firewall keeps downloading .tmp file

Comodo Internet Security - CIS Install / Setup / Configuration Help - CIS
#1

Since the latest update to the standalone free Comodo firewall (version 8.4.0.5076), every time my computer is started up it tries to download a temporary file. The filename is of the format XXXX.tmp, where XXXX appears to be 4 hexadecimal digits. Each time, the XXXX is different. Since there is no information on this file, or any indication of where it is coming from, I’ve selected “cancel” each time.
After a full backup of my computer OS and data, I downloaded one instance of this file to a USB stick. Examining it with a hex editor, I find that it links back to Comodo. There’s a goo.gl link to an abbreviated URL, which I find is a Comodo URL with the text “buy?”.
I’m assuming this is some Comodo advertising for an upgrade. However … the file is never, ever used. I never see any ad, and every day the computer downloads another “XXXX.tmp” file.
I run Windows 7 x64 Pro. Saturday I updated by girlfriend’s Comodo … and it now does the same thing; she’s running Windows 7 x64 Home.
It’s not really a bug … but it’s certainly a nuisance. I’m sure most users would be greatly distressed to continually get a file download notice, without any information about what the file is or where it came from.

#2

More information … the goo.gl URL which is embedded in the file is: https ://goo.gl/ldD0j6
If I go ahead and run that link, it takes me here: Shopping Cart

Someone’s got a coding problem … Comodo keeps downloading an ad, but never uses it. Instead, files just keep piling up.

Broke the obfuscated link, as such links are not allowed on the forum (§8.10). JoWa

#3

To what folder is it downloaded? Are you running the Firewall in Custom Policy Mode by any chance? I am wondering what it is. If it is a message from Message Center.

#4

I’m running the Firewall in default mode.
If I click on “save”, it asks me where to save it. The first time, I put it on a USB stick so I could examine the file … at that time, I had no idea what this file was or who it came from. After I saw it was from Comodo, I went ahead and clicked “save” and put it in the Downloads folder so Comodo could use it to show me the “upgrade opportunity” and quit trying to download the file at every startup. But it never showed me that ad or web page. Only by following the URL embedded in the file did I get to the page listed.
The file is in the “temp” folder. This morning, the file was apparently downloaded to the “temp” folder (on my computer, E:/temp) while I was out of the room after startup … a file “253B.tmp” with size of 54KB is in the temp folder. When I returned a little while ago, the dialog box was open asking me if I wanted to “save” or “cancel” the file; I selected “cancel”, and a file “8D15.tmp” is shown in the “temp” folder with a size of 0KB.
Looking at the file “253B.tmp”, it indeed has the URL link to Comodo.
Even though I’ve (almost) always selected “cancel”, looking through the “temp” folder I see that the same file (with a different filename always of the form “XXXX.tmp” and a size of 54KB) was downloaded every day since July 11. On July 5 and 6, the file was also duplicated in the “My Documents” folder.
I also have other files of the form “XXXX.tmp” with a size of 28KB that downloads every day … for an even longer time frame … but I don’t see any ANSI strings in the file to try and determine what does.

The fragment from the temp file sending me to the Comodo page is:

<img style=“display:block;border:0;” src=" data:image/png;base64

As I said, it’s not a major issue for me, just a nuisance. But my girlfriend would have been very scared to continually get a file download dialog box with no information about what it was or who it was from. Fortunately, I had looked at it first and could tell her not to worry, just click “cancel”. Although apparently the file still downloads anyway.

-Tim

#5

Hi, I have been trying to look up info on this *.tmp issue. I also downloaded this file just to try and decypher it. And yes, I found reference to “https://goo.gl/ldD0j6”. I did a whois on “goo.gl” and it comes back with:

Domain Name: goo.gl
Domain ID: Imp619-GL
WHOIS Server:
Referral URL:
Updated Date: 2013-12-02T19:11:52.689Z
Creation Date: 2005-06-22T02:00:00.000Z
Registry Expiry Date: 2015-01-01T03:00:00.000Z
Sponsoring Registrar: MarkMonitor
Domain Status: ok
Domain Status: clientRenewProhibited
Domain Status: clientTransferProhibited
Domain Status: clientUpdateProhibited
Domain Status: clientDeleteProhibited
Registrant ID: 4738-GL
Registrant Name: Google Inc.
Registrant Street: 1600 Amphitheatre Parkway
Registrant City: Mountain View
Registrant State/Province: CA
Registrant Postal Code: 94043
Registrant Country: US
Registrant Phone: +1.6303300100
Registrant Phone Ext:
Registrant Fax: +1.6506188571
Registrant Fax Ext:
Registrant Email: dns-admin@google.com
Name Server: ns1.google.com
Name Server: ns2.google.com
Name Server: ns3.google.com
Name Server: ns4.google.com
DNSSEC: unsigned
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I can paste the txt contents here if you like. Or even rename it to *.something and upload it.
It does have html tags and other references to PNG I don't want to rename it to an html to see what it does.
I even tried 'base64' decoding the txt... no luck.

As to the folder that it DLs to, it asks and defaults to 'my documents' with the provided "65.tmp" filename. Otherwise, I just found and deleted in my 'local settings\temp\', 8.tmp 65.tmp, & 779.tmp. Same format text in the files. Each one has reference to "goo.gl".

I will continue the paste that Injinnius started though... It is the last div section in the files... 
~~~~~this starts right like this: base64,iVBORw   etc. ~~~~~~~~~~~~~~~~~~~~
,iVBORw0KGgoAAAANSUhEUgAAAOUAAAAYCAIAAACKp62GAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAACBtJREFUeNrsWk1sG0UU/iaY8t82odAW1BacFvoDtMihEqpUDjgHegEOiThyIb1wd25c7RtXIiEulEMsUCWkcoglhBC0KHHFf3sgbgX9pbTmr5Ta6wzzJl5717vzZtabJqnEarWanZ83b9588+a9NyMwJ+HyCMCt4i1p/v/z/6OfDFoaTAjgSYTTiEBNhH9loJow05FxlIPNOx1FKwepBRMw1+wpNf0ibqSm1SUi3MZSEwaZCEOdWE4QoWySLSLSMA3cNMDY8Qoz8yZsMHJDZIrhBrMwfY1XF+0IG3PMmK2ZS668XcC3PBuIu1jSP8J5gvpgIOVArDWFE/Q1XnmNyCwLfiSMkujRkYgjyyx3wfIDdpm6t+XnG+ZRSzZnCedVmPUlkvcLFgl9L04YNslEwvdzMmimXtYyYiGs4CPN5sryD8eRFF8t/YhWcNaWupfkeE20rfDWj2QXeqz9xNvEMJunDgyPbcTEFuSHKF1vonQWpTPO5lrcSBXB6b2o3cDICSLYztyE6WdQvozxb9jxprcfGJWZ0iKyzgKjUIXbvmQwozPw0pk1t9r9TzSLjrKLBetmwlbnGbwTxR3ID2L0K0vb4k4UhjF5GqX5SJn2DbL3oLCVKgQzsQBOU7gZc0sycKOm6MNAT2/O2ihk0HBw9oVBsTORgWi1qK8aLYKti9gKsQYuTySSKD5J3/J5jM9q+D6K4m7kNyC/HpUr7Aa34KOwEbHUfV92Yiumaqhd1z+e36ph9pRj7f6ku7C0BTRgkzwfDmI6SmQbMNCKGOXaHpB97SPCHMFxMQwcLXqrPdCfng63HduC7H2o1jH+RTunfIaAlRtE/Z82sFSFd0aQ30jpymUcrhL+rr2MwTUa7ntQ2IGho2HiGpqKrGpb3IXx4zq/g1d/Z1NkJ7KUUARLpwjZ6pl+nrga/QyVX+l3/hB9h49RE1VZNSmdxuS3Di6vNDs67lu5e1woNjSZ1MAwu2Jav/IjiS6dWAUW65Za4cWrED5Yy+ghE4cGhZG9W6PwYkhHludR7pgHd2HmBWTvb/8q1M4cxPDRCMONMKsamrU/iXJhN1nGlUs+XlXpTao89xJyQ+0Wi0tCaeWpn1C5QHjNrUXlHPKbqIgqrEHtL2Tv1dyeD1gUzOhcdjlHA5rZZpmoIgwAA2vOGfA2QCL29NvQb9NPN/30YqIRyOz8Nvx001CtGS6y5jcidLwwD81wv40w58HMHia9ALVG+PUCe3qQQqDrwk4Ca+k7iPfoVWBSv0rPDR2hTPVMVikd06kWd+lrwllxn0/Zt1/HHiGwqqLhD4nsIimFbFVU+YXSSsGrJrl1qGsdn39Ia/319EsVmuHRNeNG1zMjXrhJI/z1IgSbgaJmRNrRNyi3RliYPdPUMyleHJwi8PD9LeFgTTIGjTW6ZlKBVrs+6Zq22hKxK7sVwKvSea8it6FdoqA2OYv8Zo2kp+nt+mSZCNZ7GPBdq/rfmDqF4n5MbEf9ZhevBEdQUe2qBv1xjG1Ddi3p+9o1wnHuQaqmeq9eQfYBrYmblKl+291ZT7l4gZimycWo7S84I9gtURpC8n6dgP1q3VWZ01HBmvPSvDvAfFInWNsLDofAMHuBPdtf0GfvoSARY+L7MQQq6mDdi9BvdQ2D0hzGHkdhL4GyQ1ZBkAyGerftIpoH76Ccys+Y2EO7v1o8pZOE4/wWgrIyTlRR2/bgY3z85s47tS5elDT7iIzkTdg1+TaBSTfHX9NEet1dWmlb1pIVsbTFItweQozyuoYx+TklRj7Q2nQExQO+46/ZGP2ovU2Hulswx6fCoavSLKYPYWJX199a7JfMYr/tovdWv045VWXsKjduHwFUpdWr4Ft4Vvtwl/ylZXXSrcEZF4/efct1CfWkOCjx8SocfEbhfBKb6OqMdFug0uZRwtkFjqzjstqRDyC7DjOvYPxj1P/VtuMGH1gtVM4i9zDBd7RMKlDVHHuC8NfFa489gIjaVr38iMoe5Ld19Wv1oo52PUVFtT9Q2E+UVaL2m/aoasCLGNtOORUd3FWMqV/1pSLHqzOmLdgxOAMbheW9OpMJ7WLpA/t9nLusjufwJ5h5jcB07c1QfvUCAav0JQE0tzFUqkCj9BwFvIDiQULb0Ntx9qvsbveTn2Lu9a5+Lf+A6nPIbcL8G12ypRN+YOEqar8jux7l0zpHUHf5x2jxxNjKt/RZhl7cuhggQbQCPlrs22J/vYijx9BpRRxJz60h37uXpEJcNaXARt5FJXAAq5Suyil/T6XKYRo90i1VevHwMVTPU9HUXDu/fiMiilZA0eqc6jlMnQyA2MPo+9RRxyxRZKdmu+xVav6a8bq/9E0k9jSCavXVS8t57lrJBiLwlnS6hMV7hTCf9cd6rLAddVjva1otHseLpya30sFX5RxzsH4eY1kuVXDGxLD10rCLnF1ELVhvzHq+YJi7DG1MzI1j5mzJanAIt+vPic63YL5YaJot/tCOCa4xK40P4vAnGiYJI+GF9JTBGel2mdNqp7qfODoef7JuTOD+K69yRMKIBnP+xDtYpoNv5lDRxatdnugMHLQ7HGId/LWNPoIz0i2AyIdarTEHaV7qwoFt0x4VkGSm7d5Ggc//wlwqHUpj60vD11QTZtUo3bp2H0uwF9MAeziRrCT7zkyEWpcZ7GBiga3A82aVv0zCs5nagGugdKl8wFtBTfbVUKRGQB91VjwqIlYrY27PwLLyKlcHNXk7zdBSrvn0YSmxGvC6+ti6PRT8ishNpuBHpuZTrrDc/hNgAOrFusF1hzTLAAAAAElFTkSuQmCC"  ></a></div>

~~~~~~~~~~~~~~~~~~
Then it goes on to /div 3 times and then end of file.

Not having a burner system that I can just open this file in a browser... I don't want to dig in any further.

Thanks in advance for your help!

\\\Kevin..............................
#6

FYI … the goo.gl is a “URL shortener”. If you put in the shortened URL “Shopping Cart” it will take you to the longer URL which goes to the Comodo page.
To check where it leads to without actually going there, put the URL “Shopping Cart” in the address bar, and append a + (plus sign) or a “.info” to the end of that URL … it will give you the link it points to, who owns it, and other stats.
I examined the file with Neo Hex Editor and found the URL within the file. Then I checked to see where it pointed to. At least since I know it’s coming from Comodo, I’m not nervous about it now … just that I’m getting unnecessary .tmp files in my “temp” directory ever day! (Happens even if I don’t tell it to save.)
Also … I’m not sure this is a “installation/configuration” topic. I’ve been using Comodo firewall for years, on a number of computers. This issue has only happened since the latest firewall update, on 2 different computers running Windows 7 x64 (one Home, one Pro). No change to the configuration.

#7

Can you see if Show messages from COMODO Message Center is enabled? If it is enabled try disabling it and see if the download of the .tmp file stops.

#8

HI. Thanks the response Eric.
I just disabled what you suggested. Rebooted. The file has not tried to d/l as of yet… Whereas, it probably would of by now. I’l turn that on n off over the next day and report back.

Thanks again!

#9

Eric - I’ve disabled that item, and I haven’t seen evidence of any .tmp file downloaded in the past week. I do see the same filename format listed each day, but with a 0KB file size.
I still don’t understand why the firewall would keep downloading a file and then not actually use it … but other than using up a little memory it didn’t appear to do any harm, so no big problem.
I’ve still got my girlfriend’s computer to check out. I’ll post if I learn anything new.
Thanks.
Tim

#10

Hi again Eric, ;D

It seems that you are absolutely right about why we are getting those files. I turned off that selection. Ran for a while, rebooted, ran for a while, and did that process a few times. Then just yesterday, I turned that selection back on, gave it a while and then I rebooted. Not too long after I was back on again, the d/l req came back. I cancelled as I have been.

So, I turned that selection back off. Been through another reboot just now… no d/l !!! It would of shown up sometime as I was typing this.

This is a great fix for this situation. 8) :-TU

THANKS again!!

\\ Kevin…

#11

You’re welcome. Glad I could be of help for you. :slight_smile: