Author Topic: Comodo Internet Security found something in Avast!'s temp folder  (Read 8333 times)

MaxyDawg

  • Guest
Comodo Internet Security found some virus in Avast!'s temp folder. And another.
Should I be worried?

Today, while I was online, Comodo Internet Security had gotten wind from, I would guess, its Resident Shield (whatever it is that watches files being accessed) found four infected items in temp and AppData folders, three of said items appearing to be in Avast's temp folders, or something, and the other being in Opera's AppData folder. Of course I shot all four alerts to Quarantine and not just a minute ago exported a log file for your viewing pleasure. Unfortunately, the log file (which is in HTML) can't be uploaded, so here's a cut-and-paste:

COMODO Internet Security Logs
        Date Created: 1/26/2009 7:34:15 PM
Log Scope: All The Times
Date/Time   Action   Location   Malware Name   Status
1/26/2009 4:46:48 PM   Detect   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:48:48 PM   Detect   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:34 PM   Quarantine   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:34 PM   Detect   C:\Windows\Temp\_avast4_\unp10894333.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:37 PM   Quarantine   C:\Windows\Temp\_avast4_\unp10894333.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:37 PM   Detect   C:\Windows\Temp\_avast4_\unp132339247.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:38 PM   Quarantine   C:\Windows\Temp\_avast4_\unp132339247.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:40 PM   Detect   C:\Users\Max\AppData\Local\Opera\Opera\profile\cache4\opr02WD1   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:44 PM   Quarantine   C:\Users\Max\AppData\Local\Opera\Opera\profile\cache4\opr02WD1   TrojWare.HTML.CrashIE.A@7162   Success
End of The Report

As the report shows, there were more files than I thought were infected. I'll run a full scan, but is it just coincidence that there was something that infected Avast's stuff but the other program (Comodo) caught it first?
« Last Edit: January 27, 2009, 02:55:06 AM by MaxyDawg »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #1 on: January 27, 2009, 02:39:48 AM »
This is where avast unpacks files so they can be scanned, hence the unp bit at the start of the file name, a whole bunch of numbers followed by the .tmp file type. These are normally cleared out after completion of the scan. Why that didn't happen is not known, see below.

However, your use of the Comodo Internet Security effectively means you have two resident AVs installed and that is simply a no, no.

Conflict between resident AVs:
Such as what has happened above, the unp123456.tmp files remaining when they should have been removed, could come about because the second AV hooks those files as they are unpacked to be scanned and avast effectively can't remove them.

Worse still, resident scanners can be more of a problem than this; at worst they could lock your system.

So you really need to make a decision which resident AV you wish to have on your system and remove the other.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
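
The triage described in the reply above, as an added example that is not part of the original thread or of either vendor's software: it groups the Comodo log events from the first post by file and separates leftovers in avast's unpack folder from detections elsewhere that merit a second opinion. The `unp<digits>.tmp` pattern is an assumption taken from the thread's description, and the `unpack-artifact` / `review` labels are hypothetical.

```python
import re
from collections import defaultdict

# Log lines copied from the Comodo log in the first post (columns: date/time,
# action, location, malware name, status; separated by runs of spaces).
SAMPLE_LOG = r"""
1/26/2009 4:46:48 PM   Detect   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:48:48 PM   Detect   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:34 PM   Quarantine   C:\Windows\Temp\_avast4_\unp54280650.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:34 PM   Detect   C:\Windows\Temp\_avast4_\unp10894333.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:37 PM   Quarantine   C:\Windows\Temp\_avast4_\unp10894333.tmp   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:40 PM   Detect   C:\Users\Max\AppData\Local\Opera\Opera\profile\cache4\opr02WD1   TrojWare.HTML.CrashIE.A@7162   Success
1/26/2009 4:49:44 PM   Quarantine   C:\Users\Max\AppData\Local\Opera\Opera\profile\cache4\opr02WD1   TrojWare.HTML.CrashIE.A@7162   Success
"""

# Assumption taken from the thread: avast 4 unpack files are named
# unp<digits>.tmp inside a Temp\_avast4_ folder. Case-insensitive, since
# other tools log the same path in upper case.
UNPACK_RE = re.compile(r"\\temp\\_avast4_\\unp\d+\.tmp$", re.IGNORECASE)
DATE_RE = re.compile(r"^\d{1,2}/\d{1,2}/\d{4} ")


def parse(log):
    """Yield (action, path) for each well-formed event line; skip headers."""
    for line in log.splitlines():
        fields = re.split(r"\t+| {2,}", line.strip())
        if len(fields) == 5 and DATE_RE.match(fields[0]):
            yield fields[1], fields[2]


def triage(log):
    """Group events per file and separate unpack leftovers from other hits."""
    events = defaultdict(list)
    for action, path in parse(log):
        events[path].append(action)
    report = {}
    for path, actions in events.items():
        report[path] = {
            "kind": "unpack-artifact" if UNPACK_RE.search(path) else "review",
            "detections": actions.count("Detect"),
            "quarantined": "Quarantine" in actions,
        }
    return report


if __name__ == "__main__":
    for path, info in triage(SAMPLE_LOG).items():
        print(f"{info['kind']:16} det={info['detections']} q={info['quarantined']}  {path}")
```

A hit labelled `unpack-artifact` only says where the file was found; the content that avast unpacked still came from somewhere, which is why the Opera cache entry lands in `review`.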

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #2 on: January 27, 2009, 02:50:06 AM »
Even if CIS was your only on-access AV, it's "good" at flagging False Positives. However it's best not to assume.
To be sure the files are safe, upload them to jotti or virustotal for multiple "second opinions".
“There is a way that seems right to a man, but in the end it leads to death.” - Proverbs 16:25

MaxyDawg

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #3 on: January 27, 2009, 02:58:02 AM »
I'm going to disable Comodo, but can I delete those temp files then? If they were supposed to be removed anyway, would it hurt anything? They're already in Quarantine with Comodo, and nothing seems to have gone awry yet... And what about what's in Opera's AppData folder?

Offline Vladimyr

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1639
  • Super(massive black hole) Poster
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #4 on: January 27, 2009, 03:36:18 AM »
Everything about those files indicates that you can safely delete them from the COMODO quarantine.
To be super-cautious you could restore them and then add them to the avast! Virus Chest (see image) before uninstalling COMODO AV.
Disabling isn't enough. You need to uninstall the AV part of CIS from Add/Remove Programs. (see attached CIS images)

silvertones

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #5 on: April 10, 2009, 09:16:15 PM »
This is very similar to an issue I'm having and reported in the forums under "Is anyone having this problem"; however, for me it is PC Tools Spyware Doctor that is flagging these unp******.tmp files as malware. My temp files are not being deleted either. SD flags Avast's webshield at 2 times so far. When I try to post a message on the PC Tools forum and when I try to log into this forum. The time this started happening is about the same.
When I tried to post this message SD flagged Avast's webshield. I have to put an exception for both sites into the Webshield customize section.
BTW Spyware Doctor is flagging the Avast unp*******.tmp files as:

3/30/2009 8:07:25 AM:793    
IntelliGuard: System Event Blocked
Threat Name - Adware.Adsponsor
Details - Spyware Doctor has blocked an application attempting to access a file.
Risk Level - Low
Infection - C:\WINNT\TEMP\_AVAST4_\UNP181347045.TMP
« Last Edit: April 10, 2009, 09:22:54 PM by silvertones »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #6 on: April 10, 2009, 11:03:03 PM »
That is where avast unpacks the files that it is going to scan, hence the unp file prefix and the .tmp file type. Once avast has scanned them they would be deleted. However it looks like the interference from Spyware Doctor blocks that action as it would effectively lock the file. So basically you have a conflict between the two scanners.

Why would you put an exception into the web shield when it is SD doing the detection, you should exclude ashWebSv.exe (the web shield) in SD. It would probably be advisable to also exclude the _avast4_ folder too.

Offline lukor

  • Administrator
  • Super Poster
  • ***
  • Posts: 1884
    • AVAST Software
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #7 on: April 10, 2009, 11:51:32 PM »
One scanner blocks the other one from accessing the files. Not only can this cause one antivirus to detect temp files of the other one, but it also prevents one antivirus from correctly recognizing the files as infected (since the other one - Comodo here - blocks all access to the virus, or deletes it completely - but as it may be just an extracted temp file, it would get deleted anyway). If one antivirus (avast here) would be doing other good things when the virus is detected - such as terminating the download, or deleting an attachment from email - these actions wouldn't get executed, which effectively ruins all.

So, this is why running two resident scanners at the same time is a bad idea. Moreover frequently your computer can deadlock or bluescreen :)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #8 on: April 11, 2009, 01:14:19 AM »
In this particular case it isn't comodo but Spyware Doctor a resident anti-spyware (not anti-virus) that is causing the clash.

Whilst two resident AVs has always been frowned upon, nothing much has been said of resident anti-spyware, but there will always be some areas of crossover on detections.

sta_minghia

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #9 on: April 11, 2009, 01:58:19 AM »
In this particular case it isn't comodo but Spyware Doctor a resident anti-spyware (not anti-virus) that is causing the clash.

Whilst two resident AVs has always been frowned upon, nothing much has been said of resident anti-spyware, but there will always be some areas of crossover on detections.
I'm running avast and Spyware Doctor (could that cause me some problem?)
Thank you, Giovanni

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89150
  • No support PMs thanks
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #10 on: April 11, 2009, 03:40:35 AM »
Basically what I said in Reply #6 and what lukor stated in Reply #7.

In light of this I would suggest you consider excluding the _avast4_ folder from scans in Spyware Doctor.

silvertones

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #11 on: April 11, 2009, 01:40:29 PM »
First you all need to understand that Avast and SD have always coexisted quite nicely. I've been using the 2 together for over a year with no issues. Many of the folks on the PC Tools forums also prefer Avast to PC Tools AV. You may not believe this. I found the answer. At the same time this started happening I remember that Firefox had updated to v 3.0.8. I removed all of the exclusions from Avast and tried things with IE and everything worked as it should. I then uninstalled Firefox 3.0.8 and installed 3.0.7 and all is well. I'm going to download the complete file of 3.0.8 instead of letting it do an auto update. I've had problems before with Firefox and their auto update. This indeed is queer but the truth is in the pudding as they say. Maybe someone has thoughts on this.
« Last Edit: April 11, 2009, 01:46:54 PM by silvertones »

silvertones

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #12 on: April 11, 2009, 03:23:17 PM »
I quit. I don't know what's going on. It's doing it now with 3.0.7 :-[
BTW I did try having the web shield on the Global Action list of SD and that didn't help.
You can't put folders on the global action list only files and seeing as the temp files come and go.........

PS I really do appreciate all of the help!
« Last Edit: April 11, 2009, 03:30:00 PM by silvertones »

abhinashh

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #13 on: April 11, 2009, 03:28:17 PM »
This is where avast unpacks files so they can be scanned, hence the unp bit at the start of the file name, a whole bunch of numbers followed by the .tmp file type. These are normally cleared out after completion of the scan. Why that didn't happen is not known, see below.

However, your use of the Comodo Internet Security effectively means you have two resident AVs installed and that is simply a no, no.

Conflict between resident AVs:
Such as what has happened above, the unp123456.tmp files remaining when they should have been removed, could come about because the second AV hooks those files as they are unpacked to be scanned and avast effectively can't remove them.

Worse still, resident scanners can be more of a problem than this; at worst they could lock your system.

So you really need to make a decision which resident AV you wish to have on your system and remove the other.

silvertones

  • Guest
Re: Comodo Internet Security found something in Avast!'s temp folder
« Reply #14 on: April 11, 2009, 11:30:24 PM »
Spyware Doctor did an update an hour ago and the problem has disappeared. Coincidence?