Clean-Up Tool for Comodo Internet Security (OLD)

[languy99]

in my opinion instead of having a script just use revo uninstaller set to moderate, that will remove anything that is left over from comodo, be it registry keys or files. I have used it to remove comodo over a dozen times to test it and it has always removed everything and comodo has always reinstalled just fine.

[Alan Borer]

I disagree.

I used RevoUninstaller to launch the Comodo built in removal, and to supplement with a few extra remnants that it found.  After this I used the CFP 3 File+Registry Cleaner.bat

I noticed "inaccessible" amongst all the many errors that flashed across the command window,
and immediately recognised that something that was told to go had chosen to stay.

Only I saw that, nothing else saw it or warned me, instead I was told
"All remains of Comodo Internet Security should now be gone!"

I cancelled various echo off commands and configured a CMD shell with a tremendous display memory and eventually found that after running the script many times it was still getting inaccessible errors when deleting various
"HKEY_LOCAL_MACHINE\SYSTEM\* ControlSet * \Services\Inspect".

I then launched RegEdit and took ownership of those keys, then I ran the script and they gave no more trouble.

The existing script uses REG.EXE to delete keys, and ignores any permissions issues
Regseeker will search for targets and delete and pretend success, ignoring permissions issues.
I do not know if RevoUninstaller failed to detect the ...\Inspect key, or if it too assumes that keys will go when they are told to.

This is why I am slightly tweaking an existing script - every deletion will be tested and if it failed the target will be logged, after which it will be very easy to manually seize authoririty over what was stuck.

Regards
Alan

[Alan Borer]

I would realy appreciate advice upon repairing the registry with the commands

Code: [Select]

NET STOP WINMGMT /Y
cd "%windir%\system32\wbem\"
RD /S /Q "Repository"
NET START WINMGMT /Y

The existing scripts do this.  Why ?  What has caused damage that merits repair ?
Is damage caused by the script deleting things ?
Does the initial removal built into Comodo do damage ?

I am very reluctant to perform this.

Three months ago I used the removal script and afterwards the Application event log showed Wimngmt errors for each of 4 off ".NET Framework" *.MOF files.

I rebooted several times with no further errors and hoped that Windows had succeeded in recovering.
I installed the latest C.I.S. and a few days later I noticed that 50 new *.MOF files had appeared in the repository, and dberr.txt error messages were accumulating at 30 minute intervals.  The new *.MOF files were created at the same time as the Winmgmt errors.

I was told I had a corrupt registry and it needed repairing, and I was told how to repair it. But I still have problems.

I am going to restore an image of C:\ before it was damaged, and repeat WITH MUCH GREATER CARE the removal of the old Comodo.  Now that I am enhancing the clean-up script I see it includes the repository repair commands, and think this could be what broke Windows.

I now realise that when I repeatedly ran the script a dozen times trying to identify what was inaccessible, that each time I was rebuilding the repository.
It is far too much of a coincidence that after rebuilding 12 times it is now broken ! ! !

The rebuild does take some time, so some of the dozen script launches were so close together that the rebuild may have been aborted either before it started or in mid-process.

If I do rebuild the repository I will ensure it is only done the once and allowed plenty of time to complete,
but before I do a rebuild I would like to know why I need to, and what benefit I will get, and what risks I run if I refrain

Regards
Alan

[Ronny]

This command is used to clean out left over registrations for the Security Center entries like Firewall and AV.

It could be that CIS is uninstalled but that the registration for Security Center is still active... this command cleans out and rebuilds the repository that keeps that information.

[Alan Borer]

Thank you

May I safely assume I do not need to rebuild the repository unless :-
I receive system event log errors referring to the Security Centre ; or
I fail to achieve a new install of Comodo because it thinks the old one is still installed ?

Regards
Alan

[Ronny]

Thank you

May I safely assume I do not need to rebuild the repository unless :-
I receive system event log errors referring to the Security Centre ; or
I fail to achieve a new install of Comodo because it thinks the old one is still installed ?

Regards
Alan

Hi Alan,

If your current Security Center does not show any "comodo" stuff installed and/or inactive etc then you can skip this part of the process.

[Alan Borer]

Thank you

After starting the Security Centre service I could see the centre reporting A.V. by Comodo and Firewall by Comodo, so hopefully when I un-install the old version of Comodo I will immediately see these reports blanked out.
I have now disabled the Windows Security Centre service so that Comodo may continue to protect me without interference.

I noticed that the Security Centre failed to indicate who provided Defense+ or HIPS.
Microsoft seem to be unaware of such things.
I guess Comodo are playing in the Professional league of security protection,
whilst Microsoft are merely apprentice players in the amateur league ! ! !

Again, many thanks, I feel I am now "good to go"

Regards
Alan

[Alan Borer]

REGISTRY KEY ERRORS - CLEAN-UP SCRIPT TARGETS DO NOT EXIST

I am about to release a clean-up script with error detection and reporting capability that immediately shows any files or registry keys that need manual intervention to overcome permission issues.

This lists all the items that it intends to delete, and if authorised will then delete them, after which it will show anything that refused to go away.

With a fully functional working Comodo 3.13, the initial LIST stage shows that out of 143 registry key targets, only 44 are available for deletion - there are 99 which do not exist whilst Comodo is installed.
38 Registry keys are not present because I declined the offer of the Ask Toolbar

61 Registry keys are not present.
I am concerned that 61 keys have been wrongly spelt,
and because of a spelling error they will remain behind and cause future problems.
e.g.
...\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}  should that be spelt
...\CLSID\{FD04B231-DA4B-4daf-81E4-DFEE4931A4AA}  ?

I would appreciate advice upon whether all the following 61 items are correctly spelt,
or whether a slight adjustment is appropriate.

Regards
Alan

Code: [Select]

"HKEY_CURRENT_USER\Software\CFP"
"HKEY_CURRENT_USER\Software\ComodoGroup\CFPSkin"
"HKEY_CURRENT_USER\Software\AppDataLow\AskBarDis"
"HKEY_CURRENT_USER\Software\AskBarDis"
"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}"
"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu\Programs\COMODO"
"HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CPFFileSubmission"
"HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\SafeSurf"
"HKEY_LOCAL_MACHINE\SYSTEM\Software\SafeSurf"
"HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\CDI\13"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdAgent"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdGuard"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdHlp"
"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Inspect"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\COMODO Firewall Pro"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\COMODO Firewall Pro"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\COMODO SafeSurf"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AskSBar Uninstall"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ask Toolbar_is1"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\COMDOO SafeSurf"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Help Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Help Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B15FD82E-85BC-430d-90CB-65DB1B030510}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B238-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0702a2b6-13aa-4090-9e01-bcdc85dd933f}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{08993A7C-E764-4172-9627-BFB5EA6897B2}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{128A6C66-AC6A-4617-8268-AB7F47B7215E}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{528B5866-2BA6-42ce-8F74-39FB23B49767}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{571715D7-3395-4DF0-B43C-784836209E60}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{622fd888-4e91-4d68-84d4-7262fd0811bf}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B004FD67-F058-49e6-96DA-99237A82133C}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{b0de3308-5d5a-470d-81b9-634fc078393b}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C94E154B-1459-4A47-966B-4B843BEFC7DB}"
"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EC1D2C70-8CDE-4013-BE72-2B08A2C54B6B}"
"HKEY_CLASSES_ROOT\CLSID\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}"
"HKEY_CLASSES_ROOT\CLSID\{B15FD82E-85BC-430d-90CB-65DB1B030510}"
"HKEY_CLASSES_ROOT\CLSID\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_CLASSES_ROOT\CLSID\{F0D4B238-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_CLASSES_ROOT\CLSID\{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}"
"HKEY_CLASSES_ROOT\CLSID\{0702a2b6-13aa-4090-9e01-bcdc85dd933f}"
"HKEY_CLASSES_ROOT\CLSID\{08993A7C-E764-4172-9627-BFB5EA6897B2}"
"HKEY_CLASSES_ROOT\CLSID\{128A6C66-AC6A-4617-8268-AB7F47B7215E}"
"HKEY_CLASSES_ROOT\CLSID\{201f27d4-3704-41d6-89c1-aa35e39143ed}"
"HKEY_CLASSES_ROOT\CLSID\{3041d03e-fd4b-44e0-b742-2d9b88305f98}"
"HKEY_CLASSES_ROOT\CLSID\{528B5866-2BA6-42ce-8F74-39FB23B49767}"
"HKEY_CLASSES_ROOT\CLSID\{571715D7-3395-4DF0-B43C-784836209E60}"
"HKEY_CLASSES_ROOT\CLSID\{622fd888-4e91-4d68-84d4-7262fd0811bf}"
"HKEY_CLASSES_ROOT\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}"
"HKEY_CLASSES_ROOT\CLSID\{B004FD67-F058-49e6-96DA-99237A82133C}"
"HKEY_CLASSES_ROOT\CLSID\{b0de3308-5d5a-470d-81b9-634fc078393b}"
"HKEY_CLASSES_ROOT\CLSID\{C94E154B-1459-4A47-966B-4B843BEFC7DB}"
"HKEY_CLASSES_ROOT\CLSID\{EC1D2C70-8CDE-4013-BE72-2B08A2C54B6B}"
"HKEY_USERS\S-1-5-21-1417001333-329068152-839522115-1003\Software\CFP"
"HKEY_USERS\S-1-5-21-1960408961-839522115-1957994488-500\Software\AppDataLow\AskBarDis"
"HKEY_USERS\S-1-5-21-1960408961-839522115-1957994488-500\Software\Microsoft\Internet Explorer\SearchScopes\{CF739809-1C6C-47C0-85B9-569DBB141420}"


[HeffeD]

I realize you're talking about registry keys here, but I'd love it if a clean up script would delete the sfi.dat file.

[Alan Borer]

My version applies the options /F /A when deleting files, so has a better chance of removing write protected files.

The big benefit is that any file or key, and any inaccessible path that may harbour files, will be reported as FROZEN if it cannot be cleaned, and that identifies the files and keys the user needs to take ownership over so they can be manually purged.

When Push comes to Shove, I would be prepared to manually take down SFI.DAT with CACLS,
but I would fear horrendous consequences if my script were to include such an action.

I have not yet had any SFI.DAT aggravation, but if it will not go quietly that suggests to me that Comodo is still actively protecting its files, and perhaps my script will then get quarantined as malware ! ! !

Below is the output showing how my code presents the results when the target list is just a few items to which for test purposes I have caused various access problems.

N.B. the test script makes two attempts at removing folder "COMODO_TEST_0" and file "comodo_test.txt".  They are both declared frozen because my debug test starts a CMD.EXE instance with current directory at COMODO_TEST_0 so Windows will not allow its removal, and it spends a few seconds doing PING redirected into "comodo_test.txt" so that file is also protected.  The main script delays a bit longer until PING is done and the new instance of CMD.EXE closes, after which these two items are no longer frozen and can be killed.

Incidentally, "HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\Alan\Test2" is frozen because I added a sub-key and took ownership and write protected it against everyone.

I have thought of and tested against everything evil I can think of,
but experience has taught me that Windows has always got more evil gotchas up its sleeves !

Regards
Alan

Code: [Select]

----  KILL Comodo Files and REG_Keys ; 21:42:18.65  ----
KILL ?  Y(es) / N(o) :- Y

Access is denied.
Needs Manual Intervention, Code 5 - Permissions Issues ?
FROZEN "C:\Documents and Settings\suzanne\"

ABSENT "C:\Documents and Settings\suza\"

VALID  "C:\DOCUME~1\Dad\LOCALS~1\Temp\ZAP_CFP"
 SEEKING FILES ...
The process cannot access the file because it is being used by another process.
 ++ FROZEN  "COMODO_TEST_0" [RD /S  /Q]
C:\DOCUME~1\Dad\LOCALS~1\Temp\ZAP_CFP\comodo_test.txt
The process cannot access the file because it is being used by another process.
 ++ FROZEN  "comodo_test.txt" [DEL /F /A]
ABSENT  "comodo_test.lst" [DEL /F /A]
KILLED  "comodo_test.txt" [DEL /F /A]
KILLED  "COMODO_TEST_0" [RD /S  /Q]

 SEEKING REGISTRY KEYS
Error:  Access is denied.
 ++ FROZEN:- "HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\Alan"
Error:  Access is denied.
 ++ FROZEN:- "HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\Alan\Test2"
KILLED:- "HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\Alan\Test3"

PATHS    :- VALID = 1; FROZEN = 1;             ABSENT = 1
FILES    :- FOUND = 0; FROZEN = 2; KILLED = 2; ABSENT = 1
REG_Keys :- FOUND = 0; FROZEN = 2; KILLED = 1; ABSENT = 1
NEED FIX :- FOUND = 0; FROZEN = 5; KILLED = 3;

 ----  SHOW Comodo Files and REG_Keys ; 21:43:32.20  ----
SHOW ?  Y(es) / N(o) :- Y


[HeffeD]

I have not yet had any SFI.DAT aggravation, but if it will not go quietly that suggests to me that Comodo is still actively protecting its files, and perhaps my script will then get quarantined as malware ! ! !

Oh, it goes quietly when CIS is uinstalled. It's just that it's left there after the uninstaller finishes its business. Isn't that the point of the clean-up tool, to get rid of everything the uninstaller leaves behind?

[Alan Borer]

I have added C:\WINDOWS\system32\drivers\SFI.dat as a removal target

Regards
Alan

[rcurtice]

  when I try to download this clean up tool I get all sort of adware and no download

[Ronny]

Please look for this link, i think the ads are because it's a "sponsored" link site...
(and this is not an official Comodo Tool, the OP decided to host it there)

[attachment deleted by admin]

[Alan Borer]

I have almost finished testing my version on myself, and then I will post on this forum.

I expect to post before CIS version4 comes out of Beta ! ! !

I am aiming for tomorrow.

Regards
Alan