Security Issue: Remote Access Trojan In Need of Being Blocked!

I am currently using Comodo Firewall and so far it has been working great and I know how powerful it could be because I have kicked myself off from the internet and certain things because of it lol but I am dealing with an issue concerning Remote Access. Apparently I have a particular relative that is constantly remoting into my computer and I am assuming it's due to a program that was downloaded on her computer that is somehow bypassing the firewall and this has been going on for months and I need to ask anyone that knows how to permanently block her out from the computer because she is maliciously and deliberately invading my privacy and I am not going to put up with it anymore and I have port 3389 blocked among some other remote ports (not to mention both Remote Desktop and Remote Access are turned off from the computer resource as well as UPNP, etc) and we do share the same router which is a DLINK-601 and Cable modem so anyone has any suggestions I am all ears… :wink:

What firewall are you referring to here? Your firewall, hers or both?

and this has been going on for months and I need to ask anyone that knows how to permanently block her out from the computer because she is maliciously and deliberately invading my privacy and I am not going to put up with it anymore and I have port 3389 blocked among some other remote ports (not to mention both Remote Desktop and Remote Access are turned off from the computer resource as well as UPNP, etc) and we do share the same router which is a DLINK-601 and Cable modem so anyone has any suggestions I am all ears… :wink:

What makes you think your relative has access to your computer? Apparently there are access attempts logged, but they only mean it was blocked, not that the other computer has access to yours.

If you have access to her computer you can check what program is generating the traffic using these instructions: http://www.corrupteddatarecovery.com/Port/3358tcp-Port-Type-mpsysrmsvr-mpsysrmsvr.asp .

I am referring to my firewall with Comodo. Well she has before and our rooms are right next to one another and anything that I do or go on at the exact moment I hear her giggling maliciously like she knows exactly what it is I am doing and I even heard her confess once of doing it in other words. Um I’ve read that remote access blocks outsiders from coming through but I do believe she has downloaded an illegal sort of program on her computer because she has no life just to break through the firewall and invade my space. I did use Stealth Ports constantly where it gives you the option to block all inbound connections but I am suspecting she is somehow using the modem to do it I am not for sure but are there any configurations with Comodo that could block all that out? The firewall events say that they have blocked a Protocol ICMPV6 In but what is that exactly? Thanks EricJH for replying back to me.

Do you know their IP address?

Just a thought. You’re both on the same network, sharing the same router; your relative doesn’t need access to your PC to see anything you do.

ICMPv6 is the Internet Control Message Protocol version 6. This is part of the IPv6 protocol suite, which is the eventual replacement for the current IPv4 protocol stack. If you’re using Windows 7, this is enabled by default; your router also supports this.

No I don’t. What I did was put her host name into the firewall, though; would getting her IP address help the situation?

Well she has Windows 7 I believe and I am using Vista Home Premium. My only concern is that she is not “ABLE” to remote into this computer what-so-ever because I am very fond of my personal stuff such as S.Security info, emails and things like that. I mentioned about the ICMPv6 that shows up in my firewall as being an incoming block but I doubt that is what is blocking her. I was thinking she is somehow using the Cable Modem but I am not for sure so I was just wondering if anyone has been able to successfully block remote access from their computers using comodo firewall.

so I was just wondering if anyone has been able to successfully block remote access from their computers using comodo firewall.

For remote access to work there needs to be a ‘server’ process, listening for inbound connections, running on the PC that’s being remotely accessed. In the case of Windows Remote Desktop Protocol, that process is svchost. In the case of other remote access solutions, a similar process will be required. In addition, if you’ve installed the full CIS suite, with the default options, you would also have to create a firewall Global rule to allow inbound connections, as the default rule set for the full installation is configured to block all unsolicited inbound connections. If you haven’t installed the full suite, you can run the ‘Stealth Ports Wizard’ with the third option:

Block all incoming connections and make my ports stealth for everyone

This will configure your Global firewall rules as seen in the image, which also blocks all unsolicited inbound connections.

With regard to emails and other data that traverses the ‘wire’ between your PC and the outside world, unless it’s encrypted, it can be seen and read, especially when the person wishing to do this is on the same network.

Vista, like Windows 7, also has IPv6 enabled, but the firewall will only register IPv6 traffic - including ICMPv6 - if you’ve enabled IPv6 filtering, which is found under Firewall/Firewall Behaviour Settings/Enable IPv6 Filtering. On IPv6 networks, ICMPv6 is common and very noisy.

[attachment deleted by admin]
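The reply above rests on one observable fact: an inbound remote-access session can only succeed if a server process is bound and listening on the port. The following is an added example (not code from the thread or from Comodo) that checks exactly that from the machine itself, so a user who has disabled Remote Desktop can confirm nothing is answering on TCP 3389. The throwaway listener it starts is constructed for the demo and stands in for whatever remote-access server would otherwise have to be running.

```python
import socket
from typing import Dict, List, Tuple

# Port named in the thread; the check works for any TCP port you believe you have disabled.
RDP_PORT = 3389


def is_listening(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if a server process accepts TCP connections on host:port.

    A completed connect() proves something is bound and listening there; a
    refused connection proves nothing is, which is the state you want for
    remote-access ports you have turned off.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ConnectionRefusedError and socket.timeout are both OSError
            return False
        return True


def start_demo_listener(host: str = "127.0.0.1") -> Tuple[socket.socket, int]:
    """Bind a throwaway listener on an OS-chosen port to produce the 'open' case.

    Constructed for this demo only: it plays the role of the 'server' process
    the reply says must exist before any remote access can happen.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def audit_ports(host: str, ports: List[int]) -> Dict[int, bool]:
    """Map each port to whether a server is currently accepting connections on it."""
    return {port: is_listening(host, port) for port in ports}


if __name__ == "__main__":
    srv, demo_port = start_demo_listener()
    try:
        for port, open_ in audit_ports("127.0.0.1", [RDP_PORT, demo_port]).items():
            print(f"port {port}: {'LISTENING' if open_ else 'closed'}")
    finally:
        srv.close()
```

Run it on the PC in question: a `closed` verdict for 3389 means no RDP server is answering regardless of what the firewall log shows; a `LISTENING` verdict means a process is bound there and is worth identifying before worrying about rules.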

Well that’s the thing I have everything related to remote access and remote desktop turned off and even I have done the Stealth Port method but I believe the relative I am speaking of is using something illegal or a hacking remote program to access my computer to view what I am doing as a matter of speaking I have seen her IP address show up on the Firewall multiple times when I first installed the firewall now all of a sudden it’s not showing up and I know for a fact that is what is happening (pathetic I know) but I need it to stop. On the firewall I have blocked remote ports her host name but for some reason that particular person is still able to access the computer mainframe so my question is would Svchost be credible to block or protect in the Defense section or any other immediate major firewall blocks that will knock her permanently.

I sincerely doubt your ‘relative’ is accessing your PC remotely, particularly if you have the settings I’ve indicated above. As I’ve said before, there’s no need for them to access your PC to see what you send and receive over the network. Also, don’t forget, this person has physical access to your PC, so whatever is being done, may not even involve the network.

There is one small possibility, as this person does have physical access to your PC: they may have installed a keylogger or something similar, but I would have hoped, assuming it’s enabled, that Defense+ would have found this. You can always run something like Spyshelter for a second opinion.

I have seen her IP address show up on the Firewall multiple times when I first installed the firewall now all of a sudden it’s not showing up and I know for a fact that is what is happening (pathetic I know) but I need it to stop.

As you’re on the same network I’d expect to see some sign of activity from other devices that share it with me, even if it’s only NetBIOS broadcasts. The fact that you saw this address once and not now, may simply be due to a configuration change, either something you’ve done, or something your ‘relative’ has done. If you open a command prompt and type arp -a, I’m sure you’ll see the addresses of the router, your ‘relatives’ PC and any other devices that have an IP address on your LAN. Just because you see an IP address in your firewall logs, doesn’t mean it’s doing something malicious.

On the firewall I have blocked remote ports her host name but for some reason that particular person is still able to access the computer mainframe

Perhaps you could share with us your firewall Application and Global rules. You can post screen shots when you post a reply, just click additional options.

so my question is would Svchost be credible to block or protect in the Defense section or any other immediate major firewall blocks that will knock her permanently.

Unless you know what you’re doing, I’d suggest leaving system processes like svchost alone; you could easily block your Internet and LAN connectivity completely. You would be better off posting your current configurations and letting someone here guide you, assuming it’s necessary.

Is your network zone set to “home network” (which means it is a trusted network)? Have you tried setting the home network to “public network”?

Go to Firewall > Network Security Policy > Network Zones > Double-click on Home Network, check “public network”.

This is my 2 cents and I also agree with the previous posters that the “relative” could be viewing your traffic through the modem/router.

Yes I do believe the modem is the issue but I would think that could be an illegal program considering the vast majority of the remote features on the computer I disabled. Can Comodo Firewall protect the modem? I don’t think it could, but just in case it does, does anyone here know how?

From your earlier post:

and we do share the same router which is a DLINK-601

Assuming you have the ability, change the administrative/user logon credentials to the router. Unless the modem is more than just that, it’s unlikely it’s playing any part in the ability of your relative to ‘see’ what you’re doing.

CIS is not designed to provide security for devices such as routers; these devices typically have enough by way of options for this. If you don’t have the manual for your router, you can get it from http://www.dlink.com/DIR-601. Have you given any thought to sharing your firewall configuration with us?

Here are some screenshots of the firewall setup (including the host name) but like the last below poster mentioned that my relative is using the cable modem to remote into the computer even though everything that is related to the issue is disabled. I am going to post my computer firewall image as well for you to observe. And if she is remoting by modem how can I put a stop to that?

[attachment deleted by admin]

Can you explain what you mean by “my relative is using the cable modem to remote into the computer”? I thought your relative was in the next room to you?

Taking your images one by one:

First the Global rules:

Every block rule you have for inbound connections below the second block rule:

Block and Log IP In From MAC Any To MAC Any Where Protocol is Any

is redundant, as the firewall processes the rules from the top down. Basically, when the firewall is making a determination about allowing or blocking a connection, it starts at the first rule and works its way down. The first rule that matches the criteria is used and no further processing takes place. So, unless you need to specifically block the outbound portions of those rules, you don’t need them.

The mstsc.exe rule:

Mstsc.exe is the component of Remote Desktop responsible for making outbound connections. Svchost.exe is the component responsible for receiving the inbound connections. With that in mind, unless you want to block your ability to use Remote Desktop for outbound connections, you don’t need these rules. If you’re not using RD, simply remove mstsc.exe from Application rules.

The Blocked Zone rule:

The first part of the rule - 192.168.0.101 - is fine. This will block connections to and from that IP address. Unfortunately, the second part of the rule - 192.168.0.101/224.0.0.252 - combines a class C address (192) with a multicast address (224). If you wanted to block the entire subnet, you should use:

192.168.0.1/255.255.255.0

But I would advise against doing that, as you will prevent yourself from being able to access the router and thus the Internet.

The Windows Firewall dialogue:

Making changes to the Windows firewall via this dialogue box is redundant, as the Windows firewall is disabled when you install CIS.
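The Blocked Zone point above (a multicast address pasted into the mask field, versus a real subnet mask) can be checked mechanically. This is an added example, not code from the thread or from Comodo: it uses Python's standard `ipaddress` module to reject a mask whose bits are not a contiguous run of ones, and to show which hosts a correctly written zone would cover. The router address 192.168.0.1 is an assumption taken from the subnet the reply suggests.

```python
import ipaddress
from typing import Optional


def is_contiguous_mask(mask: str) -> bool:
    """True if mask is a real netmask: a run of 1-bits followed only by 0-bits.

    255.255.255.0 qualifies; 224.0.0.252 (a multicast address in the mask
    field) does not, so it cannot describe any subnet at all.
    """
    bits = int(ipaddress.IPv4Address(mask))
    inverted = (~bits) & 0xFFFFFFFF
    # The inverse of a contiguous mask is 2**k - 1, i.e. x & (x + 1) == 0.
    return (inverted & (inverted + 1)) == 0


def parse_zone(spec: str) -> Optional[ipaddress.IPv4Network]:
    """Parse 'address' or 'address/mask' as a firewall zone.

    Returns None for an invalid mask rather than quietly matching nothing or
    everything, which is the failure mode a bad entry hides in a rule list.
    """
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:  # ipaddress raises NetmaskValueError (a ValueError) here
        return None


def zone_contains(spec: str, ip: str) -> bool:
    """Would a block zone written as `spec` match traffic to or from `ip`?"""
    net = parse_zone(spec)
    return net is not None and ipaddress.IPv4Address(ip) in net


if __name__ == "__main__":
    ROUTER = "192.168.0.1"  # assumed router address on the 192.168.0.x LAN
    for spec in ("192.168.0.101",                 # single host: fine
                 "192.168.0.101/224.0.0.252",     # the broken entry from the thread
                 "192.168.0.1/255.255.255.0"):    # whole subnet: locks out the router too
        net = parse_zone(spec)
        verdict = str(net) if net else "INVALID mask"
        if net and zone_contains(spec, ROUTER):
            verdict += "  (this zone also blocks the router)"
        print(f"{spec:30} -> {verdict}")
```

The single-host entry parses to a /32 and matches only that PC; the /255.255.255.0 entry parses to the whole /24 and, as the reply warns, would also match the router, which is why `zone_contains` is worth running against the gateway address before saving a subnet-wide block.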

Yeah the person I am referring to is in the next room but I was just speculating about the modem (as of now anyway).

So what you are saying in Global move the important rules to the top that need to be used more often and the lesser ones to the bottom?

Okay I kind of figured about the computer’s firewall because when I installed Comodo it disabled it but I went ahead and enabled it anyway just in case because they say it doesn’t interfere with Comodo in any way like some other firewall programs do.

and I went ahead and deleted the mstsc from the NS Policy because I thought that would’ve made a difference. Thanks again for your input Radaghast.

The modem is just a device that allows your PC(s) to make connections with a server run by your ISP and hence the Internet. The key device on your LAN is your router. This is allows any device on the LAN side, to operate in what’s typically referred to as a private network and to ‘route’ all requests not destined for something on the LAN, to the modem for delivery to the Internet. Conversely, when a packet arrives from the Internet, it’s delivered to your router via the modem, the router then determines which device on the LAN to forward the information to. So, if your relative is ‘spying’ on you, it’s not via the modem, it’s via the Network on the LAN side of the router.

So what you are saying in Global move the important rules to the top that need to be used more often and the lesser ones to the bottom?

Sort of. Think about it this way. Let’s say you want to allow all communication to and from other devices on your LAN but you want to block everything else.

The first rule would be - Allow everything out if it’s going to the LAN
The second rule would be - Allow everything in if it’s coming from the LAN

These two allow connections to and from the LAN. Now:

The third rule would be - Block Everything else from anywhere and to anywhere

So, if something is being sent to, or received from, the LAN, it’s allowed. The first two rules tell us this; however, when a request is received that’s for somewhere outside the LAN (the Internet, say), the firewall looks at the first two rules and, because they don’t match, moves on. It then looks at the third rule, where it sees it has to drop the packet because nothing else is allowed. It doesn’t matter if you create rules under this third block rule, because they’ll never be seen.

Okay I kind of figured about the computer’s firewall because when I installed Comodo it disabled it but I went ahead and enabled it anyway just in case because they say it doesn’t interfere with Comodo in any way like some other firewall programs do.

It’s really not a great idea to have two firewalls running simultaneously. Regardless of what you may have read, they will almost certainly interfere with one another. My advice: disable the Windows firewall and concentrate on CIS.

and I went ahead and deleted the mstsc from the NS Policy because I thought that would've made a difference. Thanks again for your input Radaghast.

You’re welcome.
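The top-down, first-match behaviour described in this reply (and in the earlier remark that every block rule below the catch-all block is redundant) is easy to see in a small simulator. The following is an added example, not the thread's or Comodo's code: it evaluates constructed packets against the three-rule set from the reply, reports which rules can never be reached, and shows that a block for one LAN host only takes effect when it sits above the LAN allow rules. The 192.168.0.0/24 LAN, the address of this PC and the Internet source address are all assumed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The thread's LAN uses 192.168.0.x addresses; treating it as a /24 is an assumption.
LAN = ipaddress.ip_network("192.168.0.0/24")
ANY = None  # a src/dst of None means "any address"


@dataclass
class Rule:
    name: str
    action: str       # "allow" or "block"
    direction: str    # "in", "out" or "any"
    src: Optional[ipaddress.IPv4Network] = ANY
    dst: Optional[ipaddress.IPv4Network] = ANY

    def matches(self, direction: str, src: str, dst: str) -> bool:
        if self.direction not in ("any", direction):
            return False
        if self.src is not None and ipaddress.IPv4Address(src) not in self.src:
            return False
        if self.dst is not None and ipaddress.IPv4Address(dst) not in self.dst:
            return False
        return True

    def is_catch_all_block(self) -> bool:
        return (self.action == "block" and self.direction == "any"
                and self.src is None and self.dst is None)


def evaluate(rules: List[Rule], direction: str, src: str, dst: str) -> Tuple[str, str]:
    """Top-down, first match wins: once a rule matches, nothing below it is consulted."""
    for rule in rules:
        if rule.matches(direction, src, dst):
            return rule.action, rule.name
    return "block", "(no rule matched: default deny)"


def unreachable_rules(rules: List[Rule]) -> List[str]:
    """Names of rules placed below a catch-all block; the firewall can never reach them."""
    names, shadowed = [], False
    for rule in rules:
        if shadowed:
            names.append(rule.name)
        elif rule.is_catch_all_block():
            shadowed = True
    return names


# Constructed rule set in the order the reply describes, plus a host block placed
# below the catch-all to show that position decides whether it ever fires.
HOST = ipaddress.ip_network("192.168.0.101/32")  # the relative's PC, per the thread
RULES = [
    Rule("allow out to LAN", "allow", "out", dst=LAN),
    Rule("allow in from LAN", "allow", "in", src=LAN),
    Rule("block everything else", "block", "any"),
    Rule("block in from 192.168.0.101", "block", "in", src=HOST),
]

if __name__ == "__main__":
    me = "192.168.0.105"  # assumed address of this PC
    print(evaluate(RULES, "in", "192.168.0.101", me))  # rule 2 allows it; rule 4 is never seen
    print(evaluate(RULES, "in", "203.0.113.7", me))    # Internet source: only rule 3 matches
    print("unreachable:", unreachable_rules(RULES))
    # Moving the host block above the LAN allows is what makes it effective.
    reordered = [RULES[3]] + RULES[:3]
    print(evaluate(reordered, "in", "192.168.0.101", me))
```

Two things fall out of running it: the host-specific block at the bottom is reported as unreachable, exactly as the earlier reply said of the rules below the catch-all block, and the same inbound packet from 192.168.0.101 is allowed by the LAN rule until the host block is moved above it. Rule order, not the number of block rules, decides the outcome.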

Ok that makes sense clears my head on that issue thanks.

So is it safe then to disable windows firewall because i have comodo? In your opinion or expertise? So in the rules section if i put block incoming ip first before the other rules in GLOBAL then that will keep anything related to remote access from communicating with my computer from another? Thanks again you’ve eased my mind and have been a big help ;D

No worries :slight_smile:

So is it safe then to disable windows firewall because i have comodo? In your opinion or expertise?

You really don’t need both, CIS will do everything the Windows firewall can and more.

So in the rules section if i put block incoming ip first before the other rules in GLOBAL then that will keep anything related to remote access from communicating with my computer from another? Thanks again you've eased my mind and have been a big help ;D

The easy answer to this is: in Global rules, delete the first Global block rule - the one to port 6881 - and delete everything after the second block rule. You’ll end up with the rules in the image below. However, there may be a caveat to this and it concerns port 6881. This port is usually associated with bittorrent. So, my question is, do you use bittorrent? If so, we’ll need to make some adjustments.

[attachment deleted by admin]

No I don’t need it as long as I keep this computer secured from any remote access intrusions that’s all that matters to me at this moment everything else comes second.

I had one other question about Firewall Events: it says Windows Operating System Blocked IN ICMPV6 constantly, what is that? If you know. Is that the attempts of someone trying to get in?