Newbie's email and IM being spied on!

Hello Wilders Security Forum world.

I have been looking around and you guys seem pretty high-tech, so I am gonna hope you can get me out of a tough situation.


Bottom line, someone, somehow is getting into my IM's and my emails. They are changing passwords and generally messing with my life.


I have been to other forums, but they have not been helpful.


I have XP on my system and I install the updates.

I am using Norton AV corporate

I have Zone Alarm

I have used Spybot S & D, Adware SE, Hijack this, to name a few.

I was told in another forum after not doing much that I was clean...I know that is not the case because some quoted me on a recent email that I sent someone else in another part of the country, in private.

I have read your forum and seen tons of programs mentioned.

Other than reformatting my hard drive, anyway I can see

1) What program they are using...assuming it is something like a keylogger
2) Less importantly, where is this being sent to
3) HOW TO GET RID OF IT!!

I am a surgeon, so I am not afraid to try to tackle this.

Any help would be appreciated from you guys that know light-years more about this stuff than I ever will!

Thanks!

Mikeinstlouis.

 

Dose sound like a trojan\keylogger. While we wait for the true experts to check in we can do one quick and easy check. Sense there is a "mechanical" type of keylogger as well as the software based ones. Take a look on the back of your PC and make sure there is not a device plugged in between the keyboard and the PC port. Most likely not but a quick and easy thing to check while we wait.

 

I thought of that too. Nothing there, at least on my home PC. I think that it is coming from my home computer. I work for a big university and there is a big firewall for the university and the hospital. I think my home is more likely, but I guess it could be from my university computer too.

Whatever advice the experts give me, I guess I can try on all of my pc's

Thanks for the tip though, ThunderZ

 

Your home PC will be no problem for them to help you with. The University PC may be a different story as it concerns ownership issues. My suggestion concerning that would be to turn it over to the IT staff there. It may involve more then PC on the network. It is very possible as well that one of those PCs` is the source of the problem.

 

mikeinstlouis,

Download, Update and run a full system scan with A-Squared

Then download Dr.Web CureIt and run a scan with that as well.

Hopefully they will detect something and remove it for you.

Another thing you can do is download Security Task Manager

You can use it free for 30 days, but it's well worth buying. It will allow you to see if there are suspicious programs running in the background and give you the ability to remove them.

And while your at it, you might want give Ewido Micro Scanner a try.

Hope this helps.

 

Thanks for the advice. I am in the hosptial right now (working) and can't get to my computer until Sunday.

I have told my IT guys about my problems, they blew me off.

What about programs like snoopfree, GesWall and BOClean that I have heard about?

Thanks!!!

 

Unfortunately not an uncommon response. Many IT Techs. are well versed in configuration and maintenance but not the same when it comes to malware. Have seen it many times.

Do not use any of them but all are mentioned here and generally spoken of highly. In the mean time I would try to think of which PC the e mails and IM`s were sent from. The content of them may jog your memory. If I remember right in your first post in another section you said a friend sent you copies. Did he say how he had obtained them?

 

mikeinstlouis,

You've thrown a couple of items out, let me pursue them a bit.

1. You've mentioned work and home PC's as possible issues. From which one did you write the email in question? Home or work? Can you access the offending email account from both machines or just one of them?

2. Have you firmly eliminated simple forwarding of your email as a possible route for the events you've experienced? If there is no direct connection, could multiple acquaintances form a possible traceback path?

3. One problem with keyloggers is that some occupy a grey area of application. They are commercial programs which can be used for valid as well as untoward reasons. For any security application that you use, make sure it is set on the highest level possible. Since that can generate false positives, do not automatically assume an alert is real - confirm the result before doing anything.

4. If a work machine is a potential vector for this, and you use this in dealing with patient information, I find your IT staff's reaction curious. On the basis of the potential HIPAA implications alone, blowing something like this off is not terribly understandable.

Just so I get a sense of the prior discussion, could you point me to it? Thanks

Blue

 

If it was me, I'd DBAN the entire drive and buy a new keyboard. But, with you being in the medical profession I'd sure make every effort to determine the source of it. If it's a keylogger software, it has to communicate over a network or the internet to get that login information back to the attacker (either this or someone is physically collecting it from the machine). Bottom line is, you'll need someone who knows what they're doing to sit down and inspect the machine probably... it's just too bad that the people who can do this properly aren't usually in the yellow pages so to speak..

Edit:

With you being in a medical professional and dealing with sensitive information that not only affects you.. you might be able to get some assistance from the government with this..

 

BlueZannetti

The previous post is here > https://www.wilderssecurity.com/showthread.php?t=157317 Really not much. Was initially posted on the wrong Board is all.

 

Yeah, I agree it is curious... I wouldn't be shocked to find out it's one of them. You could always go above their heads on it... Either way, from my experience with those type of IT people... they wouldn't know where to begin anyway.. I would expect a hospital to be using something like http://www.faronics.com/html/deepfreeze.asp anyway.. still could be hardware/keyboard related though..

 

Re: BlueZannetti

It sounded as though more in-depth information/discussion had been presented elsewhere...

for example.

Blue

 

I don't recall where the email was sent from, besides, it is more than email. It is passwords that I use for certain sites (such as this). Most of the sites I don't ever visit from work, so I am assuming that the culprit is the home computer. For instance, a friend of mine was on the phone and he told me that I was logged onto yahoo messenger, then I logged out. I was in a car en route from Kansas City to St. Louis, so there was no way it was from me. So, they have a way to get my yahoo accounts as well as a few others.

The email that was quoted was one that was sent TO me from someone else, that I responded to. My guess is that they have somehow gotten into my system with some kind of keylogger or worm and they are keylogging my passwords as I log them in from home.

Regarding the criminal nature, I have contacted police...they did nothing.

The IT people at work said our firewall is "too good"

I guess the bottom line is what can I do to check my computer at home so I feel that it is safe for me to put sensitive (passwords) data in. It is not my keyboard. It is the same keyboard that came with the computer.

Thanks for your responses.

 

My point there was that someone can place a keylogger inside the keyboard...

Nothing is ever 'too good', so that shows that they're clueless imo..

if you had the email still you could look at the header information and get an ip address of where it came from.. not saying this could even be used to track them, because they could be using a free secure account behind a chain of proxies or something...

one thing to be sure of is after you do settle this, change the passwords on everything... maybe even change email accounts or at least use a secure email client with text only or something... also, never use the same login/password for different things.

Like i said, if it was me i'd wipe the entire drive clean... i'd flash the bios... and get some proper protection softwares by downloading them from a trusted computer along with windows updates. I'd unplug my network and not plug it back in until i had did all this, reinstalled and installed/configured the protection software. I'd take no chances with it.. I'd even replace the keyboard and have someone look inside the case that knows their hardware...

You would lose everything on the hard drive in this case, but you never know what may be attached to your files. If you really need some files, at least have someone inspect them on a backup media. It's a tough situation...

 

You mentioned yahoo. Is this your primary email account? You certainly wouldn't need a keylogger to crack web based applications. I guess my question is how strong are your passwords? Are they something like "dognsuds" or are they something like "%byg43@l016!!z"? The former could be broken with brute force, the latter probably never, without of course a keylogger.


Here are some anti-keylogging software you can try
http://www.spywarewarrior.com/uiuc/soft16a.htm

This free one will tell you the software thats trying to hook into the keyboard, worth a try
http://www.snoopfree.com/PrivacyShield.htm

This pay one is a signature based approach. It's whole point of existence is to sniff out software keyloggers.
http://spycop.com/products.htm

 

OK, that's a reasonable extrapolation

OK, but not sure what to make of this on the face of it. But is you IM set to autologon in the event of a restart or periodically poll to refresh information (i.e. waiting messages)? I'm not an IM'er, so forgive the naive questions.

Let's think about this for a moment. For someone to be able to quote email that I sent, the possibilities are:

• Keylogger/trojan of some sort. Aside from yourself, who has physical access to the machine?
• Remote access using a known or guessed password to a webmail account. Is you email client local or web-based? Is there a sent folder on the web?
• Simple physical access to the machine. Are any of your accounts set to autologon or must you type it each time logging in?
• The person you responded to forwarded the email or was somehow the vector to others. Again, are there any possible social connections in the background or does this involve distinctly different branches of acquaintances with no mutual overlap? Not much you can do here except be very circumspect in written communications.

Here is what I would do. It focuses on using available software since, pragmatically speaking, you're not going to become an expert overnight, so I'll skip extensive investigation of the machine state (running processes, SSDT hooks, unknown installed software, etc.). I'll assume that you've already done this to the best of your ability.

As others have mentioned, a complete nuke and reinstall of all software is a very viable approach. It's draconian, but effective, and relatively straightforward if all the needed information (serial numbers, key files, activation codes, etc.) and resources (install disks, etc) are available. It's not unlike what one would do after a hard drive failure. Depending on what you need to reinstall, the time involved could be anywhere from 3 to up to 10 hours of work. At this point you'd be done, but there are downsides. One being that the whether this machine is the issue or not remains an open question. Of course, in some sense I realize that, in principle, remains a very open question unless something is found; coming up empty always leaves the possibility that one didn't look hard enough (or that the problem lies elsewhere...). Let call this option 1.

Option 2 is to switch off on the security software employed. Regardless of cause (use of a "valid" keylogger, installation and approval/exclusion of these applications by a 3rd party with physical access to the machine, lack of coverage by your current software, etc.), a simple step to take is to change the landscape. I'd try to free options initially.

• I'll assume that you've already done some of the steps mentioned already such as running Dr Webs CureIt!. If you haven't, do so now.
• Download the trial versions of Kaspersky Internet suite and Prevx. Do not install them yet. Also download a copy of CCleaner.
• Before you get about uninstalling things, examine the allowed programs and logs of ZA firewall for any suspicious or unknown entries. If you run across something that does not ring a bell, do a quick check at a listing site such as Sysinfo.org. There are others available, this is just one. Do the same for the StartUp and Service entries (Select Start>Run>msconfig check entries under the Services and Startup tabs). Check back before doing anything in the way of a change or deletion.
• Uninstall Symantec AV. Restart and confirm that all vestiges are gone.
• Uninstall ZA firewall. Restart and confirm that all vestiges are gone.
• Cleanup the system. Install CCleaner. First run the Cleaner and allow deletion of anything found, then select Issues (left hand side of window) and Scan for Issues. Fix all issues identified, but do make a registry backup.
• Restart to verify that everything is working as it should.
• Install the trial of KIS. Do a complete installation. Make sure that settings which flag "potentially dangerous software" are enabled (review the documentation to change these settings). Basically, max out the settings and perform a complete system scan after updating.
• After KIS has been installed and run, and assuming nothing was found, install Prevx. There's a lot of ovelap here, and you certainly don't need all components of both programs, but ignore that for the moment. Allow Prevx to perform a complete system scan. Remove any known malware identified and pay attention to any caution programs flagged.
• If nothing turns upwith Prevx, one last verification step that I'd take is to purchase and install BOClean. There is no trial, but there is a 30 day money back guarantee. Install, update and run. It is compatible with the other two. It takes a little more aggressive stance on some riskware applications than some.
• If all of these steps yield a clean machine, I'd probably state that in all likelihood, the machine is fine. With scan times factored in, it takes about as long as a nuke and repave of the system. Is it proof of cleanliness? No. On the other hand it would beg the question as to why someone is more interested in reading your mail and IM's than walking through financial sites with impunity.
• By all means, at this point change all passwords used to access external sites and accounts.

Regardless of whether this is an actual problem or not with your home PC, you don't trust that PC at the moment and that issue is real.

To do something, they need something firm to go on. If what you mention is all that there is available, they don't have anything to go on or anyone to go to. This reaction should be expected. They are not PC maintenance guys after all.

Actually, for what you describe, the firewall (assuming site hardware that is) is irrelevant.

Yep, that's it in a nutshell.

Blue

 

Hey Mike, do you have a wireless connection at home ?

With weak WEP encryption, it takes me about half an hour to drop ALL of someone's internet traffic.

POP, SMTP (mail) and some IM packets are sent unencrypted so...

 

Excellent point! There are many way to get information and all need to be considered.

Blue

 

Sorry for the simplistic approach, but do you have a computer savvy teen ager at home? If so does he communicate with other pc savvy teens?

 

No computer savy teens at home...(fortunately!)

I do have a wireless connection at home, it is my DSL through SBC. I have a wireless lap top. I usually am on my 2wire08 modem, which is said to be secure.

Does that help?

 

Sorry everyone...that is in addition to my laptop. I recently a few weeks ago reformated my laptop. I guess they can get onto that too now.

 

One more time...I am a bit sleep deprived from delivering babies in the middle of the night. I have a desk top. I also have a lap top that I wirelessly connect to with the above mentioned modem. I recently (weeks) did a reformat on the laptop. I hope this makes sense....20 more hours to go in this shift!!!! Then I can go home and work on my computer.

Thanks for all the good advice....keep it coming!

 

Sense you do have a wireless connection the next logical question, is it WPA capable and if so is it enabled and using a strong pass phrase?

 

I have no idea what you are asking. All I know is that I have to enter the keynumber that is underneath my modem to gain access to it, then it says it is secure.

 

When you say modem, could you possibly mean router? Is there an external antenna(s) on it? Or do you have another device attached to it that has antenna(s)? What is the make and model number of the modem? Also of the router, if, you have one. Also, the make and model of the laptop. _aKa_Ghost may very well be on to something here. It is VERY easy to to gain access to an improperly secured wireless network. No software or other devices are needed to be installed on your PCs for this to be accomplished. The reason I ask for the makes and models is so we are able to go to the manufacturers site and find out the capabilities of the device so we can advice you in the best possible secure setup.