A week or two ago, I was at work, and my Android popped up with an alert that it couldn't sign into my Gmail account. Come to find out, it had been logged into from an IP in China, which changed my e-mail. They also had the password to my Battle.net account, and promptly got that locked.
I got home from work and set about sweeping my main desktop computer (the only one I had signed in to both accounts from). Could not find a THING (no suspicious programs running, ...). So, I decided the only safe way was to nuke from orbit, and used my recovery disk to reload my computer.
The next day, they had me again.
Disconnecting the main desktop from the LAN and internet, I got into my router from my other desktop - I did a factory reset from inside the router, and changed the router name, IP, as well as the PW. I made it a point not to log into my accounts on any other computer, and a few days later, they get me again.
I change my password on my Google account again from work. When I get home, I'm exhausted (12+ hour days), and this time I only log in to my Google Account from my netbook, which happens to be running Vista and not Win7 like my desktops. This is Wednesday.
Everything looks clear until just about now. I get home from work, I'm on my Android doing a lil' web surfing, I connect to my Wifiz, and whether that's a coincidence or not, about 10 minutes later I have a notification that my password to Google is no longer valid. Yup, they're in again.
A few things noticed from my router logs:
Blocked incoming TCP packet from 22.214.171.124:80 (China) to (my internet ip):36355 as SYN:ACK received but there is no active connection.
Blocked incoming TCP connection request from 126.96.36.199:12200 (China) to (my internet ip):7212
Blocked incoming UDP packet from 188.8.131.52:1304 (Malaysia) to (my internet ip):26568
Along with that, I've noticed at various times connections in my router's internet sessions list from my LAN IP to IPs in Asia. Is my router compromised or has some sort of undetectable keylogger/virus simply spread to every machine on my network?
Edited by hamluis, 05 September 2010 - 04:26 PM.
Removed HJT log per request ~ Hamluis.
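As an added example (not part of the original post, and not any router vendor's own code), here is a small Python triage script for "Blocked incoming ..." lines of the kind quoted above. It parses each line into protocol, source address, country tag, destination port and block reason, then sorts the entries into two buckets: a SYN:ACK arriving with no matching outbound connection (the router rejecting a reply to a SYN it never sent, typically scan or spoofed-traffic backscatter) versus a plain unsolicited inbound probe that the router dropped because nothing was forwarded to that port. The line format, the bucket names and the classification rules are assumptions modelled on the three lines in the post; the sample input is those three lines verbatim.

```python
"""Triage of consumer-router 'Blocked incoming ...' log lines.

Added example, not from the original post. The line format handled here
and the classification rules are assumptions based on the three lines
the poster quoted; adapt LINE_RE for other router firmware.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Sample input: the three router log lines quoted in the post, verbatim.
SAMPLE_LOG = """\
Blocked incoming TCP packet from 22.214.171.124:80 (China) to (my internet ip):36355 as SYN:ACK received but there is no active connection.
Blocked incoming TCP connection request from 126.96.36.199:12200 (China) to (my internet ip):7212
Blocked incoming UDP packet from 188.8.131.52:1304 (Malaysia) to (my internet ip):26568
"""

# Assumed layout:
#   Blocked incoming <proto> <packet|connection request> from <ip>:<port> (<country>)
#   to <dst>:<port> [as <reason>][.]
LINE_RE = re.compile(
    r"^Blocked incoming (?P<proto>TCP|UDP) (?P<kind>packet|connection request) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+) "
    r"\((?P<country>[^)]*)\) to (?P<dst>.+?):(?P<dst_port>\d+)"
    r"(?: as (?P<reason>.*?))?\.?$"
)


@dataclass
class BlockedEvent:
    proto: str
    kind: str
    src_ip: str
    src_port: int
    country: str
    dst_port: int
    reason: Optional[str]
    category: str


def classify(proto: str, kind: str, reason: Optional[str]) -> str:
    """Bucket a blocked inbound entry by what the router says it rejected."""
    if reason and "SYN:ACK" in reason and "no active connection" in reason:
        # A reply to a SYN this router never sent: backscatter from scans or
        # spoofed floods elsewhere, not a connection into the LAN.
        return "backscatter"
    if kind == "connection request" or proto == "UDP":
        # Someone tried a port on the WAN address; no forwarding rule, dropped.
        return "unsolicited_inbound"
    return "other"


def parse_line(line: str) -> Optional[BlockedEvent]:
    """Return a BlockedEvent for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return BlockedEvent(
        proto=m["proto"],
        kind=m["kind"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        country=m["country"],
        dst_port=int(m["dst_port"]),
        reason=m["reason"],
        category=classify(m["proto"], m["kind"], m["reason"]),
    )


def parse_log(text: str) -> List[BlockedEvent]:
    """Parse every non-blank line; lines in an unknown format are skipped."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is not None:
            events.append(ev)
    return events


def summarize(events: List[BlockedEvent]) -> dict:
    """Counts by bucket and by country tag, plus the total of blocked entries."""
    return {
        "by_category": dict(Counter(e.category for e in events)),
        "by_country": dict(Counter(e.country for e in events)),
        "inbound_blocked": len(events),
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in evs:
        print(f"{e.category:20} {e.proto} {e.src_ip}:{e.src_port} ({e.country}) -> :{e.dst_port}")
    print(summarize(evs))
```

Every entry this script sees is something the router refused, so the three quoted lines are evidence of ordinary internet background noise rather than of a way in; on a home router they appear whether or not any machine behind it is compromised. The observation in the post that matters more for the question asked is the one about sessions from a LAN IP outbound to Asian addresses, which a "Blocked incoming" filter will never show; a router's outbound session list, or a packet capture on the LAN side, is where that would need to be checked.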