Status
Not open for further replies.

Yahoo email getting Hijacked, but not??

2.2K views 12 replies 4 participants last post by  g.w.  
#1 ·
Lately I've noticed sometimes, key word being sometimes, my Yahoo e-mail seems to get redirected at the sign in. I sign on using the "secure" tab, not sure why, but since spyware, bugs, hacks etc etc getting more frequent, and more ingrained into the net I started doing so. Not sure maybe I had missed it on occasion, but once about a month ago the time between clicking e-mail, and anything happening seemed awful long, and I got to looking at the bar address at the bottom of Firefox, which flickers the different places/names info being loaded. It flashed on something like akami.net for a second, and I thought hmmmm, usually to yahoo I see a lot of Yming, Y something, but had never noted this akami.net. When the page finally loaded it showed it as a broken secure connection. I closed the browser, reopened to Yahoo mail under secure, and it went right there, as it normally would, and without the long delay I'd just had. I've noted the same a few times since, and again noted it tonight. A search on Google for Akami.net doesn't get any hits, I'm not positive if it is Akami, but that's what my mind's eye thinks it was. I only saw it on the one occasion, as if it's opening normally I guess I don't pay any attention to what is flashing on the bar, but I've noted the broken secure link, and assumed was same thing.

Earlier today I had gone through the complete sequence of running Avast, AdAware, Spybot, checked Spyware Blaster, and done a HJT log after checking all of the sites for updates, and updating where available, after which I'd shut down, and hadn't been back up since just now, where I first went to e-mail, next is here.

I didn't get any hits on any of the scans except some bot on Avast, which I nuked off. My HJT log showed no new entries, and is clean, and has been since my initial use of it, and since I started using all of these toys.

I guess my question is does this sound familiar to anyone? Anybody share this experience? Any thoughts on a "hack" vs. what appears to be a spyware or attempted Hijack?

Any thoughts let me know.

g.w.
 
#2 ·
Akamai is a "clearing house" of sorts, for all sorts of programs...almost a file sharing thing. Many legit programs and sites are listed by Akamai, but a multitude of infected programs and files can be found in there, too.

So, Akamai, in and of itself, is not suggestive of a problem. In fact, it could conceivably be a link for one of the ads on your Yahoo home page, as they do that sort of hosting business, as well.

If your tools show nothing, and your HJT log is unchanged, then the overwhelming probability is that nothing significant is afoot. That being said, there are so many new baddies out there right now, that the tools, and even HJT, can't see, that if you continue to have problems, you might want to consider taking a deeper look. We could help you with that.
 
#3 · (Edited by Moderator)
jgvernonco Hi and thanks for the reply. You have the spelling correct for what I saw flash by that 1 time, as it did happen again tonight, and again it was after running all the tools for a second "in depth" look to see if I could isolate this as a bad guy. Again nothing popped up.

The only worry I have is when I see this Akamai c*** buzzing by on secure start up to Yahoo mail I also get a broken secure link, which is my worry, that I'm being compromised somewhere, somehow.

As mentioned this has happened a few times over about a month's period of time. I think the only reason I noticed is the secure link was broken, has been a few times since, but wasn't paying attention to what loaded. I'm looking now, and saw it tonight. I don't go to mail unless I have a secure lock, so I close the browser, reopen and try again. Tonight it keeps popping up as unsecure. In the past after reopening it has allowed a secure connection.

Any other thoughts?

g.w.
 
#4 · (Edited by Moderator)
Update on Yahoo mail

Still not sure if this Akamai c*** has anything to do with it, but for whatever reason I can no longer access my Yahoo mail accounts with a secure sign in.
Numerous reboots, running scans, crossing fingers etc etc, not able to keep a secure lock for sign in.

Anybody else out there that signs in secure at yahoo mail? Maybe they are having problems? Or is it just this system having a problem?

Any help appreciated.

g.w.
 
#5 ·
You bet.

Please download HijackThis - this program will help us determine if there are any spyware/malware on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Run a scan and save the log file. Get HijackThis Analyzer and save it to the same folder as the hijackthis.log file. Run HijackThis Analyzer and type in y if you agree. Open up the result.txt file created. Copy the whole result.txt log and post it in the forum. Do not fix anything in HijackThis since they may be harmless.

I'm moving your thread to the HJT Help Forum.
 
#6 ·
Here is my HJT log, it's same as before running the analyzer.

Log was analyzed using HijackThis Analyzer - Updated on 12/6/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.97.7
Scan saved at 11:22:32 PM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DirecPC\BIN\dpcstart.exe
C:\PROGRA~1\DirecPC\bin\dpcnav.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis Analyzer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: dpcstart.lnk = C:\Program Files\DirecPC\BIN\dpcstart.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38239.7997916667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: Domain = MY ISP NAME
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: NameServer = MY TCP/IP STRINGS

End of HijackThis Analyzer Log.
 
#7 ·
You have an outdated version of HijackThis. Click here to get the latest version of HijackThis.

Run a new scan with that one and run it through the Analyzer program.
 
#8 ·
Ok did the download, looks like the same download I just did yesterday before sending log? Info at top of HJT says is version 1.98.2, but note version at top of HJT log run on analyzer says 1.97.7 would those be the correct versions??



Log was analyzed using HijackThis Analyzer - Updated on 12/6/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.97.7
Scan saved at 11:22:32 PM, on 12/13/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DirecPC\BIN\dpcstart.exe
C:\PROGRA~1\DirecPC\bin\dpcnav.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\HJT\HijackThis Analyzer\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: dpcstart.lnk = C:\Program Files\DirecPC\BIN\dpcstart.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38239.7997916667
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: Domain = **********
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: NameServer = **************


End of HijackThis Analyzer Log.

Let me know.

g.w.
 
#9 ·
OOOOPpps

OK my bad. Got to thinking had older versions of HJT, and a few old logs in the file. Nuked entire HJT folder, started anew with new downloads from your most recent links, and now both the HJT and the analyzer have same version # of 1.98.2, hoping this is the correct version now.

Sending on both the actual log file, and the analyzed file.

Logfile of HijackThis v1.98.2
Scan saved at 2:46:19 PM, on 12/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\regsvc.exe
C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\pctspk.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\DirecPC\BIN\dpcstart.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\DirecPC\BIN\dpcnav.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: dpcstart.lnk = C:\Program Files\DirecPC\BIN\dpcstart.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: Domain = ****************
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: NameServer = *****************


Log was analyzed using HijackThis Analyzer - Updated on 12/6/04
Get updates at http://www.greyknight17.com/download.htm#programs

Logfile of HijackThis v1.98.2
Scan saved at 2:46:19 PM, on 12/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe
C:\WINNT\System32\GEARSec.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\WDBtnMgr.exe
C:\Program Files\WDC\SetIcon.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\DirecPC\BIN\dpcstart.exe
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\Program Files\DirecPC\BIN\dpcnav.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SetIcon] \Program Files\WDC\SetIcon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: dpcstart.lnk = C:\Program Files\DirecPC\BIN\dpcstart.exe
O4 - Global Startup: ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: Domain = *********
O17 - HKLM\System\CCS\Services\Tcpip\..\{71431592-C427-460D-8373-64DE7AD99FBA}: NameServer = **************


End of HijackThis Analyzer Log.

Ok another new twist as of today. I have 3 browsers on this system IE6, Firefox, and Opera free version. When I started writing this thread none of the browsers was having a problem keeping a secure connection to my yahoo e-mail, as noted sometimes it would become unsecure, but mostly they worked ok. Then all 3 went belly up for 2 days, wasn't able to maintain a secure link, would start to load with the little lock closed, but right at the end of the page loading, the lock would pop open. This was consistent with all 3 browsers.
Today IE6 maintains what appears to be a locked "secure" sign on. Firefox keeps the lock closed but now has a red strike (a line) going through the lock (I don't remember seeing this in the past, and would assume like a traffic sign this is stating unsecure, but looking at the security cert for this page it says is operational?). Opera starts and ends with the lock hasp open. With all 3 this is an attempt to use secure sign on for my Yahoo e-mail only. I haven't noted any other pages that are seeming to have a problem, but a few places I go to including here DO NOT offer a secure password entry prior to putting in my password, so I don't know if I'm compromised there as well? This thing, whatever it is, is getting weird.

I've had a bunch of systems down doing upgrades, etc etc. At present only have this 1 online. Will be soon switching out systems for general surfing so in a sense will leave this behind, as my plan is to nuke it clean, but I have several files I've downloaded and am having a quandary about what to do with them. I had planned to keep them all, a mix of music MP3s, some vid files MPEG, AVI, etc, and a few program files. None appeared dastardly, all ran as expected, no EXE files or the like, and all of them go through all the scans I've used for bugs, viruses, etc. But I've never seen a problem like I'm currently having so I'm thinking one of these files at least has some crapola on it. Thinking again (ouch makes my head hurt) that if it was simply a Winblows problem it wouldn't be jumping around like this, think I have a bug in my soup.

Any thoughts appreciated. Current plan is to burn all files to CD, keep them around, and hopefully if this is a new type bug maybe a fix will pop up. At least if it is a bug something will point at the darn thing.

g.w.
 
#10 ·
hi

There's nothing in this HJT log.


Be careful, do not delete this file (satellite connection)
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe


because there's a virus that has the same name dpcproxy.exe, but yours is legit, do not delete it.

Do this:

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.


Empty the Recycle Bin

Go here and do an online virus scan.

Be sure and put a check in the box by "Auto Clean" before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the exact file name and file location so you can delete it yourself.

good luck
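
The name-versus-location check made in the reply above, as an added example that is not part of the original thread or of HijackThis. `SAMPLE_LOG` is constructed in the log layout posted in this thread (its last process line is invented), and `EXPECTED`, `parse_hjt` and `name_collisions` are hypothetical names; the only path treated as legitimate is the one the reply names.

```python
import ntpath
import re

# Constructed sample in the HijackThis log layout shown in this thread.
# The last process line is invented to show a file-name collision.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Platform: Windows 2000 SP4 (WinNT 5.00.2195)

Running processes:
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe
C:\Program Files\DirecPC\BIN\dpcnav.exe
C:\WINNT\Temp\dpcproxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
"""

# Assumption: the only accepted location for this file name is the one the
# helper in this thread called legitimate.
EXPECTED = {"dpcproxy.exe": r"C:\PROGRA~1\DIRECPC\webpkg\dpcproxy.exe"}

# Coded entries look like "O4 - ..." or "R0 - ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")


def parse_hjt(text):
    """Split a HijackThis log into running-process paths and coded entries."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_procs = False  # the process list ends at the first coded entry
            entries.append((m.group(1), m.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def name_collisions(processes, expected):
    """Return process paths whose file name is on the expected list but whose
    full path is not the expected one (case-insensitive, as on Windows)."""
    flagged = []
    for path in processes:
        want = expected.get(ntpath.basename(path).lower())
        if want and ntpath.normcase(path) != ntpath.normcase(want):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    procs, entries = parse_hjt(SAMPLE_LOG)
    print(len(procs), "processes,", len(entries), "entries")
    for p in name_collisions(procs, EXPECTED):
        print("same name, different location:", p)
```

A flagged path is a prompt to look at the file, not a verdict: the comparison is textual, so the long-name spelling of the same directory would also be flagged because 8.3 short names cannot be resolved from a log alone.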
 
#11 ·
Hi, I got lost and forgot to recheck this thread I started. Sorry for delay.

Did all of above, didn't find additional problems, also no change in status, although no new twists have occurred. Have since taken off all files of any value, just to be safe. I ran Restore to an earlier happy face point before I noted any problems, and this didn't help either, same problems.

If it wasn't for the holidays and all they entail would have already nuked this system, do have secondary, third and fourth back up from the dead, and can use them, but still playing with this one to see if I can figure out what is going on.

Also noting no longer able to play an AVI file?? This is still after restore as well. Thinking Winblows is just degrading, as it oft seems to do.

g.w.
 