Can you check emails using an email client and connect to Yahoo and MSN Messenger? This is to check that you have internet access and only websites are the issue.

Try running this fix to see if it would help solve the issue
http://www.spychecker.com/program/winsockxpfix.html  -- Should work for Windows 2000 as well.

Post back how it goes

0
 

Author Comment

by:theentwives
ID: 12152368
Dan:  I'm definitely comfortable scrapping the machine.. i've done it several times as I've had several viruses in the last 2 years.

I'm not going to connect it back up to the network.. that's insane.  This machine will run my business software as a stand alone -- I guess I should have been more specific.. will running it as a stand alone grind it to a halt in the next 2 weeks if I do NOT reboot it?  (unless of course the power goes off).. I'm a leave-the-machines on kinda gal.

I'm going to try to burn it to cd but the cd burner in this machine is finicky and i've been putting off replacing it since I can just backup my data to the other machine on the network if necessary. That's why I asked about e-mailing the data files to my other machine.

Sunray -- the error message on IE is:  The page cannot be displayed.  However.. in the address line.. it changes to http://auto.search.msn.com/response.asp?MT=www.tomcoyote.org/hjt&srch=5&prov=gogl&utf8.   -- I've been hijacked haven't I?

Yes, I can check e-mails (outlook express). I also have Ad Aware Pro, but am running the freeware on the infected machine..I just downloaded it and haven't installed it on the entire network yet.  will that do the same as spychecker?

Also -- This machine has 2 hard drives in it -- I have 2 files that keep coming up on Norton as containing hacktool.hidewindow  They will not delete or quarantine.. so I sent them to the 2nd harddrive as there is practically nothing on it and I didn't want them to further screw things up on the C: drive.  I probably should have scrapped the machine when I found those. They are related to the msdtc.exe running in the task manager... but I was able to isolate the hacktool files and quarantine them on the 2nd hard drive. Probably didn't do any good, huh?

Unfortunately, I'm just the "by necessity" IT gal in my own small business. Learning every day.. but still a long way to go. I guess i know enough to get myself into some real trouble..lol

Thanks for the help.

OH -- one more question.. Whats up with Norton that I have all these problems? Should I switch to a less known-- i.e. less targeted AV software?

I'm doing the spychecker now.. just for kicks and will post results when I can.
0
 
LVL 3

Assisted Solution

by:DanGilbertTX
DanGilbertTX earned 140 total points
ID: 12152453
If you have 2 hard drives in it then I would suggest moving your data files to the 2nd hard drive when you format and reinstall on the primary hard drive. If you can, run fdisk /mbr a couple of times from a DOS/Win9x boot disk before reinstalling and that should take care of anything in the Master Boot Record.

As for running for the next 2 weeks as a stand-alone, the answer is a very definitive "maybe". It may work or it may not. You really can't tell when it comes to viruses. If you know what all your machine was infected with then we could go through the virus databases out there and see what all they do and give a little better answer.

The error message you are getting may actually be spyware and not a virus. I have actually had something similar where IE's autosearch would send me to a random page instead of returning search results. Not sure how to fix that since I just blew the machine away. Sorry.

As for Norton, I really don't like it. It was good until Symantec bought them. I think it has gone downhill from there. Same for McAfee since they were bought by Network Associates. That said, I think McAfee is the better of the two at the moment and I would probably go with McAfee 8.x if I had a choice. I am assuming that you have a recent version of Norton and that it is up-to-date with the latest virus definitions.
0
 

Assisted Solution

by:Unicrom
Unicrom earned 100 total points
ID: 12152654
HI

Simple solution that i would do is get the HDD that has the virus on it and take it out of the machine, then get another machine that has a fully updated antivirus program on it ..

Plug the infected HDD into the secondary IDE port.. If this means unplugging CD-ROMs and such, this is not a problem; they can be plugged back in after..
A power connector will need to be plugged into the HDD as well.

Now boot the computer in SAFE MODE. To do this hit [F8] like every 2 seconds until a menu appears.

When the menu appears choose ....  Start computer in "SAFE MODE."

Once the computer is loaded, get the antivirus program to do a full virus scan on the infected HDD.

It will find and delete or quarantine the file.

JOB DONE

More likely so, as you have your HDD in another machine on its secondary port in "safe mode"  (nothing will load from your HDD to infect the other machine this way)

If this doesn’t work i have other ideas.  

Been removing viruses from a dozen HDD’s every day for like 3 years with one computer. So I personally find it to be the easiest way.


Good Luck
 
 P.S. would write some more (maybe wrote too much) but it's almost 1 AM and i am moving house and am sooo freaking tired :)

*HDD = Hard Disc Drive (Hard Drive)

Good Day

Unicrom
0
 

Author Comment

by:theentwives
ID: 12152919
Unicrom -- my 2nd machine is a laptop-- but -- I guess I could use my daughter's machine to do this. Hers also has the AdAware Pro on it.. fully updated so I could run that as well. I'll give it a try on Monday when the store's closed and see if it works..

Thanks!


0
 

Expert Comment

by:Unicrom
ID: 12153020
Good Luck
Let us know how it goes.
0
 
LVL 3

Accepted Solution

by:rmullins
rmullins earned 150 total points
ID: 12153078
If you want to update NAV but can't browse, there is an easier solution. FTP the NAV update file for the most current definitions and run it. It will update NAV and you don't need a web browser. This is the method I use to update my definition files daily (via a scheduled task).

Simple method is to ftp (via command line) the update file from Symantec (found in the stuff below). You can just run that .exe without the switches I am using to extract the files and it will update your defs.

Here are some batch files I use. All I have to do is call NAVGo.cmd: (you may need to slightly modify these files. Put them in C:\NavUpdate to reduce changes. You can view what was done in log.txt. Note: be careful of the text wrapping that occurs on this site when I copied and pasted the commands)

Navgo.cmd
============================
REM Run the update script from the folder this file lives in and append its output to the log
CALL "%~dp0NavUpdate.cmd" >> "%~dp0Log.txt"
============================

NavUpdate.cmd
============================
@ECHO OFF
ECHO --- Update on %date% @ %time% ---
@ECHO ON
REM Clear out the previous download and anything extracted last time
DEL /q C:\NAVUpdate\Expanded\*.*
DEL /q "C:\NAVUpdate\symcdefsi32.exe"
REM -n: no auto-login, -i: no per-file prompts, -s: run the commands in the script file
FTP -n -i -s:C:\NAVUpdate\NAVUpdateFTPGet.txt
REM Extract the definitions quietly into NAV's Incoming folder (run the .exe with no switches to let it install itself)
"C:\NAVUpdate\symcdefsi32.exe" /q /extract "C:\Program Files\Common Files\Symantec Shared\VirusDefs\Incoming\"
@ECHO --- Process Complete on %date% @ %time% ---
============================

NavUpdateFTPGet.txt
============================
open ftp.symantec.com
USER anonymous
nobody@spammer.com
cd public/english_us_canada/antivirus_definitions/norton_antivirus/static
lcd C:\NAVUpdate
bin
get symcdefsi32.exe
quit
============================

This ought to do it.
0
 

Author Comment

by:theentwives
ID: 12155329
RMULLINS:

I tried that today.. it works as far as running norton again will get me. It only finds the 2 mscmd.exe hacktool.hidewindow files that I have isolated on the secondary hdd.  Won't let me delete them (which is why I isolated them on the 2nd HDD) -- but still can't use explorer.

I can check e-mail with outlook express.

I can access the internet as ftp-style as indicated above.

Can anyone tell me how to delete those hacktool files?  I'd like to get them off the 2nd hard disk before I put all my datafiles on there and clean the c drive or take it out to run the av off the other machine as unicrom recommended.  But I can't do that till Monday.

Thanks.
0
 
LVL 17

Assisted Solution

by:Lobo042399
Lobo042399 earned 50 total points
ID: 12156470
Hi Theentwives,

If the trojan is not allowing you to log into any antivirus website, try logging into this place and download TrojanRemover. This tool is designed specifically to deal with trojans like Agobot. If it won't let you get to the website let us know and I'll download it and post it to my webspace for you.

http://www.simplysup.com/tremover/details.html

Good Vibes!

Lobo
0
 
LVL 3

Expert Comment

by:rmullins
ID: 12157463
First, regarding the files you wish to delete. Do you mean that NAV can't delete them?  Have you tried deleting them yourself (from command prompt or windows explorer)?  If you've tried to delete them manually and still can't, check for a running process with the name of those files (to see the processes, press ctrl-shift-esc to pull up task manager and look at the running processes; you can also start task manager by right clicking an empty space on the taskbar and selecting it). If you find it in the process list, end the process(es) and try to delete them again.

It's also possible that it could be running in one of the svchost.exe processes.  If that still doesn't work, provide more info....  Like what messages do you get when you try and delete them.

Next, the 'explorer' issue:
I assume you mean that you can't get to sites using Internet Explorer (IE)?  Explorer is the shell / file management tool, etc. That is very different from IE. I'll assume you mean IE.

Have you tried accessing other sites from your web browser, like google or experts-exchange?

Can you not visit any sites at all? or just not some of the virus mfg sites?  It is very possible that the virus added entries to your hosts file, causing the names of some sites to resolve to a loopback address (such as 127.0.0.1), meaning that your browser is simply asking your computer to provide the page rather than going out to the internet.  
You should check your hosts file (C:\Winnt\System32\Drivers\Etc\Hosts) to see if the virus put entries in there. You can safely remove all lines from here (unless you have specifically put some entries in the file). As an alternative, simply rename the file to something like hosts.old, restart, and then see if your system works properly.

I hate to state the obvious, but you do have the machine connected back to the network now, right (I mean to test your browser and such)? Your system needs to be able to access the DNS server you have in your IPConfig to resolve the names.

To help with troubleshooting, it's handy to turn off automatic searching in IE. To turn off automatic IE searching, open browser and goto Tools->Options->Advanced Tab and select the radio button 'Do not search from the address bar'.

To make sure that your system is resolving addresses correctly, we can use NSLookup (it is likely that this is fine since you are able to get e-mail). If you are still having problems with your browser after doing what I stated, go to a command prompt and type 'nslookup www.google.com' and post the results back here (along with the message(s) in your browser when you go to 'http://www.google.com') and I'll help you.
0
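The hosts-file check rmullins describes above can be scripted rather than eyeballed. The following is an added example, not code from this thread or from any of the participants: it parses hosts-file text, flags two patterns that fit an AV-blocking infection (a security vendor's name pinned to any address, or any non-localhost name sent to a loopback address), and rebuilds the file with only the flagged lines dropped, which keeps legitimate entries the administrator added. The vendor list and the sample hosts content are constructed assumptions built from the sites named in this thread.

```python
import ipaddress

# Vendor domains an Agobot-style infection commonly pins in the hosts file so
# the machine cannot reach updates. Assumption: this list is illustrative,
# built from the sites named in the thread; extend it for your environment.
SECURITY_VENDOR_SUFFIXES = (
    "symantec.com",
    "trendmicro.com",
    "mcafee.com",
    "safer-networking.org",
    "simplysup.com",
    "pestpatrol.com",
)

# Names that legitimately map to loopback in a stock hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample of a tampered hosts file (not taken from the thread).
SAMPLE_HOSTS = (
    "# hosts file from the infected machine (constructed sample)\n"
    "127.0.0.1       localhost\n"
    "::1             localhost\n"
    "127.0.0.1 securityresponse.symantec.com\n"
    "127.0.0.1 www.trendmicro.com liveupdate.symantec.com\n"
    "127.0.0.1 www.google.com   # not a vendor, but still hijacked\n"
    "0.0.0.0   update.symantec.com\n"
)


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; a line with
    several hostnames yields one tuple per name.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed: an address with no name
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()


def find_suspicious_entries(text):
    """Return (line_number, hostname, ip, reason) for entries that look like
    an update-blocking hijack."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append((lineno, name, ip, "unparseable address"))
            continue
        is_vendor = any(name == s or name.endswith("." + s)
                        for s in SECURITY_VENDOR_SUFFIXES)
        if is_vendor:
            findings.append((lineno, name, ip, "security vendor pinned in hosts file"))
        elif addr.is_loopback and name not in LEGIT_LOOPBACK_NAMES:
            findings.append((lineno, name, ip, "non-localhost name mapped to loopback"))
    return findings


def clean_hosts(text):
    """Return the hosts text with every flagged line removed; comments and
    legitimate mappings survive, unlike renaming the whole file."""
    bad_lines = {f[0] for f in find_suspicious_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), start=1)
            if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for lineno, name, ip, reason in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}  ({reason})")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

On the real machine you would read C:\Winnt\System32\Drivers\Etc\Hosts into `text`, review the findings before writing anything back, and keep a copy of the original, since a misclassified line can only be restored from it. Note that the asker's hosts file was empty, so this check rules the mechanism out rather than confirming it; the address-bar redirect to auto.search.msn.com described earlier in the thread points at a browser hijack instead.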
 
LVL 23

Assisted Solution

by:DanCh99
DanCh99 earned 60 total points
ID: 12161905
If you start your machine in **Safe Mode**, you should be able to find these files and delete them.  Once deleted, you can even create FOLDERS in the SAME location as the files, with the same name.  Then, when the pc starts up, any virus process that tries to recreate them will fail, as the OS won't let it create a file with the same name as that folder.  This works as long as the virus doesn't use random file names........

mscmd.exe seems linked to the Delsha virus - removal info here:
http://www.pestpatrol.com/pestinfo/t/trojan_win32_delsha.asp

hacktool.hidewindow seems to be a trojan that lets others onto your pc:
http://securityresponse.symantec.com/avcenter/venc/data/hacktool.hidewindow.html

msconfig can be handy to stop processes running too.

I had a win 98 pc recently with a similar issue, but it was the MyDoom virus, plus Swen, plus CoolWWWSearch spyware that were the cause.  Once I got rid of each of them, w98 was totally shot - wouldn't launch any apps at all, but I reinstalled it over the top, and it was then fine, with all my data and apps intact.  

0
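DanCh99's placeholder trick above (delete the dropped file, then create a folder with the same name so the file cannot be recreated) can be demonstrated without touching a real system. The block below is an added example, not code from this thread: it stages a throwaway file named mscmd.exe in a temporary directory, applies the technique, and shows that a simulated rewrite succeeds before the folder is in place and fails after it. The file contents and the temporary location are constructed; only the filename comes from the thread.

```python
import os
import tempfile


def block_file_recreation(path):
    """Remove the dropped file at `path` and leave an empty directory of the
    same name, so a later attempt to write that exact filename fails.

    The caveat from the thread applies: this only helps when the malware
    reuses a fixed name, and it does nothing about a process already running.
    """
    if os.path.isdir(path):
        return  # already blocked
    if os.path.exists(path):
        os.remove(path)
    os.mkdir(path)


def try_recreate(path, payload=b"stand-in payload"):
    """Simulate a dropper rewriting its file; True if the write succeeded."""
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
        return True
    except OSError:  # IsADirectoryError on POSIX, PermissionError on Windows
        return False


def demo():
    """Apply the technique to a constructed file and report
    (recreated_before_block, recreated_after_block, placeholder_is_dir)."""
    with tempfile.TemporaryDirectory() as scratch:
        # Filename from the thread; the file itself is a constructed stand-in.
        target = os.path.join(scratch, "mscmd.exe")
        with open(target, "wb") as fh:
            fh.write(b"constructed stand-in for the dropped file")
        before = try_recreate(target)
        block_file_recreation(target)
        after = try_recreate(target)
        return before, after, os.path.isdir(target)


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

On the infected machine the equivalent is done in Safe Mode from Windows Explorer or a command prompt, after the matching process has been ended as rmullins describes; a directory placeholder does not survive a reformat, which is why the other answers still favour a clean reinstall.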
 
LVL 23

Assisted Solution

by:DanCh99
DanCh99 earned 60 total points
ID: 12161949
and SpyBot came in handy too - free!
http://www.safer-networking.org/en/mirrors/index.html

cwshredder was needed to get rid of CoolWWWsearch, if that helps.
0
 
LVL 23

Assisted Solution

by:DanCh99
DanCh99 earned 60 total points
ID: 12161970
and finally, you can get norton updates downloaded so that you can fit them onto a floppy or cd and then move them to the dodgy machine

http://www.symantec.com/avcenter/download/pages/US-N95.html
0
 

Author Comment

by:theentwives
ID: 12200726
Hello Everyone!

Thanks so much for all of your help on this issue. The plot has taken a twist, however.

Over this week, we had a power failure and the computer restarted.  Voila... it's like nothing was ever wrong. IE is working fine.. I updated Norton (more than once) -- Have scanned it and Norton finds nothing, except the 2 hacktool files on the 2nd Hdd.  As far as deleting them goes -- poof.. I renamed them and deleted them through windows explorer. Re-ran norton and they are truly gone as well.

Have I been lured into a false sense of security?

I'm going to run the trojan removal tools Dan/Lobo recommend above.. just in case..

I'm more confused than ever..
(although happy the computer is now cooperating)..
Dare I try connecting it to the LAN?
Right now it's connected only to the wireless network that connects it to the DSL.

I'll post again after I run the trojan removal tools.
0
 
LVL 3

Assisted Solution

by:DanGilbertTX
DanGilbertTX earned 140 total points
ID: 12201410
I would still recommend blowing it away and reinstalling. That is the ONLY sure way to know it is clean. If you really don't want to do that then you might try installing a 2nd AV software (McAfee for instance) and Anti-Spyware software (PestPatrol or SpySweeper) and run thorough scans on the machine. If both AV software packages and the Spyware packages come up clean then you might be ok. Either way, I would like to know how it goes for you. Thanks for the update.
0
 

Author Comment

by:theentwives
ID: 12203036
Well, I've decided to just wait a couple weeks and see what happens. I can always blow away the drive and since things are working now.. I can wait until the store closes and then do what I have to.  Thanks to everyone for all of their help!

PS -- Trend Micro's Housecall and the TR Software both came up clean. -- go figure.

0
