is normal?

2 months ago i was a victim of a keylogger named “netspy 2.6” i reinstall my windows and now i use comodo firewall + nod32 5.
I want to know how to find out if the keylogger is still active in my pc.

The firewall bloked something, it is normal?(see the attach picture).

[attachment deleted by admin]

To make sure that your computer is clean please read my article about How to Know If Your Computer Is Infected

If it comes up clean then you have nothing to worry about.

As to the pic, I’m sorry but I don’t have the technical understanding of the firewall to interpret that. Hopefully somebody else can lend some clarity.

i try, no malware finde.

that ip is not mine , is not a website what can be?

Is this your internet service provider?

IP address:
Server Location:
Bucharest, Bucuresti in Romania
Romania Data Systems

no, i don’t think so…

[attachment deleted by admin]

I would think this is normal firewall blocking but usually this would not be logged. You must have a block and log rule which you could change to block only by deselecting the log option.

Keep an eye on active connections for any unauthorised inward connections.

i instaled zemana antilogger, nothing found.

What about defense +? is normal to show like:

[attachment deleted by admin]

Please check out that wuauclt file using the methods I suggest in How to Tell if a File is Malicious.

That’ll tell you for sure if there’s anything to worry about.

By the way, how exactly do you have CIS configured? My advice for how most people should configure CIS, unless you have special requirements, is given in How to Install Comodo Firewall.

Please let me know if you have any questions.


Are you on a direct connection to the web? Typically a dial up or cable connection with no router present?

The first firewall log you posted is clean when you are on a direct connection (no router). You are simply seeing the firewall at work blocking unsolicited incoming traffic. When there is no program listening to that traffic CIS will log WOS blocks it.

Before commenting on the second Firewall log I need to know if you are on a direct connection to the web or not. If you are, the same answer applies for incoming traffic; nothing to worry about.

The D+ logs are worrysome because Microsoft files never get flagged because they are trusted.

That either means one of the Microsoft signatures was removed from the Trusted Vendor List either by accident like after a crash or by user. Did remove one or more Microsoft signature from Trusted Software Vendor list? I have 24 entries for Microsoft in the TSV. See image.

Or it means those Microsoft files were changed. To check if they were changed check the signatures of the files with Sigcheck. Download this zip archive and unpack it to C:\Program Files\SysinternalsSuite\ . When done run sigcheck.reg to add it to the registry.

When this is done navigate to the system32 folder, look up and select the logged files, click right and choose Signature from the context menu. A black command box will pop up. See if it is signed or not.

[attachment deleted by admin]

yes i am conected directly to internet, no router.
About the ip’s blocked by firewall one of the ip’s belongs to one of my friends whit i was talking on skipe.
I think i was blocking something few days ago, because when i stop the comuter it take 3-4 minutes to turn off
(sorry for my english)
Update: i set up the firewall and the d+ like in the tutorial and i recived something(see attach) is not my ip !?

[attachment deleted by admin]

In your situation it is best to let CIS block all unsolicited incoming traffic. The internet is a noisy place as you are noticing. The Global Rules that you are using make sense when behind a router. Then the router will block those incoming requests and you will only get alerted for traffic from the other people on your local network.

Run the Stealth Ports wizard and choose the third option Block all incoming connections and make my ports stealth for everyone.

Now you won’t be alerted anymore for unsolicited incoming traffic.