There's not even any need to pull the disk. Without any encryption it is trivial to boot into the root account, change any password, collect any files, install any software, and put the passwords back when you're done if you want.
With home directory encryption your personal files would be safe; nobody is going to get access to those unless they have your password. Of course, if they have repeated physical access while it's in your possession they could boot into the root account and install a key-logger.
You don't have to browse shady things to be a potential target. For example, compromised ad servers can push attacks across many popular respectable sites.
There are no guarantees, just levels of confidence.
That's also why you need to salthash your passwords if you store them. The rainbow table needs to be generated with the salthash that's used on the site...
[Update - 3:45 GMT] DO NOT DOWNLOAD ANYTHING
If you receive ANY email which seems to be coming from Mt.Gox asking you to download something (certificate, generating program, etc.), DO NOT DOWNLOAD. Do not input your password on any site which is not MTGOX.COM either.
If they have the hashed password from the user database, they verify it the same way the website does when you try to log in.
They run the guessed password through an algorithm and compare the output to the value from the database. If they match, the password will work to log into the website.
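The two comments above (salted hashing versus rainbow tables, and an attacker verifying guesses "the same way the website does") can be shown end to end. The following is an added example, not code posted by anyone in this thread, and it assumes nothing about Mt.Gox's real scheme: it uses SHA-256 with a per-user salt purely for illustration (the function names, the dictionary, the user table and the fixed salts are all constructed for the demo; a real site would use a deliberately slow password hash such as PBKDF2, bcrypt or Argon2 rather than a bare SHA-256). It shows that a precomputed table cracks every unsalted hash with zero hashing at attack time, while salts force the attacker to rehash the whole dictionary for every single user, and that two users with the same password get identical unsalted hashes but different salted ones.

```python
import hashlib
import secrets

# Constructed example data (not from the original thread): a small attacker
# dictionary and a set of users whose plaintext passwords we know only because
# we are building the "leaked" tables ourselves.
DICTIONARY = ["password", "letmein", "hunter2", "qwerty", "correcthorse"]
PLAINTEXTS = {
    "alice": "hunter2",       # alice and bob share a password
    "bob": "hunter2",
    "carol": "letmein",
    "dave": "tr0ub4dor&3",    # not in the dictionary, so never cracked here
}

# Fixed salts so the example is reproducible. A real site would generate a
# fresh random salt per user with new_salt() at registration time.
SALTS = {
    "alice": bytes.fromhex("0102030405060708090a0b0c0d0e0f10"),
    "bob": bytes.fromhex("f0e0d0c0b0a090807060504030201000"),
    "carol": bytes.fromhex("deadbeefdeadbeefdeadbeefdeadbeef"),
    "dave": bytes.fromhex("cafebabecafebabecafebabecafebabe"),
}


def new_salt() -> bytes:
    """16 random bytes; what a site should generate per user at registration."""
    return secrets.token_bytes(16)


def unsalted_hash(password: str) -> str:
    """Illustrative unsalted scheme: hash of the password alone."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Illustrative salted scheme: hash of salt || password."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def verify_login(stored: str, salt, attempt: str) -> bool:
    """What the website does on login. An attacker holding the stored value
    and the salt runs exactly the same check against each guess offline."""
    if salt is None:
        return unsalted_hash(attempt) == stored
    return salted_hash(attempt, salt) == stored


# The two "leaked" user tables: username -> hash, and username -> (salt, hash).
UNSALTED_DB = {u: unsalted_hash(p) for u, p in PLAINTEXTS.items()}
SALTED_DB = {u: (SALTS[u], salted_hash(p, SALTS[u])) for u, p in PLAINTEXTS.items()}


def build_rainbow_table(dictionary):
    """Precompute hash -> plaintext once. Because unsalted hashes depend only
    on the password, this table works against every unsalted leak, forever."""
    return {unsalted_hash(p): p for p in dictionary}


def crack_unsalted(db, table):
    """One dictionary lookup per user; no hashing at attack time at all."""
    return {user: table[h] for user, h in db.items() if h in table}


def crack_salted(db, dictionary):
    """Salts make the precomputed table useless: the attacker must rehash the
    dictionary separately for each user's salt. Returns (cracked, hash_count)
    so the per-user cost is visible."""
    cracked, work = {}, 0
    for user, (salt, stored) in db.items():
        for guess in dictionary:
            work += 1
            if verify_login(stored, salt, guess):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    table = build_rainbow_table(DICTIONARY)
    print("same password, same unsalted hash:", UNSALTED_DB["alice"] == UNSALTED_DB["bob"])
    print("same password, same salted hash:  ", SALTED_DB["alice"][1] == SALTED_DB["bob"][1])
    print("unsalted, via table (0 hashes at attack time):", crack_unsalted(UNSALTED_DB, table))
    cracked, work = crack_salted(SALTED_DB, DICTIONARY)
    print(f"salted, per-user dictionary run ({work} hashes):", cracked)
```

Run it directly to see the two cracking strategies side by side. The salted run still recovers every weak password because the attacker can verify guesses exactly as the site does; what the salt buys is that the dictionary cost is paid once per user instead of once for the whole internet, which is why a slow hash on top of the salt is what actually makes that cost hurt.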
I don't understand half of the things you are saying at the end there, but that IP address corresponds to the Boomerang for Gmail plugin. If you did install that plugin this would be expected behavior.