Hacker File on my desktop can YOU Open it??

Discussion in 'adware, spyware & hijack cleaning' started by Greg1951, May 18, 2004.

Thread Status:
Not open for further replies.
  1. Greg1951

    Greg1951 Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    13
    Every time the clown gets into my computer, he leaves this file on my desktop. Is there anyone that can open it, and also maybe help me find out how he keeps getting in? I have gone Linksys firewall router, ZoneAlarm, although I had not finished reloading my system this time, and had not got ZA installed, when I saw this file... so I am off to reload my OS, and kick this person off. Please advise. :mad:
    OK, it will not let me upload it. It has a file name of

    '~', and when I click Properties I get just the ~. When I try to open it, it says it has 172 KB (176,594 bytes) and on disk 176 KB (180,224 bytes)

    C:\Documents and Settings\Greg & Mary\Desktop\~
    please advise
    I can email it to anyone here if you think you can open it and ruin his day.....
     
  2. Greg1951

    Greg1951 Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    13
    When I check my registry to try to find files that have ~ in them, I get these:
    C:\PROGRA~1\NETMEE~1\conf.exe
    C:\PROGRA~1\NETMEE~1\rrcm.dll
    C:\PROGRA~1\WINDOW~3\wmplayer.exe
    C:\PROGRA~1\WINDOW~3\wmplayer.exe
    I don't know if this helps, or if this is just the way the files show themselves in the reg.... please advise, I am so tired of the clown, I am ready to fly to Colorado.
     
  3. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    You need to go to the link and follow the instructions in steps 1 thru 3. Do not try to fix anything in HijackThis yourself; let one of the experts do that after you post your log.
    go here
     
  4. Greg1951

    Greg1951 Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    13
    BIG C, I appreciate your fast response, and I am going to go download and answer with the files for HijackThis, but I believe this is not just a hijack; I believe this is more sinister than that simple problem. This is a clown who has been hacking our computer, again and again, for the past year. In the past 8 months I have not been able to stay online for more than a few weeks without having to reinstall my OS. He is a very sick person. Off to download the programs, be back soon.
     
  5. Greg1951

    Greg1951 Registered Member

    Joined:
    Dec 11, 2003
    Posts:
    13
    Logfile of HijackThis v1.97.7
    Scan saved at 8:15:29 PM, on 5/18/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\System32\MsPMSPSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    C:\WINDOWS\System32\CTHELPER.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\WINDOWS\System32\TCAUDIAG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Valve\Steam\Steam.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\regedit.exe
    C:\Program Files\ESET\nod32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\DOWNLO~1\setup.exe
    C:\Documents and Settings\Greg & Mary\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\msconfig.exe /auto
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /run
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.exe -on
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\launchpd.exe"
    O4 - HKCU\..\Run: [Steam] C:\Valve\Steam\Steam.exe -silent
    O4 - HKCU\..\RunOnce: [CTStartup] "C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE" /play
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_42.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.ipswitch.com/_installs/wsftp_le/setup.exe
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38123.8485300926
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab




    The missing link is the ESET file for the virus checker NOD32, imon.dll. I think the hacker ruined the connection to it... that is why it is not working.
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I am going to move this thread to the hijack cleaning forum where it will get the attention it needs.

    bigc
     
  7. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi Greg1951, and welcome.

    This link here might help explain the Tilde (~) you are seeing appear on your desktop: http://www.pchell.com/support/tildefile.shtml

    And the O10 line you are seeing in HijackThis that says "Broken Internet access because of LSP provider 'imon.dll' missing": it is quite normal to see that at the moment when you have IMON enabled. But it should NOT be fixed, because that imon.dll IS there. HijackThis just doesn't recognize it as being there. This link here will help explain it a bit better maybe: https://www.wilderssecurity.com/showthread.php?t=32673

    I do not see anything in your log that would indicate an infection or trojan activity. But if you would rather go a bit deeper then you might want to try a scan with an anti-trojan program.

    Here are two excellent anti-trojan programs that have a free 30-day trial:

    TDS-3
    Before you open and run the program, download the latest radius database file (Radius td3 update). Right-click on the link shown on the updates page, choose "Save target as" and save it to your TDS install directory (say "yes" to overwriting the one that is there). When you open TDS, set all "Scan Control" settings to their highest sensitivity, then choose "Full System Scan" and scan your local drives.

    TrojanHunter
    Since this would be a trial version, you will have to bring TrojanHunter's ruleset up to the most recent one. Follow these steps for updating TrojanHunter's ruleset.

    (note - disable any antivirus program you have running before you scan with one of the above anti-trojan programs)

    If something turns up then you post back here and let us know, or in one of the other forums more suited to trojan activity.

    Regards,

    snap
     
  8. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hmm... just had another look through your running processes, and this is something a bit out of the norm:

    C:\WINDOWS\DOWNLO~1\setup.exe

    Could you navigate to that setup.exe file and right-click on it (don't left click it) and choose Properties. Then tell me what information is there to help identify it.

    If you cannot identify it, or you do not know what it is for, then upload it for a scan at Kaspersky.

    Let us know what the scan says about it.

    snap
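A defender-side version of the triage snapdragin did by eye, as an added example that is not part of the thread: it parses HijackThis-style output into running processes and O-lines, flags processes running from the IE download cache (DOWNLO~1) or a Temp directory, and marks the imon.dll O10 line as the known false positive instead of something to "fix". The sample log is constructed from a few lines of the posted log; SUSPECT_DIRS and KNOWN_BENIGN_LSP are assumed lists, not HijackThis's own logic.

```python
import re
# Constructed sample in HijackThis v1.97 layout, built from a few lines of the posted log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\DOWNLO~1\setup.exe
C:\Documents and Settings\Greg & Mary\Local Settings\Temp\Temporary Directory 1 for hijackthis1977.zip\HijackThis.exe

O4 - HKLM\..\Run: [nod32kui] C:\Program Files\Eset\nod32kui.exe /WAITSERVICE
O10 - Broken Internet access because of LSP provider 'imon.dll' missing
"""

# Assumed: dirs a persistent process should not normally run from. "downlo~1" is the 8.3
# short name of "Downloaded Program Files" (the IE ActiveX cache); "temp" is the user temp dir.
SUSPECT_DIRS = ("\\downlo~1\\", "\\downloaded program files\\", "\\temp\\")
# Assumed allow-list: HijackThis 1.97 did not recognise NOD32's IMON LSP, so this O10 is benign.
KNOWN_BENIGN_LSP = {"imon.dll"}

def parse_log(text):
    """Split a HijackThis log into (running processes, O-lines)."""
    processes, o_lines, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if line.lower() == "running processes:":
            in_procs = True
        elif not line:
            in_procs = False          # a blank line ends the process section
        elif in_procs:
            processes.append(line)
        elif re.match(r"^O\d+ - ", line):
            o_lines.append(line)
    return processes, o_lines

def triage(text):
    """Return (verdict, line) pairs for the items a reviewer would look at first."""
    processes, o_lines = parse_log(text)
    findings = []
    for p in processes:
        if p.lower().endswith("\\hijackthis.exe"):
            continue                  # the scanner itself, run from the unzip directory
        if any(d in p.lower() for d in SUSPECT_DIRS):
            findings.append(("review: process running from a download/temp directory", p))
    for o in o_lines:
        m = re.match(r"O10 - .*LSP provider '([^']+)' missing", o)
        if m and m.group(1).lower() in KNOWN_BENIGN_LSP:
            findings.append(("benign: known HijackThis false positive, do not 'fix'", o))
        elif m:
            findings.append(("review: LSP chain problem", o))
    return findings
```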
     
  9. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia