
Hacker problem - prev. employer stalker


8 replies to this topic

#1 PA Lady


Posted 10 December 2009 - 12:38 PM

Hi there,

For the past year and a half I've had my previous employer spying on me (small co. of 7 employees - owner and his right-hand man IT guy). Long story, but after I wouldn't fudge his taxes it went downhill from there, and they were cell phone spying on me (25 coincidences) and the IT guy was sexually harassing me. I left there last Jan., and after just switching cell phone carriers/phones two weeks ago, and they're no longer able to spy that way, I get a phone call from the IT guy (mind you, now it's been almost a year since I left there), and he didn't leave a message, nor did I answer, of course. I'm sure they've been tapped into my computer all this time as well, so I've reformatted twice, but every time I do, the remote desktop connection seems to always link in to someone.

I've been locked out of my Yahoo email, my password file Word document password was changed so I was locked out of that, the PC was running slow, and then a week ago, after he called, I had a new user with a racecar icon. I've deleted that and reformatted again, went into setup (DOS mode or what have you) and disabled remote and wireless connections, but it seems that every time, the remote desktop connection settings change to allow someone to get in.

I've been using netstat lately and copying/pasting to Word and netstat.txt to try and look up IP addresses (one from Paris, France, but I think his server was set that way back when) and domains, but I'm a novice here so I need your help. At the very least to lock them out or track them. I have contacted the FBI and local authorities and I need more proof.

It's like having a peeping tom in your living room. The owner had even mentioned to me a year ago about how someone can take over your life or watch the movie, The Net, with Sandra Bullock. The list goes on, but I know 100,000% it's them and they were/are doing it. Now I just need more proof.

Of course they've closed the company and probably set up a new one. Any and all help is appreciated, and I copied this from netstat -nab this morning. See anything there? Please help.

Thank you!

Active Connections

Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 956
c:\windows\system32\WS2_32.dll
C:\WINDOWS\system32\RPCRT4.dll
c:\windows\system32\rpcss.dll
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ADVAPI32.dll
[svchost.exe]

TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]

TCP 71.68.33.149:139 0.0.0.0:0 LISTENING 4
[System]

TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 2356
[alg.exe]

TCP 127.0.0.1:10110 0.0.0.0:0 LISTENING 1352
[avgemc.exe]

TCP 71.68.33.149:1531 24.25.26.131:80 ESTABLISHED 2944
[firefox.exe]

TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED 2944
[firefox.exe]

TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED 2944
[firefox.exe]

TCP 127.0.0.1:1033 127.0.0.1:1034 ESTABLISHED 2944
[firefox.exe]

TCP 127.0.0.1:1034 127.0.0.1:1033 ESTABLISHED 2944
[firefox.exe]

TCP 71.68.33.149:1553 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1555 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1556 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1557 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1558 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1559 24.25.26.25:80 TIME_WAIT 0
TCP 71.68.33.149:1570 24.25.26.27:80 TIME_WAIT 0
TCP 71.68.33.149:1601 24.25.26.11:80 TIME_WAIT 0
TCP 71.68.33.149:1602 24.25.26.11:80 TIME_WAIT 0
UDP 0.0.0.0:500 *:* 720
[lsass.exe]

UDP 0.0.0.0:4500 *:* 720
[lsass.exe]

UDP 0.0.0.0:445 *:* 4
[System]

UDP 71.68.33.149:137 *:* 4
[System]

UDP 71.68.33.149:138 *:* 4
[System]

UDP 71.68.33.149:123 *:* 1052
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
-- unknown component(s) --
[svchost.exe]

UDP 71.68.33.149:1900 *:* 1196
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:123 *:* 1052
c:\windows\system32\WS2_32.dll
c:\windows\system32\w32time.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]

UDP 127.0.0.1:1900 *:* 1196
c:\windows\system32\WS2_32.dll
c:\windows\system32\ssdpsrv.dll
ntdll.dll
C:\WINDOWS\system32\kernel32.dll
[svchost.exe]


EDIT: Moving to more appropriate forum....I think - MG

Edited by garmanma, 10 December 2009 - 01:09 PM.
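As an added example (not part of any post in this thread), the following Python sketch reads `netstat -nab` output like the listing above, attaches each socket to its owning process, and separates network-reachable listeners from loopback-only ones. The embedded sample is an excerpt of the posted output; the function names are hypothetical, and the 3389 check assumes Remote Desktop is on its default port.

```python
import ipaddress
import re

# Excerpt of the `netstat -nab` output posted above (not the full listing).
SAMPLE = r"""TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 956
c:\windows\system32\rpcss.dll
[svchost.exe]
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
[System]
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING 2356
[alg.exe]
TCP 71.68.33.149:1531 24.25.26.131:80 ESTABLISHED 2944
[firefox.exe]
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED 2944
[firefox.exe]
TCP 71.68.33.149:1553 24.25.26.25:80 TIME_WAIT 0
UDP 0.0.0.0:500 *:* 720
[lsass.exe]
"""

# Assumption: IPv4 rows only, as in the posted listing. UDP rows have no state.
ROW = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)$")
RDP_PORT = 3389  # default Remote Desktop listener port

def parse(text):
    """Return one dict per socket row, with the following [process] attached."""
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        m = ROW.match(line)
        if m:
            proto, laddr, lport, remote, state, pid = m.groups()
            rows.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                         "remote": remote, "state": state, "pid": int(pid),
                         "owner": None})  # TIME_WAIT rows (PID 0) keep None
        elif line.startswith("[") and rows and rows[-1]["owner"] is None:
            rows[-1]["owner"] = line.strip("[]")  # DLL component lines are skipped
    return rows

def summarize(rows):
    """Split out listeners reachable from the network and non-loopback sessions."""
    loop = lambda addr: ipaddress.ip_address(addr).is_loopback
    exposed = sorted((r["lport"], r["owner"]) for r in rows
                     if r["state"] == "LISTENING" and not loop(r["laddr"]))
    remote = [(r["remote"], r["owner"]) for r in rows
              if r["state"] == "ESTABLISHED"
              and not loop(r["remote"].rsplit(":", 1)[0])]
    return {"exposed_listeners": exposed, "remote_sessions": remote,
            "rdp_listening": any(port == RDP_PORT for port, _ in exposed)}
```

Saving each day's `netstat -nab` output to a dated file and running `summarize(parse(...))` over it gives a consistent record of which ports were open and which process held each remote connection.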




#2 garmanma


Posted 10 December 2009 - 01:16 PM

My wife was successful in a harassment case.
The one recommendation I can make is to document everything, and I do mean everything.
Be precise and leave nothing out.
Mark

#3 PA Lady


Posted 10 December 2009 - 02:02 PM

Thank you garmanma. Yes, I need to keep adding - it gets so exhausting though. Such a shame that people have to invade other people's lives like this - just sick. Not to mention, they've always thought they were above the law and could do whatever they wanted. As they say "what goes around comes around" so eventually they will be repaid 7 fold.

#4 Animal

  • Site Admin

Posted 10 December 2009 - 03:47 PM

Some excellent reference tools you may want to look into here, suggested by our own Quietman7: http://www.bleepingcomputer.com/forums/ind...t&p=1532566


#5 PA Lady


Posted 10 December 2009 - 03:52 PM

I also wanted to add that when my screensaver comes on, it used to ask me for my password and now it doesn't. This is within 3 days of reformatting my hard drive. I'm in Charlotte, NC if anyone can help. The server used or computers hacking in would be in Charlotte, NC or Kernersville, NC or where the peepin toms reside... although I'm sure they set it to be from a different country or what have you.

If anyone knows anything that could help me, please just send me a message or post on here. If they're not stopped, then they'll just continue doing it to someone else, someone you know, etc. I find it to be no different than someone breaking into my home. I know how to easily deal with that (ex Army). ;)

#6 danjmilos


Posted 10 December 2009 - 03:54 PM

The IRS would be a better place to contact than the FBI. If what you say is true about the taxes, they will investigate from the tax angle and will go back more than the 3 years most people think is safe to keep records, if needed. If they find something you may get some money out of it. Remember, the IRS takes down more people than the FBI.

Dan

#7 PA Lady


Posted 10 December 2009 - 07:33 PM

Thanks Dan :thumbsup: Great idea!!!!

#8 Stang777


Posted 11 December 2009 - 01:42 AM

I am sorry you are going through all that; it is not right that someone would do that.

Unless you just want to catch them instead of just keeping them out, the first thing I would do is use a good third party firewall that will keep them out, one with outbound protection on it to make sure nothing can be sent out. I would also disable remote desktop and all remote functions through services.msc, just in case that would do a better job of keeping it off than what you did. There is only one remote service that seems to be necessary, and that is the first remote procedure call (not the one that has locator in the title), as many other functions depend on it, system restore being one of them. Also go into system properties and click on the remote tab and make sure the box allowing remote assistance invitations from your computer is unchecked.

Does the firewall you are currently using have outbound protection?

The firewall I like is the paid version of ZoneAlarm (it is considered the paid version because it only comes with the antivirus program which you pay for, but it is very reasonably priced) as it has an operating system firewall in it which will keep anything from being installed on your system without your knowledge and consent. You can also keep any program that you cannot change the setting for from making an outbound connection by enabling the lock and not letting anything bypass that lock except for what you want to get out. It is what I use; the lock becomes enabled within one minute of my computer being booted and nothing is getting in, on, or out of my system without me letting it. I do not know if any of the free firewalls offer that additional protection, but others here probably do.

Just remember that the firewall will log many attempts into your computer that have nothing to do with the company and are not directed to you personally. I get about 70 hits a day, with only a handful of those being legit from my ISP, and none of the other ones are directed at me personally.

Also, I would scan your computer with Malwarebytes and SuperAntiSpyware on a regular basis to make sure that they have not found a way to place something on your system.

Also, when you have reformatted, what method did you use? Did you use a program to perform a low-level format, one that writes zeros to the drive?

Btw, did this computer come from the company you used to work for?

Edited by Stang777, 11 December 2009 - 02:03 AM.


#9 Romeo29


Posted 11 December 2009 - 06:21 AM

You should look at this page: http://www.justice.gov/criminal/cybercrime/reporting.htm
I think the FBI has access to all the incoming and outgoing internet traffic of the last 6 months from anybody's computer in the USA, as per the ISP data retention policy.



