oh no!! trojan attack that won't leave me alone!

Discussion in 'Malware Help (A Specialist Will Reply)' started by runningcart, Jun 30, 2010.

  1. runningcart

    runningcart Corporal

    ok, so I've done the 'read me' thread and the 'xp cleaning procedure' (I'm new to this site/removing malware) and now what do I do?

    (rewind): I came to the site because I have a trojan virus. It came via (mum's) email and so managed to open up without detection - the email automatically downloaded it without giving the option not to. It has since stopped access to that username's Outlook account, though emails can still be received by Outlook Express as this does not seem to be affected. All other users have access to their normal Outlook.

    HOWEVER, after disabling our access to this, we tried the solution centre on Microsoft's own website. This did not work, and the virus spread to the Internet Explorer of my own username. At first, it would not let me use Google - the site would say it was 'awaiting reply' and flicker between 'connecting' and 'www.google.com'. I was only able to access the internet because I had it set up to open 2 tabs to begin with (the second being Facebook). After about 5/6 times using the internet in this way, it decided I would not be allowed to do this :'( so I went through another (the 1st) username and used the internet to reach the Microsoft solution centre even though it had failed before. I can now access the internet using the 'no add-ons' system tool :D

    Prior to finding the site:
    we have tried MBAM - first run after email disaster = 27 infections, 3 of which were trojans :O Did the quarantine and remove action, but unfortunately I removed the log (sorry!!)
    - second run after the internet fell apart today = 4 infections, 1 of which was a trojan :( Did the quarantine and remove action, still have the log (attached: log1.txt). I ran again immediately after to check my handiwork = no infections (attached log2.txt) :)

    Have also run 'Spybot S&D' and 'STOPzilla' before finding your site...

    Your process of removal:
    SAS: 8 infections=
    3 Trojan.Agent/Gen < I'm guessing this is the more relevant outcome
    5 adware tracking cookies

    MBAM: 1 object infected: Trojan.vundo (attached log3.txt)

    Combofix: we couldn't remove AVG Free, so just ran it anyway (the PC was screwed as it was, more damage couldn't really make it worse, we thought)
    Also ran RootRepeal, not really sure how that worked, I didn't really understand the program, but tried to follow your instructions. It said 'done' at the end and I didn't know what to do from there so I closed it (will run again if you want me to try).

    What I know about the system: operating system - Windows XP 32 bit
    IE 8, Windows 2007. Before process: less than 500 MB free space. After: 2GB

    Thank you so much so far; I hope you can fully solve these questions for me:

    1. After we deleted the trojans the 1st time, why do we keep getting more back?
    2. How do we get rid of them good and proper?
    3. How can I regain my internet access? (with add-ons - I already tried reinstalling)
    4. What do we do about the email account it came in through, as we still cannot reach Outlook on this username? It seems extremely likely that the email containing the trojan has not gone away, and will reopen if we regain access. The error box suggests reinstalling Outlook, but we have not tried this yet; do you think this would work?
    5. Will our laptop be ok? We have a wireless internet connection and don't know whether the virus will spread via this, but there seem to be no problems there yet.

    I will add the other attachments (Combofix, SAS and RR - not sure if I made one for RR but will have a look in the application data files and find out) in the morning :zzz If you need any other info, I will try to help, but can't guarantee I'll know what you're on about
    Thanks again, Alice
     
    Last edited: Oct 7, 2010
  2. runningcart

    runningcart Corporal

    the other logs...
     
    Last edited: Oct 7, 2010
  3. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The logs from that user account are clean. But you should not be allowing all users to have Admin. privileges!! Once malware comes on your system in an Admin. account, it is able to spread itself to all the other user accounts.

    As to your email issues, this is a general guide for dealing with that:
     
  4. runningcart

    runningcart Corporal

    Thank you very much for your reply Tim, but unfortunately, I am none the wiser :'(

    Does this mean I should run the virus checkers on other user accounts, or that we don't actually have a virus? And btw, it's quite creepy that you were able to work that out :confused

    About the email bit, which email folder? If it relies on being able to access the email program (Outlook), how would you do it, because we cannot load Outlook on the username where the email came through; we keep getting error messages ('cannot start Microsoft Office Outlook. Cannot open the Outlook window'). Regarding the 'email folder': not sure what you mean, but I'm 99% certain the message is in the 'delete' folder as it got moved out of the inbox.

    Thank you again xx
    Alice
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Yes, it would be a good idea to run the scans (SAS and MBAM) on each of the other user accounts.
    Attach any user account logs that show infections.

    As to your inability to access Office Outlook, you may need to post in the software forum for that issue. Your other choice would be to uninstall Office and then, after running CCleaner, reinstall it. Can you access it if you are in safe mode?
     
  6. runningcart

    runningcart Corporal

  7. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It would be a good idea to export your contacts and save your emails in each user account before uninstalling Office.
     
  8. runningcart

    runningcart Corporal

    Logs from the other users...

    Not surprised there's nothing in the top 2 logs as this user account hasn't been used for months. The bottom 2 were the account where the virus originally came in; the MBAM log is from the first time we ran it (the one I thought I deleted the log for), SAS from today. The MBAM log from today for this account is copied below so I don't have to post 3 messages tonight.

    -------------------------------------------------------
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    03/07/2010 18:41:36
    mbam-log-2010-07-03 (18-41-36).txt

    Scan type: Quick scan
    Objects scanned: 170899
    Time elapsed: 9 minute(s), 24 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
    Last edited: Oct 7, 2010
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    It looks like that cleaned it up. Other than Office issues, what other malware issues are you having?

    As to Office Outlook, as I suggested, export the contacts and any emails you wish to save from the other user accounts and try reinstalling Office.
     
  10. runningcart

    runningcart Corporal

    More logs!!
    Top 2: my brother, the person I thought would be most likely to contract the virus as he uses the internet and downloads the most cr*p (usually), was surprised at the results.
    Bottom 2: MBAM and SAS from my sister, evidently it's been to her area. I also found a random MBAM log here from 2008 which I assume is irrelevant.

    Regarding the emails, I'm busy tomorrow so if I don't have a reply on the other thread on Monday I'll back up the contacts and emails from users and uninstall Outlook

    Thank you :)

    Alice
     
    Last edited: Oct 7, 2010
  11. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Most of what was found was benign adware crap. I recommend that you keep both SAS and MBAM updated and use them on a fairly regular basis. And also that you designate one user to have Admin. privileges and set the rest to limited accounts.

    If you are not having any other malware problems, it is time to do our final steps:

    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real time protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.

    3. Go back to step 6 of the READ ME and re-enable your Disk Emulation software with Defogger if you had disabled it.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Win 7, Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 7 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.

    10. After doing the above, you should work through the below link:

     
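    One way to check the "one Admin, everyone else limited" advice above on a current Windows machine (an added example, not code from the thread or from MajorGeeks): it lists every member of the local Administrators group, keeps one designated account (the name `ParentAdmin` is an assumption) plus the built-in Administrator, and shows with `-WhatIf` which accounts would be demoted to limited users. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); on the XP machine in the thread, `net localgroup Administrators` lists the same membership.

```powershell
# Added example: audit the local Administrators group so that only one
# designated account (plus the built-in Administrator) keeps admin rights.
# Requires the Microsoft.PowerShell.LocalAccounts module; run elevated.
param(
    # The one account allowed to stay an administrator (assumed name).
    [string]$DesignatedAdmin = 'ParentAdmin'
)

# Every member of the group: local users, local groups, and domain principals.
$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $isLocalUser = ($m.ObjectClass -eq 'User') -and ($m.PrincipalSource -eq 'Local')
    $shortName   = ($m.Name -split '\\')[-1]           # strip "COMPUTER\"
    # The built-in Administrator account always has relative ID 500.
    $isBuiltin   = $isLocalUser -and ($m.SID.Value -like 'S-1-5-21-*-500')

    $action = 'demote to limited user'
    if (-not $isLocalUser)                 { $action = 'review (not a local user)' }
    elseif ($isBuiltin)                    { $action = 'keep (built-in Administrator)' }
    elseif ($shortName -eq $DesignatedAdmin) { $action = 'keep (designated admin)' }

    [pscustomobject]@{
        Account = $m.Name
        Type    = $m.ObjectClass
        Source  = $m.PrincipalSource
        Action  = $action
    }
}

$report | Format-Table -AutoSize

# Demote everyone flagged above. -WhatIf only previews the change; drop it once
# the list looks right. Removing a user from Administrators turns it into a
# standard (limited) account; the account and its profile stay intact.
$report | Where-Object Action -eq 'demote to limited user' | ForEach-Object {
    Remove-LocalGroupMember -Group 'Administrators' -Member $_.Account -WhatIf
}
```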
  12. runningcart

    runningcart Corporal

    :) Have run through the final steps and found we already had a couple of the protection methods in place. Have also designated everyone to limited accounts apart from the account that generally isn't used. This account is now also password protected to reduce temptation from other users to switch their own accounts back to administrator :-D That'll annoy my bro I bet lol.

    Do I need to post in software or somewhere else about not being able to use IE with add-ons, or can you help with that as well?

    As to malware, I think it's sorted :) Thank you so much for your help :-D

    Alice
     
  13. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome. I would suggest you post in software about IE. You can always first try uninstalling it, running CCleaner and then reinstalling it. See if that helps you. ;)
     
