Old 09-17-2008, 11:25 AM
motaaa
Join Date: Jun 2008
Posts: 6
Security issues

Questions:
1.) If someone has my SQL database, would it be possible for him to tweak it in any way to record passwords on login or anything like that? Any way at all for them to actually "key log" or anything else malicious through altering SQL code?
2.) Someone has my FTP, he installs an exploit, I remove it. I installed a completely fresh version of vBulletin; is there anything else that he could have done to "key log" or anything else malicious through my website? **Pretty much a reword of #1
3.) I have a Netgear router (kind of old) with no password protection. Does this make it easier for him to sniff my network? Can he use this to keylog me for any passwords? I know it's possible for him to log unencrypted message packets sent such as AIM, but that's not what I'm worried about.
4.) Is there any way I can limit the IP that can log into my website to ONLY my IP or a small IP range around my house? Would this fully prevent anyone else from logging in, knowing that I have no VPN installed on my computer?
5.) Are there any suggestions anyone can give me as to how this person is doing this? I know exactly who it is, which is the sad part. He's an idiot and he's only 15 or 16 if I remember right, but he does have connections with some very notorious underground hackers from what I hear.
6.) Are there any ways I can manually check for a keylogger that my virus scanner wouldn't pick up? I need any help at ALL anyone can provide me with. Thanks!

Story of my security issues if you want to read
I had my website broken into originally 3 months ago or so and it happened ALL the time for 60 days until I could switch hosts. I found out the reason is because I run a business and a rival company's employee worked at my hosting company and was abusing his power; it was a horrible company with no encryption on the passes or anything. He completely destroyed everything very frequently and I always had to fix stuff up.

Once I switched I never noticed anything weird. However, the other business owner began laughing at me in a message he sent to me (he's extremely unprofessional, a child even) about how he has my current SQL. I told him he may have my old one when I had the bad hosting company but there's no way for him to get it now. Regardless, what is he going to do with a double MD-5 hashed password with salt?

But more recently I noticed on my forums that many of these posts (and even PMs) had been marked read when I had never seen them. On top of that I had reports of people telling me that I was giving them certain messages on their AIM screen names when I had absolutely never sent those messages. I did a complete virus scan and got 3 reported viruses (2 of which contained possible keyloggers).

The link that the antivirus linked me to so I could view details on the virus was in the "/advisories" directory of the website, so I'm not sure if that means they were just advisories or not. Regardless, the antivirus auto removed them and would not even give me the option of restoring them because of the seriousness of the threat. After that I changed my passwords for everything and then set the option in AdminCP to record IP addresses on the "Who's online?" updates sent every minute so that I could view who's on my account since they weren't making any posts.

When I had gotten hacked originally on my bad host, it was through a proxy based in Atlanta, GA through the FDC-Servers network. He abused his power as a member of my hosting company's team to install an exploit on my server and then used it to delete everything and edit my front page on the exploit, which he logged on to through that proxy in Atlanta. Well, since I ran the virus scanner and changed passwords, I got a new IP login to my account that's based in Atlanta, GA.

I also have an automatic live proxy IP rerouter to give me their regular IP so it's not through the proxy this time. However, it's still a BellSouth IP with a range of 74.160.0.0 through 74.191.255.255 so it's not exactly narrowed down too much. I really don't want to get involved in an FBI investigation, but if this happens anymore then they will be called. I actually called them before in Atlanta and they told me I had a case but I would need to call the ones in my area, and I just decided against it after thinking it over. So I want to do EVERYTHING in my power to fully prevent this so I won't have to get involved with the FBI.

Note that I have a Netgear router with no password required to log in; I don't know if that means he can sniff my router a whole lot easier or not. I really have no idea how he's getting my passes constantly; read my questions at the top of this post.
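
An added example, not part of the original post: the recorded-session-IP review the post describes, combined with the allowlist idea from question 4, written as a Python check. The session records, the owner's allowlisted network and the `admin` username are constructed for illustration; only the 74.160.0.0 through 74.191.255.255 range comes from the post.

```python
import ipaddress
from collections import defaultdict

# Range quoted in the post for the unexpected login.
REPORTED_RANGE = ("74.160.0.0", "74.191.255.255")

# Constructed allowlist: the owner's home network (RFC 5737 documentation range).
OWNER_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]

# Constructed session records (timestamp, username, ip), standing in for an
# export of the per-minute "Who's online" IP records the post describes.
SAMPLE_SESSIONS = [
    ("2008-09-16 21:02", "admin", "203.0.113.5"),
    ("2008-09-17 03:41", "admin", "74.170.12.9"),
    ("2008-09-17 03:42", "admin", "74.170.12.9"),
    ("2008-09-17 03:50", "member1", "198.51.100.7"),
    ("2008-09-17 04:00", "admin", "not-an-ip"),
]


def range_to_cidrs(first, last):
    """Collapse an inclusive first-last address range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def foreign_logins(sessions, username, allowed):
    """Map each source outside `allowed` to the times it used `username`.

    Unparseable addresses are reported too, since they cannot be vouched for.
    """
    hits = defaultdict(list)
    for when, user, raw_ip in sessions:
        if user != username:
            continue
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            hits[raw_ip].append(when)
            continue
        if not any(ip in net for net in allowed):
            hits[raw_ip].append(when)
    return dict(hits)


if __name__ == "__main__":
    blocks = range_to_cidrs(*REPORTED_RANGE)
    print(blocks, sum(b.num_addresses for b in blocks))
    for src, times in foreign_logins(SAMPLE_SESSIONS, "admin", OWNER_NETWORKS).items():
        print(src, times)
```

The quoted range collapses to the single block 74.160.0.0/11, which covers 2,097,152 addresses.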