Anyone recognise cpmv.exe


Eric Parker

I'm fixing a laptop that was infected with a variety of nasties.
It was given to me when an SP2 upgrade failed.
I had to do a repair install.
I've installed and updated AVG Free, TrojanHunter trial, Nod32 trial, Adaware, Spybot
S&D and Hijackthis.
I booted into safe mode (Win XP Pro) and used the above utilities to clean it up.
It now seems to be clean but there is an entry in the Hijackthis log I do not
understand and cannot find anything about it.

04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe

Using explorer with
Display the contents of system folders
Show hidden files and folders
Hide protected operating system files (unticked)
I cannot find the file to submit to virustotal.
I cannot find the file using a command prompt.

The owner of the machine cannot help.
The only reference I can find to CPMV is a biological virus, which makes me think it
is perhaps a nasty (from someone with a sense of humour ?).

I could let hijackthis have its way with it but before I shoot in the dark - Any
clues ?

thanks

eric
 
Eric said:
I'm fixing a laptop that was infected with a variety of nasties.
It was given to me when an SP2 upgrade failed.
I had to do a repair install.
I've installed and updated AVG Free, TrojanHunter trial, Nod32 trial, Adaware, Spybot
S&D and Hijackthis.
I booted into safe mode (Win XP Pro) and used the above utilities to clean it up.
It now seems to be clean but there is an entry in the Hijackthis log I do not
understand and cannot find anything about it.

04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe

Using explorer with
Display the contents of system folders
Show hidden files and folders
Hide protected operating system files (unticked)
I cannot find the file to submit to virustotal.
I cannot find the file using a command prompt.

The owner of the machine cannot help.
The only reference I can find to CPMV is a biological virus, which makes me think it
is perhaps a nasty (from someone with a sense of humour ?).

I could let hijackthis have its way with it but before I shoot in the dark - Any
clues ?

thanks

eric
I suppose you used Find Files...
Most virus type programs add to the pile in \system32, so use windows
explorer there and sort by date, most recent first.
It probably is an exe near the top; the date is when it got placed.
If in doubt, rename as XEX *after* killing the task immediately after
boot and as soon as you see the desktop (use <Ctrl><Alt><Delete>).
 

Eric said:
I'm fixing a laptop that was infected with a variety of nasties.
It was given to me when an SP2 upgrade failed.
I had to do a repair install.
I've installed and updated AVG Free, TrojanHunter trial, Nod32 trial, Adaware, Spybot
S&D and Hijackthis.
I booted into safe mode (Win XP Pro) and used the above utilities to clean it up.
It now seems to be clean but there is an entry in the Hijackthis log I do not
understand and cannot find anything about it.

04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe

Using explorer with
Display the contents of system folders
Show hidden files and folders
Hide protected operating system files (unticked)
I cannot find the file to submit to virustotal.
I cannot find the file using a command prompt.

Try typing:
attrib cpmv.exe
in C:\WINNT, see if it shows up there.

If not, you could use Sysinternals' RootKitRevealer[1] to see if it's
hidden itself using more stealthy methods. You could also try putting the
hard disk into another computer.

Is the exe actually in the running task list? It might have a registry
entry but doesn't exist any more :-)

[1] http://www.sysinternals.com/Utilities/RootkitRevealer.html

HTH,


Adam Piggott,
Proprietor,
Proactive Services (Computing).

--
Please replace dot invalid with dot uk to email me.
Apply personally for PGP public key.
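Added example (not written by anyone in this thread): a Python sketch of the check suggested above, run from a second computer with the suspect disk mounted, that reads the autorun lines from a saved HijackThis log and reports which targets are actually on the disk and which are orphaned registry entries. The function names and the single-volume mount layout are assumptions made for this illustration.

```python
import re
from pathlib import Path

# HijackThis autorun line, e.g. "O4 - HKLM\..\Run: [name] command".
# The log line quoted in the thread starts with a zero ("04"), so accept both.
O4_RE = re.compile(
    r'^[O0]4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE_RE = re.compile(r'(.+?\.(?:exe|com|bat|cmd|scr|pif|dll))(?=[\s,]|$)', re.I)

def target_path(cmd):
    """Pull the executable path out of a Run command line (quoted or bare)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]

def resolve_offline(win_path, mount_root):
    """Map a C:\\... path onto a mounted copy of the disk, ignoring case.
    Assumption: every path lives on the single volume mounted at mount_root."""
    cur = Path(mount_root)
    for part in win_path.split('\\')[1:]:      # [1:] drops the drive letter
        if not cur.is_dir():
            return None
        cur = next((e for e in cur.iterdir() if e.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def audit(log_text, mount_root):
    """Return (name, path, status) per O4 entry; status is 'present' or 'orphaned'."""
    results = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path = target_path(m.group('cmd'))
        found = resolve_offline(path, mount_root)
        status = 'present' if found is not None and found.is_file() else 'orphaned'
        results.append((m.group('name'), path, status))
    return results

if __name__ == '__main__':
    import tempfile
    # Constructed demo: an empty "disk" plus the Run entry quoted in the thread.
    with tempfile.TemporaryDirectory() as disk:
        (Path(disk) / 'WINNT').mkdir()
        print(audit(r'04 - HKLM\..\Run: [cpmv] C:\WINNT\cpmv.exe', disk))
```

An entry reported as orphaned here can simply have its Run value removed; one reported as present gives a file that can be copied off the mounted disk for scanning.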
 