
Thread: puzzled - tough security issue

  1. #21
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Also, regarding the stuff about being 'fishy', let me explain some more. Basically my friend and I have been great friends for several years and we are not dating. We wrote a hell of a lot of mails to each other in that time; again, I was naive in using webmail so much, and that account was hacked and the mails were sent out to lots of people. These were personal mails between myself and her. This is where someone somewhere has obviously read them and lost the plot completely. It could be anybody! This guy seems to want us to stop talking completely. Btw, this isn't one of her friends or one of mine; we've gone through everybody with a fine toothcomb. Anyway, if I even so much as look at somebody online on a dating site, as an example (not login, register or talk with anyone), she'll get an email about it from this person with all kinds of threats and so forth. I've obviously had to try and stop any kind of web surfing that would provoke him to send her more stuff, and it's very hard; even the simplest stuff can do it.

    When I said the email was full of unrelated stuff, I meant the following.

    If I send a mail out where I write to a female friend, he seems to zero in on these and use the information that is sent back to me or sent from here. I don't know which, because I have very little information on what he is actually writing. The authorities are keeping all the information held until they get more information on the culprit. This is equally frustrating for me because I want this to stop as much as my friend does. This is way beyond me and my knowledge about how some weirdo can be snooping my system like this...

    Anyway, when I said I had sent an email from work to here, I sent 2 words in it, and on the surface you could think they were women's names (very very loosely related); they were in fact real estate developers. This person thought they were women and wrote to my friend again, threatening her, saying I was up to this and that with these 2 people, which clearly I wasn't.
    The fact that they got hold of the information after it had arrived here, which only I knew about, tells me it has to be something on here, given the fact they seem to get information from all kinds of other activity as well.
    This particular example can't be keylogging unless he has installed something at work, which he may or may not have done. I think it's very unlikely given it's got about $100 million worth of security and a 24/7 dedicated IT team monitoring that stuff.

    Anyway, hope the extra information is useful. I am all out of ideas apart from the webpage thing, which like I said previously I will give a try...

  2. #22
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    From any machine not your own, go out and set up a Gmail account. Download and burn a Unix-based live CD and then conduct your tests again using the live CD and the Gmail account. Smart money says that if he has something local, it will be useless when you boot from your live CD, and you'll know right away where the problem is. This is only half the battle. Once you know where the problem is, you have to discover the root cause. In your case, how does he continue planting things on your host? Truthfully, I haven't seen too many people skilled enough to maintain an operation like this long term without getting caught.

    I hinted at the advice Tiger gave but stopped short of telling you to sniff traffic on your own. If the police IT people are involved, it should have been the first thing they did. If not, get some new police IT people. The point is that they should be versed in collecting forensic data in a way that can be used in court, not you.

    Also, the dude is simply using random proxy servers, which is a very common technique. This is why the IP always changes. Again, the police have the facilities needed to follow the chain back to the source if they choose to do so. There are very few international ISPs that do not cooperate. Hopefully he didn't use boxen from those regions.

    Anyway, resolution to this issue is close at hand. Do the right thing and work with the authorities since you decided to involve them. You have the advice needed to continue from those who responded in this thread. Act on it. Report back.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #23
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Re: dynamoo's post

    Linksys router is compromised? Don't know that... I changed the password a little while back and it appeared to make no difference. One thing is it does disconnect from time to time and send me some IP data with packets dropped...?
    Sygate has tons of ports turned off as well; only the critical ones are left from what I can tell.

    Telnet service is disabled

    Physical security has not been compromised

    No rootkits installed; I did check this when reading up around the subject ages ago.

    No idea what a TEMPEST-style snoop is!!!

    Anyway, I'm on Windows XP Pro SP2. I am losing hope in Windows; so many security flaws it's scary. Maybe I should just go to a Mac or something to surf and do some work on, a somewhat expensive way with no guarantees that'll fix the problem I guess, especially if he is just monitoring packets and doesn't have anything on my system...

  4. #24
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Here is my HijackThis log... again, apologies for the sheer weight of anti-spyware etc. stuff going on, just desperation...

    Logfile of HijackThis v1.99.1
    Scan saved at 7:33:39 AM, on 11/7/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    C:\WINDOWS\system32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\mysql\bin\mysqld-nt.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\PivX\PreEmpt\loadsvc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\GhostSurf 2005\DeleteSvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\GhostSurf 2005\Proxy.exe
    C:\Program Files\PivX\PreEmpt\PreEmptST.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PivX\PreView\preview.exe
    C:\Program Files\InterMute\SpySubtract\SpySub.exe
    C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    C:\Program Files\GhostSurf 2005\Protector.exe
    C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
    C:\WINDOWS\System32\wbem\wmiapsrv.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Simon\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.ca/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\GhostSurf 2005\SCActiveBlock.dll
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [Aluria Security Center] C:\Program Files\Aluria Security Center\SecurityCenter.exe /minimize
    O4 - HKLM\..\Run: [GhostSurf Reminder] "C:\Program Files\GhostSurf 2005\Privacy Control Center.exe" reminder
    O4 - HKLM\..\Run: [GhostSurfDelSatellite] "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\system32\mdm.exe
    O4 - Startup: Anapod Manager.lnk = C:\Program Files\Red Chair Software\Anapod Explorer\anamgr.exe
    O4 - Startup: Protector.lnk = C:\Program Files\GhostSurf 2005\Protector.exe
    O4 - Startup: Scheduler.lnk = C:\Program Files\GhostSurf 2005\Scheduler daemon.exe
    O4 - Global Startup: GhostSurf proxy.lnk = C:\Program Files\GhostSurf 2005\Proxy.exe
    O4 - Global Startup: PreEmpt.lnk = C:\Program Files\PivX\PreEmpt\PreEmptST.exe
    O4 - Global Startup: PreView.lnk = ?
    O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1119804189432
    O18 - Protocol: aim - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: shell - {3050F406-98B5-11CF-BB82-00AA00BDCE0B} - C:\WINDOWS\System32\mshtml.dll
    O23 - Service: AL_ADSService - Unknown owner - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE (file missing)
    O23 - Service: Aluria Security Center Spyware Eliminator Service (ASCService) - Unknown owner - C:\PROGRA~1\ALURIA~2\ascserv.exe
    O23 - Service: Deepsight Extractor (DeepsightExtractor) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorService.exe
    O23 - Service: DeepSight Extractor Service for NPF03 (ExtractorServiceNPF03) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF03.exe
    O23 - Service: DeepSight Extractor Service for NPF04 (ExtractorServiceNPF04) - Unknown owner - C:\Program Files\Symantec\DeepSight Extractor\ExtractorServiceNPF04.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: PreEmpt (qfcoresvc) - PivX Solutions, Inc. - C:\Program Files\PivX\PreEmpt\loadsvc.exe
    O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Tenebril Inc. - C:\Program Files\GhostSurf 2005\DeleteSvc.exe

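    A HijackThis log is read by hand in the replies that follow (the web server, the PartyPoker leftovers). The block below is an added example, not code from the thread or from HijackThis, that automates the same first pass: it takes lines copied from the log above (trimmed to the ones the checks need; nothing in the input is invented), and flags autostart entries whose target file is missing, the IE proxy setting that routes all browser traffic through a local port, services with no identified owner, network servers among the running processes, and any autostart entry whose executable name matches a running process but whose path does not. The `SERVER_EXES` table is the example's own and lists only the two servers visible in the log.

```python
import re
from collections import defaultdict

# Lines copied from the HijackThis log in the post above, trimmed to the ones
# the checks below need. Nothing here is invented; the full log is on the page.
LOG = r"""
Running processes:
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\GhostSurf 2005\Proxy.exe
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:7212
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\system32\mdm.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O23 - Service: AL_ADSService - Unknown owner - C:\PROGRA~1\ALURIA~2\AL_ADS~1.EXE (file missing)
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld-nt.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Executables that are network servers by design (example's own table): their
# presence answers "why are you running a webserver on this box?".
SERVER_EXES = {"inetinfo.exe": "IIS", "mysqld-nt.exe": "MySQL"}

PATH_RE = re.compile(r'[A-Za-z]:[\\/][^"\n]*?\.(?:exe|dll)', re.I)
ENTRY_RE = re.compile(r"^[RO]\d+ - ")


def norm(path):
    """Case-insensitive, slash-normalised form so C:/x and c:\\x compare equal."""
    return path.replace("/", "\\").lower()


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def running_processes(log):
    """Full paths listed under 'Running processes:' up to the first blank line."""
    procs, in_section = [], False
    for line in log.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_section = True
        elif in_section and line:
            procs.append(line)
        elif in_section:
            in_section = False
    return procs


def triage(log):
    """Return a list of {'kind', 'detail'} findings worth a human look."""
    procs = running_processes(log)
    seen = defaultdict(set)  # basename -> normalised paths actually running
    for p in procs:
        seen[basename(p)].add(norm(p))
    findings = []
    for p in procs:
        if basename(p) in SERVER_EXES:
            findings.append({"kind": "server",
                             "detail": f"{p} ({SERVER_EXES[basename(p)]})"})
    for line in (l.strip() for l in log.splitlines()):
        if not ENTRY_RE.match(line):
            continue
        paths = PATH_RE.findall(line)
        path = paths[-1] if paths else None
        if "(file missing)" in line:
            # Registered autostart/service whose target is gone: uninstall
            # leftover, or something removed that is still wired to start.
            findings.append({"kind": "orphan", "detail": line})
        m = re.search(r"ProxyServer = (\S+)", line)
        if m:
            # Every IE request goes through this address; confirm which
            # process listens there, because it sees all browsing in clear.
            findings.append({"kind": "proxy", "detail": m.group(1)})
        if line.startswith("O23") and "Unknown owner" in line and path:
            findings.append({"kind": "unknown_owner", "detail": path})
        if path and line[:3] in ("O4 ", "O23"):
            name = basename(path)
            if name in seen and norm(path) not in seen[name]:
                # Same executable name as a running process but a different
                # location: check which copy you actually expect to run.
                findings.append({"kind": "path_mismatch",
                                 "detail": f"{name}: entry {path} vs running {sorted(seen[name])}"})
    return findings


if __name__ == "__main__":
    for f in triage(LOG):
        print(f"[{f['kind']}] {f['detail']}")
```

    On the poster's own lines this reports IIS and MySQL running, the two "(file missing)" entries, the proxy at 127.0.0.1:7212, and that the RunServices entry for mdm.exe points at a different path than the mdm.exe that is actually running; the MySql service path only differs in slash direction and is correctly not flagged. The tool says where to look, not what is malicious.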
  5. #25
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    *Cough*

    Why are you running a webserver on this box?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  6. #26
    Senior Member Cemetric
    Join Date
    Oct 2002
    Posts
    491
    *Cough* Why are you running a webserver on this box?
    What Tiger Shark said (damn smallband).

    Also you have some spyware issues to take care of: "partypoker.exe"?!

    C.
    Back when I was a boy, we carved our own IC's out of wood.
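
    The question Tiger Shark and Cemetric raise, and the earlier claim that Sygate has "tons of ports turned off", both come down to one list: which sockets on the box are listening on an address other than loopback, and which process owns each. The block below is an added example, not from the thread: it parses constructed `netstat -ano` and `tasklist` output (PIDs, addresses and the 192.168.1.100 LAN address are made up; the image names are the ones seen in the log above) and reports exposed listeners plus established outbound connections tied to their process. Run against real output, every exposed line is a port the host firewall must block or a service to remove.

```python
import re

# Constructed sample output, not captured from the poster's machine: what
# `netstat -ano` and `tasklist` might show on an XP box running IIS, MySQL and
# a local filtering proxy. PIDs and addresses are made up.
NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1364
  TCP    0.0.0.0:3306           0.0.0.0:0              LISTENING       1520
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:7212         0.0.0.0:0              LISTENING       2088
  TCP    192.168.1.100:1129     203.0.113.44:80        ESTABLISHED     2088
  UDP    0.0.0.0:500            *:*                                    700
"""

TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0        236 K
lsass.exe                    700 Console                 0      2,212 K
inetinfo.exe                1364 Console                 0      7,532 K
mysqld-nt.exe               1520 Console                 0     10,104 K
Proxy.exe                   2088 Console                 0      5,816 K
"""

# UDP rows have no State column, hence the optional group before the PID.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")
TASK_RE = re.compile(r"^(\S+)\s+(\d+)\s")


def pid_map(tasklist):
    """PID -> image name; the header and separator rows do not match TASK_RE."""
    out = {}
    for line in tasklist.splitlines():
        m = TASK_RE.match(line)
        if m:
            out[int(m.group(2))] = m.group(1)
    return out


def split_addr(addr):
    host, port = addr.rsplit(":", 1)
    return host, (None if port == "*" else int(port))


def sockets(netstat, tasklist):
    """Every socket row joined with the owning process."""
    procs = pid_map(tasklist)
    rows = []
    for line in netstat.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        host, port = split_addr(local)
        rows.append({
            "proto": proto, "host": host, "port": port, "foreign": foreign,
            # A bound UDP socket has no state; treat it as a listener.
            "state": state or ("LISTENING" if proto == "UDP" else None),
            "pid": int(pid), "image": procs.get(int(pid), "?"),
            # Bound to loopback only: unreachable from the LAN or Internet.
            "exposed": not host.startswith("127."),
        })
    return rows


def exposed_listeners(netstat, tasklist):
    """Listening sockets reachable from outside the box."""
    return [r for r in sockets(netstat, tasklist)
            if r["state"] == "LISTENING" and r["exposed"]]


def outbound(netstat, tasklist):
    """Established connections, so an unexpected peer can be tied to a process."""
    return [r for r in sockets(netstat, tasklist) if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    for r in exposed_listeners(NETSTAT, TASKLIST):
        print(f"EXPOSED {r['proto']}/{r['port']:<5} pid {r['pid']:<5} {r['image']}")
    for r in outbound(NETSTAT, TASKLIST):
        print(f"OUT     {r['image']} -> {r['foreign']}")
```

    On the sample this lists TCP 80 (inetinfo.exe), 3306 (mysqld-nt.exe), 445 (System) and UDP 500 (lsass.exe) as exposed, while the 7212 proxy port stays loopback-only; the one established connection is attributed to Proxy.exe. Packets-dropped noise from the router, mentioned earlier in the thread, does not show up here; only what the host itself accepts does.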

  7. #27
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    I make websites, but this stuff was happening before the webserver was installed anyway?

  8. #28
    Junior Member
    Join Date
    Nov 2005
    Posts
    9
    Well, PartyPoker was actually installed only a couple of days ago, but I've uninstalled it. Typical that it leaves something behind. I will get rid of what it has left..

  9. #29
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Off topic


    *Cough* Why are you running a webserver on this box?

    Man... you're slick, Tiger....

    Welcome back

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #30
    They call me the Hunted foxyloxley
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    and you need to 'sterilise' the post too

    left details in ............
    you never know who else is lurking on AO
    it COULD be where he learnt everything he knows
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
