Unusual behavior by Avira after trojan detection

Hi! I’ve been looking over a lot of threads in this forum, and they have been very helpful–this seems like a terrific forum! I recently had a scary brush with some trojans and would greatly appreciate any help that y’all could provide.

Yesterday, I accidentally opened a malicious .exe file–which spawned at least two trojans that my antivirus (Avira AntiVir) notified me about. Regrettably, by accident, I clicked “Allow” (see below)–thinking I was allowing my antivirus to take care of them, when instead I was allowing the trojans access to my computer…

Virus or unwanted program ‘TR/Downloader.Gen [trojan]’
detected in file 'C:\Windows\SysWOW64\eventcrreate.exe.
Action performed: Allow access
Date/Time: 4/4/2010, 7:56:16 PM

Virus or unwanted program ‘TR/Downloader.Gen [trojan]’
detected in file 'C:\Windows\SysWOW64\rdrleakkdiag.exe.
Action performed: Allow access
Date/Time: 4/4/2010, 7:56:16 PM

I caught my mistake, though, and immediately had Avira run a scan, which re-detected them; however, Avira ran into problems trying to quarantine them:

The file ‘C:\Windows\SysWOW64\rdrleakkdiag.exe’
contained a virus or unwanted program ‘TR/Downloader.Gen’ [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
The file could not be copied to quarantine!
The driver could not be initialized.
The file could not be selected for deletion after the restart. Possible cause: Access is denied.
Date/Time: 4/4/2010, 7:57:07 PM

The file ‘C:\Windows\SysWOW64\eventcrreate.exe’
contained a virus or unwanted program ‘TR/Downloader.Gen’ [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
Access to the rootkit scan was denied.
The file could not be selected for deletion after the restart. Possible cause: Access is denied.
Date/Time: 4/4/2010, 7:57:07 PM

After finishing the scan with these two error messages indicating that the file could not be selected for deletion after restarting, Avira (still?) gave me a message about needing to restart to quarantine the trojans. So, I clicked “Yes” to restart, and after that, I restarted again into Safe Mode and ran a full system scan with Avira, which came up with nothing:

Scan ended [The scan has been done completely.].
Number of files: 782724
Number of folders: 32307
Number of malware: 0
Number of errors: 0
Date/Time: 4/4/2010, 9:41:43 PM

Wondering what happened to the two trojans, I looked in Avira’s quarantine, and -what do you know- there they were! A couple hours later, at 11:24:20 PM, I also completed a scan using Spybot - Search & Destroy, which detected a Fraud.Sysguard malware in my registry (this is the first time in a long time that Spybot has detected anything other than tracking cookies, so I’m thinking that this is connected in some way?).

Since then, I’ve run another full scan using Avira AntiVir, run more Spybot scans, installed COMODO Firewall, run a Windows Defender scan, and a Hitman Pro scan… They haven’t turned up anything.

So, anyways, this is the first time a trojan has gotten this far on my poor new computer, and I’m feeling kinda paranoid–my question is: am I safe now? Secondly, if the trojans are safely quarantined now, for the period of time that they were allowed access in my computer, should I worry about changing the passwords I have saved in Firefox for various websites (like my e-mail, ebay, amazon), etc.?

That is strange, and because of this I have no confidence that your system is now clean. These trojans may have hidden some malicious units on your computer. Probably that is why recent scans did not reveal anything. Nevertheless, you may try to scan with CureIt. In the past it detected malware for me that other on-demand scanners did not detect (not advertising, solely my own experience of using it).

...if the trojans [b]are[/b] safely quarantined now, for the period of time that they were allowed access in my computer, should I worry about changing the passwords I have saved in Firefox for various websites (like my e-mail, ebay, amazon), etc.?
The main concern would be if the trojans damaged the system in one way or another (NOT leaving something malicious on the system) and/or if the trojans have successfully done their job (left something malicious on the system) and "died a natural death".

In such cases I usually reinstall systems, because I don’t have enough knowledge to fix (severe) damage to the system and/or make completely sure there is nothing malicious hidden “deep inside” the system.

Other than that, I don’t have anything (useful) to say.

Thanks so much for the reply, but booo–essentially, you’re saying that I can’t really sleep easy, with confidence that my computer is secure, unless I format and reinstall, yeah?

:frowning:

I don’t know if you’ve already read this but I think this guide should be useful:
What You Need To Know About Removing Infections and Securing Your Computer

If you’re paranoid you can scan with each program in the basic programs section and I would especially suggest you scan with GMER. If none of these find anything else then I believe you can finally sleep easily with complete confidence that your computer might not be infected. ;D

Oie, haha, okay. So, you’re saying that I should do scans using the programs listed below, plus GMER?

Comodo Cloud Scanner
Hitman Pro
A-Squared Free
Malwarebytes Anti-Malware
SuperAntiSpyware Free Edition

Also, should I run them in normal or Safe Mode?

Yep. You did say you wanted to be sure.

I think it might be a better idea to run them in safe mode, but I’m not sure.

Also, don’t forget to watch out for false positives.