Downloader.Small.58.AG

Guess what. I found a Trojan on my PC this morning in IE temporary internet folder. AVG found it, but Avast seemed to miss it!!

Could the UDP scan have been something to do with the Trojan?

I guess it could be… it’d be nice to confirm, that’s for sure.

What was the trojan you found? And were you able to remove it?

LM

Can’t remember the name off the top of my head (at work at the moment) but I’ll post it when I get home. It was in a file called ‘click1’. I tried googling the name but not a lot of info could be found.

I usually use FF but sometimes use IE when FF is having problems displaying or running something.

I’m just a bit worried, as I’ve been using my online banking services.

I haven’t deleted it, but it’s been flagged by AVG. I’m tempted just to delete it.

If AVG can’t clean it, at least quarantine it, flag it to be blocked in the firewall, upload it to http://www.virustotal.com/en/indexx.html or http://virusscan.jotti.org/ (or some other online site) for analysis, etc. You want to make sure you’re protected. Watch your bank accounts for changes.

It’s always possible that it’s a false positive; it does happen! That’s the problem with deleting files… they can be legit, and some malware uses the same filenames as legit ones, so it can be confusing.

LM

Hi. It’s called ‘Downloader.Small.58.AG’.

Can AVG delete it safely? In the Virus Vault there are action buttons ‘Wipe’ and ‘Heal’. I’ll have to read the AVG help and see which one to press, if any.

How can I go about blocking it on Comodo?

UK_DUDE, in AVG, Wipe = Delete, Heal = Disinfect/Clean. The Vault is the Quarantine; if it’s in there you should be okay with it for the time being.

As far as how to block it in Comodo, this is what you’d do:
If the trojan has an executable file, you’ll set an Application Monitor rule for it as the application. “Skip” the parent. Block. Protocol TCP/UDP. Any Destination IP/Port. Leave Miscellaneous empty. OK.
If the trojan doesn’t have an executable (like it’s a .dll or something), add it to Component Monitor. You’ll have to navigate to the path once the Add window opens. Then set it to Block. Press the Apply button.

Reboot computer.

Now, if indeed AVG has quarantined it (which sounds like, if it’s in the Vault), you may not be able to access the file to add rules in CFP (shouldn’t be able to, anyway!). If you can, that’s kinda scary about AVG’s quarantining! However, that’s okay. If you can’t get to the file, it should be locked up where it is, and contained.

Do make a note of the filename and path, and keep an eye out for CFP to give you an alert that it’s trying to use another application to get out (part of the Application Behavior Analysis).

LM

PS: I separated this aspect of your issue from the original post (here: https://forums.comodo.com/index.php/topic,7376.msg53831.html#msg53831 ), and moved it here for better, more appropriate coverage.

Much appreciated LittleMac. Thanks for separating the thread. Makes sense.

Well I’ve just wiped the two viruses that were in the Vault (had a trojan from a few months ago that seemed to come from a freeware net metering program). I hope they’ve been deleted from my PC.

I’ve also had another flood attack this evening. I managed to get Battlefield 2 working by forwarding some TCP/UDP ports and it seemed to happen when I was online playing BF2. (:SAD)

Arghh, PCs, they’re really doing my head in at the moment. :-[ :-[ :stuck_out_tongue: Why is there so much nastiness in cyberspace? ???

Have you followed up with any online scans?

There are others; those are just three…

Not being resident scanners, they can be a little more effective at times, and not be vulnerable to malware disabling them. There’s also some resources here: https://forums.comodo.com/index.php/topic,4845.0.html

LM

Because it’s easy for the malware creators to spread them and they have too much time on their hands (:NRD)

Comodo will only detect and block the actions of the trojan at the network level if it attempts to connect out, for example. I thought trojans connect out, but why didn’t this one? There were no reports of an alert. Is it either a lousy trojan or a false positive? (or a cunning new one that can leak through CFP? :o)