Unknown Trojan Help - calco.exe

Hi there,

I just recently formatted my computer and put back on XP Pro SP2, and I noticed that I have a process running called calco.exe in my C:\WINDOWS\system32\DirectX folder. It is 68.5 KB and it gives no information in the properties box.

I have NOD32 and it detected it as a "Operating memory - probably unknown NewHeur_PE virus [7]" and it quarantines it and then it will come back on the process list in a few minutes. This is the reason why I think it's not a false positive, since it has trojan-like behavior.

I try deleting the file and it just comes back again. I have searched for it in regedit and there are no entries. And I try and Goodgle it and getting nothing helpful either.

Thanks,

Charles

 

Try booting to Safe Mode and run a full on-demand scan. The NOD32 Control Center will not work in Safe Mode, so you will have to go through Start --> All Programs --> Eset --> NOD32 .

 

First turn off System Restore in Windows XP

Right click on My Computer-> Properties -> Systerm Restore -> Check "Turn off..." . Apply and OK

Make sure your NOD32 is updated via going to Control Center -> Update -> Update now

Configure your NOD32 correctly for on-demand scan.Open Start-Programs-ESET-NOD32 and configure as shown here

Boot in Safe Mode . To do this , hit F8 repeatedly while your WIndows is starting before the Windows logo appears .You'll open Windows Advanced Menu and choose Safe Mode . Wait some time and log into your computer.Goto Start-Programs-ESET-NOD32 . Remember to choose the right profile which you already configured and perform full Scan&Clean

 

Ok, I did a full scan in Safe Mode and the same NewHeur_PE virus was detected and deleted. And then I boot into regular mode and there it is again on the process list. I just submitted it to NOD32 sample page for analysis.

 

can you please scan the file on
http://www.virustotal.com/
or
http://virusscan.jotti.org/

 

Scan it on virustotal and post a screenshot.

 

VirusTotal came back with a few red flags but when I looked at calco.exe in Process Explorer properties I found that it was linked to some .dll's that are trojans: WININET.dll

Some of the other .dll's that are associated with calco.exe (in the 1st attached pic) are critical windows dlls which means it's disguising itself in them I'm guessing?

http://www.liutilities.com/products/wintaskspro/dlllibrary/wininet/

http://img354.imageshack.us/img354/173/calcokn4.th.jpg

http://img354.imageshack.us/img354/6109/virustotalru1.th.jpg

edit: I put WININET.dll throught Virus Total and it came back with no viruses at all

 

Have you turned off System Restore before going to Safe Mode . It is important , really important .

In addition to my previous advise I would suggest you open Start->Run->type regedit.exe and press ENTER .Carefully navigate to Hkey-Local Machine\Software\Microsoft\Windows\Current version\Run and in the right , check for file associated to that trojan . Right click on them and Delete . After that close and boot in Safe Mode and perform full scan .

Something else , really useful . Download and install Unlocker
http://ccollomb.free.fr/unlocker/

Use it to manually kill that file and associated stuff.

If nothing helps , please send the suspected file to the TechSupport and point them to that thread here at Wilders . The address is support@eset.us or support@eset.sk

Good luck !

 

Yes I have turned off System Restore a while ago and I have also gone into regedit without any trace of calco.exe anywhere. The only problem I have with deleting those associated files is that they are actual core system files and deleting them could cause system failure.

Also here is my HijackThis log:

~ snip ~ HijackThis Logs may only be posted upon request of a Moderator or Specialist ~ Blackspear

 

lchazl, please check you PM (Private Mail) box, someone is trying to contact you to obtain a sample of this file to analyse and send to Eset..

Blackspear.

 

Post removed.

Wilders Security and Security Specialists in general do NOT recommend the use of automated HijackThis log analysers due to the amount of false positives they can produce and the damage that can be done when an inexperienced person uses such analysers.

As well, turning off System Restore would be the very last step in any cleaning steps of an infected computer since nothing in System Restore can be harmful unless it's used to restore from. You certainly wouldn't turn System Restore off if you weren't sure the PC was infected, and definitely NOT before fiddling with the registry.

A backup of the registry should be the first suggestion before telling someone to go into it and start deleting items.

ESET's Technical Support do NOT recommend the above, and nor do the Staff and Specialists at Wilders.

Blackspear.

 

I understand that HijackThis is not 100% sure of anything, also I know that System Restore in itself isn't bad but it is something I don't need. I have also made backups to my registry so there is no harm done =)

 

That's ok, my response was due to a Post that has now been removed, it had advice that in the wrong hands of an inexperienced person could be harmful to their computer.

Blackspear.

 

What I did do just recently was to delete calco.exe in the \directx folder and then replace it with any other .exe and rename it to calco, this half solves the problem but for example i put cmd.exe in place of it and all it does now is open up cmd.exe every little while, 2 of them on bootup.

I know it's just a test but it stops the real file from opening since it can't overwrite it.

 

Hi Ichazl,

If you want to remove this one you can use the free version of superantispyware (www.superantispyware.com)

Good Luck

 

It worked beautifully!!!

Thank you very much tfarctlov
I got the program and it found the registry entries and deleted the file. I guess the trojan changed it's name from calco to calcc just right now, but I am sure it is gone because I have scanned it again with NOD32.

This is what it found and what I subsequentially deleted:

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32
HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32#ThreadingModel
C:\WINDOWS\system32\calcc.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}

 

Glad to hear it's gone

Just wondering... Did this file get sent in for analysis at any time - so that others can be protected also?

Cheers

 

After thinking about it for a little, calcc.exe was the originator file that kept recreating calco.exe to carry out its work.

I have the option to restore calcc.exe from the quarantine to submit for analysis but I just don't want to run the risk of getting infected again. Do you people think I should or is their no risk or reinfection?

 

Just hit "Submit for analysis", and it will be sent via "Threatsense".

Don't restore the file.

Cheers

 

Just got advise that it was probably calcc.dll doing the creating if that makes it any easier...

Cheers

 

But the thing is that it was quarantined by Super AntiSpy, not NOD32 and the only option it gives is to restore or delete quarantined items

 

If possible, please submit the file calcc.dll to samples @ eset.com with a link to this thread in the subject.

 

It's submitted =)

 

Phew - I'm glad that's all over
Just to confirm, NOD32 detects that sample calcc.dll as Win32/TrojanDropper.Small.NDQ

Cheers