Anyone recognise cpmv.exe

I'm fixing a laptop that was infected with a variety of nasties.
It was given to me when an SP2 upgrade failed.
I had to do a repair install.
I've installed and updated AVG Free, TrojanHunter trial, Nod32 trial, Adaware,
S&D and Hijackthis.
I booted into safe mode (Win XP Pro) and used the above utilities to clean it up.
It now seems to be clean but there is an entry in the Hijackthis log I do not
understand and cannot find anything about it.

04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe

Using explorer with
Display the contents of system folders
Show hidden files and folders
Hide protected operating system files (unticked)
I cannot find the file to submit to virustotal.
I cannot find the file using a command prompt.

The owner of the machine cannot help.
The only reference I can find to CPMV is a biological virus, which makes me
think it is perhaps a nasty (from someone with a sense of humour ?).

I could let hijackthis have its way with it but before I shoot in the dark - Any
clues ?



Re: Anyone recognise cpmv.exe

Eric Parker wrote:

   I suppose you used Find Files...
   Most virus type programs add to the pile in \system32, so use Windows
Explorer there and sort by date, most recent first.
   It probably is an exe near the top; the date is when it got placed.
   If in doubt, rename as XEX *after* killing the task immediately after
boot and as soon as you see the desktop (use <Ctrl><Alt><Delete>).

Re: Anyone recognise cpmv.exe


Eric Parker wrote:

Try typing:
attrib cpmv.exe
in C:\WINNT, see if it shows up there.

If not, you could use Sysinternals' RootKitRevealer[1] to see if it's
hidden itself using more stealthy methods. You could also try putting the
hard disk into another computer.

Is the exe actually in the running task list? It might have a registry
entry but doesn't exist any more :-)



Adam Piggott,
Proactive Services (Computing).

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
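
Added example, not part of the thread and not any poster's code: a Python sketch that reads HijackThis O4 registry autorun lines and reports which ones point at a file that cannot be found, which is the situation described above. The function names, the sample log apart from the cpmv line, and the sample file list are constructed for illustration.

```python
import re

# HijackThis autorun line: "O4 - HKLM\..\Run: [name] command".
# The section id is the letter O; hand-typed logs often show a zero ("04").
O4_RE = re.compile(
    r'^\s*[O0]4\s+-\s+(HK[A-Z]{2})\\\.\.\\(\w+):\s+\[([^\]]*)\]\s+(.+?)\s*$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)', re.I)

def exe_path(command):
    """Return the executable path of a Run value, without its arguments."""
    command = command.strip()
    if command.startswith('"'):                 # "C:\dir with space\a.exe" /x
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)                   # C:\Program Files\a.exe /x
    return m.group(1) if m else command

def audit_o4(log_text, exists):
    """Return (hive, key, name, path, status) for each O4 registry entry.
    exists: callable(path) -> bool, e.g. os.path.exists on the machine itself."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if not m:
            continue                            # other sections, Startup-folder items
        hive, key, name, command = m.groups()
        path = exe_path(command)
        status = "present" if exists(path) else "MISSING"
        findings.append((hive, key, name, path, status))
    return findings

# Constructed sample log: the first O4 line is the one quoted in the thread,
# the other entries and the file list below are made up for the demonstration.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe" /startup
O4 - HKCU\..\Run: [ExampleUpd] C:\Program Files\Example\upd.exe -quiet
"""
SAMPLE_FILES = {r"c:\program files\example\tray.exe",
                r"c:\program files\example\upd.exe"}

def sample_exists(path):
    return path.lower() in SAMPLE_FILES         # Windows paths are case-insensitive

if __name__ == "__main__":
    for hive, key, name, path, status in audit_o4(SAMPLE_LOG, sample_exists):
        print(f"{status:8} {hive}\\...\\{key} [{name}] -> {path}")
```

A MISSING result covers both cases raised in the reply above: a leftover registry value for a file that no longer exists, or a file hidden from the running system. Repeating the check with the disk attached to another computer separates the two.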

