Solved

Reverse engineering

Posted on 2014-08-18
18
Medium Priority
399 Views
Last Modified: 2014-08-21
My OS is win 7 Prof 64 bit. I have been plagued by the malware Win32/Caphaw. After walking thru with Microsoft paid support, not sure what they did but the Task Manager's Services or Processes showed the culprit (Alert.exe) that was displaying the virus notification screen, see screen shot.
The Q is how do I trace backwards, which program triggered this alert.exe to be executed. MS suspects a link in my email client or my Torch browser because it happens whenever I open an email client either thru Outlook 2007 or thru the web, using Torch or IE or Opera. My email is msn the free account.
Hope the Gurus can throw some light how I can trace this program to its roots, and delete the offending program from its source.
thank u.
win32-caphaw-screen-shot.JPG
Question by:jegajothy
18 Comments
 
LVL 28

Expert Comment

by:jhyiesla
ID: 40268064
I would attempt to use some standard scanning tools like malwarebytes (malwarebytes.org) or combo fix (bleepingcomputer.com). There are also other ones like tdsskiller from Kaspersky that will remove some Root Kit infections. If you still can't get rid of it or your system seems wonky even after you think you've cleaned it, save off your data and wipe and reload the OS. I know that's extreme sometimes, but then you know you are OK going forward.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40268070
0
 
LVL 37

Expert Comment

by:Kimputer
ID: 40268095
Actually, you are the one who should remember when it got infected (assuming we're talking about a computer you are using, not a friend or colleague). That's because Win7 employs User Account Control, which means, you have to click several times on OK before a virus gets properly installed!
Anyway, you can't always trace back how or what, it could be you're missing info in your browser history, file dates could have been changed by the virus etc etc. The best way to remember is when you allowed the virus to access your system.

All the above of course, assumes you kept your Windows up to date, but also all your other software, browsers, plugins etc. It also assumes you DIDN'T disable UAC.
If this isn't correct, the next question is of course, WHY? (Also means the virus didn't need your approval to install itself, making tracing it even more difficult)
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40268239
If procexp doesn't show a dependency (i.e. in the tree display, alert.exe running under another process) procmon is probably your best bet - while procexp (as recommended above, and really a good piece of software) will show you what is running, procmon is better for showing what process launched what other process.
0
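The parent-chain lookup that Process Explorer's tree display gives you can also be scripted. The following is an added example, not code from this thread or from any of the experts in it: it takes one snapshot of all processes through WMI/CIM and walks ParentProcessId upwards from a process name given as a parameter ('Alert.exe' below is only the thread's case). It assumes PowerShell 3.0 or later for Get-CimInstance.

```powershell
# Added example, not code from this thread or its experts: walk a process's
# parent chain from a WMI/CIM snapshot, as a scripted alternative to reading
# the tree view in Process Explorer. Assumes PowerShell 3.0+ (Get-CimInstance).
function Get-ParentChain {
    param(
        [Parameter(Mandatory = $true)] [string] $ProcessName,
        [int] $MaxDepth = 16     # guard against loops caused by PID reuse
    )
    # One snapshot of every running process, indexed by PID
    $snapshot = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($p in $snapshot) { $byPid[[int]$p.ProcessId] = $p }

    $targets = @($snapshot | Where-Object { $_.Name -ieq $ProcessName })
    if ($targets.Count -eq 0) {
        Write-Warning "No running process named '$ProcessName'"
        return
    }

    foreach ($target in $targets) {
        $current = $target
        $depth   = 0
        while ($current -and $depth -lt $MaxDepth) {
            # Emit one row per ancestor, child first
            [pscustomobject]@{
                Depth       = $depth
                ProcessId   = $current.ProcessId
                Name        = $current.Name
                Started     = $current.CreationDate
                CommandLine = $current.CommandLine
            }
            $parent = $byPid[[int]$current.ParentProcessId]
            # ParentProcessId is only a number. If the real parent has exited and
            # Windows reused its PID, the 'parent' found here started AFTER the
            # child; report that instead of a false ancestor. PID 0 lists itself
            # as its own parent, so stop there too.
            if (-not $parent -or $parent.ProcessId -eq $current.ProcessId) { break }
            if ($parent.CreationDate -and $current.CreationDate -and
                $parent.CreationDate -gt $current.CreationDate) {
                Write-Warning ("PID {0} was reused; the real parent of {1} (PID {2}) already exited" -f
                    $parent.ProcessId, $current.Name, $current.ProcessId)
                break
            }
            $current = $parent
            $depth++
        }
    }
}

Get-ParentChain -ProcessName 'Alert.exe' | Format-Table -AutoSize -Wrap
```

A chain that ends at taskeng.exe means Task Scheduler launched the program, which is what the accepted answer later reads off the attached process list. If the launcher has already exited, a live snapshot cannot recover it; that is the case for Process Monitor's process tree (with boot logging if needed), as recommended above.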
 

Author Comment

by:jegajothy
ID: 40269256
In response to everyone, MS paid support had tried everything like Kaspersky TDSS Killer, slim...... , Malwares Antimalwares premium, Avast premier, Windows Essentials, but the rogue program still manages to show up, whenever I load an email client like outlook 2007 or Incredimail or msn email account thru the web browser, like Torch or Opera. Initially MS thought the virus was piggybacked to the Torch browser, and the software was uninstalled, but it is still there.
Probably, before I go to the extreme solution, let me see if I can uninstall Outlook 2007 completely and then run all the antivirus programs and see if it detects it and then reinstall Outlook 2007. Thank u to everyone for their input, but I am still laden with this problem.
0
 

Author Comment

by:jegajothy
ID: 40269268
In response to aadih, I downloaded and ran the Process monitor, and attach herewith the list of processes. Hope if u could please see if there is anything unusual, or close to the win32/caphaw program, and if yes, what should I do. Thank u
processmonitor-results.TXT
0
 
LVL 37

Expert Comment

by:Kimputer
ID: 40269626
I'm a bit confused now, are you still trying to analyse Alert.exe, as in, its origin, vector of attack? Or do you just want to remove it and be done with it?
0
 

Author Comment

by:jegajothy
ID: 40270019
In response to kimputer, I am trying to delete Alert.exe and whatever dependencies or derivatives that it may have, completely from my computer. But don't u think one should analyze this first, because I do not know what else damage it will cause if it is not removed systematically like how the program Revo uninstaller does its work.
In fact the screen appeared again when I tried to access my Outlook 2007 email message. Thank u for your response and suggestions.
0
 
LVL 37

Expert Comment

by:Kimputer
ID: 40270042
Most of the time, people can't remember if the virus was from an email, web browsing or whatever. It's not that much use to trace it back. Just keep to the safe rules, and you'll be fine:
Don't open files you don't know / need (goes for web browsing as well as email), no matter how tempting (bank, UPS, DHL).
Keep Windows up to date, as well as all other programs (java/adobe/flash etc) and antivirus
Always close popups with ALT+F4.
Set all browsers to highest security (enable plugin on click)
Keep UAC on.
Log in as a "normal" user. Keep admin user/password separately, only type it in when needed (installing software you're sure is safe).

Now on to the alert.exe which you don't seem to be able to get rid of. Get rid of it OUTSIDE of Windows! Use a bootable CD/USB from any antivirus company to clean your PC (AVG, Avast etc, all free). For good measure, why not scan it multiple times with different CDs.
You will now most definitely get rid of the main virus. Some extra components can now be removed with types like Malwarebytes inside Windows again.
0
 
LVL 24

Accepted Solution

by:
aadih earned 2000 total points
ID: 40270044
The problem process is:

"taskeng.exe            2,368 K      6,264 K      5024            
    Alert.exe      < 0.01      22,112 K      4,752 K      5004"

It's a scheduled task.

It'd be difficult to determine which task it is that gets scheduled by "task scheduler," however.

My advice is to scan using MalwareBytes AntiMalware (free) to clean this "virus," which it is. If that does not work, use HitmanPro or ComboFix to remove it (Also scan with TDSSKiller for any rootkit infection just to make sure).  Rather than more analysis, cleaning it up is the road you must travel now.
0
 

Author Comment

by:jegajothy
ID: 40270092
In response to aadih, thank u for your feedback. I have tried all those that u had suggested, and even Microsoft paid support did the same thing, and I even repeated them after they logged off but it still did not find the culprit.
Meanwhile, how do I get rid of the two files u found. A search for alert.exe did not find anything. A search for taskeng.exe found it, but please see the snap shot of the screen I got. Is it safe to delete the file. Thank u again for your feedback.
taskeng-exe-snapshot.JPG
0
 
LVL 24

Expert Comment

by:aadih
ID: 40270104
No, do not delete taskeng. It's a required system file.  

Go to task scheduler, and inspect each scheduled task (under Windows, most probably, but not necessarily) one by one until you find the one [task] that has "alert.exe" in it.  That's the only way, as far as I know.  Painstaking and time consuming.
0
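The accepted answer identifies Alert.exe as a child of taskeng.exe, i.e. a scheduled task, and the follow-up says the only way to find that task is to open each one in Task Scheduler until one contains "alert.exe". That search can be done in one pass. The following is an added example, not code from this thread or from the experts in it: it dumps every registered task with schtasks.exe (present on Windows 7, where the Get-ScheduledTask cmdlet is not available), parses the CSV and lists the tasks whose command line contains a substring given as a parameter. The column names used ('TaskName', 'Task To Run', and so on) are those of an English-language Windows; schtasks localises them on other installs.

```powershell
# Added example, not code from this thread or its experts: list every
# scheduled task whose command line contains a given substring (here the
# thread's 'alert.exe') instead of inspecting tasks one by one in Task
# Scheduler. Uses schtasks.exe so it works on Windows 7; column names are
# the English ones and differ on localised Windows.
function Find-ScheduledTaskByCommand {
    param(
        [Parameter(Mandatory = $true)] [string] $Pattern
    )
    # /v adds the verbose columns (including 'Task To Run'); /fo CSV is parseable
    $lines = @(schtasks.exe /query /v /fo CSV 2>$null)
    if ($lines.Count -eq 0) { throw 'schtasks.exe produced no output (run as administrator?)' }

    # schtasks repeats the header line in front of every task folder; keep a
    # single copy so ConvertFrom-Csv sees one well-formed table.
    $header = $lines[0]
    $body   = $lines | Where-Object { $_ -ne $header }
    $tasks  = (@($header) + $body) | ConvertFrom-Csv

    # Treat the pattern as a literal substring, not a regular expression
    $escaped = [regex]::Escape($Pattern)
    $tasks |
        Where-Object { $_.'Task To Run' -imatch $escaped } |
        Select-Object TaskName, 'Task To Run', 'Start In', 'Scheduled Task State',
                      Author, 'Last Run Time', 'Next Run Time'
}

# Run from an elevated prompt so tasks registered by other accounts are listed too.
Find-ScheduledTaskByCommand -Pattern 'alert.exe' | Format-List
```

The 'Task To Run' and 'Start In' columns give the path of the file the task launches, which is what to hand to the scanners; the task itself can be stopped from firing with `schtasks /change /tn "<task name>" /disable` and removed with `schtasks /delete /tn "<task name>" /f`. As the answer above says, taskeng.exe is the legitimate task host and must not be deleted; only the task that points at alert.exe is the problem.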
 
LVL 24

Expert Comment

by:aadih
ID: 40270111
Did you also scan using AdwCleaner?

If not, please do it; it takes only a few minutes.
0
 
LVL 37

Expert Comment

by:Kimputer
ID: 40270216
As I said before, the more nasty ones you can never delete from inside Windows (code is already started, and sometimes even hidden through special hooks). Removing it OUTSIDE Windows (USB/CD boot) is the safest way to go.
0
 

Author Comment

by:jegajothy
ID: 40270463
In response to Aadih, I used that too, but it could not find the rogue. Looks like the win32/caphaw is a real nasty one.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40270468
No kidding.  :-(
0
 

Author Closing Comment

by:jegajothy
ID: 40276421
What Microsoft paid support could not solve, u solved it, thank u so much.
0
 
LVL 24

Expert Comment

by:aadih
ID: 40276464
You solved it!  

Great.

:-)
0

Question has a verified solution.