A possible way for hackers to get past the Comodo Firewall

We were hacked into about four weeks ago. I used Avira’s Internet Security software which has a firewall in it and thought we were safe. WWW.MajorGeeks.com helped me to get rid of the hacker and they also pointed me at their list of software to use. After reading the Matusco (spelling?) firewall listing I was appalled to find that Avira was down at the bottom in the “Not Recommended” area (like 3rd from the bottom). So I dumped the Avira firewall and installed the Comodo Free Firewall. It has helped quite a bit although there are still some problems I am dealing with.

The thing is - yesterday (and again today) I am getting a message that says that the Comodo Firewall cannot start but everything is OK. I let Comodo run the diagnostic and that is when it comes back and says that everything is OK. The thing is - Comodo does not come up and run. And if you try to start it manually - it refuses to run. Instead, you have to re-install Comodo Firewall and then it works for about a day. (Remember I said that Comodo refused to come up yesterday too.) It seems to me that if, for some reason, Comodo cannot come up and run - then that is a major concern. I am thinking that whatever the reason Comodo cannot come up and run - that information should be shown rather than just a “Comodo cannot start” message.

I say this because this same Hacker went into the registry and mucked around with it on another system so PHP would not run on that system. If the registry has been hacked on this system (the one where Comodo won’t come up and run) - then that should be a major concern of Comodo. The optimum solution would be to make Comodo auto-reinstall itself and then try again to run. That is what I am doing manually but it would be better if Comodo did this itself.

When Comodo would not come up and run - that system did not want to let me surf the net. However, there was internet traffic even though I wasn’t doing anything else. This would indicate to me that I’ve still got something going on with my system. After re-installing Comodo and rebooting the system - I can do anything I want on the internet and there is very little internet traffic. Again, it makes it look (to me) as if someone has done something to my system.

None of the programs (i.e. SUPERAntiSpyware, Avira, Malwarebytes, Avast!, Stinger, TDSSKiller, etc…) say there is a problem. RogueKiller has found hijack entries on the system and has dealt with them. ComboFix once said (months ago) there was a rootkit on the system - but it is not finding problems now.

Anyway, the possible way that I am seeing for hackers et al. to get around this is to make it so the system won’t allow Comodo to come up and run. Which is what it seems like is happening on my system. I’m uploading the dump Comodo did when it said there was nothing wrong.

[attachment deleted by admin]
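The original poster's complaint is that "Comodo cannot start" tells him nothing about why. On Windows the reason is usually already recorded: the Service Control Manager logs an error (event 7000, 7001, 7023 or 7034) whenever a service fails to start or dies. The script below is an added example, not Comodo's own diagnostic or anything from this thread: it queries the service state with `sc query`, and if the service is not RUNNING it pulls those SCM errors with `wevtutil`. The service name `cmdagent` is an assumption, and both sample outputs are constructed so the parsers can be exercised off a Windows box.

```python
"""Show WHY a security service is down instead of just THAT it is down.
Added example (not Comodo's diagnostic). Assumes the Comodo helper
service is named 'cmdagent'; sample outputs below are constructed."""
import re
import subprocess
import sys

SERVICE_NAME = "cmdagent"  # assumption: COMODO Internet Security helper service

# Constructed `sc query cmdagent` output for a service that failed to start.
SAMPLE_SC_QUERY = """
SERVICE_NAME: cmdagent
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1067  (0x42b)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
"""

# Constructed `wevtutil qe System ... /f:text` output (dates, host invented).
SAMPLE_WEVTUTIL = """Event[0]:
  Log Name: System
  Source: Service Control Manager
  Date: 2012-09-10T03:12:44.000
  Event ID: 7000
  Level: Error
  Computer: DESKTOP
  Description:
The cmdagent service failed to start due to the following error:
The service did not start due to a logon failure.

Event[1]:
  Log Name: System
  Source: Service Control Manager
  Event ID: 7034
  Level: Error
  Description:
The cmdagent service terminated unexpectedly.  It has done this 2 time(s).
"""

# XPath for the SCM events that explain a service that is not running:
# 7000 failed to start, 7001 dependency failed, 7023 terminated with error,
# 7034 terminated unexpectedly (crashed or killed).
SCM_QUERY = ("*[System[Provider[@Name='Service Control Manager'] and "
             "(EventID=7000 or EventID=7001 or EventID=7023 or EventID=7034)]]")


def parse_sc_query(text):
    """Return (state_name, win32_exit_code) from `sc query <name>` output."""
    state = re.search(r"STATE\s*:\s*\d+\s+(\w+)", text)
    code = re.search(r"WIN32_EXIT_CODE\s*:\s*(\d+)", text)
    if not state:
        raise ValueError("no STATE line: service probably does not exist")
    return state.group(1), (int(code.group(1)) if code else None)


def parse_wevtutil_text(text):
    """Parse `wevtutil ... /f:text` output into a list of (event_id, description)."""
    events = []
    for chunk in re.split(r"^Event\[\d+\]:\s*$", text, flags=re.M):
        eid = re.search(r"Event ID:\s*(\d+)", chunk)
        desc = re.search(r"Description:\s*\n(.*)", chunk, flags=re.S)
        if eid:
            events.append((int(eid.group(1)), desc.group(1).strip() if desc else ""))
    return events


def check_service(name=SERVICE_NAME):
    """Windows only: service state plus the recent SCM errors if it is not RUNNING.
    Descriptions use the service's display name, so they are returned unfiltered."""
    out = subprocess.run(["sc", "query", name], capture_output=True, text=True).stdout
    state, exit_code = parse_sc_query(out)
    if state == "RUNNING":
        return state, exit_code, []
    log = subprocess.run(
        ["wevtutil", "qe", "System", "/q:" + SCM_QUERY, "/c:10", "/rd:true", "/f:text"],
        capture_output=True, text=True).stdout
    return state, exit_code, parse_wevtutil_text(log)


if __name__ == "__main__":
    if sys.platform == "win32":
        print(check_service())
    else:  # exercise the parsers on the constructed samples
        print(parse_sc_query(SAMPLE_SC_QUERY))
        for eid, desc in parse_wevtutil_text(SAMPLE_WEVTUTIL):
            print(eid, desc.splitlines()[0])
```

Run it from a scheduled task that fires a few minutes after logon; a STOPPED state with exit code 1067 (process terminated unexpectedly) together with a 7034 event points at the service being killed, while a 7000 with a load or access error points at the kind of registry or file tampering the poster suspects.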

There may be something wrong with your installation. Please reinstall Comodo Firewall by following the advice I give in this post. I realize you’ve already installed it many times, but my method also has you run programs to remove any remnants (including those from Avira) which may be interfering with the current installation of Comodo Firewall.

Also, please follow the advice I give in my article about How to Know If Your Computer Is Infected and let me know what you find. It’s always good to double check and make sure there isn’t still any malware hanging around.

Thank you.

I have finished the first part and Comodo is now coming up properly. I also had to re-install Avira though. When I had finished with Comodo, Avira did not want to come up. Now both are working. I already had Revo Uninstaller and love it! It is the best thing I ever found for removing software. I had no idea Visual Studio put in over 8000 entries into the registry. Oh well - live and learn I guess! :)

The thing that has turned the tide with the hacker and the virus/malware he installed is WPA2. I had been thinking we needed to switch over to WPA2 from WPA for a while now but just never got around to doing it. Well, only a few days after resetting all of the passwords on the routers I got on one morning to find someone whose ID was “Steven-iPhone” (see attachment). Don’t know who this person was but he was busy mucking around with my e-mail server again. In desperation I rebooted the router and immediately switched it to WPA2. I think everyone should read the Wikipedia article about WEP, WPA, and WPA2 and why you want WPA2. In any event, I changed the key to a new key using WPA2 and the hacker hasn’t been able to get back on yet. I’ve also gone in and removed all of the changes this Steven guy did to my e-mail server.

Now at night I have a script that auto-changes the router’s keys to a different key each time and then around 5:00am it switches it back to the current key. I can change this at any time so I can have a new router key each day if I want it. I would use AutoIt to do this but SUPERAntiSpyware now thinks AutoIt is installing the TROJAN/Gen.Bifrose agent. I even completely removed AutoIt, downloaded it again, and re-installed it. SUPERAntiSpyware still thinks it is malware. I sent in a false-positive report. Hopefully they will get this corrected soon. When they do, I’ll make a script that will log in to each system and modify it so I can switch keys on all systems and both routers in about five minutes.

Thanks for the help! Later!

[attachment deleted by admin]
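The poster's fix was moving the router from WPA to WPA2 and rotating the key. Two things a practitioner would want to verify on each Windows client are that the link really negotiated WPA2 with AES (a router can be set to "WPA/WPA2 mixed" and still hand out TKIP), and that the rotated key is actually random rather than a memorable variation. The script below is an added example, not the poster's script: it parses `netsh wlan show interfaces` for the authentication and cipher of the current link, and generates a fresh pre-shared key. The netsh field layout is assumed from that command's usual output and the sample is constructed; pushing the key to the router is left out because no router model or interface is given in the thread.

```python
"""Check the live Wi-Fi link for WPA2/AES and generate a fresh random PSK.
Added example, not code from the thread. The netsh layout is assumed;
SAMPLE_NETSH is constructed (mixed-mode router still handing out TKIP)."""
import re
import secrets
import string
import subprocess
import sys

SAMPLE_NETSH = """
There is 1 interface on the system:

    Name                   : Wireless Network Connection
    Description            : Example 802.11n adapter
    GUID                   : 00000000-0000-0000-0000-000000000000
    Physical address       : 00:11:22:33:44:55
    State                  : connected
    SSID                   : HomeNet
    BSSID                  : 66:77:88:99:aa:bb
    Network type           : Infrastructure
    Radio type             : 802.11n
    Authentication         : WPA-Personal
    Cipher                 : TKIP
    Connection mode        : Auto Connect
    Channel                : 6
    Signal                 : 90%
    Profile                : HomeNet
"""

# What we accept: WPA2 (or WPA3, reported by newer Windows builds) with
# CCMP (AES) or GCMP. WPA-Personal, TKIP and anything WEP-like is flagged.
GOOD_AUTH = {"WPA2-Personal", "WPA2-Enterprise", "WPA3-Personal", "WPA3-Enterprise"}
GOOD_CIPHER = {"CCMP", "GCMP"}


def parse_netsh_interfaces(text):
    """Map 'Field : value' lines of the first interface block into a dict."""
    fields = {}
    for m in re.finditer(r"^[ \t]{4}([A-Za-z][^:]*?)\s*:\s*(.*)$", text, flags=re.M):
        fields.setdefault(m.group(1).strip(), m.group(2).strip())  # first adapter wins
    return fields


def assess_link(fields):
    """Return (message, ok). ok is True only for WPA2/WPA3 with an AES cipher."""
    if fields.get("State") != "connected":
        return "not connected", False
    auth = fields.get("Authentication", "?")
    cipher = fields.get("Cipher", "?")
    if auth in GOOD_AUTH and cipher in GOOD_CIPHER:
        return f"{auth}/{cipher}: OK", True
    return f"{auth}/{cipher}: weak, set the router to WPA2-Personal with AES only", False


def new_psk(length=32):
    """Random WPA2 passphrase. WPA2-PSK allows 8..63 printable ASCII chars;
    32 chars over 62 symbols is about 190 bits, far beyond dictionary attack
    reach. Letters/digits only so router web forms never choke on quoting."""
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8..63 characters")
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def current_link():
    """Windows only: assess the adapter netsh reports as connected."""
    out = subprocess.run(["netsh", "wlan", "show", "interfaces"],
                         capture_output=True, text=True).stdout
    return assess_link(parse_netsh_interfaces(out))


if __name__ == "__main__":
    msg, ok = current_link() if sys.platform == "win32" else \
        assess_link(parse_netsh_interfaces(SAMPLE_NETSH))
    print(msg)
    if not ok:
        print("suggested replacement PSK:", new_psk())
```

If the router offers a "WPA/WPA2 mixed" mode, pick WPA2 only: mixed mode keeps TKIP available, and the client check above will show `WPA2-Personal/TKIP` on clients that negotiate it. The nightly rotation the poster describes only helps if each new key comes from something like `new_psk()` rather than from a predictable pattern.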