In this article I will be demonstrating how a virus/adware was found on a client's PC and how it was removed without the use of virus scanners or adware removal software, as they were unable to detect it.

Edit: This article is not removal instructions for AntiSpyLab. If you need removal instructions, go HERE.

Edit: In the week since writing this article, this infection has been showing up everywhere, and some adware removal tools such as ewido can now detect it.

This article begins when I was called out to a client's place because they said they were infected by some sort of spyware. Upon arrival I found this:

Fake Windows Security Center

The key point about this image is that the message is designed to look like part of the built-in Windows XP Security Center. Along the top it has the Internet Explorer security warning bar, which says "Warning: possible Spyware or Adware infection! Click here to scan your computer for Spyware and Adware…"

When the "Click here" link is clicked it takes me to a website called Antispylab, where I can purchase their spyware removal products. Looking closer at the link, it also contains an affiliate code, "aff=242". This means that if any of that antispyware software is bought through that link, the person who placed this page on my client's computer gains a percentage of the sale (usually around 5 to 10 percent). It seems the creator of this infection was financially motivated.
To further push the purchase of this software, the creator made a Windows balloon pop up with frequent infection/hacking warnings, as shown below:

Fake Windows Security Popup

Removing the Malicious file:

The most obvious step to start with is to run a virus scanner and an adware/spyware scanner, which I did, letting them run through their scans; however, the computer came up clean.
It seems the virus/adware/spyware scanners are unable to detect this problem.

I am going to have to get my hands dirty and remove it manually.
I used the popular tool Process Explorer XP to view the processes currently running in the background. As I was logged in using a limited user account, it showed non-Windows processes. Here is a picture of what showed up:

Looking in Process Explorer

  • explorer.exe – is essentially the Windows XP graphical interface itself.
  • lxbmbmgr.exe & lxbmbmon.exe – are part of the client's Lexmark printer software.
  • CAVTray.exe & CAVRid.exe – are parts of their antivirus, VET.
  • msmsgs.exe – is MSN Messenger, a popular chat client.
  • HijackThis.exe – is a tool of mine that I was using at the time to look for the virus.
  • Procexp.exe – is Process Explorer, the tool of mine we are currently viewing the processes in.
  • mspaint.exe – is Microsoft Paint, which I used to take the screenshot we are currently looking at.
  • winserv32.exe – is unknown to me. It isn't one of the essential processes needed to run Windows, even though its company name is Microsoft.
  • repigsp.exe – is a child process of winserv32.exe and is also not one of the essential Windows processes. This process only appeared when the "Internet attack attempt detected…" bubble popped up.
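The triage above is done by eye: compare each process against what you know belongs on the box, distrust a "Microsoft" company string on a name you have never seen, and follow the parent/child link from winserv32.exe to repigsp.exe. The script below is an added example (not code from the original article) that applies the same two rules to a constructed process snapshot modelled on the screenshot; the PIDs and paths are made up, and KNOWN_MICROSOFT is an assumed allow-list used only to illustrate the idea.

```python
"""Triage a Process Explorer style snapshot the way the article does by hand.

Added example, not code from the original article. The snapshot, PIDs and
paths are constructed to mirror the screenshot; KNOWN_MICROSOFT is an
assumed allow-list used only for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int      # parent PID, which gives the child relationship the article notes
    company: str   # CompanyName from the file's version information
    path: str


# Constructed snapshot modelled on the article's screenshot (PIDs/paths made up).
SNAPSHOT = [
    Proc("explorer.exe", 1200, 1100, "Microsoft Corporation", r"C:\WINDOWS\explorer.exe"),
    Proc("lxbmbmgr.exe", 1300, 1200, "Lexmark International, Inc.", r"C:\Program Files\Lexmark\lxbmbmgr.exe"),
    Proc("lxbmbmon.exe", 1310, 1300, "Lexmark International, Inc.", r"C:\Program Files\Lexmark\lxbmbmon.exe"),
    Proc("CAVTray.exe", 1400, 1200, "Computer Associates", r"C:\Program Files\CA\VET\CAVTray.exe"),
    Proc("CAVRid.exe", 1410, 1200, "Computer Associates", r"C:\Program Files\CA\VET\CAVRid.exe"),
    Proc("msmsgs.exe", 1500, 1200, "Microsoft Corporation", r"C:\Program Files\Messenger\msmsgs.exe"),
    Proc("HijackThis.exe", 1600, 1200, "", r"C:\tools\HijackThis.exe"),
    Proc("procexp.exe", 1610, 1200, "Sysinternals", r"C:\tools\procexp.exe"),
    Proc("mspaint.exe", 1620, 1200, "Microsoft Corporation", r"C:\WINDOWS\system32\mspaint.exe"),
    Proc("winserv32.exe", 1700, 1200, "Microsoft", r"C:\WINDOWS\winserv32.exe"),
    Proc("repigsp.exe", 1710, 1700, "Microsoft", r"C:\WINDOWS\repigsp.exe"),
]

# Assumed allow-list: Microsoft binaries the author recognised in the screenshot.
# A real check would verify the file's digital signature and on-disk path rather
# than trust a name, but a name list is enough to show the idea.
KNOWN_MICROSOFT = {"explorer.exe", "mspaint.exe", "msmsgs.exe"}


def by_parent(snapshot):
    """Map each parent PID to the list of processes it spawned."""
    tree = defaultdict(list)
    for p in snapshot:
        tree[p.ppid].append(p)
    return tree


def descendants(snapshot, root_pid):
    """Names of every process under root_pid, found by walking the parent map."""
    tree = by_parent(snapshot)
    found, stack = [], [root_pid]
    while stack:
        pid = stack.pop()
        for child in tree.get(pid, []):
            found.append(child.name)
            stack.append(child.pid)
    return found


def flag_suspicious(snapshot):
    """Return {name: [reasons]} for processes worth a closer look.

    Rule 1: the company string claims Microsoft but the name is not a
            recognised Windows binary (the article's winserv32.exe).
    Rule 2: anything spawned by a flagged process inherits the suspicion
            (repigsp.exe is a child of winserv32.exe).
    """
    by_pid = {p.pid: p for p in snapshot}
    reasons = {}
    for p in snapshot:
        if "microsoft" in p.company.lower() and p.name.lower() not in KNOWN_MICROSOFT:
            reasons.setdefault(p.name, []).append(
                "claims Microsoft but is not a known Windows binary")
    changed = True
    while changed:  # propagate down the tree until nothing new is flagged
        changed = False
        for p in snapshot:
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name not in reasons:
                continue
            note = f"child of flagged process {parent.name}"
            if note not in reasons.get(p.name, []):
                reasons.setdefault(p.name, []).append(note)
                changed = True
    return reasons


def report(snapshot):
    """One human-readable line per flagged process."""
    lines = []
    for name, why in flag_suspicious(snapshot).items():
        proc = next(p for p in snapshot if p.name == name)
        lines.append(f"{name} (pid {proc.pid}, {proc.path}): " + "; ".join(why))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SNAPSHOT)))
```

On the constructed snapshot the only two names flagged are winserv32.exe and repigsp.exe, matching the article's conclusion; the Lexmark, VET and tool processes pass because they never claim to be Microsoft. The name allow-list is the weak part of the approach, which is why on a real machine you would confirm the file's signature and location before trusting either a known or an unknown name.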