Last night I was spending some time on mIRC, when my internet goes offline. It's off for 5-10 minutes before it comes back on. I'm a bit worried that I got a virus of some sort, especially since I got one once before when I was on mIRC.
Anyways, I close down all my running programs and press ctrl+alt+delete just to see the running processes. Two things strike me as suspicious, 20.tmp and mousecrm.exe. I run a search on Google for them, but can't find anything. So I run Ad-Aware and AVG Free, the first doesn't find anything other than a couple of tracking cookies, but AVG recognizes 20.tmp and removes it. mousecrm.exe is however still on my running processes list (and apparently unrecognized by AVG), and so I attempt to close it down. Immediately it returns to the list, and Sygate Personal Firewall pops up asking me if I want to allow c:\windows\system32\mousecrm.exe to connect to esxt.legi0n.net through port 18067. This freaks me out and after denying it access I even unplug my internet cable, just in case.
I spend the next few hours running AVG over and over (it finds new instances of 20.tmp as well as 2.tmp, but that's it). The [bleep] mousecrm.exe is still running, and something called socks4[1].exe also pops up (I close it down and it stays gone, however). I give up sometime around 6 AM and go to bed, and when I wake up and turn on the computer again I'm asked directly on boot-up if I want to allow mousecrm access to the URL I stated earlier. This time I dig around a bit in my Windows folders, but oddly enough there is no mousecrm.exe in the system32 folder... The closest I can find is in the c:\windows\prefetch folder, a file called mousecrm.exe-27b4fbc7.pf and that's it.
I'm at a loss for what to do, so I ended up coming here.
As per the instructions in the FAQ, I downloaded the different programs listed and ran them, but they didn't detect anything. I also downloaded HijackThis and here is my logfile:
Logfile of HijackThis v1.99.1
Scan saved at 18:55:50, on 2005-07-29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program\Grisoft\AVGFRE~1\avgcc.exe
C:\Program\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program\MSN Messenger\msnmsgr.exe
C:\Program\Roxio\Easy CD Creator 6\AudioCentral\Playlist.exe
C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\2.tmp
C:\Documents and Settings\Annette\Skrivbord\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SmcService] C:\Program\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\Program\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\Program\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program\Delade filer\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RoxioAudioCentral] "C:\Program\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe"
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\2.tmp
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program\Delade filer\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1114298000765
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program\Sygate\SPF\smc.exe
...As you can see, both mousecrm.exe and 2.tmp are currently running (and a bunch of other stuff I am clueless about). Any and all help will be much appreciated, thank you very much for your time!
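Added example, not part of the original post: a small triage pass over HijackThis output that flags the two patterns visible in the log above, a `.tmp` file used as a program image (running or in a Run key) and a service that HijackThis lists as "Unknown owner" with its image directly in System32. The rule names and the `triage` function are assumptions made for this illustration, and the rules are heuristics for prioritising review, not verdicts.

```python
import re

# Subset of the HijackThis lines posted above (copied from the log, not new data).
SAMPLE_LOG = r"""
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\2.tmp
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Services] C:\WINDOWS\system32\2.tmp
O23 - Service: Adobe LM Service - Unknown owner - C:\Program\Delade filer\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Mouse Cursor Monitor (mousecrm) - Unknown owner - C:\WINDOWS\System32\mousecrm.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[(.+?)\] (.+)$")   # autorun entries
SVC_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")       # NT services
PROC_RE = re.compile(r"^[A-Za-z]:\\.+$")                            # running-process paths
TMP_RE = re.compile(r'\.tmp(?=["\s]|$)', re.IGNORECASE)             # .tmp used as an image
SYSDIR = "c:\\windows\\system32\\"


def triage(log_text):
    """Return (rule, detail) findings for a HijackThis log, in log order."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := RUN_RE.match(line):
            hive, name, cmd = m.groups()
            if TMP_RE.search(cmd):
                findings.append(("autorun-tmp", f"{hive} Run [{name}] -> {cmd}"))
        elif m := SVC_RE.match(line):
            name, owner, image = m.groups()
            # Unknown owner alone is common for third-party software; pairing it
            # with a System32 image path narrows the list to what needs a look first.
            if owner == "Unknown owner" and image.lower().startswith(SYSDIR):
                findings.append(("unknown-owner-system32-service", f"{name} -> {image}"))
        elif PROC_RE.match(line) and TMP_RE.search(line):
            findings.append(("running-tmp", line))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:32} {detail}")
```
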