Reverse engineering

My OS is Win 7 Prof 64 bit. I have been plagued by the malware Win32/Caphaw. After walking through it with Microsoft paid support, not sure what they did, but the Task Manager's Services or Processes showed the culprit (Alert.exe) that was displaying the virus notification screen, see screenshot.
The question is how do I trace backwards which program triggered this Alert.exe to be executed. MS suspects a link in my email client or my Torch browser because it happens whenever I open an email client, either through Outlook 2007 or through the web, using Torch or IE or Opera. My email is the free MSN account.
I hope the gurus can throw some light on how I can trace this program to its roots and delete the offending program from its source.
Thank you.
win32-caphaw-screen-shot.JPG
jegajothy (retired) asked:
jhyiesla commented:
I would attempt to use some standard scanning tools like Malwarebytes (malwarebytes.org) or ComboFix (bleepingcomputer.com). There are also other ones like TDSSKiller from Kaspersky that will remove some rootkit infections. If you still can't get rid of it or your system seems wonky even after you think you've cleaned it, save off your data and wipe and reload the OS. I know that's extreme sometimes, but then you know you are OK going forward.
Kimputer commented:
Actually, you are the one who should remember when it got infected (assuming we're talking about a computer you are using, not a friend's or colleague's). That's because Win7 employs User Account Control, which means you have to click several times on OK before a virus gets properly installed!
Anyway, you can't always trace back how or what; it could be you're missing info in your browser history, file dates could have been changed by the virus, etc. The best way to remember is when you allowed the virus to access your system.

All of the above, of course, assumes you kept your Windows up to date, but also all your other software, browsers, plugins, etc. It also assumes you DIDN'T disable UAC.
If this isn't correct, the next question is of course, WHY? (It also means the virus didn't need your approval to install itself, making tracing it even more difficult.)
Dave Howe (Software and Hardware Engineer) commented:
If procexp doesn't show a dependency (i.e. in the tree display, alert.exe running under another process), procmon is probably your best bet: while procexp (as recommended above, and really a good piece of software) will show you what is running, procmon is better for showing what process launched what other process.
jegajothy (retired, Author) commented:
In response to everyone: MS paid support had tried everything like Kaspersky TDSSKiller, slim...... , Malwarebytes Anti-Malware Premium, Avast Premier, Windows Essentials, but the rogue program still manages to show up whenever I load an email client like Outlook 2007 or IncrediMail or my MSN email account through the web browser, like Torch or Opera. Initially MS thought the virus was piggybacked to the Torch browser, and the software was uninstalled, but it is still there.
Probably, before I go to the extreme solution, let me see if I can uninstall Outlook 2007 completely and then run all the antivirus programs and see if it detects it, and then reinstall Outlook 2007. Thank you to everyone for their input, but I am still laden with this problem.
jegajothy (retired, Author) commented:
In response to aadih: I downloaded and ran Process Monitor and attach herewith the list of processes. I hope you could please see if there is anything unusual, or close to the win32/caphaw program, and if yes, what should I do. Thank you
processmonitor-results.TXT
Kimputer commented:
I'm a bit confused now, are you still trying to analyse Alert.exe, as in, its origin, vector of attack? Or do you just want to remove it and be done with it?
jegajothy (retired, Author) commented:
In response to Kimputer: I am trying to delete Alert.exe and whatever dependencies or derivatives it may have completely from my computer. But don't you think one should analyze this first, because I do not know what other damage it will cause if it is not removed systematically, like how the program Revo Uninstaller does its work.
In fact the screen appeared again when I tried to access my Outlook 2007 email message. Thank you for your response and suggestions.
Kimputer commented:
Most of the time, people can't remember if the virus was from an email, web browsing or whatever. It's not that much use to trace it back. Just keep to the safe rules, and you'll be fine:
Don't open files you don't know / need (goes for web browsing as well as email), no matter how tempting (bank, UPS, DHL).
Keep Windows up to date, as well as all other programs (Java/Adobe/Flash etc.) and antivirus.
Always close popups with ALT+F4.
Set all browsers to highest security (enable plugins on click).
Keep UAC on.
Log in as a "normal" user. Keep the admin user/password separately, and only type it in when needed (installing software you're sure is safe).

Now on to the alert.exe which you don't seem to be able to get rid of. Get rid of it OUTSIDE of Windows! Use a bootable CD/USB from any antivirus company to clean your PC (AVG, Avast etc., all free). For good measure, why not scan it multiple times with different CDs.
You will now most definitely get rid of the main virus. Some extra components can now be removed with types like Malwarebytes inside Windows again.
aadih commented:
The problem process is:

"taskeng.exe            2,368 K      6,264 K      5024
    Alert.exe      < 0.01      22,112 K      4,752 K      5004"

It's a scheduled task.

It'd be difficult to determine which task it is that gets scheduled by "Task Scheduler," however.

My advice is to scan using Malwarebytes Anti-Malware (free) to clean this "virus," which it is. If that does not work, use HitmanPro or ComboFix to remove it (also scan with TDSSKiller for any rootkit infection just to make sure). Rather than more analysis, cleaning it up is the road you must travel now.
jegajothy (retired, Author) commented:
In response to aadih: thank you for your feedback. I have tried all those that you had suggested, and even Microsoft paid support did the same thing, and I even repeated them after they logged off, but it still did not find the culprit.
Meanwhile, how do I get rid of the two files you found? A search for alert.exe did not find anything. A search for taskeng.exe found it, but please see the snapshot of the screen I got. Is it safe to delete the file? Thank you again for your feedback.
taskeng-exe-snapshot.JPG
aadih commented:
No, do not delete taskeng. It's a required system file.

Go to Task Scheduler, and inspect each scheduled task (under Windows, most probably, but not necessarily) one by one until you find the one [task] that has "alert.exe" in it. That's the only way, as far as I know. Painstaking and time consuming.
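An added example, not code from the thread or from any of the tools named in it: it does the two checks described above in PowerShell, the process-tree lookup Dave Howe describes (what launched Alert.exe) and the scheduled-task hunt aadih describes, but it searches the task XML definitions on disk instead of opening each task in the Task Scheduler GUI. It assumes Windows 7 with PowerShell 2.0, an elevated prompt (the task files under System32\Tasks are not readable otherwise), and the image name Alert.exe as shown in the screenshot.

```powershell
# Added example (not from the thread): trace a suspicious image back to its parent
# processes and to the scheduled task whose <Exec> action launches it.
param([string]$ImageName = 'Alert.exe')   # assumed name, as shown in Task Manager / procexp

# 1. Parent chain. Win32_Process exposes ParentProcessId, which is what procexp's tree view
#    is built from. Caveat: Windows only stores the parent PID, so if the parent has already
#    exited and its PID was reused, the chain can end in an unrelated process.
function Get-ParentChain([string]$Name) {
    foreach ($p in (Get-WmiObject Win32_Process | Where-Object { $_.Name -ieq $Name })) {
        $cur = $p
        while ($cur -and $cur.ProcessId -ne 0) {
            '{0} (PID {1}): {2}' -f $cur.Name, $cur.ProcessId, $cur.CommandLine
            if ($cur.ParentProcessId -eq $cur.ProcessId) { break }
            $cur = Get-WmiObject Win32_Process -Filter ("ProcessId = $($cur.ParentProcessId)")
        }
        '---'
    }
}

# 2. taskeng.exe as the parent means Task Scheduler started it. Every task is stored as an
#    XML file under %SystemRoot%\System32\Tasks; each <Exec> action carries <Command> and
#    <Arguments>, so the definitions can be searched directly.
function Find-TaskLaunching([string]$Pattern) {
    $root = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
      Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        try { $xml = [xml](Get-Content -Path $file.FullName -ErrorAction Stop) } catch { return }
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec) { continue }          # e.g. ComHandler actions have no <Exec>
            $cmd = "$($exec.Command) $($exec.Arguments)"
            if ($cmd -like "*$Pattern*") {
                New-Object PSObject -Property @{
                    Task    = $file.FullName.Substring($root.Length)   # e.g. \Microsoft\Windows\...
                    Command = $cmd
                    Enabled = $xml.Task.Settings.Enabled
                }
            }
        }
    }
}

Get-ParentChain $ImageName
$hits = @(Find-TaskLaunching $ImageName)
$hits | Format-List
# Disable rather than delete a matching task, so its definition stays available for analysis.
foreach ($h in $hits) { Write-Host "schtasks /Change /TN `"$($h.Task)`" /DISABLE" }
```

The Task value is the path Task Scheduler shows (relative to the library root), which is the same /TN string schtasks expects.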
aadih commented:
Did you also scan using AdwCleaner?

If not, please do it; it takes only a few minutes.
Kimputer commented:
As I said before, the more nasty ones you can never delete from inside Windows (the code is already started, and sometimes even hidden through special hooks). Removing it OUTSIDE Windows (USB/CD boot) is the safest way to go.
jegajothy (retired, Author) commented:
In response to aadih: I used that too, but it could not find the rogue. Looks like the Win32/Caphaw is a real nasty one.
aadih commented:
No kidding.  :-(
jegajothy (retired, Author) commented:
What Microsoft paid support could not solve, you solved. Thank you so much.
aadih commented:
You solved it!  

Great.

:-)
Question has a verified solution.