Suspected Outlook Address Book Hijack

Discussion in 'Malware Help (A Specialist Will Reply)' started by annmte, Jun 11, 2005.

  1. annmte

    annmte Private E-2

    Hi, I'm new so please be gentle. ;-)

    I have found your site to be very very helpful so far. I am a Mac user, but my kids have a Dell running Microsoft 2000, which seems to have become more and more infected. I've followed all of your advice that I can (for some reason, I was unable to disable System Restore - I tried to follow your advice, and there was no "performance tab" where you said it should be ...).

    I've downloaded AVG, Zone Alarm, Microsoft Anti-Spyware, Spyware Blaster, Spybot S+D, Ad-aware SE Personal, CCleaner, AVERT Stinger, CWShredder, Kill2Me, HSRemove, about:BUSTER. I did an online scan at Trend Micro and ran Stinger in Safe mode.

    The pop-ups seem to be gone - THANK YOU!!! However, I'm still having two major problems:

    1: my daughter's e-mail address isn't working. When I send her an e-mail, she doesn't get it and I get back an error from Mailer Daemon that says "the following addresses failed:" and lists an address from my daughter's address book (which she has now deleted). Other of her friends have said they have been getting her mail too ...

    2: occasionally I get a screen that says it is trying to configure Microsoft Office 2000. It tries, then stops almost at the end and says "The feature you are trying to use is on a CD-Rom or other removable disk that is not available."

    I have also downloaded Hijack This! and can give you my log if it would help.

    Thanks in advance ...

    Ann
     
  2. annmte

    annmte Private E-2

    Hi, I've realized something since my first post.

    My second problem occurs when I do a search for files and folders from the start menu. First it says "Windows Installer" then "Configuring Microsoft Office 2000" - even if I click "cancel" it retries like 5 or 6 times.

    Hope that helps.

    Ann
     
  3. annmte

    annmte Private E-2

    Here is some more information that I've discovered since my last post, don't know if it's helpful, but thought I should include it:

    1) the Installer problem only occurs on one of the Users for this computer - the Administrator. It happens right after clicking on Search for Files and Folders - before you even enter something to search for.

    2) I've run Hijack This and submitted the log to your Hijack This Analysis link, a couple of things were found and fixed, but the problems I mentioned are still there.

    3) One of the Users on the system, "Megan" seemed to have the most problems, so we removed this user a week ago. However, I'm sure many of the files and folders associated with that user are still in the computer. This is the user for whom the Outlook Address Book was infected.

    4) I have downloaded AVG onto this computer, but it still has an outdated version of Norton on it. I see that I should probably delete it - how do I do that?

    5) Occasionally something pops up saying "Import Wizard" and asks if I want to import some things from Internet Explorer. I always click "don't import anything" - but what is this and can I get rid of it?

    Again, thanks in advance --

    Ann
     
  4. annmte

    annmte Private E-2

    I keep reading things on your site and then trying them, hopefully I didn't create any new problems. Clearly I am not a very patient person, sorry! I know you have more than enough people to help, and I will wait my turn. ;-)

    Here is what I've done since the last posting:

    1. Deleted Norton, using add/delete programs in the control panel (duh). However, at the end of the uninstall, Spybot came up saying it detected a System Startup Global Entry "value added" VcCleanup.exe. I wondered if this was part of CCleaner, but denied it anyway. What was it?

    2. Ran HijackThis again, this time had it reviewed by Help2Go. They recommended I remove two items, which I did:
    O4 - Global Startup:Microsoft Office.lnk = c:\program Files\Microsoft Office\Office\OSA9.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jrel.5.0_01\bin\jusched.exe

    I was hoping the first one might remove the "install office" problem but it didn't.

    I then followed the advice on Help2Go, which suggested I reboot and run Windows Update. When I rebooted (and this wasn't the first time I've seen this), ZoneAlert came up with three messages in a row as follows:
    - Task Scheduler Engine trying to act as a server, MSTask.exe
    - Generic Host Process for Win32 Services trying to act as a server, svchost.exe
    - Services and Controller App wants to accept connections from the internet, services.exe
    I disallowed all of them.

    Then Spybot said System Startup Global Entry "value deleted" DXDllRegExe. I didn't know what this was, I denied it.

    One of the Windows Updates was for the Windows Media Player. Mid-way through, it said there was an error and I would need to re-boot and re-install, but it continued to load up and seems fine. Under the privacy options for it, I unclicked everything about receiving things from the internet, just in case...

    After that, I rebooted again. Everything seems fine (other than those ZoneAlert and Spybot messages, which I continue to deny), but the Installer and Address Book problems continue ...

    Sorry I'm so long-winded, but I'm going on the assumption that there's no such thing as too much information.
     
  5. annmte

    annmte Private E-2

    Hi again,

    Over the past week, I've been continuing to try things to fix this computer. After not hearing anything from this site for over a week, I finally went to my "next to worst case" option (worst case being wiping the hard drive). Via Windows Explorer, I deleted all of the files belonging to the former user "Megan." This seemed to fix the problem of Windows Professional 2000 trying to Install on every search. I think we must have messed around with her files and deleted something important ... Phew!

    Then I went in to remove my daughter's earthlink e-mail address, only to find that she had turned the settings to "enable forwarding" to several of her friends' addresses!! Once we disabled that, she was able to get mail and her friends didn't get it. Doh!! :)

    So these problems didn't turn out to be virus-related after all!!

    Thank you for this website - it was very helpful getting rid of the many viruses we DID have, and hopefully we will now be protected from future infection.

    (PS, my problems with Zone Alert (another thread) just got worse and worse, so I ended up uninstalling it and installing Sygate instead. So far, so good).
     
