AntiVirus reports Heur.Dual.Extensions

Hi; :slight_smile:
I am getting an “Anti virus Alert” window popup every couple of hours or when I open the current user folder:

The “Anti virus Alert” window displays the virus Heur.Dual.Extensions" on file C:\users\test\AppData\Local\temp\NEWXXXX.tmp.exe.

After the"Anti virus Alert" pops up, I select “quarantine” and “Remove” and get a Windows warning telling me that "windows can not access the specified Device, Path or File : C:\users\test\AppData\Local\temp\NEWXXXX.tmp.exe

The name of the executable file is never the same except for the “NEW” and the “.tmp.exe”. The “XXXX” can be any combination of numbers and letters.

My guess is that I have some illicit program creating these files in the \temp\ folder and then trying to execute them. Fortunately for me, it doesn’t have the right permissions to execute the scripts.

I am Running the latest Comodo free version with the latest virus database. I have ran a full scan a couple of times and it shows no problems.

My system is:
model SR5610F
AMD Athlon 64 X2 Dual Core Processor 4800+ 2.5Ghz
3 GB Ram
32 Bit Operation system
Windows vista Home Premium Service pack 1
I am Administrator
I am also using Avast Antivirus software.IAvast reports no problems)
~137 GB free hard drive space.
I keep Vista updated with the latest Microsoft Windows updates.

Could someone please give me some insight on how to stop this problem?

John :slight_smile:

I am have an almost identical situation. Any info would be very much appreciated.


Thanks for reporting.Could you please submit the detected file at Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year.


Hi Haja;
Thanks for the reply. I will upload a copy of the file to Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year

Alos one additional piece of information that I have noticed is that the “Anti virus Alert” window pops up at exactly 5 minutes after each hour. So it appears that it is not as random as I thought it was.

Any ideas on how to track it down?


Hi fuzzy1home,

You can check the path of detected file on the alert window along with detection name. You can submit respective file via submission form along with detection name. Also, you can post a snapshot of the virus alert window here to give us more insight of the situation.


The alert, you’re getting doesn’t mean, that the file contains a virus. You can see this, because the name starts with “Heur”, which means that the heuristics found something “unusual”.
In this case (Heur.Dual.Extensions): Two extensions at a file, where the last extension is “exe”.

This may be dangerous, think for example for a virus coming with the name “document.txt.exe” and a text file icon. Windows hides known extensions by default, so this would appear as “document.txt”. An unexperienced user may think he’ll open a simple document (the experienced one wonders, why the txt extension isn’t hidden - or more probably doesn’t hide known extensions…), while in fact he’s executing an application.

You can easily trigger the alert by yourself by creating a new file and name it “x.y.exe” for example.

To be sure about the files, you should analyze the files on VirusTotal or submit it to COMODO, but I think you shouldn’t overreact on this alert, since two extension may also be used for various other reasons. In this case probably, to show it’s a temporary executable for one session (.tmp.exe)
If I had to guess, I’d vote for an installer or updater creating these files.

Hi Everyone;
Thanks for the help.
After much key puching I tracked it down in the windows Task scheduler. is updated at exactly 5 minutes after every hour. Once I disabled it the problem went away. If I execute it at C:\Program Files\\UpdateTask.exe the virus warning returns.
So I guess using is out of the question.javascript:void(0);


Hi fuzzy1home,

If you encounter anymore of these alerts, please submit detected file at Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year in order to verify this issue.