Thread: puzzled - tough security issue

  1. #41
    Frustrated Mad Scientist
    Join Date
    Dec 2004
    Posts
    1,152
    If you've reformatted and it still happens.
    You stuck on a bunch of antispyware etc. and it still happens (as long as the antispyware isn't actually spyware itself; I didn't recognise some of those names).
    You've mailed from another computer and it still happens (might be wrong there, I'm losing the plot a bit).

    Is it possible that the problem is at the other end? Does it happen when you email any address or just your friend?
    On your friend's PC: are you sure that machine(s) is clean?

    Check with the law before you do anything, everything you do has the potential to ruin any evidence.

    Some general thoughts:

    Your work machine is possibly compromised. Have you spoken with your IT department?

    Got private things to send/say to your friend? Write a letter/text/phone but don't use the PC.

    Send **** everywhere by email: email the pope, Billy Gates, anyone stupid. If nothing else it'll piss off your snooper and they might get bored for a while.

  2. #42
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    To whoever queried ALG.exe:
    Application Layer Gateway == legit.
    Provides support for application level protocol plug-ins and enables network/protocol connectivity. If this service is disabled, any services that explicitly depend on it will fail to start.

    I think Tiger is onto something with msmsgrs.exe: http://www.sophos.com/virusinfo/anal...2sdbotadn.html

    Not only this, but it was mentioned this started with a mass mailer?
    There is an entry in your HijackThis log which refers to a possible infection. I have not got time to dig it up right now.

    But I would ask: in what order, after your re-format and clean install, did you bring XP up to patch level?
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  3. #43
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Tiger and TH13 both had excellent advice. I don't think I would waste my time looking at safe mode; download a bootable distro CD. Since you might not know what this is, look into something like Knoppix. There is a download link and loads of directions on how to use this....

    Essentially: download image, burn image to CD, leave CD in computer, restart computer, boot from CD.

    You now have a Linux OS with full internet capability etc. Once you are in this environment, people are neglecting to inform you to change your passwords again on your email accounts. Or create a new email account and email your friend, or misc. ppl, information that would normally intrigue your friendly peeping tom.

    If your friend doesn't receive any updates on your activity then you know that it's related to your Windows box and something is causing your issues. You need to make sure you reset your passwords to something not obvious; use randomness if you need to (eg: i4dJ3$), then you know it's not going to be something that s/he can guess.

    Once you invest your time in trying this method, report back to us and let us know what's happening. You may consider not wasting your time talking with your local police and placing a call to your local FBI office. They should be able to assist you with this.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here

  4. #44
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Just for fun, I would drop to a command line and do a tasklist /SVC and look at what all the svchost processes are doing.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
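    The tasklist /SVC check above produces one row per process with the services it hosts; the parser below is an added example (not from the poster) that groups hosted services by svchost.exe PID, handles the wrapped continuation lines tasklist emits for long service lists, and lists any svchost.exe instance hosting no service at all, which is the thing worth a second look since svchost.exe exists only to host services. The sample output is constructed, not captured from anyone's machine.

```python
import re

# Constructed sample of `tasklist /SVC` output (not from a real machine).
# PID 1100's service list wraps onto an indented continuation line, as tasklist does.
SAMPLE_OUTPUT = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
svchost.exe                    948 DcomLaunch, PlugPlay
svchost.exe                   1024 RpcSs
svchost.exe                   1100 Dnscache, LanmanWorkstation,
                                   Schedule, SENS
svchost.exe                   2312 N/A
ALG.exe                       1500 ALG
"""

# image name may contain spaces, so match it lazily up to the PID column
ROW = re.compile(r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<services>.*?)\s*$")


def _split_services(field):
    """'N/A' means no hosted service; otherwise a comma-separated list."""
    field = field.strip().rstrip(",")
    return [] if field in ("", "N/A") else [s.strip() for s in field.split(",")]


def parse_tasklist(text):
    """Return [(image, pid, [services])] for every process row."""
    rows = []
    for line in text.splitlines()[2:]:  # skip header and ===== separator
        if line.startswith(" ") and rows:  # wrapped service list
            rows[-1][2].extend(_split_services(line))
            continue
        m = ROW.match(line)
        if m:
            rows.append((m["image"], int(m["pid"]), _split_services(m["services"])))
    return rows


def svchost_map(rows):
    """PID -> hosted services for every svchost.exe instance."""
    return {pid: svcs for image, pid, svcs in rows if image.lower() == "svchost.exe"}


def empty_svchosts(rows):
    """svchost.exe instances hosting no service: worth investigating."""
    return sorted(pid for pid, svcs in svchost_map(rows).items() if not svcs)


if __name__ == "__main__":
    parsed = parse_tasklist(SAMPLE_OUTPUT)
    for pid, svcs in svchost_map(parsed).items():
        print(pid, svcs or "(none hosted)")
    print("svchost instances with no services:", empty_svchosts(parsed))
```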

  5. #45
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    You didn't mention names, BUT, if the girl's surname is Gates then a fully functioning MS rootkit cannot be ruled out.

    and seriously, reduce PC load to minimum, get a fresh cell, don't save numbers to SIM ......
    use that for a while .........

    as for suspects :
    if you eliminate the impossible, then those that are left, no matter how improbable, are more than likely to contain the culprit.

    try to think of who stands to gain from this

    motive always has the same trio

    ability to do it
    time to do it
    desire to do it

    any ideas yet

    and as for sleephack
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  6. #46
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Didn't see this mentioned, so I will: download RootkitRevealer.

    See what you come up with.

    How RootkitRevealer Works

    Since persistent rootkits work by changing API results so that a system view using APIs differs from the actual view in storage, RootkitRevealer compares the results of a system scan at the highest level with that at the lowest level. The highest level is the Windows API and the lowest level is the raw contents of a file system volume or Registry hive (a hive file is the Registry's on-disk storage format). Thus, rootkits, whether user mode or kernel mode, that manipulate the Windows API or native API to remove their presence from a directory listing, for example, will be seen by RootkitRevealer as a discrepancy between the information returned by the Windows API and that seen in the raw scan of a FAT or NTFS volume's file system structures.

    Can a Rootkit hide from RootkitRevealer?
    It is theoretically possible for a rootkit to hide from RootkitRevealer. Doing so would require intercepting RootkitRevealer's reads of Registry hive data or file system data and changing the contents of the data such that the rootkit's Registry data or files are not present. However, this would require a level of sophistication not seen in rootkits to date. Changes to the data would require both an intimate knowledge of the NTFS, FAT and Registry hive formats, plus the ability to change data structures such that they hide the rootkit, but do not cause inconsistent or invalid structures or side-effect discrepancies that would be flagged by RootkitRevealer.

    Is there a sure-fire way to know of a rootkit's presence?
    In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer, can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

    The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
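    The cross-view idea quoted above (high-level API listing versus raw on-disk structures) reduces to a set comparison; the following is an added example, not RootkitRevealer's code, that runs that comparison over two constructed listings of the same directory and classifies each discrepancy. It normalises path case because NTFS paths are case-insensitive and a naive comparison would otherwise report false discrepancies.

```python
# Constructed "API view": what a directory listing returns on the live system.
# (Paths and sizes are illustrative, not taken from a real machine.)
API_VIEW = {
    r"C:\Windows\System32\alg.exe": {"size": 44544},
    r"C:\Windows\System32\SvcHost.exe": {"size": 14336},  # case differs from raw view
    r"C:\Windows\System32\drivers\afd.sys": {"size": 138496},
    r"C:\Windows\System32\drivers\stale.sys": {"size": 4096},  # in API view only
}

# Constructed "raw view": the same directory as parsed from the volume's
# file-system structures. 'hidden_example.sys' is a placeholder for a file
# a rootkit filtered out of the API listing.
RAW_VIEW = {
    r"C:\Windows\System32\alg.exe": {"size": 44544},
    r"C:\Windows\System32\svchost.exe": {"size": 14336},
    r"C:\Windows\System32\drivers\afd.sys": {"size": 139000},  # size differs
    r"C:\Windows\System32\drivers\hidden_example.sys": {"size": 27648},
}


def _normalize(view):
    """Key each entry by lower-cased path (NTFS is case-insensitive),
    keeping the original spelling for reporting."""
    return {path.lower(): (path, meta) for path, meta in view.items()}


def compare_views(api_view, raw_view):
    """Return {path: kind}. 'hidden' = on disk but absent from the API view
    (the discrepancy RootkitRevealer flags); 'phantom' = reported by the API
    but absent on disk; 'mismatch' = present in both with differing metadata."""
    api, raw = _normalize(api_view), _normalize(raw_view)
    findings = {}
    for key, (path, raw_meta) in raw.items():
        if key not in api:
            findings[path] = "hidden"
        elif api[key][1] != raw_meta:
            findings[path] = "mismatch"
    for key, (path, _) in api.items():
        if key not in raw:
            findings[path] = "phantom"
    return findings


if __name__ == "__main__":
    for path, kind in sorted(compare_views(API_VIEW, RAW_VIEW).items()):
        print(f"{kind:8} {path}")
```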

  7. #47
    Member
    Join Date
    Sep 2005
    Posts
    77
    A couple things that came to mind while reading the posts.

    -Trevoke, you had me laughing with the Dr. Jekyll comment, I was thinking of Fight Club though.

    -Possible conduits into your machine for reinfection (iPod)? It has storage capabilities. Are there any files other than music stored on it? Are there any other external devices such as Palm devices that you hook up that might carry a malicious payload?

    -I read early on in the post someone asked if you updated the firmware on your router. I am not sure if you responded to that. Have you ever used a custom firmware upgrade on the router? I have seen quite a few out there and also read about some that are shady. Also, regarding the router, I know this sounds basic, but is it safe to assume you don't have the Remote Management option enabled?

    -Not sure if you answered this, has anyone checked your female friend's computer for infection?
    What do you use as your mail client? Still use web mail? Outlook/Express? If so, disable the preview pane option. (Thinking about the attacker using his female friend's computer to send malicious files to him.)

    -I am most concerned that you said you run a web server from your laptop. What kind of web hosting do you do from a laptop? I think that needs to be investigated a bit more. What applications do you have running with the web server? (Shopping carts, add-in modules, applets, PHP plugins.) We had a client whose website got defaced due to not updating a PHP module/add-in; they reimaged the server, loaded the same old version of PHP and didn't update it to the latest version as instructed, and sure enough they got defaced within a week.
    %42%75%75%75%75%72%70%21%00

  8. #48
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    This article may help you with the problem you are having; it references email and hacking.

    http://net-security.bitpipe.com/deta...16987_280.html

    To get it without filling out all of the crap: if you are using Firefox, disable JavaScript, then click on "Get this now" and then the "Submit" button to get the 7-page PDF document.

  9. #49
    Chiming in.... I would say run a live CD as well. However, I think you could do a little bit of active espionage while you're at it. Your NTFS partitions will be read-only, so go ahead and snoop around your NTFS partition, hda1 most likely, and check for anything obviously weird, i.e. files that you can't see in Windows. Go ahead and follow everyone else's advice after that, testing for the software possibility. Does your Linksys log anything? Any recurring themes in the logs, like time, port, source address? Did you check your Windows Event Viewer for anything strange? Since you've tried all the obvious, now you've got to look at stupid ****.

    I would say though, that due to the time involved, it's probably not your average run-of-the-mill dooshbag. I'd say this person has to be connected to either you or your friend. Most likely an ex-boyfriend or an ex-girlfriend. Someone has it out for you, and really only you. Although, it could always be some dooshbag who you don't know.

    Another suggestion I have is to get yourself an old crap computer like a Pentium 1 or 2 in its original configuration and install an IPCop box instead of your Linksys. You'll get much better logging function, plus it has an IDS built in, so you could get some clues as to how he's doing what he's doing. Look for patterns. It's going to be in the patterns somewhere. Also have the authorities clone your hard disk image. It will preserve their evidence, and then you can reformat your drive and really piss the guy off. He'll have to ACTIVELY recover his position. At this point, if you installed the IPCop box, you have an idea of what he did. I would also suggest keeping Ethereal nabbing packets the whole time. Play with the guy. Dick with him. Make him want to **** you over and then he'll get stupid.

    Although, before you start dickin' with some unknown person on the web, consider the consequence of him living down the street and murdering you and your friend. Oh, and taking obscene pictures of you two having double necrophiliac hanky panky after. Oh, and then selling those pictures to some fetish site somewhere.

  10. #50
    Senior Member
    Join Date
    Dec 2003
    Location
    Pacific Northwest
    Posts
    1,675
    After his secret was out Samson fell asleep with his head in Delilah's lap.

    No offense intended ropester, and of course I could be wrong, but sometimes we can’t see the forest because of the trees. Take a look at what you are experiencing.

    ”Anyway if I even so much as look at somebody online on a dating site as an example…she'll get an email about it from this person with all kinds of threats and so forth.”

    “I've obviously had to try and stop any kind of web surfing that would provoke him to send her more stuff and it's very hard, even the simplest stuff can do it.”

    “If I send a mail out where I write to a female friend he seems to zero in on these and use the information that is sent back to me or sent from here.”

    “…this person thought they were women and wrote to my friend again threatening her saying I was up to this and that with these 2 people which clearly I wasn't.”

    “I still don't know what exactly is being sent to her but all I do know is that it is pretty scary stuff and I want it to stop.”

    “She reported it to me after I had formatted my machine that he/they were angry.”
    Offer her a wedding ring and see if it quits. If it does, run like hell because it’s Glenn Close.
    Connection refused, try again later.
