
ComboFix won't run because of AVG - AVG isn't installed.


  • This topic is locked This topic is locked
23 replies to this topic

#1 newtekie1


Posted 23 November 2010 - 04:31 PM

Basically what the title says. I try to run Combofix and it says it can't run because AVG 2011 is installed. However, I've uninstalled AVG before running Combofix AND run the AVG removal tool from AVG's site. So there is no trace of AVG on the computer, yet Combofix still won't run.


#2 quietman7


Posted 23 November 2010 - 06:42 PM

ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them. If some of ComboFix's files are removed by AVG, it will not perform its routines properly and the developer has determined this can cause damaging or "unpredictable results". This is an issue with AVG and since it cannot be effectively disabled before running ComboFix, the developer has chosen not to allow his tool to run until AVG is uninstalled first in order to avoid any possible issues.

With that said, please note the message text in blue at the top of this forum.

No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert." Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read the pinned topic ComboFix usage, Questions, Help? - Look here.

As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we have asked someone to run it or there is a problem with the computer caused by running it. This is because people should not be using ComboFix without being advised to do so by a trained expert who is assisting a member in dealing with a malware issue on that system. Further, more information is needed, by using tools like DDS, OTL and RSIT which create comprehensive logs with specific details about a computer's system, files, folders and registry keys which may have been modified by malware infection, BEFORE deciding if ComboFix should be used.

If you need assistance with a malware infection that requires using ComboFix, please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
  • When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.

Edited by quietman7, 23 November 2010 - 06:44 PM.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 newtekie1


Posted 24 November 2010 - 12:53 PM

Yes, thank you for the reply. I am a malware removal expert, been doing it for years, so thank you for the warning but I know what I am doing and I understand the risks.

However, back to my actual problem. AVG is NOT installed, I have run the AVG removal tool just to make sure, and ComboFix still insists that AVG is installed. How do I get around that?

I've also re-installed AVG and uninstalled it again and ComboFix is still saying AVG is installed. I understand the reasoning behind detecting AVG and not running, I've seen the bad things that happen when AVG is left running when Combofix is run, but in this instance a bypass would be nice when it is certain that AVG is not actually installed.

Edited by newtekie1, 24 November 2010 - 01:01 PM.


#4 quietman7


Posted 24 November 2010 - 01:13 PM

I am a malware removal expert

Then you should have no problem asking sUBs as he provides assistance to all trained experts in the private forum areas where questions related to ComboFix can be asked.

#5 arcanewulf


Posted 18 January 2011 - 02:21 PM

This might be dredging up an old topic, but it is still a very pertinent one, and not wanting to open a new thread I feel this is the best place to speak on the matter.

If you do not wish to hear me rant, skip to the last paragraph which highlights the intended purpose of my post, the rest is just me engaging in debate over the policies of this forum and of combofix as a software. I do not wish to offend anybody, I just know I am not alone in my feelings and wish to make my argument available.

First off, I understand the need for an explicit warning against running a scan while AVG is installed. If you do not properly disable the software, then you will open your computer to possible harm from the same utility you seek to help it. On the other hand, there are certainly many users who are more than capable of shutting AVG off without uninstalling it, and quite frankly I feel that AVG is one of the best anti-viruses on the market right now. Kaspersky and a few others have their runnings in the antivirus race, but AVG does a very good job at detecting infections and holding true to user friendliness (have fun turning off features of Norton, McAfee and F-Secure, three of the least user friendly antivirus tools out there) and to force a user to uninstall a good piece of software to use your tool is both inconvenient and non user-friendly.

Not only this, but this tool is claimed to be kept so very secret to maintain its ability to detect malware and to thwart those who would use program secrets to disable its usefulness. So it seems counter-intuitive that there is NO method for bypassing "AVG is installed" errors, as all a rootkit needs to do is emulate part of an AVG installation to prevent combofix from being able to run. People who write these softwares go to great lengths to make them work and keep them from being removed, so far as to append code to the master boot record and circumvent driver signatures. So it is not a stretch whatsoever that writers of these softwares need only emulate enough of AVG's service to stop combofix from running to render it unusable, and the creator of combofix would be none the wiser because his minions of "malware removal experts" tout the generic message of "do not run this software of your own accord" and "the author of Combofix does not wish it to be discussed so as to prevent malware writers from circumventing its operation."

Quite frankly I feel as though (and this is my opinion to be interpreted at your own discretion, without the intent of offending) the idea of not running this software except at the discretion of a "Malware Removal Expert" is a leading the sheep to pasture move. There are plenty of people who are capable of running this tool of their own accord and interpreting what they will of the logs, and I believe it is important that the user have fair warning of the consequences of their actions, but that to tell people not to do something because they're not an expert trained and certified when the program is mostly automated is a bit of an insult to those who just need solutions to their problems.

Also, I make it a point to run security on my computer very frequently, doing Malwarebytes' scans and the like about every other week as a PREEMPTIVE MEASURE. This has so far kept my computer clean of any really nasty viruses. I know for a fact that I have run combofix scans on computers which for all intents and purposes appeared to be running fine and have found rootkits and malware. I wish you would rethink your repeated display of touting the message "you are not an expert, you should not run this software unless you are or consult one" and actually help the people who start these threads. If the creator of this tool is really so intent on keeping this tool in his inner circle, he should not make the download readily available except by request TO these "Malware Removal Experts". If he makes this assertion because he wants his due credit for his work, then he should open his tool for donations.

To the point, I took the time to sign up and post today because preventing the user from running the software with AVG installed is a security risk, and it should be capable of being overridden, or there will likely be malware that uses this feature to disable Combofix's functionality even when AVG is not installed, likely by making it appear installed. One could probably do so now simply by using the same means that causes Newtekie1 to be unable to run the software despite having uninstalled AVG.

#6 arcanewulf


Posted 18 January 2011 - 03:00 PM

Perhaps it isn't my place to say any of that, but somebody has to, because I know many people feel the same way I do.

#7 quietman7


Posted 18 January 2011 - 05:03 PM

Welcome to BC arcanewulf

Your points are noted and I will attempt to address them.

The issue is that AVG (and other anti-virus programs) are detecting ComboFix as malware. Certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as "malware" (virus/trojan) when that is not the case. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may automatically remove them. Normally this is avoided by temporarily disabling the anti-virus until the tool has been run but this has not worked successfully with AVG. Further, AVG is aware and as the vendor it's up to them to stop targeting ComboFix as malware. Until then, sUBs is not going to make himself liable when he knows serious issues can occur if he allows ComboFix to be used while AVG is installed and as the developer, that is his decision to make.

As for using ComboFix under trained supervision, again that is the policy of its creator who has the right to set such criteria if someone wants to run his tool just like any other security vendor. Keep in mind that when dealing with malware infection using ComboFix is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware which scan individual drives or different folders on a computer for viruses.

As for the warning, it's not that ComboFix is dangerous, but that it is a powerful and complex tool. When issues arise due to malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.

Even if used by following this authorized guide: A guide and tutorial on using ComboFix, something could go awry and leave the user facing issues they do not know how to correct or deal with. Trained helpers know what to do in most situations and can provide further instructions as to how one should proceed. If not, they have access to the tool's developer and other experts. Someone not trained and not using the tool under guidance may end up staring at a computer that no longer will boot normally.

#8 arcanewulf


Posted 21 January 2011 - 02:48 AM

Thanks for the reply, I was a little bit heated when I wrote that. I agree with the creator's warning not to use the software, but I think that the community should be a little more tolerant to those of us who like taking a little risk, as some of us understand that a worst case scenario is a repair install of Windows and accept that going into the situation.

I really don't want to go through the hassle of uninstalling AVG, running the scan, and then reinstalling it and running updates and the like, and it's frustrating that there isn't a little button there that says "I assume all responsibility, just go ahead, ignore AVG".

And I would appreciate it if someone would at least ask the author of the software if he has thought about viruses posing as AVG to keep combofix from running. I was more or less just worried he may have overlooked this possibility in his decision on the matter. If it is still his intention then that's fine, I just didn't want this to be an unknown security vulnerability.

Sorry for the short story, and hopefully I calm down before I make such a post next time.

#9 quietman7


Posted 21 January 2011 - 07:52 AM

You're welcome.

We certainly understand your frustration. But at least now you have an understanding why sUBs does things his way. sUBs is by no means unapproachable. I have always found him to be open to suggestions and listening to concerns but safety of the user is a priority and in the end all decisions are up to him.

#10 rknell


Posted 18 April 2011 - 05:05 AM

Well, after reading this forum and getting pretty annoyed with everyone saying "Well you should be more educated" I got combofix working...

Here's the hot tip - go to Program Files and delete the folder called "AVG".

That's about it.

I too reinstalled and ran the removal tool, also ran RevoUninstaller.... but a simple folder delete did it.

#11 quietman7


Posted 18 April 2011 - 08:00 AM

That may have worked for you but I have to caution others as that is not the proper method to remove AVG or most other anti-virus programs. If you just delete the folder, the program would still be listed in Add/Remove as an orphan entry along with all its associated registry entries. To remove it and the leftovers, you would either have to edit the registry or use a third party utility.

The correct way to remove AVG 2011 is through its program folder via Start > All Programs or by using Add/Remove Programs or Programs and Features in Vista/Windows 7.

An alternative way is to download and run the latest AVG installation file. When the AVG Installer window appears choose the option to Remove and click Continue to allow the AVG 2011 uninstaller to run. Restart the computer when done.

If the above does not work, folks can download and use AVG's uninstall/cleanup utility (AVG Remover) provided in the AVG 2011+9.0+8.x Uninstall/Re-Install Instructions or use Opswat AppRemover.

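One way to check whether an uninstall really finished, rather than guessing from a tool's refusal to run: the read-only PowerShell below (an added example, not code from this thread, AVG or ComboFix) lists leftover program folders, orphaned Add/Remove Programs registry entries, and services or drivers whose names still match "AVG". The locations are the standard Windows ones; matching on the vendor name is an assumption, since the thread does not say which artefact ComboFix keys on.

```powershell
# Added example: report remnants an incomplete anti-virus uninstall leaves behind.
# Read-only: it lists and removes nothing. Matching on "AVG" is an assumption.
param([string]$Vendor = 'AVG')

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Item) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Item = $Item })
}

# 1. Leftover program folders (the "AVG" folder under Program Files from post #10)
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData) | Where-Object { $_ }
foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -like "*$Vendor*" } |
        ForEach-Object { Add-Finding 'Folder' $_.FullName }
}

# 2. Orphaned Add/Remove Programs (Programs and Features) entries: the registry keys
#    a proper uninstall deletes and a bare folder delete leaves behind
$uninstallHives = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
foreach ($hive in $uninstallHives) {
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.DisplayName -like "*$Vendor*" -or $_.Publisher -like "*$Vendor*" } |
        ForEach-Object { Add-Finding 'UninstallEntry' "$($_.DisplayName) [$($_.PSChildName)]" }
}

# 3. Services and kernel drivers still registered: anti-virus components hook the
#    OS core, so a driver left behind is a typical remnant a later tool trips over
$svc = Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue
$drv = Get-CimInstance -ClassName Win32_SystemDriver -ErrorAction SilentlyContinue
foreach ($s in (@($svc) + @($drv) | Where-Object { $_ })) {
    if ($s.Name -like "*$Vendor*" -or $s.DisplayName -like "*$Vendor*" -or $s.PathName -like "*$Vendor*") {
        Add-Finding 'Service/Driver' "$($s.Name) ($($s.State)) -> $($s.PathName)"
    }
}

if ($findings.Count -eq 0) {
    "No $Vendor remnants found in the locations checked."
} else {
    $findings | Sort-Object Kind, Item | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the HKLM hives and driver list are readable; on PowerShell 2.0 (the Vista/Windows 7 era of this thread) replace Get-CimInstance -ClassName with Get-WmiObject -Class.
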
#12 bpdev


Posted 25 April 2011 - 03:26 PM

I also created an account to say this.

I think the frustration comes not from refusal to answer, but that the answer is the same regardless of the question.

Here was what was said;

I too reinstalled and ran the removal tool, also ran RevoUninstaller.... but a simple folder delete did it.


And here is your response.

That may have worked for you but I have to caution others as that is not the proper method to remove AVG or most other anti-virus programs. If you just delete the folder, the program would still be listed in Add/Remove as an orphan entry along with all its associated registry entries. To remove it and the leftovers, you would either have to edit the registry or use a third party utility.

......... and so on


He stated he did remove AVG, and used several different methods to do so and yet Combofix still reported it as installed, then he deleted the folder and it worked.

The point is, he had already done what you responded with. I have been a lurker on this site for years and as much as I think it's a great site, there are too many canned responses which look like the responder didn't even read the post it was responding to.

I agree and understand that people need to be cautious, but it's also true that you can be over cautious. Answering the question, "Why does Combofix see AVG as installed, when it isn't" doesn't suggest anything other than, "Why are the AVG uninstaller and AVG removal tool not working properly and what did they miss?" It's not tacit approval to go ahead and just run Combofix, it's just helping someone with a dilemma.

My 2 cents. Please don't respond to this with either a canned response, or another condescending, let us tell you why we won't answer your insignificant queries post, because those are infuriating.

#13 quietman7


Posted 25 April 2011 - 09:56 PM

It is not unusual, after uninstalling an anti-virus in order to install a replacement, that the replacement will not install because it detects remnants of the previous one. Anti-virus software components insert themselves into the operating system's core, making them more difficult to fully remove. Even the vendor's uninstall instructions do not always work, so they will provide special removal tools for those cases. Even then, there are times when everything is not removed after using these tools and users still have issues trying to install a replacement, so they are forced to contact the vendor's support for further assistance.

ComboFix detects what it detects based on what the developer deems necessary. If an anti-virus does not remove itself completely and leaves remnants behind which ComboFix detects, that is not the fault of sUBs.

My replies are written not only for the OP but other members who might read the topic. Most of our members are novice users and a novice reading rknell's posting might assume removing the folder was all that was necessary. These are public forums that anyone can read or misread without asking for clarification or registering for help. As such I provided a caution to anyone else as to the proper way of uninstalling a program.

#14 bpdev


Posted 26 April 2011 - 09:24 AM

And I agree 100% that caution is warranted.

I am not indicating you or any other particular person is at fault here, but a great many times I have seen caution in replies exercised to the point of rendering the reply completely useless.

Just to re-iterate, I love this site, and I have been using it for years now, but occasionally replies to specific questions go unanswered in the name of caution. I have had a couple of other techs I worked with that I've sent to this site come back and tell me it's useless because they couldn't ever get a straight answer to a question.

#15 quietman7


Posted 26 April 2011 - 09:59 AM

Sometimes it's helpful to get directly to the point and be very specific...short and simple. Some OPs write topics that try to cover too much without specifics and helpers find themselves having to read into them.

We encounter thousands of users each with different abilities to use the English language and many who use it instead of their primary language. Same with the staff here so sometimes miscommunication or misunderstanding by both Helper and/or OP result in not always getting the answer one is seeking.

In other cases, the forums are extremely busy and there are not enough volunteer staff members to answer everyone in an expeditious manner. Rather than leave folks without any answer, sometimes we reply with an answer that is more general rather than specific so we can help as many folks as we can. But as you point out, doing that can be a drawback so we rely on the OP to follow up with a more direct question.

Anyway, thanks for the feedback. I hope I addressed your concerns but I don't want to hijackthis this thread. I'm glad you like BC and recommend it to others.