Unusual behavior by Avira after trojan detection

Discussion in 'other anti-virus software' started by channel_zero, Apr 6, 2010.

Thread Status:
Not open for further replies.
  1. channel_zero

    channel_zero Registered Member

    Joined:
    Mar 10, 2010
    Posts:
    4
    Hi! I've been looking over a lot of threads in this forum, and they have been very helpful--this seems like a terrific forum! I recently had a scary brush with some trojans and would greatly appreciate any help that y'all could provide.

    Yesterday, I accidentally opened a malicious .exe file--which spawned at least two trojans that my antivirus (Avira AntiVir) notified me about. Regrettably, by accident, I clicked "Allow" (see below)--thinking I was allowing my antivirus to take care of them, when instead I was allowing the trojans access to my computer...

    Virus or unwanted program 'TR/Downloader.Gen [trojan]'
    detected in file 'C:\Windows\SysWOW64\eventcrreate.exe.
    Action performed: Allow access
    Date/Time: 4/4/2010, 7:56:16 PM

    Virus or unwanted program 'TR/Downloader.Gen [trojan]'
    detected in file 'C:\Windows\SysWOW64\rdrleakkdiag.exe.
    Action performed: Allow access
    Date/Time: 4/4/2010, 7:56:16 PM


    I caught my mistake, though, and immediately had Avira run a scan, which re-detected them; however, Avira ran into problems trying to quarantine them:

    The file 'C:\Windows\SysWOW64\rdrleakkdiag.exe'
    contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26003.
    The file could not be deleted!
    Attempting to perform action using the ARK library.
    The file could not be copied to quarantine!
    The driver could not be initialized.
    The file could not be selected for deletion after the restart. Possible cause: Access is denied.
    Date/Time: 4/4/2010, 7:57:07 PM

    The file 'C:\Windows\SysWOW64\eventcrreate.exe'
    contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26003.
    The file could not be deleted!
    Attempting to perform action using the ARK library.
    Access to the rootkit scan was denied.
    The file could not be selected for deletion after the restart. Possible cause: Access is denied.
    Date/Time: 4/4/2010, 7:57:07 PM


    After finishing the scan with these two error messages indicating that the file could not be selected for deletion after restarting, Avira (still?) gave me a message about needing to restart to quarantine the trojans. So, I clicked "Yes" to restart, and after that, I restarted again into Safe Mode and ran a full system scan with Avira, which came up with nothing:

    Scan ended [The scan has been done completely.].
    Number of files: 782724
    Number of folders: 32307
    Number of malware: 0
    Number of errors: 0
    Date/Time: 4/4/2010, 9:41:43 PM


    Wondering what happened to the two trojans, I looked in Avira's quarantine, and -what do you know- there they were! A couple hours later, at 11:24:20 PM, I also completed a scan using Spybot - Search & Destroy, which detected a Fraud.Sysguard malware in my registry (this is the first time in a long time that Spybot has detected anything other than tracking cookies, so I'm thinking that this is connected in some way?).

    Since then, I've run another full scan using Avira AntiVir, run more Spybot scans, installed COMODO Firewall, run a Windows Defender scan, and a Hitman Pro scan... They haven't turned up anything.

    So, anyways, this is the first time a trojan has gotten this far on my poor new computer, and I'm feeling kinda paranoid--my question is: am I safe now? Why did Avira say it could not delete the file after restart, and then still told me to restart to remove them, and then the two trojans magically appeared in quarantine--is that fishy? Secondly, if the trojans are safely quarantined now, for the period of time that they were allowed access in my computer, should I worry about changing the passwords I have saved in Firefox for various websites (like my e-mail, ebay, amazon), etc.?
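An added example, not part of the thread: this Python snippet parses Avira AntiVir notifications in the two shapes quoted in the post above (the on-access popup with "Action performed", and the scanner result with "Action(s) taken") and lists files that were allowed to run but never confirmed removed, which is the follow-up question the post raises. The sample log is constructed from the quoted messages, and the blank-line-per-notification layout is an assumption.

```python
import re

# Constructed sample in the shape of the Avira notifications quoted in the post above.
SAMPLE_LOG = """\
Virus or unwanted program 'TR/Downloader.Gen [trojan]'
detected in file 'C:\\Windows\\SysWOW64\\eventcrreate.exe.
Action performed: Allow access
Date/Time: 4/4/2010, 7:56:16 PM

The file 'C:\\Windows\\SysWOW64\\eventcrreate.exe'
contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Attempting to perform action using the ARK library.
Access to the rootkit scan was denied.
The file could not be selected for deletion after the restart. Possible cause: Access is denied.
Date/Time: 4/4/2010, 7:57:07 PM
"""

PATH_RE = re.compile(r"'([A-Za-z]:\\[^'\n]*?)'?\.?\s*$", re.M)  # both quoting styles seen above
NAME_RE = re.compile(r"unwanted program '([^'\s]+)")
TIME_RE = re.compile(r"^Date/Time: (.+)$", re.M)
USER_RE = re.compile(r"^Action performed: (.+)$", re.M)
FAIL_WORDS = ("not deleted", "could not be", "denied", "ErrorID")

def parse_events(log):
    """One notification per blank-line-separated block -> list of dicts (assumed layout)."""
    events = []
    for block in re.split(r"\n\s*\n", log.strip()):
        path, name, ts = (r.search(block) for r in (PATH_RE, NAME_RE, TIME_RE))
        if not (path and name and ts):
            continue                      # not a detection block
        errors = [ln for ln in block.splitlines() if any(w in ln for w in FAIL_WORDS)]
        user = USER_RE.search(block)
        if user:                          # on-access popup: what the user chose
            action = user.group(1).strip()
        elif "Action(s) taken:" in block: # scanner result: did removal work?
            action = "quarantine failed" if errors else "quarantine ok"
        else:
            action = "unknown"
        events.append({"path": path.group(1), "detection": name.group(1),
                       "time": ts.group(1), "action": action, "errors": errors})
    return events

def needs_followup(events):
    """Paths that were allowed to run and never confirmed removed by the scanner."""
    allowed = {e["path"] for e in events if e["action"] == "Allow access"}
    removed = {e["path"] for e in events if e["action"] == "quarantine ok"}
    return sorted(allowed - removed)
```

Anything returned by needs_followup is a file that executed with access granted and has no successful removal on record, so it should be checked by another means (a boot CD scan or the quarantine list) before the machine is considered clean.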
     
  2. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,188
    Location:
    USA
    I'd recommend downloading MBAM and running that in safe mode as well just to double check. In my experience it has top notch detection, so whatever Spybot has missed MBAM will surely pick up on.
     
  3. 0strodamus

    0strodamus Registered Member

    Joined:
    Aug 23, 2009
    Posts:
    1,047
    Location:
    United Surveillance States
    I would highly recommend using a boot CD to scan your system with. Your AV of choice offers one here. Of course, you should burn the CD from a clean system. Good luck!

    EDIT: Another is Dr. Web LiveCD. I haven't tried this one myself, but am going to as soon as the download is done! ;)
     
    Last edited: Apr 8, 2010