Confused by malicious file / intrusion reports

Can someone tell me what’s happened here and whether my computer’s infected please, Comodo’s complexity has got the better of me.

I’m using the free firewall with Defense+ Version 5.3.181415.1237, Avast free antivirus 6.0.1000, on an XP SP3 32-bit system with the Firefox 3.6.16 browser, all up to date. A few days ago (10th April) I clicked on a link to a website and got a popup warning from Comodo. I immediately closed the suspect tab, and I’m afraid I didn’t record what the warning said; I assumed Comodo had blocked any damage from being done. Since then I didn’t think anything more about it, until 16th April, when I opened Comodo and saw that the summary screen said “Comodo has blocked 33 intrusions”. The details are in the attached Defense+ Events export log “Defense+Events.pdf”, which also shows some records of what I did since:

After I opened the website on 10th April, I am confused that it reports this “0.4377…exe” file as being scanned and found malicious many hours later, but that I’ve had no popup warnings since, and it isn’t obvious to me what action Comodo took about this file. I am concerned that it is listed in my Temp folder and appears not to have been deleted, and I don’t understand why it was showing up during defrags on the 13th and 16th (which I didn’t run manually, and wasn’t aware were scheduled). The two notifications on my Comodo summary screen below “Defense+ has blocked…” state “0 unrecognised files…partially limited” and “0 applications… sandboxed”. I looked in my Temp folder as listed in the attached event log, and searched the disk for the file “0.4377…”; nothing found. I even booted up in safe mode and deleted the Temp folder, which was recreated and shown as empty after a normal reboot. An Avast scan showed nothing. I then downloaded and ran Comodo CCE (17th April), which came up with the results shown on the attached screen dump “img006.jpg”. I hit Clean for all the threats listed, including Citrix, which I have deliberately installed. I don’t know if the other high ‘Threats’ are the same or different problems, or false results. I ran defrag on 21 April, and “0.4377…exe.” is still showing up, as shown in the log.

The only other thing I can add is that “0.4377…exe.” shows up in the registry under the following branches:
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\2\HIPS\Policy\0\Rules\0\Blocked\0
HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro\Configurations\2\HIPS\Quarantined Files\0
under “DeviceName” and “Filename”.
This indicates to me I should be able to find it in a Comodo quarantine or similar (and delete it), but I can’t.

So I am now thoroughly confused as to whether this computer is infected or clean, or what to do to remove any remaining dodgy files and stop further warnings. Comodo may be the best for security, but when you do have a problem, it is to me just too user-unfriendly and unhelpful.

Can anyone shed any light on this?



Your D+ logs show that the .043… file got created from a Java program. The CCE shows malware in the Java cache. Please remove that and see if that helps.

Since you removed the file, either it returned (and hopefully the above helps), or I am not sure why D+ still registers the file. Maybe it is hidden. Try running the following scanners to check for malware:
Hitman Pro
Malwarebytes Anti-Malware
SUPERAntiSpyware

Also let Checkdisk check your hard drive: Check Disk - chkdsk | Vista Forums. This is just in case the file was removed but, due to an error in the file system, it is still seen in the file table.

The Citrix program is most likely a false positive. Please inform Comodo about this, either from the GUI or by making a post in AV False Positive/Negative Detection Reporting.
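As an added example, not part of the original thread and not Comodo's or Oracle's own tooling, here is a PowerShell script that pulls together the two checks discussed above: it walks the Comodo HIPS registry subtree the original poster found (the "Blocked" rule and "Quarantined Files" keys) and reports every value whose data contains the file name fragment, and it lists the Java deployment cache that the reply asks to clear, newest files first, so you can see what is in it before wiping it. Assumptions: PowerShell 2.0 installed on the XP SP3 machine and run from an administrator account; the registry base path is the one quoted in the post, only without the "Configurations\2" part so every configuration is searched; the Java cache lives at the Java 6 default `%APPDATA%\Sun\Java\Deployment\cache`; the search string "0.4377" is the fragment quoted in the post, not the full file name, which the thread never gives.

```powershell
# Added example (not from the original thread). Assumes PowerShell 2.0 on XP SP3,
# run as an administrator, and the registry path quoted by the original poster.
param(
    # Fragment of the file name being tracked (the post only gives "0.4377...").
    [string]$Needle = "0.4377",
    # Base of the Comodo HIPS configuration tree quoted in the post, all configurations.
    [string]$CisBase = "HKLM:\SYSTEM\Software\Comodo\Firewall Pro\Configurations"
)

# Walk every key under the Comodo configuration tree whose path contains \HIPS\
# and emit one record per registry value whose data contains $Needle. The Kind
# column says whether the hit is a quarantine record or a blocked-rule entry.
function Find-ComodoHipsEntries {
    param([string]$Base, [string]$Needle)

    if (-not (Test-Path $Base)) {
        Write-Warning "Registry path not found: $Base"
        return
    }

    Get-ChildItem -Path $Base -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.PSPath -match '\\HIPS\\' } |
        ForEach-Object {
            $key = $_
            $kind = 'other'
            if ($key.Name -match 'Quarantined Files') { $kind = 'quarantine' }
            elseif ($key.Name -match '\\Blocked\\')   { $kind = 'blocked-rule' }

            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if ($props) {
                # Skip the PS* bookkeeping properties that Get-ItemProperty adds.
                $props.PSObject.Properties |
                    Where-Object { $_.Name -notlike 'PS*' -and ("$($_.Value)" -like "*$Needle*") } |
                    ForEach-Object {
                        New-Object PSObject -Property @{
                            Kind  = $kind
                            Key   = $key.Name
                            Value = $_.Name     # e.g. DeviceName or Filename
                            Data  = $_.Value
                        }
                    }
            }
        }
}

# List the files in the Java Web Start / applet cache, newest first, so the
# suspicious entry can be identified before the cache is cleared.
# Assumption: Java 6 default cache location on XP.
function Get-JavaCacheEntries {
    param([string]$CacheDir = (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache'))

    if (-not (Test-Path $CacheDir)) {
        Write-Warning "Java cache not found: $CacheDir"
        return @()
    }

    Get-ChildItem -Path $CacheDir -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Sort-Object LastWriteTime -Descending |
        Select-Object FullName, Length, LastWriteTime
}

# --- usage ---
"Comodo HIPS entries mentioning '$Needle':"
Find-ComodoHipsEntries -Base $CisBase -Needle $Needle | Format-List Kind, Key, Value, Data

"Newest 20 files in the Java deployment cache:"
Get-JavaCacheEntries | Select-Object -First 20 | Format-Table -AutoSize
```

A hit of Kind `quarantine` whose `Filename` no longer exists on disk is a record Comodo kept after the file itself was removed; the `DeviceName` value holds the NT device path rather than the drive letter, which is why an Explorer search on the drive-letter path and this registry record do not line up. Clearing the Java cache by deleting the directory listed by `Get-JavaCacheEntries` (or via the Java Control Panel) is what the reply recommends; running `chkdsk C: /F` afterwards covers the file-system inconsistency the reply also mentions.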

I cleaned the Java cache and ran the 3 scanners; all reported clean (apart from a few tracking cookies). Checkdisk found and cleaned up a few minor issues. CCE now reports no threats found, and defrag does not cause the intrusion report in Defense+ any more, so I’m guessing that’s it, but I will keep an eye on Comodo and run all the scanners regularly, especially over the next few days. Citrix false positive reported. Thanks for your help.