RAT or other Remote Access COMPLETELY UNDETECTED BY COMODO!!

I have a fully updated Comodo Firewall + AV set to Paranoid / On Access with sandbox enabled, and someone gained remote access to my computer.

I had not clicked on any links, or even browsed to any webpages. The only application that was executed on the machine was Steam.exe (gaming service) and HL2.exe (Counter-Strike Source).

I was playing a game, and the next thing I know, I am no longer in control of my keyboard and mouse. So I alt+f4 out of the game, mouse and keyboard still going crazy. Someone was remote controlling my machine, and Comodo had no idea.

I’m curious how such an obvious threat could make it through the Comodo firewall without even prompting me as to whether or not it should be blocked / sandboxed.

Anybody with any insight please let me know what you think. Because I no longer feel any sort of security from using Comodo.

:frowning: ??? :frowning:

Sounds like you are infected with a rootkit.

Can you please scan your system with Gmer and maybe a few other rootkit scanners?

http://www.gmer.net/

http://downloadcenter.trendmicro.com/index.php?clk=tbl&clkval=355&regs=NABU&lang_loc=1#undefined

I will run the suggested rootkit scanners to see what it may be.

I am just curious how the rootkit made it past Comodo. And how the firewall allowed the RAT through?

Had this not been so blatant, I could have very well had valuable information compromised.

I hope that you have changed the setting for unrecognized files from “Partially Limited” to “Untrusted” because it offers better protection.

Before we can draw any conclusions we need to find out what it is that is active on your system.
Let’s see what the scanners come up with.

or a Malwarebytes scan can fix this problem … Malwarebytes > all backdoors.

I won’t be around the machine for about 6 hours.

Fully updated MalwareBytes found absolutely nothing on a full scan.

I updated MalwareBytes definitions and re-ran a full scan, 0 infected items.

Gmer however found the following:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-09 17:12:31
Windows 6.1.7600  
Running: m0zts23f.exe


---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272ac4b5b                      
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272ac4b5b (not active ControlSet)  

---- EOF - GMER 1.0.15 ----

Look like anything that would relate to my issue?

Also, Gmer does not have an option to remove these rootkits, and rootrepeal/rootkitbuster are not 64-bit compatible, and I am on Win 7 x64 Ultimate.

Thanks for your help. Having a mod respond to my thread within 20 minutes is pretty impressive =)

Hi questionmark425,

If you can find the file, you can submit it through this link: Comodo Firewall | Get Best Personal Firewall Software for $29.99 A Year, and we can have a look at it.

Thanks and Regards,
Guoqiang.

I have seen those BTHPORT entries before; I’m almost sure they are False Positives.

In the current state I can’t say I’d trust the machine, next best bet is to analyze it with a bootable DVD equipped with tools to find malware offline.

Are you familiar with those?

Maybe you can dump your MBR to a file and upload it to VirusTotal to verify whether any of those scanners find malware in your Master Boot Record. The tool I normally use for that is found here: http://red.boot-land.net/mbrwhisky.html – Please be careful with it, as you can kill your disk with it.

Only use it to save the MBR to file of the disk that shows “ACTIVE”.
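Checking the dumped sector before uploading it, as an added example that is not part of this thread and not code from the MBR tool linked above: the script reads the first 512 bytes of a disk image, verifies the 0x55AA boot signature, decodes the four partition-table entries so the entry flagged ACTIVE is visible, and hashes the boot-code region so that hash can be looked up on VirusTotal. The sample MBR, the file names and the function names are all constructed for the demo; the script only ever reads from a disk and writes only to the output file you name.

```python
import hashlib
import os
import struct
import tempfile

MBR_SIZE = 512                 # the MBR is the first sector of the disk
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511 of a valid MBR
ACTIVE_FLAG = 0x80             # status byte of the bootable ("ACTIVE") partition


def is_valid_mbr(mbr: bytes) -> bool:
    """True if the blob is exactly one sector long and carries the 0x55AA signature."""
    return len(mbr) == MBR_SIZE and mbr[510:512] == BOOT_SIGNATURE


def boot_code_sha256(mbr: bytes) -> str:
    """Hash of the boot-code region only; this is the part a bootkit would replace."""
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table and report which entry is marked active."""
    if not is_valid_mbr(mbr):
        raise ValueError("not a valid 512-byte MBR (missing 0x55AA signature)")
    partitions = []
    warnings = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * index
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sector-count(4, LE)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, offset)
        if status not in (0x00, ACTIVE_FLAG):
            warnings.append(f"entry {index}: unexpected status byte 0x{status:02x}")
        partitions.append({
            "index": index,
            "active": status == ACTIVE_FLAG,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mib": sectors * MBR_SIZE / (1024 * 1024),
        })
    active = [p["index"] for p in partitions if p["active"]]
    if len(active) > 1:
        warnings.append("more than one partition flagged active")
    return {
        "boot_code_sha256": boot_code_sha256(mbr),
        "partitions": partitions,
        "active_index": active[0] if active else None,
        "warnings": warnings,
    }


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or block device (read-only, never writes)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def dump_mbr(mbr: bytes, out_path: str) -> str:
    """Save the sector to a file for upload to a scanner; returns the file's SHA-256."""
    with open(out_path, "wb") as fh:
        fh.write(mbr)
    return hashlib.sha256(mbr).hexdigest()


def build_sample_mbr() -> bytes:
    """Constructed sample: dummy boot code, one active NTFS-type partition, one inactive."""
    boot_code = b"\x33\xC0\x8E\xD0" + b"\x00" * (BOOT_CODE_SIZE - 4)   # made-up bytes, not a real loader
    entry0 = struct.pack("<B3sB3sII", ACTIVE_FLAG, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    entry1 = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x07, b"\x00" * 3, 206848, 409600)
    empty = b"\x00" * 16
    return boot_code + entry0 + entry1 + empty + empty + BOOT_SIGNATURE


if __name__ == "__main__":
    # Stand-alone demo on the constructed sample; on a real disk, pass its path to read_mbr()
    sample_path = os.path.join(tempfile.mkdtemp(), "sample.img")
    dump_mbr(build_sample_mbr(), sample_path)
    info = parse_mbr(read_mbr(sample_path))
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        if p["sectors"]:
            flag = "ACTIVE" if p["active"] else "      "
            print(f"  {flag} type=0x{p['type']:02x} start={p['lba_start']} size={p['size_mib']:.0f} MiB")
    print("warnings:", info["warnings"] or "none")
```

On a live Windows box the sector is read from the physical drive, which needs an elevated prompt; the parsed output tells you which entry carries the 0x80 flag, matching the "ACTIVE" disk the post says to dump, and a hash of the boot-code region that differs from a clean install of the same OS is the thing worth investigating before trusting the machine again.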

I did a little more troubleshooting to see if I could figure anything else out.

It must have been profile-specific, because I created a new user account in safe mode, booted back up, logged in to the new user account, and nothing happened. When logged in to the affected user account, random keystrokes would happen rapidly.

That (the keystrokes) is what led me to believe someone had remote access to my machine initially. However the random keystrokes continued even with no network/bluetooth connectivity (I pulled my BT Dongle and Ethernet cable out of my machine and rebooted).

So, it was some kind of odd infection that just hammered out random keystrokes constantly to keep you from doing anything. I haven’t seen anything like that before.

But, I keep all of my data on a Buffalo RAID5 NAS unit that I only connect to the network when files are needed. The only data I keep on the single HDD inside of my PC is Windows 7 and my games (Easily re-downloadable via Steam) so I nuked the drive with DBAN and reinstalled Windows.

All is now good after the reinstall (obviously =D). I just didn’t have the time to chase this any longer, and as I didn’t lose any data it was a no brainer at this point to reformat.

I am still curious whether anyone has heard of malware that just types random keystrokes repeatedly? It was new to me.

Thanks for your help! I doubt this infection was the fault of Comodo. It was probably malicious code embedded inside of a previously trusted .exe if I wasn’t prompted by Comodo.

You guys here in the forum are awesome, and Comodo was the first thing I installed after my reformat.

Thanks again!

:smiley:

Thanks for the compliment ;D
Good to hear that you have a well-thought-out setup and were able to get back to business quickly :-TU

Hope you stay clear from further keyboard trouble…