T
Thomas Cameron
All -
I have a Windows 2000 server which somehow got connected to the 'Net without
AV software on it. Now there is a new "service" called "Mouse Button
Monitor" which is controlled by %windir%\system32\mousebm.exe. I also found
the following files in %windir%\system32 which appear to be new:
08/15/2005 09:00p 8,201 .exe
08/15/2005 12:42p 1,518 eq
08/15/2005 11:28a 0 eraseme_61087.exe
08/15/2005 11:28a 71 i
08/15/2005 08:39a 8,201 mousebm.exe
08/14/2005 04:00p 0 svnlitup32.exe
The file called ".exe" has the system and hidden attributes set.
I deleted the files from system32 but they re-appear after a reboot. I try
to stop the "Mouse Button Monitor" using "net stop mousebm /y" and I get:
C:\DOCUME~1\ADMINI~1\Desktop>net stop mousebm /y
The requested pause or stop is not valid for this service.
More help is available by typing NET HELPMSG 2191.
The stop and pause buttons are greyed out for the "Mouse Button Monitor"
service.
The file "i" contains entries like this:
open 24.173.15.63 16670
user 1 1
get eraseme_61087.exe
quit
The file "eq" contains pages and pages of entries which look like this:
open 24.173.252.20 10082
user 23107 28392
get svnlitup32.exe
quit
open 24.173.144.52 1317
user 17789 4406
get svnlitup32.exe
quit
open 24.173.2.21 30380
user 31975 3371
get svnlitup32.exe
quit
open 24.173.2.116 14953
user 16493 3501
get svnlitup32.exe
quit
I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from
the command line like this:
scan c:\ /all /sub /clean /log c:\vscan.log
It reported no viruses.
Every time I try to install McAfee on the machine, I get an error saying
"The Windows Installer Service could not be accessed. This can occur if you
are running Windows in safe mode, or if the Windows installer is not
correctly installed. Contact your support personnel for assistance."
I think I'm screwed. This sound familiar to anyone?
Thomas
I have a Windows 2000 server which somehow got connected to the 'Net without
AV software on it. Now there is a new "service" called "Mouse Button
Monitor" which is controlled by %windir%\system32\mousebm.exe. I also found
the following files in %windir%\system32 which appear to be new:
08/15/2005 09:00p 8,201 .exe
08/15/2005 12:42p 1,518 eq
08/15/2005 11:28a 0 eraseme_61087.exe
08/15/2005 11:28a 71 i
08/15/2005 08:39a 8,201 mousebm.exe
08/14/2005 04:00p 0 svnlitup32.exe
The file called ".exe" has the system and hidden attributes set.
I deleted the files from system32 but they re-appear after a reboot. I try
to stop the "Mouse Button Monitor" using "net stop mousebm /y" and I get:
C:\DOCUME~1\ADMINI~1\Desktop>net stop mousebm /y
The requested pause or stop is not valid for this service.
More help is available by typing NET HELPMSG 2191.
The stop and pause buttons are greyed out for the "Mouse Button Monitor"
service.
The file "i" contains entries like this:
open 24.173.15.63 16670
user 1 1
get eraseme_61087.exe
quit
The file "eq" contains pages and pages of entries which look like this:
open 24.173.252.20 10082
user 23107 28392
get svnlitup32.exe
quit
open 24.173.144.52 1317
user 17789 4406
get svnlitup32.exe
quit
open 24.173.2.21 30380
user 31975 3371
get svnlitup32.exe
quit
open 24.173.2.116 14953
user 16493 3501
get svnlitup32.exe
quit
I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from
the command line like this:
scan c:\ /all /sub /clean /log c:\vscan.log
It reported no viruses.
Every time I try to install McAfee on the machine, I get an error saying
"The Windows Installer Service could not be accessed. This can occur if you
are running Windows in safe mode, or if the Windows installer is not
correctly installed. Contact your support personnel for assistance."
I think I'm screwed. This sound familiar to anyone?
Thomas