CIS update downloaded trojan

On 8/1/09 at about 4pm C.I.S updated automatically. While doing this, AVG popped up with a warning that Comodo had downloaded trojan horse SHEUE2.HLT in c:\windows\system32\userint.exe. How was this possible?

Are you running AVG and CIS AV? That’s not really advisable.

Yes, and have done for over 2 years with no problem.

Sorry, the trojan is SHEUR2.HLT, my mistake, oops.

That’s not advisable. One AV could detect another one’s definitions, for example.

Haha, that reminds me of when Avira detected and deleted parts of Clamwin at a friend’s house.
2 on-access is overkill; use on-demand and maybe put some effort into making your computer safe in other ways.

I have no clue why it would download a virus. It sure would be possible, but my guess is that it was a signature somehow getting mistaken for the real deal.

Are you talking about CAVS 2.0 next to AVG and now CIS next to AVG?
I would find it extremely unlikely that CIS downloaded this. What other programs did you have active during that time? IM/Browser/Torrent/email etc.?

Do you have a screenshot of the logging showing Comodo downloaded this?

And I have to agree on the 2 active scanners:

And the name suggests something like HEUR, could be Heuristics and those have a higher FP rate than signatures…

Are you sure it’s not userinit.exe but really userint.exe? The first one is a legit name, the second is not!
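Added example, not part of the original thread: a small Python check for the userinit.exe / userint.exe question above, flagging file names that sit one typo away from a known Windows binary or that carry a legitimate name in the wrong directory. The allow-list, the `c:\windows` install location and the function names are assumptions made for illustration.

```python
import ntpath

# Constructed allow-list (assumption): a few Windows binaries and the directory
# each belongs in, assuming Windows is installed in c:\windows as on the page.
KNOWN = {
    "userinit.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
MAX_DISTANCE = 1  # one insert, delete, substitution or adjacent swap

def osa_distance(a, b):
    """Optimal string alignment distance (edit distance with adjacent swaps)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "scvhost" vs "svchost".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(path):
    """Return 'ok', 'misplaced', 'lookalike:<name>' or 'unknown' for a full path."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN:
        return "ok" if directory == KNOWN[name] else "misplaced"
    for legit in KNOWN:
        if osa_distance(name, legit) <= MAX_DISTANCE:
            return "lookalike:" + legit
    return "unknown"

if __name__ == "__main__":
    # The first three paths are the ones quoted in the thread.
    for p in (
        r"c:\windows\system32\userint.exe",
        r"c:\windows\system32\userinit.exe",
        r"c:\program files\comodo\comodo internet security\cmdagent.exe",
        r"c:\temp\userinit.exe",  # constructed sample
    ):
        print(p, "->", classify(p))
```

A result of `unknown` only means the name is not on the allow-list; it says nothing about whether the file is safe.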

Hi, yes it is userinit.exe, and no, I didn’t get a screenshot. It was just an AVG popup alerting me that Comodo was trying to download a trojan and what would I like to do to remove it.

Can you try to find something of this in the AVG logfiles?

When AVG popped up with the warning I wrote it down, here goes:
PROCESS NAME c:\program files\comodo\comodo internet security\cmdagent.exe
PROCESS ID 1696
Hope that helps.

I can’t be sure but I fear a false positive from AVG. Can you also post your system specs:

CIS version
AVG version
Other security software installed
Any other info that could be relevant.

Hi Ronny,
Running Windows XP media version 2002 Service Pack 2
CIS version 3.5.56968.437
AVG version 8.0.176
Windows Firewall
Comodo Memory Firewall
Comodo Verification Engine
Comodo Launch Pad
Trend Micro RUBotted

2 AVs and 2 firewalls? That is overkill.

I won’t call it overkill, but it’s not recommended by all AVs; there is a technical reason for that.

A virus scanner needs to intercept a lot of low-level system stuff, and if you have 2 installed they will both register with Windows that they need, let’s say, every “file read” action filtered through them. Now having 2 will make them fight about who’s first etc.

Also having Windows Firewall active next to CIS Firewall is not recommended.

My advice would be to disable Windows Firewall and let CIS Firewall handle that, and I would uninstall one of the 2 AVs. If you would like to do a second-opinion scan you can run Clamwin next to another AV; that scanner is purely passive and has no real-time hooks, so it cannot interfere with a real-time scanner.
Or have some online scanner like TrendMicro’s Housecall or Kaspersky Free Virusscan scan your system once a month.