Windows Vista forum

General discussion

cpmsky trojan

The cpmsky trojan has entered my computer and I can't get it off using message board advice to date, according to Google searches. Is there any more up-to-date solution that anyone has heard of? Am using Vista Home.

cpmsky seems to attack IE rather than Firefox and am thinking of simply uninstalling IE as I never use it anyway.

But would prefer some CNET Forum guru to show me the way!

Thanks in advance!

Try HiJackThis...

In reply to: cpmsky trojan

1.) Reboot into Safe Mode by pressing F8 during boot.
2.) Download and run HiJackThis, looking for and deleting an entry along the lines of:
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\cpmsky.dll" DllStart
3.) Browse to C:\Windows\System32 and delete the file cpmsky.dll (if found).
4.) Reboot back into Normal Mode and verify the problem is resolved.

Hope this helps,

P.S. As glb613 said, you cannot simply uninstall Internet Explorer, and forcibly removing it is inadvisable as it would cause other applications to cease to function properly.

cpmsky v. HiJackThis

In reply to: Try HiJackThis...

Hello John,

Thanks for your help. As you can probably tell, I'm a novice at this kind of thing. I downloaded and ran HiJackThis, and I found one entry containing the word cpmsky:

O2 - BHO: cpmsky browser optimizer - {cc75d02d-6f7b-70b5-12a8-03c3f7a5466d} - C:\Windows\system32\{93bda402-3c2c-d69c-7f01-9d55f8e2dd46}.dll

I then checked / ticked the box for this entry and instructed HiJackThis to fix it, which it went ahead and did.

I then browsed the files and folders in the System32 window but couldn't find a file named cpmsky.

I then ran HiJackThis again and the entry appeared again. Looks like it is still on my computer.

Should I go through every folder in System32 and check every individual entry, but it seems to be hidden somehow, and resistant to my basic use of HiJackThis.

Anything else I should try?



Send me a copy of your HJT log...

In reply to: cpmsky v. HiJackThis

Cpmsky typically is removable using HJT to 'fix' that one entry while in Safe Mode, but it seems there's more under the surface. If you would, please either post a copy of your full HJT log here or via Private Message through my member profile and we'll go from there.


I destroyed cpmsky but now have adzgalore

In reply to: Send me a copy of your HJT log...

I had another go at your solution and it seems to have worked. THANKS.

Am still under attack. In the meantime my daily AVG scan picked up a puper trojan and apparently healed it.

But now I have the adzgalore trojan and it's proving to be more tricky. It appears in my Programs list and when I go to uninstall it a security window prompts me to transcribe a distorted code - but I decide not to do this as it looks suspicious - I don't want to manually execute an unknown program by mistake.

Any hot tips on adzgalore? (I don't see it in my HJT list)


In reply to: I destroyed cpmsky but now have adzgalore

-> Never attempt to use a malware infection's "uninstaller" in an attempt to remove it for, as you suspected, that can be designed to make the problem worse rather than better.

Adzgalore is typically an indication of the Fotomoto trojan, and it should be quarantined by a full scan with AVG while in Safe Mode, Windows Defender (preinstalled), or through TrendMicro's online Housecall scan. Afterward I'd still post a copy of the HJT log to see what else may be present and undetected up to this point.


NOD32 to the rescue

In reply to: Adzgalore...


Thanks for very kind advice. I switched my computer on this morning and all documents and most programs had seemingly been wiped, it looked much like a first start up on a new computer. I cursed. Then I restarted and everything was back again.

Not wanting to take any more chances, took it straight to the IT service center at the end of my street and for $23 they used ESET NOD32 Antivirus software to search and destroy several trojans (they say). Now it's all clean and running ok, and I have their guarantee.

It was worth every cent, just for peace of mind.

I think all of this trouble started after I installed Limewire - and I used it to download just 1 old classic game that I couldn't buy in any shop - not like I was stealing films and albums.

So, I guess the moral of the story is that Limewire ain't worth it!

Thanks again and happy computing.


Thanks John

In reply to: NOD32 to the rescue

Got that virus installing LimeWire, was very careful when I got the ads (and games) and searched for Adzgalore and just took the files away. Thought I was fine, but every now and again the ads from cpmsky still appeared. So I googled, found this thread, followed your instructions and it seems I'm ok finally.
If worse should go to worse, I keep all my pics and music on an external hard drive, and I back up my computer at least twice a year. Not so hard to do and worth every penny you pay for a device or discs.

Thanks again John, easy solution that worked! My first virus, since I always have the firewall and antivirus on, but hey, they're not perfect obviously.

Btw NOD32

In reply to: Thanks John

If they found several Trojans and other harmful things, you should really consider what your computer's safety level is at. And do back it up every now and again, I would've gone back two months if I hadn't found this thread, but it would have been free. And with most of my stuff still there.


How to fix a RUNDLL error

In reply to: Adzgalore...

Hi John,

The name's Karl. I have NOD32 and it doesn't seem to protect well. When I start up my computer this RUNDLL error always pops up:

"C:\WINDOWS\system32\{e61b857a-611b-d887-e50a-196043ae18b0}.dll cannot be found OR failed to load" one of those.

I searched for this file and deleted it. I'm not sure if I was supposed to do this, but it still keeps popping up.

I also have adzgalore and it keeps popping up. I use Firefox now but I uninstalled IE7 and reinstalled it and it seemed to work A BIT better, not as bad. I also saw adzgalore in "add or remove programs" so I uninstalled it from there and it worked fine after but when I restart my computer, it returns.

I was reading your advice to users and you seem to be the guy to fix most problems so I thought I'd go to you. Please help me out.

Thanks in Advance

Can't remove adzgalore from pc.

In reply to: Send me a copy of your HJT log...

Hey John,

I see you help a lot of people here and was wondering if you wouldn't mind looking through a copy of my HJT log and see if there is anything I can erase since 'adzgalore' does not go away, even after I've scanned with AVG and Malware.



Are the best

In reply to: Try HiJackThis...

They are the best, my problem no longer exists. I like to receive new info of how battling with trojans and the worms that see themselves on web. Thank you very much

PS sorry for my English, I only speak Spanish


Worms and trojans...

In reply to: Are the best

New worms, trojans, and viruses are released on a daily (even hourly) basis, with information on the specific new and ongoing threats available from the likes of McAfee, SANS, etc. To protect yourself, though, make sure you have good firewall, antivirus, and antispyware software installed, updated daily, real-time protection enabled, and regular (usually weekly) scans performed.


can someone please analyze my HJT file to get rid of cpmsky?

In reply to: Worms and trojans...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:10 PM, on 3/15/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\AIM6\aim6.exe
C:\Program Files (x86)\Electronic Arts\EADM\Core.exe
C:\Users\Kumar\Program Files (x86)\DNA\btdna.exe
C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe
C:\Program Files (x86)\HP\HP Software Update\hpwuSchd2.exe
c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe
C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Internet Explorer\IEUser.exe
c:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe
C:\Program Files (x86)\AIM6\aolsoftware.exe
C:\Program Files (x86)\Registry Mechanic\regmech.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {21B19874-2066-B2AB-71B8-FE1079665E5D} - C:\Windows\SysWow64\yrtxddbaswryh.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~2\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: cpmsky browser enhancer - {7C25A617-7FD1-1403-6346-61F96C01B6AF} - C:\Windows\SysWow64\tocguezqmyeagt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - c:\Program Files (x86)\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\hp\support\hpsysdrv.exe
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files (x86)\Creative\Sound Blaster X-Fi\Volume Panel\VolPanlu.exe" /r
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files (x86)\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LELA] "C:\Program Files (x86)\Linksys\Linksys EasyLink Advisor\Linksys EasyLink Advisor.exe" /minimized
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [albmdxadcikcszap] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\tocguezqmyeagt.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] "C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
O4 - HKCU\..\Run: [Aim6] "C:\Program Files (x86)\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [EA Core] "C:\Program Files (x86)\Electronic Arts\EADM\Core.exe" -silent
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Users\Kumar\Program Files (x86)\DNA\btdna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files (x86)\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [RegistryMechanic] C:\Program Files (x86)\Registry Mechanic\RMTray.exe /H
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Bluetooth.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send image to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Send page to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files (x86)\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~2\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Send To Bluetooth - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: Send to &Bluetooth Device... - {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O13 - Gopher Prefix:
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) -
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files (x86)\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Chasis Button Service (HPBtnSrv) - Unknown owner - c:\hp\HPEZBTN\HPBtnSrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - c:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Linksys Updater (LinksysUpdater) - Unknown owner - C:\Program Files (x86)\Linksys\Linksys Updater\bin\LinksysUpdater.exe
O23 - Service: LiveUpdate - Symantec Corporation - c:\Program Files (x86)\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - c:\Program Files (x86)\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~2\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files (x86)\Viewpoint\Common\ViewpointService.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

End of file - 12571 bytes
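
Added example (not part of the original thread and not HijackThis's own code): a small Python triage helper that parses the O2 (BHO) and O4 (Run key) lines of a HijackThis log and, given an indicator string such as cpmsky, returns every entry that names it or loads the same DLL as an entry that does. The function names are assumptions of this example; the sample lines are copied from the log above.

```python
import re

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: mysidesearch search enhancer - {21B19874-2066-B2AB-71B8-FE1079665E5D} - C:\Windows\SysWow64\yrtxddbaswryh.dll
O2 - BHO: cpmsky browser enhancer - {7C25A617-7FD1-1403-6346-61F96C01B6AF} - C:\Windows\SysWow64\tocguezqmyeagt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [albmdxadcikcszap] C:\Windows\System32\regsvr32.exe /s "C:\Windows\system32\tocguezqmyeagt.dll"
O4 - HKCU\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter
'''

# O2 - BHO: <label> - {CLSID} - <dll path>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<label>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.+)$"
)
# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK\w+)\\.*?Run: \[(?P<label>[^\]]+)\] (?P<target>.+)$"
)
# File-name token ending in .dll, with or without a leading path or quotes.
DLL_RE = re.compile(r'([^\\/"\s,]+\.dll)\b', re.IGNORECASE)


def parse_entries(log_text):
    """Return the O2 (BHO) and O4 (Run key) entries as dicts; skip other lines."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        for kind, rx in (("O2", BHO_RE), ("O4", RUN_RE)):
            m = rx.match(line)
            if m:
                # Compare DLLs by lower-cased base name, so the same file seen
                # as system32 in one entry and SysWow64 in another still matches.
                dlls = {d.lower() for d in DLL_RE.findall(m["target"])}
                entries.append(
                    {"kind": kind, "label": m["label"], "dlls": dlls, "line": line}
                )
    return entries


def related_entries(log_text, indicator):
    """Entries naming the indicator, plus entries loading the same DLL as one that does."""
    entries = parse_entries(log_text)
    needle = indicator.lower()
    named = [e for e in entries if needle in e["line"].lower()]
    shared = set().union(*(e["dlls"] for e in named))
    return [e for e in entries if e in named or e["dlls"] & shared]


if __name__ == "__main__":
    for entry in related_entries(SAMPLE_LOG, "cpmsky"):
        print(entry["kind"], entry["label"], sorted(entry["dlls"]))
```

On the sample, the cpmsky BHO and the `albmdxadcikcszap` Run value both point at `tocguezqmyeagt.dll`; the Run value calls regsvr32 on that DLL at each logon, so the two entries belong to the same finding.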

Just in case there is no answer.

In reply to: can someone please analyze my HJT file to get rid of cpmsky?
