some kind of keylogging malware?


i don’t know if i actually have a problem but i have a concern, and i’m not comfortable using my computer at the moment

i have comodo security as my firewall/AV and yesterday had a comodo defense popup saying that :

firefox.exe could not be recognized and is about to access the keyboard directly. accessing the keyboard directly allows an application to read the pressed keys or simulate the key strokes

i’ve never had this before

i don’t like the sound of this and i’m not really happy using my computer for banking or other logins, if anyone could advise i would be very grateful

Could you please post your firewall and d+ configuration at the time this pop-up showed up? Though I haven’t used Comodo firewall in a while, as i recall, anything above clean pc mode will produce this alert, although I believe Safe mode now should recognize firefox.

EDIT: Oh and firefox add-ons, too, if you have any.

are you using a nightly version of firefox?

yes they’re both on safe mode

add ons: better privacy, ghostery and x notifier

computer been set up like that for almost a year, never seen this before

thank you

i’m sorry i don’t know what that is, i just use regular firefox

As I see it, it’s probably an issue on the firewall/d+ rules. I suggest that this thread be moved to CIS help forum section. At this point, all I can suggest with regard to this issue is that you take the following precautions:

1.) Check the location of the firefox.exe. It should be in C:\Program Files\Mozilla. Any other place outside the directory is a potential risk. I recommend checking the shortcut path to make sure no other program piggybacks.
2.) Scan it with a malware scanner. I recommend Dr. Web Free Scanner (although I have had certain issues downloading this a month ago) and the usuals: Hitman Pro and Malwarebytes.
3.) If it turns up clean, then you’re gonna have to check the firewall/d+ rules. At this point in time, referring to the forums for further help would be a great idea.

thank you

i have run scans with malwarebytes, spybot and comodo av already and will check out the others, thank you

please could you tell me how to check the location? i’m pretty clueless

EDIT: i think i found firefox.exe, i right clicked on the desktop shortcut and hit properties.

it is not in C:\Program Files\Mozilla, it is in C:\Program Files(x86)\Mozilla, there is no mozilla folder in C:\Program Files, is this right for windows 7?


I don’t think it is.

Usually with keylogging you have second winlogon.exe running. Check if not it’s not.

Spainach_12 is right. That makes a lot of sense.

i’m sorry seany do you mean you don’t think it’s ok or you don’t think it’s right?

i just turned on the laptop computer in question and checked task manager, there is 1 instance of winlogon.exe (whatever that is) running, is that ok?

aslo do you know if it is ok that my firefox.exe is in a different folder than [b]C:\Program Files\Mozilla[/b]

it is in [b]C:\Program Files(x86)\Mozilla[/b], there is no mozilla folder in my C:\Program Files, I am using windows 7 on the computer in question does this sound wrong?

many thanks

I mean it’s safe. If you have one winlogon.exe you are fine. You are not being keylogged. Yes it is normal in a 64 bit system Windows 7.

thank you sir

However, there does seem to be something wrong with your Defense+ rules.

Can you please let us know what changes (if any) you have made to the default configuration?
Also, when you run the diagnostics do they find any problems?

Thank you.

i don’t know i can’t remember changing anything really

by diagnostics do you mean when i scan? nothing comes up

thank you

Hi manmoon,
Chiron means running the diagnostics utility built into Comodo Internet Security under More in the GUI.

ok thanks cptsticks,

i ran diagnostics and it says’s it did not find any problems with the installation

chiron i don’t know what i’ve changed i may have messed with it when i installed it but that was ages ago, i run regular scans and update regularly but don’t do much else

Hello guys,

Just adding some thoughts re: the matter

1st, manmoon, it is always beneficial to post more info about your system rather then find out “several posts later” that you are running x64 platform

As for the location of Fox & comments by spainach_12… I simply do not get that
You can have the default location as in your case (C:\Program Files(x86)\Mozilla) for x64
the default location (C:\Program Files\Mozilla) for x86 system
At the same time you can install betas/night builds/portable versions in different locations of the same system & that will not interfere with your current stable version residing within the default folder. Run whichever version you want whenever you want

Then, I cannot be sure since I’m using mentioned addon, but there are some angry discussions regarding “x notifier”

What I mean is you may try to run your fox 16.0.2 (hope you have the latest) in SafeMode without any extensions. Have you tried that?

Finally, indeed please post all rules concerning Fox as suggested above by helpers


By the looks of it, it’s a problem with the rules. The location is safe.

Oh, regarding the location? It’s just to find out if the firefox that was launched was indeed the browser and not malware that named itself firefox.exe. I had one about 5 mos. ago that pretended to be chrome. It named itself chrome.exe and launched the browser, but it’s really a spyware that launches the browser as part of its code. I found out about it when I was wondering why Chrome was taking an unusually long time to launch itself and Windows firewall alerting me of it when I’ve already made rules for it. Thought it was a bug until I checked the shortcut and saw another chrome in a different folder (found in the C:\Users\Application Data\ and C:\Users\Local Settings). Ran it in BSA and found out it was malware. I thought maybe a variant for firefox also exists.


maybe i should have given more info i didn’t realize it

i don’t know to be honest if i have a x64 or what, it’s windows 7,

i also don’t know which folder firefox should be in or what x86 is, i’m very sorry and i have to say i’m pretty confused i’m not claiming anything that you should “not get” i’m just saying where i found the firefox

x notifier changed from webmail notifier itself the other day, i was worried about it but it also changed on my other pc (xp) and on 2 other peoples pc’s as well and i read it had changed and was ok, i didn’t think it was a problem

like i said before i’m just running normal firefox no special builds just the addons i said

i just need some help with this thing tbh if i understood/knew it all i wouldn’t need to ask

That’s alright. No one’s claiming anything. To see if it’s x86 or x64 just right click on the My Computer icon and select properties. You should see by the bottom of the window that appears if it’s x86 or x64.