Hacker File on my desktop can YOU Open it??

Everytime the clown gets into my comouter, he leaves this file on my desktop. Ifs there anyone that can open it, and also maybe help me find out how he keeps getting in? I have gone, Lynksys firewall router, zonealarm,,, although I had not finished reloading my system this time, and had not got ZA installed, when I saw this file... so I am off to reload my OS, and kick person off. Please advise.
OK, it will not let me upload it, it has a file name of

'~' and when I click properties, I get just the ~ to try to open it, it says it has 172 KB (176,594 bytes) and on disk 176 KB (180,224 bytes)

C:\Documents and Settings\Greg & Mary\Desktop\~
please advise
I can email it to anyone here if you think you can open it and ruin his day.....

 

when I check my registery to try to find files that have ~ in them, I get theses:
C:\PROGRA~1\NETMEE~1\conf.exe
C:\PROGRA~1\NETMEE~1\rrcm.dll
C:\PROGRA~1\WINDOW~3\wmplayer.exe
C:\PROGRA~1\WINDOW~3\wmplayer.exe
I dont know if this jhelps. or if this is just the way the files show themselves in the reg.... please advise, I am so tired of the clown, I am ready to fly to colorado.

 

You need to go to the link and follow the instructions in steps 1 thru 3 do not try to fix anything in hijackthis yourself let one of the experts do that after you post your log.
go here

 

BIG C , I appreciate your fast response, and I am going to go download and answer with the files for highjackthis, but I beleive this is not, just a highjack, I beleive this is more sinister then that simple problem, this is a clown who has been hacking our computer, again and again, for the past year. I have in the past 8 months, not been able to stay online for more then a few weeks, without haveing to reinstall my OS. He is a very sick person. Off to donwload the programs , be back soon.

 

Logfile of HijackThis v1.97.7
Scan saved at 8:15:29 PM, on 5/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\System32\TCAUDIAG.exe
C:\Program Files\Eset\nod32kui.exe
C:\Valve\Steam\Steam.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\regedit.exe
C:\Program Files\ESET\nod32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\DOWNLO~1\setup.exe
C:\Documents and Settings\Greg & Mary\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38123.8485300926
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




The missing link is the ESET FILES for the virus checker NOD32, imon.dll. I think the hacker ruined the connection to it... that is why it is not working.

 

I am going to move this thread to the hijack cleaning forum where it will get the attention it needs.

bigc

 

Hi Greg1951, and welcome.

This link here might help explain the Tilde (~) you are seeing appear on your desktop: http://www.pchell.com/support/tildefile.shtml

And the O10 line you are seeing in HijackThis that says "Broken Internet access because of LSP provider 'imon.dll' missing". That is quite normal to see that at the moment when you have IMON enabled. But should NOT be fixed, because that imon.dll IS there. HijackThis just doesn't recognize it as being there. This link here will help explain it a bit better maybe: https://www.wilderssecurity.com/showthread.php?t=32673

I do not see anything in your log that would indicate an infection or trojan activity. But if you would rather go a bit deeper then you might want to try a scan with an anti-trojan program.

Here are two excellent anti-trojan programs that have a free 30-day trial:

TDS-3
Before you open and run the program, download the latest radius database file Radius td3 update. Right-click on the link shown on the updates page, and choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there). When you open TDS set all "Scan Control" settings to their highest sensitivity, then choose the 'Full system Scan" and scan your local drives.

TrojanHunter
Since this would be a trial version, you will have to bring TrojanHunter's ruleset up to the most recent one. Follow these steps for updating TrojanHunters Ruleset.

(note - disable any antivirus program you have running before you scan with one of the above anti-trojan programs)

If something turns up then you post back here and let us know, or in one of the other forums more suited to trojan activity.

Regards,

snap

 

humm...just had another look through your running processes, and this is something a bit out of the norm:

C:\WINDOWS\DOWNLO~1\setup.exe

Could you navigate to that setup.exe file and right-click on it (don't left click it) and choose Properties. Then tell me what information is there to help identify it.

If you cannot identify it, or you do not know what it is for. Then upload it for a scan at Kaspersky.

Let us know what the scan says about it.

snap

 

Hmm yes that one is very suspicious please send that setup.exe, to submit@diamondcs.com.au