[coywolf]

I've got a very annoying security issue that I can't seem to figure out. Some guy in indonesia (according to an ip trace. thank you gmail) keeps changing my gmail password every couple of nights. Its easy enough for me to change it back, I can just reset it using an associated account, but its a pain nonetheless. My problem is that I cannot figure out how its being done. I've tried several different anti virus programs, none of which found anything. I've used a key encrypting tool that encrypts every key stroke as its entered, I've tried reinstalling firefox, I've tried using google chrome for a few days. this started when I was connected at college, but its continued since i've moved home for the summer, so its not something with that network. I've started using LastPass to manage my passwords, and every time i have to reset the password I randomly generate one. I tried signing out and clearing all private data every time I accessed the account. None of this changed a thing. The password continues to be changed. However, my associated account never gets an unintended password reset email, and for the first 24 hours, that is the only way it can be reset.

If anyone has any ideas, I would love to hear them.
..and sorry for the wall of text.

[lunarlander]

Please visit this page :
http://mail.google.com/support/bin/topic.py?topic=12914

click on "I cannnot access my account" Then select
"my account has been compromised"

and then fill out the form.

[coywolf]

I've done all that before. That was what I used to do to get my account back. I've changed accounts since then and set up the secondary email to get it back faster, but I continue to have the same troubles.

[occiput]

Quote:

Originally Posted by coywolf

I've done all that before. That was what I used to do to get my account back. I've changed accounts since then and set up the secondary email to get it back faster, but I continue to have the same troubles.

Somebody has access to your ip address ( like everybody else) when you are surfing. Install GeSWall (freeware), a browser envelope or Sandboxie, a much superior browser protector( shareware) and see how things change. If your computer is still compromised, get back and we'll talk about masking your ip!

[coywolf]

well, installing GeSWall might have done it. I think I'll wait a couple more days before I mark this as solved, just in case, but thanks for the tip.

[coywolf]

Alright, as I kind of figured, it happened again. Now, I WAS on my laptop the other day, wirelessly connected to my router. Could that have messed it up? The program wasn't installed there. However, I was only using firefox. I never logged into the account.

And something I was curious about, even if this person had access to my ip address, how could that be used to retrieve my password?

[lunarlander]

Is your wireless router set up with WAP encryption? Without encryption, things send over the air can be sniffed out, like your gmail password.

[coywolf]

Its set up with..I think WEP Personal. And even so, the IP address I pulled from gmail said this guy was in indonesia. And also, my desktop is connected directly to the router.

[lunarlander]

Did you also change your Gmail's secret question + answer ?

[Vaqxine]

If he can manage to get your password every time, I'm guessing your system contains some form of malware. Keyloggers are common now, and that would be a reason for him knowing your password each time.

I suggest you post in the Malware Removal & HijackThis Logs forum with a HJT log if you think this may be the case. It would be wise to atleast scan your computer with an anti-virus right now, but do not remove anything just yet.

[coywolf]

lunar lander: Yes, I usually change the security question when I reset the password

Vaqxine: I've run scans with Kaspersky, BitDefender, and Avira, which is what I'm actively using now, and none of them came up with anything.

[Vaqxine]

Have you been picking a strong password? e.g. $3xamp1e%
And security questions that nobody could guess?

If you have, then you must be infected with something.
I'd suggest checking your netstat log.
For Windows XP, go to
Start -> Run -> CMD and type in Netstat -nb
It will show all the processes that are connecting to the internet, check if any of them are suspicious.

[sdikevin]

The indonesia IP really doesn't mean anything. Anyone can do a whois and then run an IP Spoof to cover their real IP. If you ask me, someone was running some kind of packet sniffer tool or something on the college network. It seems like they got the password for both your email accounts, and are doing the same thing you are when they change it on you. They then log into the other account and delete the email sent to it about the password change. Try this go to friends house that you can trust, create a new account on their computer and link it with the others. From that PC change all 3 account passwords agiain.

[coywolf]

All my passwords have been auto generated, things like EQw9l6p3

I checked the netstat log, nothing seemed suspicious. At the moment, it was all firefox, xfire, and jucheck.exe

sdikevin: i'll get started on trying that

[coywolf]

Alright well, sorry I haven't posted in a while, but I wanted to give this some time to confirm it. It looks like changing my password from my friends computer might have done the trick. Haven't had it changed back in..I guess about a week at least now. Thanks for all the suggestions.