Application Agent not running

stateofdesign · May 31, 2009, 1:45am

Running Xp home, 32bit, installed spybot S&D, SuperAntiSpyware real time protection

Recovering from a major malware invasion. Was using Trend Micro pc-cillian but after switching emails and never seeing the alert that my anti-virus software was about to expire (thus leading to major invasion), moved over to COMODO

When I went to run the install for COMODO, it warned me that Trend Micro firewall is still running, but searching through control panel it wasn’t listed. I did a search for “trend micro” and deleted all files found. Ran the install again fro COMODO and received the same message about TM running still. Ignored it since I believed it wasn’t running the firewall. Am I wrong?

Ran a diagnostics and when App Agent said it couldn’t repair, i copied the log. I’ve attached the results.

Any help would be very much appreciated. Your program came very highly recommended. Thanks very much.

[attachment deleted by admin]

riggers · May 31, 2009, 5:41pm

First off we need to try and get rid of Trend Micro which i`ve heard can be extremely tough to remove.

Remove Comodo, you could use Revo uninstaller http://www.revouninstaller.com/ be careful don`t re-boot when it tells you to, then make sure just the bolded items are checked for removal (registry)
Then re-boot.

Try re-installing Trend-Micro application and then uninstall it using Revo.

If all else fails you could try this Download Center | Trend Micro , i have never used it so cannot vouch for it`s usefullness.

Also Have a look in Task Manager to see if any Trend processes are running, kill em if they are, also try booting into “Safe Mode” and looking for associated stuff.

Couple of articles Support | Trend Micro Help Center
Support | Trend Micro Help Center

Matt

stateofdesign · June 1, 2009, 5:23am

Matty, you my friend are the man!

I followed your steps. Although, Revo did not find any remnants of Trend Micro, reading through the last link you provided I was able to find a page that listed a program from TM to remove it complete from the CPU.

I re-installed COMODO, restarted, updated the virus definitions and after one more restart, everything works perfectly. You can close this issue out.

Thanks again for everything. I have a piece of mind that I have not had in 8 days since realizing I was infected (ok, a guarded piece of mind. Still, better than the feeling I had yesterday. ;D )

stateofdesign · June 1, 2009, 11:06pm

Well, I spoke too soon.

Turned on the CPU this afternoon and same Application Agent message isn’t running as before. I ran diagnostics and it told me there were no problems w/ the installation.

So, what’s the next step?

Again, many thanks for your help…

Citizen_K · June 2, 2009, 10:19pm

Could you try a clean install of CIS using the following (forget the part about the Legacy keys; they are too much work).

Uninstall CIS and reboot. Then run [url=https://forums.comodo.com/comodo_system_cleaner_fileregistryprivacy_cleaner/comodo_system_cleaner_116494436_released-t37631.0.html]Comodo System Cleaner[/url] to get rid off registry keys.
Then delete the Comodo folders under Program Files, Program Files\Common Files, C:\Documents and Settings\All Users\Application Data\ .
For Vista/Win7
Users%username%\appdata\local, Users%username%\appdata\roaming\ and \Users%username%\appdata\local\virtual store

To be even more thorough open Device Manager and set it to show hidden devices under menu option View. Then see if there are Comodo driver(s) left in non Plug and Play drivers. If so select the driver → click right → uninstall and reboot.

Now delete the following:
C:\boot.ini.comodofirewall (this file may not exist).
WARNING: Do not mistakenly remove the original “boot.ini”.
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdhlp.sys
C:\WINDOWS\system32\drivers\inspect.sys
C:\WINDOWS\system32\guard32.dl

a. HKEY_CURRENT_USER\Software\ComodoGroup\CFP and HKEY_CURRENT_USER\Software\ComodoGroup\Comodo Internet Security
b. HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\CDI\1 *
*(If you have other Comodo products installed, delete only the values
for CFP)
c. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
\cmdAgent
d. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services
\cmdGuard
e. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdHlp
f. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Inspect
g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
\cmdAgent
h. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services
\cmdGuard
i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdHlp
j. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Inspect
k. KEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
\cmdAgent
l. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services
\cmdGuard
m. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdHlp
n. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Inspect
o. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdAgent
p. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdGuard
q. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdHlp
r. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
\Inspect
s. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro
t. HKEY_USERS\S-1-5-21-1202660629-746137067-2145843811-1003\Software\ComodoGroup\CFP
u. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDAGENT *
v. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDGUARD *
w. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDHLP *
x. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INSPECT *
y. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDAGENT *
z. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDGUARD *
aa. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDHLP *
bb. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_INSPECT *
cc. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDAGENT *
dd. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDGUARD *
ee. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDHLP *
ff. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INSPECT *
gg. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDAGENT *
hh. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD *
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP *
jj. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT *
kk. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x32
ll. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x64
mm. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFPLog
nn. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CPFFileSubmission
oo. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro

*Note: It may not be possible to remove these “LEGACY” keys. If you cannot delete them, leave them in the registry. However, I have subsequently found that you MAY be able to remove these keys in Safe Mode by using a third-party registry tool. To permanently remove them may also require modifying the Permissions for each key. See: https://forums.comodo.com/help_for_v3/comprehensive_instructions_for_completely_removing_comodo_firewall_pro_info-t17220.0.html;msg119226#msg119226

Now you should be good to go