My email passwords were changed

Guest

When trying to log onto two of my e-mail accounts supplied by separate ISPs
my e-mail passwords would not work. Both passwords were different. I called
both ISPs and they tried entering the passwords at their end and they did not
work.

My e-mail passwords were changed.

I am running XP-Pro SP2, Internet Explorer and Outlook Express 6. I have a
cable connection to the internet. I have a firewall router, NIS 2006 and
Blackice Defender Intrusion software.

I performed scans in Windows and also in safe mode with MS Anti-spyware beta
1, NIS 2006 Antivirus, the trojan cleaner, spysweeper (which does not run in
background), ad-aware se pro (does not run in background). All definition
and sw files were up to date. All came up clean. In addition all my Windows
updates are also up to date.

My passwords are in a locked safe that needs a combination and a locked box
key, which I only possess. They are there only for verification purposes and
both my work office and home office are alarmed. Both computers need
passwords when turned on. I am sure NO one has my email passwords from me
personally and my systems are not accessed by anyone at my internal locations.

How can I be sure what happened and if my system is clean? Would a HijackThis
analysis help? Should I debug/format my hard disk?

Can you help?
 
Guest

Thank you for your response

I checked this very carefully and entered it also through Internet explorer.
My outlook express also had it as a remembered password since I got the
system.
 
Bill Sanderson

Can your mail providers tell you when the passwords were last changed?

Email passwords are typically completely unencrypted between your keyboard
and the mail provider--so a device capturing network packets anywhere along
that path can capture the password.

If your systems are patched up to date, you've been running the malicious
software removal tool on a monthly basis, which detects some trojan and
rootkit variants.

You might want to run F-secure's Blacklight rootkit detector, and
Sysinternals RootKitRevealer.

RootKitRevealer's results may take some interpretation--read the help to see
what the "normal" output is before you read too much into it.

A HijackThis analysis wouldn't hurt.

How many locations do you use these email passwords from? Can you
characterize the nature of the networks involved in those locations?
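
Added example, not part of the thread or any poster's code: a check, run over constructed POP3 client command logs, for the exposure described in the post above, where the password crosses the network before any TLS protection is in place. It assumes the log holds only client commands and that an STLS request succeeded; the account names and secrets are made up.

```python
# Constructed POP3 client-side command logs (sample data, not from the thread).
PLAIN_SESSION = [
    "CAPA",
    "USER ben@example.net",
    "PASS constructed-secret",
    "STAT",
    "QUIT",
]
STLS_SESSION = [
    "CAPA",
    "STLS",
    "USER ben@example.net",
    "PASS constructed-secret",
    "QUIT",
]
# APOP sends an MD5 digest of the server timestamp plus the secret,
# so the password itself is not on the wire.
APOP_SESSION = ["APOP ben 0123456789abcdef0123456789abcdef", "QUIT"]

# Commands that put the password, or a trivially decodable form of it, on the wire.
CLEARTEXT_AUTH = {"USER", "PASS"}
CLEARTEXT_SASL = {"PLAIN", "LOGIN"}


def exposed_commands(client_lines, implicit_tls=False):
    """Return the auth commands sent before any TLS protection was in place.

    implicit_tls=True models a connection to port 995, where TLS wraps the
    whole session from the first byte.
    """
    protected = implicit_tls
    exposed = []
    for line in client_lines:
        parts = line.strip().split()
        if not parts:
            continue
        verb = parts[0].upper()
        if verb == "STLS":
            # Assumption: the server accepted STLS, so what follows is encrypted.
            protected = True
        elif not protected:
            if verb in CLEARTEXT_AUTH:
                exposed.append(verb)
            elif verb == "AUTH" and len(parts) > 1 and parts[1].upper() in CLEARTEXT_SASL:
                exposed.append(f"AUTH {parts[1].upper()}")
    return exposed
```

An empty result means the session never carried the password unprotected; any entry names the command that did.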
 
Guest

The ISPs can tell when a password change request is done by telephone but not
by internet.

Systems are definitely patched up to date at least twice a week.

All programs are run at least twice a week.

These are stand alone systems. The system at work no longer has internet
access.

Would you please explain where I can obtain F-secure's Blacklight rootkit
detector, and Sysinternals RootKitRevealer? Also a HijackThis program and
analysis?

Thank you so much for your assistance.

Ben
 
Bill Sanderson

Guest

Hi
When I first installed MSAS I had the SAME problem with some passwords, I
corrected them and it did not happen again. I have, however, since uninstalled
the program and will wait to see how the 2nd Beta works out. There are a few
bugs that have to be solved and I'm sure that they will be, but I would rather
wait. I want to use this software but only after some of these problems are
solved. Just thought I'd let you know that someone else had the same
problem. That always makes ME feel better...LOL

Radioguy
 
Guest

WOW, You guys are fast.

Thank you. I am slightly nervous on what has happened with my passwords, I
really appreciate the service I received at this newsgroup.

Best regards,
Ben
 
Guest

Strange. But the ISPs had the same problem at their end, I wonder why?

Thank you for letting me know.

Ben
 
Guest

One thing I forgot to mention:

Blackice Defender by Internet Security Systems was detecting my own IP
address as an attacker. Internet Security Systems told me to ignore this
intruder warning.
 
Bill Sanderson

I'd go with their advice--they know their product. I'm not sure what might
cause such a warning, but I can imagine that it might be a false positive.

I've no idea what to make of your issue--I'm trying to keep an open mind and
see what comes out of your further tests. So far, you seem to have done all
the right things, and the only thing wrong is the "fact" of the password
change.

Have you been able to regain control of the email accounts via the ISPs? I
guess one question that I have which may work against this being the work of
some malicious agency, is what would someone have to gain from this change,
which I'd guess was quickly discovered and rectified?

 
Bill Sanderson

This isn't an issue I remember seeing posted before, but my memory isn't
perfect. I have considerable difficulty seeing any mechanism in Microsoft
Antispyware which could effect this kind of change--it seems unlikely in the
extreme to me.
 
Bill Sanderson

I was referring specifically to the Microsoft Antispyware beta1 product.
(i.e. was your experience caused by a bug in that product--I'm unclear about
whether you had it installed before this experience occurred?)

Frankly--I think it probably takes human agency to have done this. This
doesn't necessarily mean someone actively controlling your machine--just
disclosure of the current account information--account, ISP, and password,
from a system you use that information on, to someone else. So, yes, a
trojan or virus which collects confidential information and was able to
transmit it beyond your machine could be involved.

The question I am left with again, though, is why?
 
Guest

I believe it's also human intervention. I have e-mails coming from all over
the world including China and this always concerned me.

All virus and trojan scans come up clean. I even scanned online with Trend
Micro and Symantec.

Thanks again.
 
Guest

I scanned in safe mode with the following programs: spysweeper, Microsoft
Antispyware beta 1, ad-aware, Norton antivirus (using the navw32 /L switch),
spybot, the cleaner. I also scanned using online scans from Trend Micro and
Symantec and all came up clean.

This is why I am puzzled.

Thank you for your response.

Ben
 
Guest

Patty,

Thank you for your reply.

I ran Ewido and it came up clean. I also ran F-Secure and it also came up
clean.

Best regards,
Ben
 
Guest

I'm stumped, Ben. I don't recall your saying what the results were of a
rootkit revealer scan. Did you do one of those?

Patty
 
