Is my system safe? Allowed trojans access... :( Please help!

Discussion in 'Malware Help (A Specialist Will Reply)' started by channel_zero, Apr 6, 2010.

  1. channel_zero

    channel_zero Private E-2

    Hi! I've been looking over a lot of threads in this forum, and they have been very helpful--this seems like a terrific forum! I recently had a scary brush with some trojans and would greatly appreciate any help that y'all could provide.

    Yesterday, I accidentally opened a malicious .exe file--which spawned at least two trojans that my antivirus (Avira AntiVir) notified me about. Regrettably, by accident, I clicked "Allow" (see below)--thinking I was allowing my antivirus to take care of them, when instead I was allowing the trojans access to my computer...

    Virus or unwanted program 'TR/Downloader.Gen [trojan]'
    detected in file 'C:\Windows\SysWOW64\eventcrreate.exe'.
    Action performed: Allow access
    Date/Time: 4/4/2010, 7:56:16 PM

    Virus or unwanted program 'TR/Downloader.Gen [trojan]'
    detected in file 'C:\Windows\SysWOW64\rdrleakkdiag.exe'.
    Action performed: Allow access
    Date/Time: 4/4/2010, 7:56:16 PM


    I caught my mistake, though, and immediately had Avira run a scan, which re-detected them; however, Avira ran into problems trying to quarantine them:

    The file 'C:\Windows\SysWOW64\rdrleakkdiag.exe'
    contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26003.
    The file could not be deleted!
    Attempting to perform action using the ARK library.
    The file could not be copied to quarantine!
    The driver could not be initialized.
    The file could not be selected for deletion after the restart. Possible cause: Access is denied.
    Date/Time: 4/4/2010, 7:57:07 PM

    The file 'C:\Windows\SysWOW64\eventcrreate.exe'
    contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
    Action(s) taken:
    An error has occurred and the file was not deleted. ErrorID: 26003.
    The file could not be deleted!
    Attempting to perform action using the ARK library.
    Access to the rootkit scan was denied.
    The file could not be selected for deletion after the restart. Possible cause: Access is denied.
    Date/Time: 4/4/2010, 7:57:07 PM


    After finishing the scan with these two error messages indicating that the file could not be selected for deletion after restarting, Avira (still?) gave me a message about needing to restart to quarantine the trojans. So, I clicked "Yes" to restart, and after that, I restarted again into Safe Mode and ran a full system scan with Avira, which came up with nothing:

    Scan ended [The scan has been done completely.].
    Number of files: 782724
    Number of folders: 32307
    Number of malware: 0
    Number of errors: 0
    Date/Time: 4/4/2010, 9:41:43 PM


    Wondering what happened to the two trojans, I looked in Avira's quarantine, and (what do you know) there they were! A couple hours later, at 11:24:20 PM, I also completed a scan using Spybot - Search & Destroy, which detected a Fraud.Sysguard malware in my registry (this is the first time in a long time that Spybot has detected anything other than tracking cookies, so I'm thinking that this is connected in some way?).

    Since then, I've run another full scan using Avira AntiVir, run more Spybot scans, installed COMODO Firewall, run a Windows Defender scan, and run a Hitman Pro scan... They haven't turned up anything.

    So, anyways, this is the first time a trojan has gotten this far on my poor new computer, and I'm feeling kinda paranoid--my question is: am I safe now? Secondly, if the trojans are safely quarantined now, for the period of time that they were allowed access in my computer, should I worry about changing the passwords I have saved in Firefox for various websites (like my e-mail, ebay, amazon), etc.?
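As an added example (not part of the original post and not Avira's own tooling): a small Python parser for notification and scan-log blocks in the format quoted above. It flags the two things that matter in them: detections that were answered with "Allow access", and detected files in System32/SysWOW64 whose names are a character or two off a genuine Windows binary (eventcrreate.exe against eventcreate.exe, rdrleakkdiag.exe against rdrleakdiag.exe). The allowlist of genuine names, the edit-distance threshold and the sample input are assumptions constructed for this example.

```python
"""Parse Avira AntiVir notification text of the kind quoted above and flag
(a) detections the user answered with "Allow access" and (b) detected files
in a Windows system directory whose name is a near-miss of a real binary.
Added example; the allowlist and sample input are constructed, not real data."""
import re
from dataclasses import dataclass

# Constructed sample: the notification and scan-log blocks from the post.
SAMPLE_LOG = """\
Virus or unwanted program 'TR/Downloader.Gen [trojan]'
detected in file 'C:\\Windows\\SysWOW64\\eventcrreate.exe'.
Action performed: Allow access
Date/Time: 4/4/2010, 7:56:16 PM

Virus or unwanted program 'TR/Downloader.Gen [trojan]'
detected in file 'C:\\Windows\\SysWOW64\\rdrleakkdiag.exe'.
Action performed: Allow access
Date/Time: 4/4/2010, 7:56:16 PM

The file 'C:\\Windows\\SysWOW64\\rdrleakkdiag.exe'
contained a virus or unwanted program 'TR/Downloader.Gen' [trojan]
Action(s) taken:
An error has occurred and the file was not deleted. ErrorID: 26003.
The file could not be deleted!
Date/Time: 4/4/2010, 7:57:07 PM
"""


@dataclass
class Detection:
    threat: str
    path: str
    action: str      # "Allow access", or the first line of "Action(s) taken"
    timestamp: str


# Real-time notification block: "Virus or unwanted program '...' detected in file '...'".
_NOTIFY = re.compile(
    r"Virus or unwanted program '(?P<threat>[^']+)'\s*"
    r"detected in file '(?P<path>[^']+)'\.?\s*"
    r"Action performed: (?P<action>[^\n]+)\s*"
    r"Date/Time: (?P<ts>[^\n]+)")
# On-demand scan block: "The file '...' contained a virus ... Action(s) taken: ...".
_SCAN = re.compile(
    r"The file '(?P<path>[^']+)'\s*"
    r"contained a virus or unwanted program '(?P<threat>[^']+)'[^\n]*\s*"
    r"Action\(s\) taken:\s*(?P<actions>.*?)\s*"
    r"Date/Time: (?P<ts>[^\n]+)", re.S)


def parse_avira(text):
    """Return Detection records in the order the blocks appear in the text."""
    hits = []
    for m in _NOTIFY.finditer(text):
        hits.append((m.start(), Detection(m["threat"], m["path"], m["action"].strip(), m["ts"].strip())))
    for m in _SCAN.finditer(text):
        first_action = (m["actions"].strip().splitlines() or [""])[0].strip()
        hits.append((m.start(), Detection(m["threat"], m["path"], first_action, m["ts"].strip())))
    return [d for _, d in sorted(hits, key=lambda h: h[0])]


# Assumed allowlist of genuine binaries found in System32 / SysWOW64; a real
# check would take this from a known-good installation or a vendor catalogue.
KNOWN_SYSTEM_BINARIES = {
    "eventcreate.exe", "rdrleakdiag.exe", "svchost.exe", "rundll32.exe",
    "explorer.exe", "lsass.exe", "csrss.exe", "cmd.exe",
}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")


def levenshtein(a, b):
    """Edit distance; inputs are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, known=KNOWN_SYSTEM_BINARIES, max_dist=2):
    """Name of the genuine binary `filename` imitates, or None. An exact match
    is not a lookalike; only near-misses within max_dist edits are reported."""
    name = filename.lower()
    if name in known:
        return None
    best = min(known, key=lambda k: levenshtein(name, k))
    return best if levenshtein(name, best) <= max_dist else None


def triage(detections):
    """Findings as (path, reason) pairs, de-duplicated, in first-seen order."""
    findings = []

    def note(path, reason):
        if (path, reason) not in findings:
            findings.append((path, reason))

    for d in detections:
        low = d.path.lower()
        if d.action.lower().startswith("allow"):
            note(d.path, "detection answered with Allow access; treat the host as compromised")
        if any(s in low for s in SYSTEM_DIRS):
            twin = lookalike_of(d.path.rsplit("\\", 1)[-1])
            if twin:
                note(d.path, f"filename mimics legitimate {twin}")
    return findings


if __name__ == "__main__":
    for path, reason in triage(parse_avira(SAMPLE_LOG)):
        print(f"{path}: {reason}")
```

Run against the sample, the triage returns four findings: both "Allow access" answers and both lookalike names. The lookalike check deliberately ignores exact allowlist matches, so a genuine `eventcreate.exe` produces nothing even when it sits next to a typosquatted one.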
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. channel_zero

    channel_zero Private E-2

    Hi again--I have just followed the "READ & RUN ME FIRST. Malware Removal Guide" steps that you posted above to a T. Attached to this post should be all the requested logs.

    I'll look forward to your response! Thank you so much for your time and consideration on this, I appreciate it so much--this has been quite nerve-wracking.
     

    Last edited by a moderator: Apr 7, 2010
  4. channel_zero

    channel_zero Private E-2

    I just noticed that one of the MG logs includes my network adapter's MAC address, and I feel uncomfortable with having that posted on the internet. I have attached a new MGlogs.zip file to this post, with the MAC address on the log in question "X"-ed out. Could the MGlogs.zip file please be removed from my previous post?

    I still, of course, look forward to your analysis and response about all the logs! Thank you so much again!
     

  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You need to read this:
    Warning about Porn, Keygens, Cracks, and other Illegal Software
    Trojan.Agent/Gen-FSG:
    C:\USERS\BEN\FROM THE EQUALIZER\PROGRAM INSTALLERS\NERO_BURNING_ROM_V6.6.0.13\KEYGEN.EXE

    Use windows explorer to find and delete:
    C:\Windows\tasks\At1.job
    C:\Windows\tasks\At2.job
    C:\Users\Ben\Local Settings\TEMP\6kWiVpo0.exe.part
    C:\Users\Ben\Local Settings\TEMP\A9R5531.tmp
    C:\Users\Ben\Local Settings\TEMP\RHn5e4Us.exe.part
    C:\Users\Ben\Local Settings\TEMP\uxlyqaow.sys

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Note: the space between combofix" and /uninstall must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures pointed to by step 6 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
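An added example, not part of the helper's post or of the MGtools package: a Python check for the cleanup list above. The six paths are copied from the reply; everything else is this example's own. It first rewrites XP-style profile folders to their Windows 7 locations (on Vista/7 "Local Settings" and "Application Data" survive only as hidden junctions into AppData, which is why Explorer reports "Access is denied" when you try to open them), then reports which artifacts still exist, and on Windows reads the EnableLUA registry value so you can confirm step 5 (re-enabling UAC) took effect. The junction table and the scratch-directory demo are assumptions constructed for the example.

```python
"""Post-cleanup check for the artifact list in the reply above. Written for
the Windows 7 profile in the thread; the path list is copied from the post,
the junction table and the UAC registry check are this example's additions."""
import sys
import tempfile
from pathlib import Path, PureWindowsPath

# The six paths the helper asked to delete, as posted.
CLEANUP_LIST = [
    r"C:\Windows\tasks\At1.job",
    r"C:\Windows\tasks\At2.job",
    r"C:\Users\Ben\Local Settings\TEMP\6kWiVpo0.exe.part",
    r"C:\Users\Ben\Local Settings\TEMP\A9R5531.tmp",
    r"C:\Users\Ben\Local Settings\TEMP\RHn5e4Us.exe.part",
    r"C:\Users\Ben\Local Settings\TEMP\uxlyqaow.sys",
]


def modernize(path):
    """Rewrite XP-era profile folders to their Vista/7 targets. On Vista/7
    'Local Settings' and 'Application Data' exist only as junctions that deny
    directory listing; the real folders live under AppData."""
    parts = list(PureWindowsPath(path).parts)
    if len(parts) > 3 and parts[1].lower() == "users":
        low = [p.lower() for p in parts[3:5]]
        if low[:2] == ["local settings", "application data"]:
            parts[3:5] = ["AppData", "Local"]
        elif low[:1] == ["local settings"]:
            parts[3:4] = ["AppData", "Local"]
        elif low[:1] == ["application data"]:
            parts[3:4] = ["AppData", "Roaming"]
    return str(PureWindowsPath(*parts))


def remaining(paths, root=None):
    """Normalise each path and return those that still exist. When `root` is
    given, the drive letter is replaced by that directory so the check can be
    exercised against a scratch copy of the layout (see demo_on_scratch)."""
    left = []
    for p in paths:
        fixed = modernize(p)
        wp = PureWindowsPath(fixed)
        fs = Path(root).joinpath(*wp.relative_to(wp.anchor).parts) if root else Path(fixed)
        if fs.exists():
            left.append(fixed)
    return left


def uac_enabled():
    """Read EnableLUA from the registry (Windows only); None elsewhere.
    Step 5 of the reply re-enables UAC, so this should come back True."""
    if sys.platform != "win32":
        return None
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System")
    value, _ = winreg.QueryValueEx(key, "EnableLUA")
    return value == 1


def demo_on_scratch():
    """Recreate two of the six artifacts under a temporary directory and
    report which entries of CLEANUP_LIST are still present. Constructed data;
    runs on any OS because the drive is remapped onto the scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in (("Windows", "tasks", "At1.job"),
                    ("Users", "Ben", "AppData", "Local", "TEMP", "uxlyqaow.sys")):
            f = Path(tmp).joinpath(*rel)
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(b"")
        return remaining(CLEANUP_LIST, root=tmp)


if __name__ == "__main__":
    for p in remaining(CLEANUP_LIST):
        print("still present:", p)
    print("UAC enabled:", uac_enabled())
```

On the real machine, run it as the profile owner after the cleanup; an empty "still present" list plus `UAC enabled: True` is the state the final steps aim for. The remapping in `remaining` exists only so the logic can be tested off the box.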
     
  6. channel_zero

    channel_zero Private E-2

    That's it!? Yay! Thank you so much for your time and response! :)

    Sorry about this--I did read that, and I don't go for any of that stuff. This was an old file from a friend's computer (i.e. "from The Equalizer") that I didn't even realize I had on my computer. It's gone now.

    I was able to delete these two job files, but...
    ...when I click on "Local Settings" (the folder has a little shortcut arrow in the corner) it says that the file is not accessible and that access is denied. Alternately, if I use the drop-down explorer tree that's on the left-hand side of Windows 7 explorer windows it gives me a different error (see attached screenshot). I get these same errors for other files there that have the little shortcut arrow in the corner of their icons (like the "Start Menu" one), too, by the way.
     

  7. channel_zero

    channel_zero Private E-2

    Okay, I found that the "Local Settings" shortcut points to C:/Users/Ben/AppData/Local, and the Temp folder with the remaining files to delete that you specified is there.

    I was able to delete all of them except A9R5531.tmp--there was no A9R5531.tmp in the folder. There is, however, an A9R5AF8.tmp. I tried deleting that file, but it gave me this error message: "The action can't be completed because the file is open in Firefox," and when I close Firefox, the file disappears (and I do have hidden files set to visible).

    What should I do?

    P.S. Every time I reopen Firefox, it shows up again in the Temp folder with a different name--now it's "A9R6DDC.tmp."
     
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You can't remove files from today's date. I wouldn't worry with it. If you are not having malware issues and all is running smoothly, then you should just go ahead with the final clean up. :)
     
  9. channel_zero

    channel_zero Private E-2

    Yup--everything's good, and actually, after you posted this, I decided to try just uninstalling and reinstalling Firefox, and that .tmp file in the Temp folder isn't showing up anymore! Thank you SO much for your help--it's a wonderful service that you offer here.

    One last question, about, re: "How to Protect yourself from malware!"--I have COMODO Firewall installed, with Defense+, which is described as this:

    Defense+ for proactive monitoring of internal systems and processes
    Defense+ is an advanced Host Intrusion Prevention System (HIPS) that proactively monitors systems and system processes to prevent system changes such as rootkit installations, inter-process memory injections, key-loggers and more. HIPS technology is driven by an extensive white list database (with nearly one million applications and growing) which identifies trusted applications and prevents untrusted applications from being introduced onto the computer.
    - Comodo Press Releases

    Would this be considered a Realtime-blocking AntiSpyWare tool?

    If yes, since I should just have one--I'm considering disabling the Defense+ part of the COMODO Firewall, since I have AntiVir Personal Edition already installed (as it is also the antivirus I use).

    Would AntiVir Personal Edition be sufficient for both antivirus and realtime-blocking antispyware, or would you recommend that I purchase and use SUPERAntiSpyware for my Realtime-blocking AntiSpyWare tool in addition to having AntiVir Personal Edition as my antivirus tool?
     
    Last edited: Apr 9, 2010
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I never recommend purchasing anything. You would be safe to allow the Comodo Defense+ run as that is for spyware and your AV software will not conflict with it.

    And you are most welcome. :)
     
