How is my ex-girlfriend getting my emails and other info??

Hi, I've got a situation that I need some expert advice on. My ex-girlfriend, who is Russian and lives in Russia (while I now live in Germany), has been able to read emails I've sent to friends and current women I'm dating.

My friends have also told me that they've sent me emails to one of my secondary email accounts, but I haven't received any of them.

The crazy woman (I'm being nice here) has called and read back, word for word, emails I've sent. She was also able to read messages I had sent to people on Myspace. And, she implied having other information I had stored in my computer, but I'm not certain if this is true.

What I'd like to know is:

1. How is she obtaining this information?
2. What measure can I take to stop her?
3. How can I catch her "in the act" so I can seek legal action?

I've read through about six pages of threads here that I thought were similar (such as https://www.wilderssecurity.com/showthread.php?t=147850 and https://www.wilderssecurity.com/showthread.php?t=136079 but it didn't seem like they were applicable to this situation.

Some information that might be useful:

- I'm on a Dell Inspiron 6000 laptop with Firefox 2.0 as my default browser - I'm using the Noscript extension
- use a Wi-Fi connection...not sure if my landlord has a firewall on his router, but the connection is encrypted...also, while I still lived in Russia, I used a regular dial-up modem on a different laptop and she was still able to get info
- firewall: Comodo Firewall Pro
- antivirus: Kaspersky Antivirus 6.0
- other security software: AVG Anti-Spyware, Spybot S&D with Tea-Timer, Windows Defender, Ad-Aware SE personal, Sandboxie (recently installed, haven't used often yet)
- I lived with this woman for a year and she had access to both laptops

I'm so paranoid now that I've resorted to using Tor/Privoxy/Vidalia (via the Tor button on Firefox), plus I installed CCleaner and use it after every browsing session.

After reading about Anti-Hook and other rootkit scanners, I was tempted to install it, but I don't have the knowledge to take advantage of its features.

I thought doing a full re-install of my OS would help, but that wouldn't solve problem #3. Even if I did, I'm still not sure it would solve the first two problems. I remember once, she made an off-hand remark that "people can get into any system, all they need is your email address." She and her friends are skilled computer programmers with far too much time on their hands!

HELP!!!



(Hell hath no fury like a woman scorned...

 

What email service and email program do you use? Is it possible the settings of either have been adjusted to where your email is CC or BCC (blind cc) to her email address?

 

Hello,

You are in a very annoying situation. She can have access to your emails in various ways :
- a rootkit and/or keylogger is installed on your computer
- she knows your email accounts passwords
- or both

About the rootkit/keylogger posiibility, if you want to be 100% sure that you haven't one, after someone had physical access to it, is to format your hardrive and wipe/re-initialize the MBR. Hardware keyloggers, as far as I know, requires physical access to remove them and retrieve the logged information. Thus I doubt you have it, but If you want to check, "undo" (not sure of the word) your keyboard and check inside it.

Then disconnect from the network, install your system, eventually read guides to secure Windows such as this one http://www.firewallleaktester.com/docs/Securing Windows.pdf and install your security softwares. Then, and only then, connect to the Internet to install your updates.

The next step is to change ALL of your online passwords, email accounts, forum accounts, bank accounts, etc... Replace them with strong passwords, using for instance a password manager such as Keepass Password Safe to generate them : http://keepass.info/

Keep us informed.

Regards,
gkweb.

 

I use Yahoo. I hadn't thought of that. Is that something I can just edit in my profile? Even if she was doing this, how would she have gained access to my myspace account. I didn't start that until AFTER I left Russia

 

I am not a techi, so If I were in this situation and my laptop was a few years old, I would consider the anolog approach and upgrade to a new laptop, reinstall everything rather than move info from the old computer to the new, and then get a new ISP with all new passwords and email carrier. We need a new toy once in a while anyway,right?

 

She had access to your pc's, so you need to change all security to do with your Internet usage. Most of these have already been listed by other posters.

It's possible your wireless connection is involved so contact the vendor and find out how to reset the user id on it, it is often set to "admin" as a default and the password is "password".

You main risk is $ loss via id theft. Change all bank account numbers and credit card numbers and notify the credit bureau monitoring services if you have that.

You need to phone your ISP asp to change all account passwords, id's every thing. She probably set them to forward copies of everything you send/receive to her! Find out how to remove those settings.

In the meantime tell your friends to make personal arrangements with you by phone!

Change your phone number as well.... a real mess for sure!

Moral? Give no one access to your PC's.

 

Annoying situation, indeed! Thanks for the feedback, gkweb. If I understand you correctly, I would have to physically take my laptop apart to check if a keylogger exists. That would void my warranty,though, and as you said, I doubt that this is the case.

About the passwords, I kick myself for using such weak passords in the past. I'm a bit wary of programs that manage passwords, though. My thinking is, if there's a program that manages them, then someone has figured out that program and can get into my files. Hence, I'm back where I started. Are they secure and reliable?

One reply from one of the threads mentioned in my intitial post struck me as interesting, and I was surprised that no one followed up on this. Here it is. It's from the "Security breach question" thread:

The idea that I am connecting to her or her friends first makes me wonder. Is there ANY possibility that this could be the case? Even with the use of a proxy? And what does it mean to "honeypot" somebody??

I sometimes find that the cpu is doing something that I'm not aware of because the green indicator light is blinking like crazy. I look up what processes are running in Task Manager, but my paranoia still makes me wonder if it's not some malicious program phoning home to Mother Russia! I know software exists that monitor the ports being used. What are some good ones that are currently free? And can I use the information from this software as "proof" of her illegal activity? If not, any suggestions?

I'm not, mind you, asking for instructions on how to break into HER system or anything of the sort. This whole situation just PI$$E$ me off and while my primary goal is to have a secure system, I'd still like to see her punished for her activities.

 

Wow, that's a frustrating situation. If I were in your shoes, I'd:

1) Inspect your hardware to ensure that there are no hardware keyloggers installed. Most hardware keyloggers are simple devices that are attached externally. I suppose it's possible to have an internal hardware keylogger but I've not seen any such devices and I'd be very surprised if your girlfriend had something like that (which would probably be a proprietary device - particular to the hardware into which it was inserted).

2) Inspect your network to ensure that there are no mysterious devices attached anywhere on your network

3) Turn off your wireless networking

4) Check your router's configuration to ensure that it's not forwarding your traffic anywhere. Generally speaking, your router shouldn't have any settings that point it at any static IP address. It should obtain the addresses for name servers, etc, that it uses, dynamically (with DHCP).

5) Backup your critical files.

5.5) Completely disable your network. Disconnect physically. Ensure that your wireless adapter is off.

6) Do a full wipe. Reinstall your OS and apps from scratch. In the future, when you access any of the files that you backed up in step 5, make sure that you never run any backed up content that is executable. I'd also suggest that after you've re-installed your OS fresh that you take the opportunity to install a good sandboxing product in addition to some decent AV product. That way, you can be sure that you can easily roll back your machine to a clean/known state.

6.5) Ensure that all service packs/updates are applied

7) Enable your network. Enable your wireless networking with the highest level of encryption possible and a new encryption key. Avoid using WEP.

8 ) Change all of your passwords on all online accounts

9) Sign up for some type of identify-theft monitoring/prevention program

Her remark about being able to use your email credentials to break into your system is simply wrong (she's intentionally misleading you). Physical access to your machine and/or network is all she needed.

Or, you could just take advantage of this opportunity and mess with her head. Strategically inject interesting information in your email traffic. As to catching her in the act, well, that's a lot harder than cleaning up the mess.

 

Is she such a computer wizard or is her new boy-friend doing this to you ?

 

the best form of defence is attack swamp her with viruses you'll need to learn some hacking yourself using an unused phone line ie on the weekend when offices are closed you can change your connection to to be seen as if its coming from offices phone line get a loan of say 6 comps and have them all attack at once until it frys her comp google it to find out how this should get you started <Snipped>

~ Link to hacker's advice site removed. Please refer to our Terms Of Service. Thank you. - Menorcaman ~

 

culla,just what a security forum needs,a link to get started hacking.Great job,lmao!

 

hey i'm an anarchist and believe in an eye for an eye

 

Eye for eye,sounds a bit more on the religious side.

 

humanian Buddhist

 

Update: I followed the advice to check my email service/program. I found that my settings WERE CHANGED!!!

There were dozens of people that were placed on a block list, some of whom are close friends and others who were recent acquaintances, and ALL of whom I was wondering why they suddenly stopped writing.

More troubling, I also stumbled upon a setting which, as I understand it, allowed "the user" to remain logged in to "other" services of the user's account, even if I had signed off. This option was activated without my knowledge. I say "stumbled upon" because I can't find that setting again. I admit being too PO'd to be thinking clearly.

To reply to previous posts:
- grnxnm, thanks for the detailed reply. As you and Escalader pointed out, I need to really look into my wireless set up. I think that's my biggest vulnerability at this point. (this will be difficult since I'm fairly certain my landlord won't want to change any of his settings, even if I explained the situation to him...the only info I have is the password, which I had to beg for)

- ErikAlbert, yes, she knows her stuff. Are you suggesting that only a man can have such technical savvy? Be careful, some female posters here may take exception to that.

- culla, after what I found last night, I'm SOOO tempted to follow your advice. I'll take the high road for now, though (but I'll keep you and your post in mind if I change my mind! )

 

ustravel,

Just a few comments:

• While the advice regarding wireless is generically appropriate - disable it if you're not using it and secure it if you are - if you're in Germany and your ex-girlfriend is in Russia, it is a non-issue and not a part of your current problem.
• Take a look at the processes running on you PC, make sure you know what is running and why
• Since you have KAV, put it in paranoid mode for a time just to verify that no potentially dangerous applications (i.e. keyloggers and the like..) are running. Perform a complete and comprehensive system scan with this feature enabled.
• Review the list of applications allowed to communicate with the outside world by your software firewall. Again, verify that you recognize and approve all of them.
• With respect to email - at least with Yahoo, forwarding skips your inbox, so it's unlikely simple forwarding. However, if you exclusively use this as a webmail client, and she is able to remotely log on (have you changed you password to test if this solves the problem?), she may be able to read everything at will, particularly if sent messages are automatically saved. It's then a simple process of accessing the Yahoo mailbox and reading stuff. This is actually where I'd focus the bulk of my attention. Review settings and so forth with Yahoo support if needed; apprise them of your concerns as well.
• If you use a local mail client in addition to Yahoo mail (I don't believe that allow use of a local client in conjunction with their service), make sure that an auto cc/bcc setting or separate add-in/plug-in is not active.
• As for accessing other sites, etc., were notifications of these sites to you (set-up, passwords, etc.) made by email? If so, see above. Remote access to you mail account seems the most straightforward explanation.
• While a complete OS reinstall would appear to be the simplest and surest cure, it will accomplish little if you mail accounts are compromised and remote access is the entry path. Similar comments apply to another other services that may be in question (myspace, etc.). Any service which allows web-based access should be viewed as a possible entry point until discounted. As noted above, passwords for all these services should be updated.
• If you are concerned about some of the more exotic approaches one could use (the problem as described seems completely explainable through remote access to your mail account), slave the drive to a second machine and evaluate it.

Blue

 

Very helpful comments, Blue. Much appreciated.

Ran KAV and checked apps in my firewall...everything checks out ok

To answer your question about changing my passwords, yes, I did that about 2-3 weeks ago. Which is why I find the blocked list so troubling because there are contacts listed there that I didn't begin communication with until AFTER I changed my passwords (10-12 randomized, alpha-numeric characters).

Regarding access to other sites like Myspace, yes, they did send me a confirmation email, but as above, I changed my passwords (without email confirmation) and she still gained access into my accounts.

After checking my firewall for trusted apps, I also checked the network monitor. I found the following (is this normal for firewall settings??):

0. Allow TCP or UDP OUT from IP [ANY] to IP [ANY] where source port is [ANY] and DESTINATIN PORT is [ANY]

1. Allow ICMP OUT from IP [ANY] to IP [ANY] where ICMP message is ECHO REQUEST

2. Allow ICMP IN from IP [ANY] to IP [ANY] where ICMP message is FRAGMENTATION NEEDED

3. Allow ICMP IN from IP [ANY] to IP [ANY] where IC
MP message is TIME EXCEEDED

4. Allow IP OUT from IP [ANY] to IP [ANY] where IPPROTO IS GRE

5. Block and LOG IP IN or OUT from IP [ANY] to IP [ANY] where IPPROTO is ANY

 

Good, although how do you know that everything checks out ok? Precisely what do you mean by that? Sorry to focus on details, but that is what matters here and assume nothing. Verify that you did adjust the settings on KAV to high and included scanning for "Potentially dangerous software" - see screenshot below. If not, redo the scan with this enabled. I'd probably also take something like SAS for a spin. I've not used it, but it gets high marks from many. It's a long shot, but easily taken before moving on to aggressive measures. Also, have you posted to any of the sites that help with disinfection (not done here, but look here for some options).

If we assume you haven't missed any descriptive details here, that would imply direct access to the information. Is there any other mechanism that would lead to a block? Say a touchy spam filter?

I'm not a firewall maven, but that looks to be the default for Comodo. Correct?

These issues are somewhat difficult to debug remotely, especially in a case in which a person has had physical access to these machines. Physical access allows a completely different level of compromise than is typically possible surfing around.

There are lots of possible avenues one could pursue to examine the machine. However, if your own observations are correct (i.e. access to accounts on which you've recently changed passwords, unusual configuration activity on your email account), and you simply wish to rid yourself of the problem, I'd simply make the tacit assumption that you machine is compromised to a degree that renders any of the approaches we generally use here patchwork at best.

At this point, the question is how much time do you want to spend potentially hunting ghosts versus moving on?

Have you performed a comprehensive review and evaluation of all processes running on your machine? Do you feel as though you can diagnose the situation? If not, then hand this problem off to a person who can examine the machine live. There is simply no substitute for a trained eye at the machine.

As I mentioned above, slaving the drive to a second machine and performing an in-depth evaluation while booted from a known clean system is a quick and relatively easy operation.

As a final level, I'd:

• Copy all nonexecutable files (documents, records, photos, music, post office files, serial keys for purchased programs and the OS, etc.) off the machine and tuck them on an external HDD. If you're paranoid with respect to embedded exploits, scan this volume from a second, verified good, machine.
• Nuke the laptop harddrive
• Reinstall the OS
• Download a fresh copy of KAV and install it.
• Update the OS
• Download new copies of all programs you wish to install and install using the fresh downloads.
• While doing this, change all passwords to web-based sites using a known good computer. Do not use your PC. If possible, change your profiles and have all activation/confirmation information sent to a new e-mail account that you create for this purpose only. Keep this separate from your main account.
• Watch for unexpected activity of any sort.

If you're unsure of any of these steps, or if you're not equipped to do them, hire someone to do it.

Blue

 

[Please refer to our Terms Of Service. Thank you. - Menorcaman]

tos well i never saw that maybe it should be at the top of page and labelled rules

 

When I said it "checks out", I meant that I checked the apps in my firewall and ran KAV and it didn't detect anything.

BUT...I DID overlook clicking the "Potentially dangerous software" DOH!

Scanned again with the following results:

- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\System Volume Information\_restore{88D97A9B-4421-4162-830F-7750B2787694}\RP1\A0000018.msi//ESPNInst//WiseSFX Dropper//WISE0010.BIN//WiseSFX Dropper//WISE0008.BIN
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\System Volume Information\_restore{88D97A9B-4421-4162-830F-7750B2787694}\RP1\A0000019.msi//ESPNInst//WiseSFX Dropper
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\System Volume Information\_restore{88D97A9B-4421-4162-830F-7750B2787694}\RP49\A0003971.exe
detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\System Volume Information\_restore{88D97A9B-4421-4162-830F-7750B2787694}\RP9\A0000371.EXE//WiseSFX Dropper//WISE0010.BIN//WiseSFX Dropper//WISE0008.BIN
detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\System Volume Information\_restore{88D97A9B-4421-4162-830F-7750B2787694}\RP9\A0000373.MSI//ESPNInst//WiseSFX Dropper
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\WINDOWS\Temp\PR2C4.tmp//WiseSFX Dropper//WISE0010.BIN//WiseSFX Dropper//WISE0008.BIN
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\WINDOWS\Temp\PR2C5.tmp//WISE0010.BIN//WiseSFX Dropper
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\WINDOWS\Temp\PR2C6.tmp//WiseSFX Dropper//WISE0008.BIN
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\WINDOWS\Temp\PR2C7.tmp//WISE0008.BIN
- detected: riskware not-a-virus: Downloader.Win32.DigStream File: C:\WINDOWS\Temp\PR2C8.tmp

KAV could not disinfect the files, so I deleted them. From the resulting log, it seems that these files are the remnants of pre-installed programs that I uninstalled (ESPNmotion, Gem master, or something like that, etc.)

No, I haven't posted to any disinfection sites yet. I assumed they would help me clean the computer, but not tell me HOW it got infected in the first place, which is why I'm posting here first.

With that said, however, I hear what you're saying about weighing the options of "potentially hunting ghosts versus moving on". I'll have to cut my losses here and try to forget about what that B**** has done...

Thanks for all your input (this includes previous posters as well)!

 

Understood. One aspect to focus on is the physical access. You'll see a lot of commotion here regarding rootkits and the like. To be perfectly blunt, I believe this threat is vastly overstated for a normal usage situation at the moment. However, in the case of an individual with a malevolent focus, physical access to a machine, and expertise or access to expertise, it's another matter altogether. If that is the HOW, remote debugging is not the way to go and disinfection show proceed via a complete and prejudicial nuke and pave of the machine done with a take no prisoners/make no assumptions approach.

Best of luck!

Blue

 

I just wanted to concur with Blue in his post immediately above. A far more serious concern for the average computer user is who has physical access to your personal computer. One can buy a $79 professional keylogging program, install it, have it operate in Stealth mode - and there you go. No need for rootkits or anything else other than physical access to your PC for 15 minutes.

 

there is one other thing which you should check and its easy to check.
go to settings in kaspersky antivirus and go to trusted zone.
check both the exclusion marks and trusted application tabs.
make sure there is no keyloggers in the trusted zone.
its no use kaspersky having lastest defs if the keylogger is in the trusted zone.
lodore

 

I Always suspected those Russian Chicks were up to shadyness Ever since Tatiana Grogeyva won that Pole Vault Olympics a while ago Any Dudesss with legs that long is bound to have an advantage when it comes to running off like what Happened to this poster She Vamoosed with his Mail and Sold it Secretly to the KGB for further Investigation, Iv'e never trusted Dudes in Dark Glasses since I watched Men in Black I & II or Foreign Women come to think of it

 

it looks like a lot of people are private messaging me to give the hacking link google for it yourselves