Impossible To Remove Comodo Internet Security Free Even With Batch Script

Hi there,

I am on Seven x64 on an Acer 5920G.

After uninstalling CIS Free I started having malfunctions with some applications which either did not work at all or appeared firewalled even when no firewall was active.

Windows Event Viewer reported the following error “Event 7026: The following boot-start or system-start driver(s) failed to load: cmdGuard, cmdHlpIn” so I went into Device Manager and uninstalled the 2 drivers.

Even after this the error was still present so I tried the batch script from your forums and all it achieved is make it impossible for my PC to connect over the Internet and Windows to not recognize my current security suite at all.

Can you please tell me how to remove your product and get my system back as it was?

Thank you

The problem with Windows Security Center, which I think is what you are referring to here, does not necessarily mean CIS is not properly uninstalled. It can be solved by doing the following:
Open a command prompt by clicking Start → Run. Type cmd and click OK.

In the command prompt window, type NET STOP WINMGMT /Y and press ENTER.

Type REN %WINDIR%\SYSTEM32\WBEM\REPOSITORY REP.OLD and press ENTER.

Type EXIT and press ENTER to close the window.

Restart the system. Windows should start normally, but you may be prompted to restart the system once more to complete the changes caused by resetting the core repository. You may also need to restart once more if Windows Security Center still does not detect your security product.

Does the above do the trick? If you want I can give you an instruction on how to manually remove the last vestiges of CIS.

Keep us posted.

Hi Eric and thanks for your help,

No, I am not referring to Windows Security Centre.
Not as my main problem anyway.

I had the Windows Security Centre problem plus no Internet connection after I used the batch script from Ragwing.
So I had to revert back with System restore and now I don’t have the Windows Security Centre problem and my Internet connection is restored so that script is definitely not for me or my system.

I am still back to square one though with CIS leftover files and drivers that ■■■■■■■ my system and I don’t know how to get rid of them.

As I wrote Windows Event Viewer keeps reporting the following error “Event 7026: The following boot-start or system-start driver(s) failed to load: cmdGuard, cmdHlpIn” even after I went into Device Manager and uninstalled the 2 drivers and rebooted like suggested elsewhere.

Also the registry is full of CIS keys and entries which might or might not be doing something but I cannot manage to make my system work as it used to.

I don’t know if it can help but I run Hijackthis and there are loads of entries referring to Services with an “unknown owner”.
If needed I can copy the report here.

Many thanks

Just to clarify, is your problem with CIS 3 (Comodo Internet Security V3.X) or KIS2010 (Kaspersky Internet Security 2010), as written in the topic title?

Ewen :slight_smile:

Hi Ewen,

It’s Comodo Internet Security Free: sorry but I am trying so many things I am getting all confused :slight_smile:
I have updated the topic title, thank you.
Anyway the 2 drivers that keep popping up belong to Comodo so that was right :smiley:

Here are two ways of manually removing left overs of CIS:

Uninstall CIS and reboot. Then run Comodo System Cleaner (http://system-cleaner.comodo.com/) to get rid of registry keys.

Then delete the Comodo folders under Program Files, Program Files\Common Files, C:\Documents and Settings\All Users\Application Data\ .
For Vista/Win7
\Users\%username%\appdata\local, \Users\%username%\appdata\roaming\ and \Users\%username%\appdata\local\virtual store

To be even more thorough open Device Manager and set it to show hidden devices under menu option View. Then see if there are Comodo driver(s) left in non Plug and Play drivers. If so select the driver → click right → uninstall and reboot.

Now delete the following:
C:\boot.ini.comodofirewall (this file may not exist).
WARNING: Do not mistakenly remove the original “boot.ini”.
C:\WINDOWS\system32\drivers\cmdGuard.sys
C:\WINDOWS\system32\drivers\cmdhlp.sys
C:\WINDOWS\system32\drivers\inspect.sys
C:\WINDOWS\system32\guard32.dll

a. HKEY_CURRENT_USER\Software\ComodoGroup\CFP and HKEY_CURRENT_USER\Software\ComodoGroup\Comodo Internet Security
b. HKEY_LOCAL_MACHINE\SOFTWARE\ComodoGroup\CDI\1 *
*(If you have other Comodo products installed, delete only the values for CFP)
c. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdAgent
d. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdGuard
e. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdHlp
f. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Inspect
g. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdAgent
h. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdGuard
i. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdHlp
j. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Inspect
k. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdAgent
l. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdGuard
m. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdHlp
n. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Inspect
o. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdAgent
p. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdGuard
q. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdHlp
r. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Inspect
s. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro
t. HKEY_USERS\S-1-5-21-1202660629-746137067-2145843811-1003\Software\ComodoGroup\CFP
u. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDAGENT *
v. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDGUARD *
w. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDHLP *
x. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_INSPECT *
y. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDAGENT *
z. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDGUARD *
aa. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDHLP *
bb. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_INSPECT *
cc. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDAGENT *
dd. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDGUARD *
ee. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_CMDHLP *
ff. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_INSPECT *
gg. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDAGENT *
hh. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDGUARD *
ii. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDHLP *
jj. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_INSPECT *
kk. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x32
ll. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFP_Setup_3.0.14.276_XP_Vista_x64
mm. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CFPLog
nn. HKEY_CURRENT_USER\Software\Local AppWizard-Generated Applications\CPFFileSubmission
oo. HKEY_LOCAL_MACHINE\SYSTEM\Software\Comodo\Firewall Pro

*Note: It may not be possible to remove these “LEGACY” keys. If you cannot delete them, leave them in the registry. However, I have subsequently found that you MAY be able to remove these keys in Safe Mode by using a third-party registry tool. To permanently remove them may also require modifying the Permissions for each key. See: https://forums.comodo.com/help_for_v3/comprehensive_instructions_for_completely_removing_comodo_firewall_pro_info-t17220.0.html;msg119226#msg119226

Second method (a more general approach):

We are gonna take a look to see if some old drivers of your previously uninstalled security programs are still around. Go to Device Manager --> View --> show hidden devices --> now look under Non Plug and Play drivers --> when you see a driver that belongs to your previous security programs click right --> uninstall --> reboot your computer.

When the problem persists make sure there are no auto starts from your previous security programs. Download Autoruns and run it.

This program finds about all auto starts in Windows. This tool can therefore seriously damage Windows when not handled properly. After starting go to Options and choose to hide Windows and Microsoft entries, to include empty locations and then push F5 to refresh.

Now check all entries to see if there are references to your previous security program. When you find them untick them. After unticking reboot your computer and see what happens.

Now you should be good to go

Hi EricJH,

I have spent all evening carefully deleting the registry keys and drivers as per your instructions apart from the legacy ones which require Safe Mode.

Well after I reboot I end up again without Internet connection like when I used the batch script from Ragwing.
The only difference is that I do not have that problem with Windows Security Centre which wasn’t a major issue anyway.
I have tried to launch the Windows’ “Troubleshoot Network Problems” but it cannot even identify the problem thus it doesn’t even attempt a solution.
So I rolled back to where I was.

Are those instructions specific for Seven or for previous version of Windows?
Maybe this is why they do not work?
I am just guessing.

Anyway what can we try now?

Thank you

All right so while someone comes up with more suggestions I have tried the uninstallation instructions from EricJH one step at a time.
So remove one key and then reboot (which is a very nice way to spend my Sunday btw).

Anyway I found out that if I remove C:\WINDOWS\system32\drivers\inspect.sys or even just disable it with Autoruns I lose my Internet Connections.
So I guess it’s this process that is messing things up: if I keep it many applications don’t work at all or appear firewalled; if I remove it I lose connection completely.

I also found out that the same driver appears in another location:
C:\Windows\System32\DriverStore\FileRepository\inspect.sys
In this same directory there are other 3 files: inspect.cat (this one has a digital signature that belongs to Comodo), inspect.ini, inspect.PNF

The content of the inspect.ini is this:

";-------------------------------------------------------------------------
; inspect.inf – Comodo NDIS LWF Driver.
:
: Copyright (c) Comodo Inc. All rights reserved.
;-------------------------------------------------------------------------
[version]
Signature = "$Windows NT$"
Class = NetService
ClassGUID = {4D36E974-E325-11CE-BFC1-08002BE10318}
Provider = %Comodo%
DriverVer = 05/16/2008,1.0
CatalogFile = inspect.cat

[Manufacturer]
%Comodo%=COMODO,NTx86,NTia64,NTamd64

;For Win2K

[COMODO]
%inspect_Desc% = Install, inspect

;For WinXP and later

[COMODO.NTx86]
%inspect_Desc%=Install, inspect

[COMODO.NTia64]
%inspect_Desc%=Install, inspect

[COMODO.NTamd64]
%inspect_Desc%=Install, inspect

;-------------------------------------------------------------------------
; Installation Section
;-------------------------------------------------------------------------
[Install]
AddReg=Inst_Ndi
;Characteristics=0x40028 ; NCF_LW_FILTER | NCF_NOT_USER_REMOVABLE | NCF_HIDDEN
Characteristics=0x40000 ; NCF_LW_FILTER
NetCfgInstanceId="{208D67BB-EF7E-4183-8341-580548FB2E4D}"
Copyfiles = inspect.copyfiles.sys

[SourceDisksNames]
1=%inspect_Desc%,"",

[SourceDisksFiles]
inspect.sys=1

[DestinationDirs]
DefaultDestDir=12
inspect.copyfiles.sys=12

[inspect.copyfiles.sys]
inspect.sys,2

;-------------------------------------------------------------------------
; Ndi installation support
;-------------------------------------------------------------------------
[Inst_Ndi]
HKR, Ndi,Service,"inspect"
HKR, Ndi,CoServices,0x00010000,"inspect"
HKR, Ndi,HelpText,%inspect_HelpText%
HKR, Ndi,FilterClass, compression
HKR, Ndi,FilterType,0x00010001,0x00000002
HKR, Ndi\Interfaces,UpperRange,"noupper"
HKR, Ndi\Interfaces,LowerRange,"nolower"
HKR, Ndi\Interfaces, FilterMediaTypes,"ethernet, wan"
HKR, Ndi,FilterRunType, 0x00010001, 0x00000001 ;this filter must run before any protocol can bind to the below miniport

;-------------------------------------------------------------------------
; Service installation support
;-------------------------------------------------------------------------
[Install.Services]
AddService=inspect,inspect_Service_Inst

[inspect_Service_Inst]
DisplayName = %inspect_Desc%
ServiceType = 1 ;SERVICE_KERNEL_DRIVER
StartType = 1 ;SERVICE_SYSTEM_START
ErrorControl = 1 ;SERVICE_ERROR_NORMAL
ServiceBinary = %12%\inspect.sys
LoadOrderGroup = NDIS
Description = %inspect_Desc%

[Strings]
COMODO = "COMODO"
DriverHash = "08002E325BE10318"
Inspect_Desc = "COMODO Internet Security Firewall Driver"
inspect_HelpText = "COMODO Internet Security Firewall Driver"

I have not removed any of these files since they were not mentioned in the instructions but I thought about mentioning them.

The question is: how to get rid of it without losing my Internet connection?

I hope anyone can come up with some help since I use this PC for work and it’s the only one I have.

Many thanks.
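Added example, not part of the thread and not Comodo's code: a small Python parser that decodes the install and service settings of the inspect.inf posted above. It shows the driver registering as a mandatory NDIS lightweight filter loaded at system start, consistent with the INF's own comment that the filter must run before any protocol can bind, so the filter is something to unbind or uninstall from the adapter before inspect.sys is deleted or disabled. The function names and the embedded excerpt are constructed for illustration, and the StartType, FilterType and FilterRunType tables are standard INF values rather than values from the post.

```python
import re

# Constructed excerpt of the inspect.inf posted above, straight quotes restored.
SAMPLE_INF = r"""
[Install]
AddReg=Inst_Ndi
Characteristics=0x40000 ; NCF_LW_FILTER
[Inst_Ndi]
HKR, Ndi,FilterType,0x00010001,0x00000002
HKR, Ndi,FilterRunType, 0x00010001, 0x00000001
[inspect_Service_Inst]
StartType = 1 ;SERVICE_SYSTEM_START
ServiceBinary = %12%\inspect.sys
"""

# NCF_* names come from the INF's own comments; the other tables are standard INF values.
NCF = {0x8: "NCF_HIDDEN", 0x20: "NCF_NOT_USER_REMOVABLE", 0x40000: "NCF_LW_FILTER"}
START = {0: "BOOT", 1: "SYSTEM", 2: "AUTO", 3: "DEMAND", 4: "DISABLED"}
RUN_TYPE = {1: "mandatory", 2: "optional"}
FILTER_TYPE = {1: "monitoring", 2: "modifying"}
DWORD_FLAG = "0x00010001"  # FLG_ADDREG_TYPE_DWORD

def parse_inf(text):  # lower-cased section name -> lines, ';' comments stripped
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = sections.setdefault(header.group(1).strip().lower(), [])
        elif line and current is not None:
            current.append(line)
    return sections

def keyvals(lines):  # "Key = value" lines -> {key_lowercase: value}
    pairs = (l.split("=", 1) for l in lines if "=" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def ndi_dwords(lines):  # AddReg fields: root, subkey, value name, flags, value
    out = {}
    for l in lines:
        f = [x.strip() for x in l.split(",")]
        if len(f) == 5 and f[1].lower() == "ndi" and f[3].lower() == DWORD_FLAG:
            out[f[2].lower()] = int(f[4], 16)
    return out

def summarize(text, install="install", service="inspect_service_inst"):
    s = parse_inf(text)
    inst, svc = keyvals(s[install]), keyvals(s[service])
    ndi = ndi_dwords(s[inst["addreg"].lower()])
    flags = int(inst["characteristics"], 16)
    chars = sorted(n for bit, n in NCF.items() if flags & bit)
    run = RUN_TYPE.get(ndi.get("filterruntype"))
    return {
        "characteristics": chars, "run_type": run,
        "filter_type": FILTER_TYPE.get(ndi.get("filtertype")),
        "start": START[int(svc["starttype"])], "binary": svc["servicebinary"],
        # Mandatory LWF: unbind/uninstall it from the adapter before deleting the .sys.
        "unbind_first": "NCF_LW_FILTER" in chars and run == "mandatory",
    }
```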

Inspect.sys is the packet filter driver that is at the very core of CIS. Disabling the start up with Autoruns and rebooting should normally not result in the loss of your internet connection.

Do you have other security apps? Try disabling them temporarily to see if that helps. Do you have other programs that interfere with networking like Net Limiter? Try disabling them temporarily.

After uninstalling and cleaning when you look at the properties of your Network Connection do you see the Comodo Internet Security Firewall Driver mentioned or not? I attached a screenshot of what it looks like with CIS still installed.

[attachment deleted by admin]

Hi EricJH,

At the moment I am using Kaspersky Internet Security 2010 (hence the previous confusion).

No it doesn’t.

No nothing else

You’ll have to tell me how to get this property window in Seven since bloody Microsoft must have removed it or hidden it somewhere since I have spent an hour trying to get it.

Thank you.

Hi again,

I found out the properties of my Network Connection and the Comodo Internet Security Firewall Driver was mentioned and ticked.
So I unchecked it and then managed to uninstall it from Windows drivers and Device Manager.
Even after rebooting it still appears in Network Connection properties though, albeit unchecked.

Fortunately I have got back Internet connections without Comodo drivers installed and almost all my applications seem to work (not all yet though).

I also still have the legacy registry keys (haven’t tried to delete these ones yet) and all the files in C:\Windows\System32\DriverStore\FileRepository
(inspect.cat (this one has a digital signature that belongs to Comodo), inspect.ini, inspect.PNF and inspect.sys)
The files in the FileRepository are impossible to delete even in safe mode or trying to modify permissions.

Forget about the Legacy Key; they are a pain to remove and don’t cause harm.

Just out of curiosity. How did this problem arise? Did you have CIS installed first, then uninstalled and rebooted and then installed KIS? Or was it different?

Hi EricJH,

I will leave the legacy keys then.
What about the Comodo files in C:\Windows\System32\DriverStore\FileRepository?

As for what happened, since it was not a major problem like a system not booting I did not notice it at first.
Anyway I uninstalled Comodo, then tried Norton IS but did not like it so removed it (cleaning with their cleaning up utility) and installed Kaspersky IS.

Anyway I haven’t finished sorting everything out yet since some applications probably need to be reinstalled.

I guess you could delete them when not using CIS anymore. I must say I never clean out the driverstore repository and cannot guarantee it won’t cause anything bad.

Hi EricJH,

The Comodo folder in Driverstore is impossible to remove in any way so this too will have to stay.

Finishing to sort things out I found in the Device Manager - Network Adapters a new device called Teredo Tunnelling Pseudo Interface which has the yellow triangle on “This device is not working properly because Windows cannot load the drivers required for this device. (Code 31)”.

I am positive this is a new thing and was wondering if it might be a remnant of the Comodo installation and what is it about since I do not do any tunnelling.

Many thanks

That is not true. I just tested it.

Teredo Tunnel is to support IPv6 under Vista/Win7. I don’t know why it is failing. It may be worth troubleshooting but my initial estimation is it may not be related to CIS. CIS does not support IPv6. But then again, I could be wrong about it not being related…

I will ask other mods to take a look at this topic as well. Your problem is not your average usual problem.

Hi EricJH,

What are you referring to?
You quoted yourself.

If you were referring to Driverstore entries how did you remove them?

Yes thank you I will wait for their opinion on this.

I am positive I did not even have this entry before.
There were only Broadcom Netlink and Intel Wireless Wi-Fi

I quoted myself because what I wrote in the above is not true. I will strike a line through it.

If you were referring to Driverstore entries how did you remove them?
Wasn't referring to this.
Yes thank you I will wait for their opinion on this.

I am positive I did not even have this entry before.
There were only Broadcom Netlink and Intel Wireless Wi-Fi

Vista and Win 7 will always have the IPv6 section. When it is enabled you won’t see it in Device Manager in the main tree. Only when you would open the Network Adapters section you would have seen the IPv6 “device”.

Yes I agree.
What solved my problem was unticking the Comodo firewall entry in the Internet Connection properties like you advised.

I know it’s not in the main tree, in fact I specified Device Manager - Network Adapters.
I am still quite positive I never had this entry in the Network Adapters section and certainly not with a malfunctioning sign.

I’ll wait for the admin’s reply although since IPv6 is still not adopted this shouldn’t cause too much trouble.
When I’ll have time I’ll try to uninstall and reinstall the device.

My problem is with my OpenDNS; well, now that I’ve installed Comodo it took care of the DNS and my whole network is malfunctioning. Comodo can get past all this hassle and possibly bad reputation, especially from angry customers, if you would have clearly stated what Comodo does for you, and where you might have, well actually not might have issues, you WILL have issues, like networking with DNS; uninstalling is a major issue; and then the buddy geek: I personally don’t want 24/7 ‘assistance’, if I understand that in real terms it sounds more like you took over my PC, NOT you caring for my glitches & security.
I liked the browser to bits, with the sandbox and the whole design, the SSL stuff, but I DON’T like surprises, no SIR.
So formatting and reinstalling Win for the last time because of your product.
keep up the great work and remember to put a BIG sign , watch out for how much Security you REALLY WANT/need?
Thanks