All -

I am posting this here because this group knows more about viruses than anyone I know. Forgive me if this is OT.

I have a Windows 2000 server which somehow got connected to the 'Net without AV software on it. Now there is a new "service" called "Mouse Button Monitor" which is controlled by %windir%\system32\mousebm.exe. I also found the following files in %windir%\system32 which appear to be new:

08/15/2005  09:00p               8,201 .exe
08/15/2005  12:42p               1,518 eq
08/15/2005  11:28a                   0 eraseme_61087.exe
08/15/2005  11:28a                  71 i
08/15/2005  08:39a               8,201 mousebm.exe
08/14/2005  04:00p                   0 svnlitup32.exe

The file called ".exe" has the system and hidden attributes set.

I deleted the files from system32 but they re-appear after a reboot. I try to stop the "Mouse Button Monitor" using "net stop mousebm /y" and I get:

C:\DOCUME~1\ADMINI~1\Desktop>net stop mousebm /y
The requested pause or stop is not valid for this service.

More help is available by typing NET HELPMSG 2191.

The stop and pause buttons are greyed out for the "Mouse Button
Monitor" service.

The file "i" contains entries like this:

open 16670
user 1 1
get eraseme_61087.exe

The file "eq" contains pages and pages of entries which look like this:

open 10082
user 23107 28392
get svnlitup32.exe
open 1317
user 17789 4406
get svnlitup32.exe
open 30380
user 31975 3371
get svnlitup32.exe
open 14953
user 16493 3501
get svnlitup32.exe

I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from the command line like this:

scan c:\ /all /sub /clean /log c:\vscan.log

It reported no viruses.

Every time I try to install McAfee on the machine, I get an error saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance."

I think I'm screwed.  This sound familiar to anyone?


Reply via email to