I then looked at what was causing these processes to launch, using a built-in Windows tool called msconfig (Start > Run and type msconfig). The Startup tab normally lets you untick check boxes so that a process won't start on boot. This time, however, everything was greyed out.


MSConfig Greyed Out

I suspected that these unknown processes were trying to stop me from removing them. So I went back to Process Explorer and killed the process; all the boxes in msconfig became enabled again, and I unticked winsrv32 so it would not load at startup. At this point it was confirmed that these files were definitely malicious and the cause of the original problem.


MSConfig makes a recovery

Using Process Explorer again, I found where they were located on the hard drive, which was C:\Windows\system32, and deleted the files winsrv32.exe and its child process repigsp.exe.

I restarted the computer to see if they continued to load at startup, opened up Process Explorer, and there they were again; however, winsrv32.exe was now called runsrv32.exe.

This typically indicates that there are additional files somewhere on the computer which check for the existence of the malicious file and, if it has been removed (by a virus scanner or by hand), regenerate it.

Using Process Explorer again, I killed the process, unticked it in msconfig and went back to the System32 folder the file resided in.
Right next to runsrv32.exe was a file called runsrv32.dll, which was exactly the same file size as runsrv32.exe. I would normally be careful, as runsrv32.dll could easily be a genuine DLL used by Windows, but because its file size exactly matched the virus I took the chance and deleted it.

I looked around for other files with similar properties to the virus executable, which was 8 KB in size and created on 02/05/2006 at 4:07pm, and noticed that there was another executable called a.exe, which I deleted as well.
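The "same size, same creation time" triage used above can be scripted so the candidates are listed for review instead of found by eye. This is an added example, not code from the original post: the listing is constructed (the file names are those from the post, while the 8192-byte size and the exact timestamps are illustrative), and `list_directory` is a helper for running it against a real folder, where on Windows `st_ctime` is the creation time.

```python
import os
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class FileRecord:
    name: str
    size: int          # bytes
    created: datetime  # creation timestamp


def find_lookalikes(records, reference):
    """Names of files sharing the reference file's exact size and creation
    minute, excluding the reference itself. These are review candidates:
    a genuine DLL can share a size by chance, so the timestamp is checked too."""
    ref_minute = reference.created.replace(second=0, microsecond=0)
    matches = []
    for rec in records:
        if rec.name.lower() == reference.name.lower():
            continue
        if rec.size != reference.size:
            continue
        if rec.created.replace(second=0, microsecond=0) != ref_minute:
            continue
        matches.append(rec.name)
    return sorted(matches)


def list_directory(path):
    """Build FileRecords from a real directory (e.g. C:\\Windows\\System32).
    On Windows st_ctime is the creation time; elsewhere prefer st_birthtime."""
    records = []
    with os.scandir(path) as it:
        for entry in it:
            if not entry.is_file(follow_symlinks=False):
                continue
            st = entry.stat(follow_symlinks=False)
            created = getattr(st, "st_birthtime", st.st_ctime)
            records.append(FileRecord(entry.name, st.st_size, datetime.fromtimestamp(created)))
    return records


# Constructed sample listing modelled on the cleanup described in the post.
SAMPLE = [
    FileRecord("runsrv32.exe", 8192, datetime(2006, 5, 2, 16, 7, 12)),
    FileRecord("runsrv32.dll", 8192, datetime(2006, 5, 2, 16, 7, 40)),
    FileRecord("a.exe", 8192, datetime(2006, 5, 2, 16, 7, 3)),
    FileRecord("blank.htm", 8192, datetime(2004, 8, 4, 12, 0, 0)),   # same size, different date
    FileRecord("kernel32.dll", 983040, datetime(2004, 8, 4, 12, 0, 0)),
]


def triage_sample():
    """Run the check with runsrv32.exe as the known-bad reference."""
    return find_lookalikes(SAMPLE, SAMPLE[0])


if __name__ == "__main__":
    for name in triage_sample():
        print("review:", name)
```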

I restarted the computer again, loaded up Process Explorer, and it wasn't running. Great!
I looked around for files similar to the virus and nothing else was present either. It looks like it has been successfully removed. All that was left was to clean up the "about:blank" page in Internet Explorer, which had been hijacked to create the original fake Windows Security Center message.

I opened up Hijack This! and removed the following lines:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main\,HomeOldSP = about:blank

When about:blank doesn't exist, Windows will regenerate it. I restarted IE and it was back to normal. All signs of the infection had been completely removed.

I asked my client when the computer started having this problem and they said last night. I then asked whether they had opened any emails with attachments or downloaded any "free screensavers, toolbars, emoticons" or the usual adware suspects, which he said he hadn't; all he did the night before was check his email, none of which had attachments. I checked the status of the computer's Windows updates and it was about 16 or so critical updates behind, so my best guess was that his computer was exploited because it was unpatched. It most likely got onto his PC either via an ISP-scanning worm that seeks out all the computers within a certain ISP's subnet, or via a drive-by download while he was surfing websites.

I still don't know how to classify this infection. It behaved like a trojan in trying to stop me removing it, I believe it spread like a virus, and it throws up advertisements like adware.

Leave a comment and let me know what you think it would be classified as.

Tools used: Process Explorer, Hijack This! & MSConfig