Author Topic: POSSIBLE Trojware in AVAST! .tmp File  (Read 9335 times)


wendy k. walker

  • Guest
POSSIBLE Trojware in AVAST! .tmp File
« on: November 02, 2010, 06:40:49 AM »
Hi All,

It has been a long time since I've used these forums and I'm not too sure where this topic should go, so I'm asking "if this is the wrong forum would one of you Moderator Types please move it to the right forum, and let me know where to look to find it again?"

I am running Windows XP, Home Edition, with SP3 and all updates installed, and have been using COMODO Internet Security for my Anti Virus and Firewall, and up until about a month ago all seemed to be working well.

Then all of a sudden I started having problems. The first thing that caught my eye was when I had opened the user interface and noticed that the Virus Signature Database was reporting that it hadn't been updated since 5 Jan 2010.

Those updates are supposed to be automatic every time that the program is started. Yet all of my attempts at getting them installed have failed, almost instantly, except when I booted into Safe Mode With Networking, at which time the program updated automatically.

However, I was unable to run a virus scan as the system gave me a notice saying that there was no such interface.

When I booted back into normal mode the program was once again indicating that it hadn't been updated since 5 Jan 2010.

After a lot of hair pulling, and cussing, trying to work the kinks out, the program finally tells me that it had updated, BUT at the same time it also tells me that the firewall is no longer running.

Back tracking a bit here, during all of this I had been able to run a full system scan, in normal mode, which found a couple of TROJANS and a few other things, which I had quarantined for a week or so, then deleted. None of which had helped with my problem.

So I decided to give AVAST! a try and downloaded a Trial copy of AVAST! Internet Security, Version 5.0.677 and turned COMODO off for awhile.

On the first full system scan AVAST! found a couple of Low level items, which I moved to the Chest. I ran daily scans for a week and AVAST! showed a clean report on all of them.

Then I had restarted my machine, failed to notice that COMODO had also started, and had started a full system scan with AVAST!. Several minutes into the scan the COMODO Firewall posted a big red warning saying:

Trojware.Win32.adware.NirCmd.A@424028 C:\Windows\temp\_Avast5.\unp2278865004.tmp

had been found.

I quarantined it with COMODO.

I understand that having more than one AV program running at the same time is not the best way to go, however, my inquisitive nature won the day and I've been running both programs, at the same time, for the past several days now, just to see what would happen.

Avast! finds nothing to report when I run a scan, but COMODO keeps picking up a repeating series, of the same Trojan, when I run a scan with it.

Also, EVERY time I scan with AVAST! the COMODO Firewall Alerts to that same Trojware that is seemingly hiding out in that .tmp file connected to AVAST!

Anyone have any thoughts as to what might be going on here? ANY information would be appreciated, as I am about out of nerve pills, and have almost no hair left to pull out.

Thanks for ANY help or info on this.

Wendy   

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #1 on: November 02, 2010, 07:21:20 AM »
Hi Wendy.

Your surmise about not running more than one resident AV is correct. This will be causing the problem of the Comodo detections whenever an Avast scan is run. Such detections can not and should not be relied on to provide anything meaningful at all.

I don't know why your Comodo definitions may not have updated, it's been a while since I used any Comodo products. (Last time I did I had a bit of a job removing the low level legacy drivers and, frankly, it put me off.)

If it was Avast not updating, one thing I would suggest is checking that the system date and time are correct, and set to update automatically.

What I would do is remove Comodo. Remove it via the control panel>add/remove programs. Following a reboot, run the tool available just over halfway down the page here (it's under para 3, uninstallers for other programs, Comodo firewall pro.), reboot, and see how things are then.

An alternative that I wouldn't go for myself, if you want to keep Comodo, would be to uninstall Avast, and run the removal tool. That would be found on the page I linked, a bit nearer the top.

You are fortunate not to have had any lockups or other problems with the system. It's possible that if you encountered any real malware, the two AV's would fight over it and lock up the system. During such an event, the last thing you want to do is a cold shut down. This interference and associated problems can occur even if one of the AV's is disabled. One of them needs to be uninstalled.

Carry out a demand scan with MBAM (free version avail here- the blue download button) and post the scan report if anything was found. Do this after uninstalling the AV you aren't going to keep.
Windows 10,Windows Firewall,Firefox w/Adblock.

ImWarm

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #2 on: November 02, 2010, 12:13:46 PM »
That's why you don't have 2 AVs, they detect each other as viruses and cause more problems.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #3 on: November 02, 2010, 12:49:00 PM »
Being that you have been running these two AV's on the same system with some detections from both sides, I would suggest downloading the uninstallers for both programs and a fresh copy of avast, delete both AV's with reboots in between and run the uninstallers for both of them with reboots in between and then run something like ccleaner which will clean up all the leftovers. Now you're safe to reinstall the avast that you downloaded earlier. If you choose to reinstall comodo firewall you should add avast to the exclusions list in comodo and add comodo to the avast exclusions as well, hope this helps you :) If you install the internet security version of avast don't install comodo firewall.
« Last Edit: November 02, 2010, 12:57:15 PM by craigb »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #4 on: November 02, 2010, 03:57:53 PM »
@ wendy k. walker
What you are experiencing are classic AV conflicts.

The _avast5_ temp folder is where avast unpacks/copies files so that they can be scanned and you are suffering the classic conflict between two AV, as when avast is moving a file there to scan it comodo is locking it so it can be scanned, this prevents avast from scanning it.

The unp999999999.tmp file format (unp----.tmp) are the files avast is moving unpacked files there to be scanned. Once avast has scanned them (if no detections) it clears the contents of that temp folder and comodo could also be preventing that.

At worst it causes duplication of scanning resulting in higher resource use and at worst it can lock up your system. This conflict can happen at any time as the two AVs have low level drivers to hook files so they can be scanned and these can conflict, if this happens during boot it could lock you out of your system.

So you have to uninstall one of them and you might guess which one we will recommend ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
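
The naming pattern described in the reply above (unp<digits>.tmp files inside the avast temp folder) can be used to sort a second scanner's alerts into "hit on a transient unpack copy" and "hit elsewhere on disk". This is an added example, not part of the original thread or either vendor's code; it assumes alert lines in the "detection name, then path" form quoted in the first post, and the function names and constructed sample lines are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename, dirname, normpath  # Windows path rules on any OS

# Assumption: one alert per line, "<detection name> <absolute Windows path>",
# the shape of the Comodo alert quoted in the first post.
ALERT_RE = re.compile(r"^(?P<name>\S+)\s+(?P<path>[A-Za-z]:\\.+)$")

# Assumption: unpack copies are named unp<digits>.tmp and sit directly in a
# folder named "_avast5", "_Avast5." or "_avast5_" (both spellings appear
# in the thread).
UNPACK_FILE_RE = re.compile(r"^unp\d+\.tmp$", re.IGNORECASE)
UNPACK_DIR_RE = re.compile(r"^_avast5[._]?$", re.IGNORECASE)


def parse_alert(line):
    """Return (detection_name, path) or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    return (m.group("name"), m.group("path")) if m else None


def is_unpack_artifact(path):
    """True when the path is a scanner unpack copy, not an original file."""
    p = normpath(path)
    return bool(UNPACK_FILE_RE.match(basename(p))
                and UNPACK_DIR_RE.match(basename(dirname(p))))


def triage(lines):
    """Group alerts: counts per detection for unpack copies, full list otherwise."""
    unpack_hits = defaultdict(int)
    other, unparsed = [], []
    for line in lines:
        parsed = parse_alert(line)
        if parsed is None:
            unparsed.append(line.strip())
        elif is_unpack_artifact(parsed[1]):
            unpack_hits[parsed[0]] += 1  # same signature on a transient copy
        else:
            other.append(parsed)         # original location: investigate
    return {"scanner_unpack": dict(unpack_hits), "other": other,
            "unparsed": unparsed}


SAMPLE_ALERTS = [
    # Alert quoted in the first post of this thread:
    r"Trojware.Win32.adware.NirCmd.A@424028 C:\Windows\temp\_Avast5.\unp2278865004.tmp",
    # Constructed samples:
    r"Trojware.Win32.adware.NirCmd.A@424028 C:\Windows\temp\_avast5_\unp0000000001.tmp",
    r"Example.Detection.Name C:\Documents and Settings\user\Desktop\sample.exe",
    "firewall is not running",
]

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ALERTS).items():
        print(bucket, items)
```

Alerts in the `scanner_unpack` bucket point at copies that the other scanner deletes after its scan, so the count shows how often one signature fired rather than how many files are affected; entries in `other` are the ones worth following up once a single AV remains installed.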

YoKenny

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #5 on: November 02, 2010, 08:52:23 PM »
As wendy's signature indicates:
Don't Tell Me Anything That You Don't Want The Whole World To Know, Because The Only Secrets I Keep Are My Own.

I guess she wants to keep secrets and not say what her system specifications are in her signature so that helpers can provide meaningful assistance.

SafeSurf

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #6 on: November 03, 2010, 09:48:44 AM »
To be fair YoKenny, she did provide most of her system specifications in her first post, however it would be nice to see it in the Signature for easy scanning to help OP's.

@ wendy k. walker,  I agree with the other posters in the conflict of running the two AV's.  I think craigb's suggestion is your best option to be thorough.  Just remember that you cannot run the Comodo IS with Avast, but you can run the Comodo FW (without AV) with Avast.

Let us know if you have any additional questions.  Thank you. :)

wendy k. walker

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #7 on: November 04, 2010, 09:11:40 AM »
Hi Everybody,

First I want to say "Thanks" to all of you for your input, and then reply to each of you in turn.

Hi Tarq57

Thanks for the link, I'll give it a read after I get off of here.

Double checked my system's date and time, just now, and they are correct at the moment, and COMODO has always been set to do the automatic update thing as I am too lax in the brain pan *meaning lazy* to remember to do all of that on a daily basis.

I do agree that one of the AV's needs to be uninstalled, however, I'm going to hold off on doing that just yet.

I have MBAM and SAS, both are the free versions, and I run them regularly.

I always get rid of the garbage that they detect, but it all seems to have a way of coming back after a reboot, no matter if it is a hot or cold reboot.

Needless to say that the exact same thing keeps happening when I run a scan with COMODO, and all of that was going on before I installed AVAST!

Heck, when I would check the logs in COMODO I would find that it had been Detecting, and Quarantining, the same TROJAN 14 to 16 times A SECOND...! And that was AFTER I had already deleted that little sucker several times in a row.

Anyway, that was when I decided to give AVAST! a go. The first run of AVAST! picked up a couple of low level threats, which I got rid of, but the next several runs all came back clean.

It wasn't until after I had had AVAST! running for several days that the COMODO firewall started alerting on that Trojware thing.

So I came over here to see if anyone else might have run into that little bugger while scanning with AVAST!

Next:

Hi ImWarm, Thanks for your input.

Quote
That's why you don't have 2 AVs, they detect each other as viruses and cause more problems.

I Know, said so in my post too, but I had to give something a try, so, having used AVAST! Free a couple of years ago, I decided to give AVAST! a go and see what would happen anyway.

Next:

Hi craigb, Thanks for your input.

I'm seriously thinking about giving what you guys have all been suggesting a go.

But before I do, I'd like to know if there is a way to just shut one of the two down without completely uninstalling it?

If there is I would like to give them each a go, one at a time, and see what the heck they might find.

Next:

Hi DavidR, Thanks for your input.

First off, as my inquisitive nature has grabbed me by the rump here, every time that I have ever seen your Avatar I have had the urge to ask you, "Have you ever been a Trooper, or do you just like that Avatar Boo?" *I guess you know you don't have to answer that if you don't want to.* 

Now down to business.

Quote
What you are experiencing are classic AV conflicts.

I'm not too sure that ALL of it was being caused by the AV's beating each other up over who got to do what first.

I mean I can agree with you on the last part. The part where COMODO's firewall seems to have started ratting out AVAST! for harboring an EVIL entity, sure that could be correct, but 99% of my troubles had begun weeks before I had ever installed AVAST!.

I agree with everything else that you said though, and YES  :P I have a feeling I know which one you would get rid of.

Next:

Hi YoKenny, Thanks for your input.

*cringing in fear, and laughing*

Quote
I guess she wants to keep secrets and not say what her system specifications are in her signature so that helpers can provide meaningful assistance.

If you could walk me through the steps of how to find all that system stuff..., I'll be more than happy to add it to my signature.

But right now all I know for sure is, 1.) that I actually rescued this box from a pile of trash on the side of the road, and 2.) the information that I included in my OP.

Next:

Hi SafeSurf, Thanks for your input.

Quote
To be fair YoKenny, she did provide most of her system specifications in her first post, however it would be nice to see it in the Signature for easy scanning to help OP's.
   

Thanks for sticking up for me, and like I said to YoKenny, if someone could tell me where to look to find that system info stuff I'll be more than happy to include it in my signature.

Now, one last thing before I go guys, can any of you tell me how to set my login time on this site so that my session doesn't get timed out before I can post a reply?

I mean other than checking the keep me logged in forever box.

It seems to me that there used to be an option that would allow you to stay logged in for 2 or 4 hours before your connection got timed out.

But now I'm having to do the select all\copy thing so that as soon as I hit post reply I can log back in and paste this into the reply box, and get it posted real quick, and that's a drag.

Thanks to all of you for your input.

Wendy K. Walker

SafeSurf

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #8 on: November 04, 2010, 09:34:21 AM »
Hi Wendy,

Here is how to write your Signature:

- Please go to PROFILE on the top of the main forum page > Modify Profile > Forum Profile Information > Signature.   Enter information about your system like the Operating System (OS), RAM, browser, security software, what version and product of Avast and firewall you use and other items you wish to mention.  See my signature or others as an example.  The purpose of this is so that we can offer pertinent advice. 

I don't know why you are getting timed out on the forum.  Check the upper right corner on the main forum page to make sure it is the correct date and time with a "+" mark next to it.  You mentioned already checking off always being signed in, which is fine. 

As for the uninstall/install:  The reason craigb and I both suggested it was because sometimes a product can get corrupted with having the two AV's.  You can certainly try uninstalling one product to see if it works fine and see what happens.  If it doesn't work, then do the complete uninstall/reinstall route.

Did I answer all your questions?  I'm trying to type quickly before you time out.

SafeSurf

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #9 on: November 04, 2010, 09:40:14 AM »
Quote
I'm seriously thinking about giving what you guys have all been suggesting a go.

But before I do, I'd like to know if there is a way to just shut one of the two down without completely uninstalling it?

If there is I would like to give them each a go, one at a time, and see what the heck they might find.

To clarify the above, you cannot turn one of the above off while leaving the other on in your machine since the one you turned off is still really in your machine (drivers are running, etc.).  That is why we are all recommending that you do the uninstall.  :P  I know it's not what you wanted to hear, but we've all had to do it at some time or another.

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3695
  • If at first you don’t succeed; call it version 1.0
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #10 on: November 04, 2010, 09:46:38 AM »
Quote
To clarify the above, you cannot turn one of the above off while leaving the other on in your machine since the one you turned off is still really in your machine (drivers are running, etc.).  That is why we are all recommending that you do the uninstall.  :P  I know it's not what you wanted to hear, but we've all had to do it at some time or another.
+1.
I know from your lengthy reply above you are concerned about possible malware as reported by Comodo multiple times, but with more than one conflicting program on the box you have no baseline to work with that is meaningful.

Once one of them has been removed, it becomes meaningful to then attempt to diagnose malware problems, and we can link you to tools to run that will create logs you can post. Gurus (and me) will look at them and offer further advice as required/indicated.

But without uninstalling one of the AV's, all bets are off. It would be like trying to diagnose the disease a lying, self harming child has. (OK, poor analogy, but close enough.)
Windows 10,Windows Firewall,Firefox w/Adblock.

Offline CraigB

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 11239
  • No support PM's thanks
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #11 on: November 04, 2010, 10:28:27 AM »
What SafeSurf said  :)

YoKenny

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #12 on: November 04, 2010, 12:58:23 PM »
Quote
if someone could tell me where to look to find that system info stuff I'll be more than happy to include it in my signature.

Go to Control Panel then System

How to view system information in Windows XP
http://www.helium.com/items/502712-how-to-view-system-information-in-windows-xp

Nesivos

  • Guest
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #13 on: November 04, 2010, 02:07:21 PM »
Running two AV programs

What I would say.

It's like trying to have two significant others in your life.

1.  There are bound to be conflicts
2.  They could very well indicate that the other is a virus
3.  This will cause you immense grief in your life and possibly even cause it to crash :) :)

Not recommended at all. :)

In fact I would go so far as to say that even having files from two AV programs on your computer especially in the Registry could cause a number of undesired consequences.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89033
  • No support PMs thanks
Re: POSSIBLE Trojware in AVAST! .tmp File
« Reply #14 on: November 04, 2010, 03:00:52 PM »
Quote
Hi Everybody,

First I want to say "Thanks" to all of you for your input, and then reply to each of you in turn.

<snip>
Hi DavidR, Thanks for your input.

First off, as my inquisitive nature has grabbed me by the rump here, every time that I have ever seen your Avatar I have had the urge to ask you, "Have you ever been a Trooper, or do you just like that Avatar Boo?" *I guess you know you don't have to answer that if you don't want to.* 

Now down to business.

Quote
What you are experiencing are classic AV conflicts.

I'm not too sure that ALL of it was being caused by the AV's beating each other up over who got to do what first.

I mean I can agree with you on the last part. The part where COMODO's firewall seems to have started ratting out AVAST! for harboring an EVIL entity, sure that could be correct, but 99% of my troubles had begun weeks before I had ever installed AVAST!.

I agree with everything else that you said though, and YES  :P I have a feeling I know which one you would get rid of.
<snip>

You're welcome.

Yes I served for almost 12 years in the Parachute Regiment and after that several other branches of the UK Military and did a little over 2700 parachute descents in all, military and the majority Sport Parachuting. Those days are over now though ;D

Well I can't speak about your troubles prior to avast (though adding another AV is likely to complicate matters), my comments are related to the detection of a file avast had unpacked for scanning, locked and scanned by another installed AV.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security