Unknown Trojan Help - calco.exe

Discussion in 'NOD32 version 2 Forum' started by lchazl, Jul 14, 2006.

Thread Status:
Not open for further replies.
  1. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    Hi there,

    I just recently formatted my computer and put back on XP Pro SP2, and I noticed that I have a process running called calco.exe in my C:\WINDOWS\system32\DirectX folder. It is 68.5 KB and it gives no information in the properties box.

    I have NOD32 and it detected it as an "Operating memory - probably unknown NewHeur_PE virus [7]" and it quarantines it, and then it will come back on the process list in a few minutes. This is the reason why I think it's not a false positive, since it has trojan-like behavior.

    I tried deleting the file and it just comes back again. I have searched for it in regedit and there are no entries. And I tried Googling it and got nothing helpful either.

    Thanks,

    Charles
     
  2. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Try booting to Safe Mode and run a full on-demand scan. The NOD32 Control Center will not work in Safe Mode, so you will have to go through Start --> All Programs --> Eset --> NOD32.
     
  3. ASpace

    ASpace Guest

    First turn off System Restore in Windows XP.

    Right click on My Computer -> Properties -> System Restore -> check "Turn off...". Apply and OK.

    Make sure your NOD32 is updated by going to Control Center -> Update -> Update now.

    Configure your NOD32 correctly for on-demand scan. Open Start-Programs-ESET-NOD32 and configure as shown here.

    Boot in Safe Mode. To do this, hit F8 repeatedly while your Windows is starting, before the Windows logo appears. You'll open the Windows Advanced Menu; choose Safe Mode. Wait some time and log into your computer. Go to Start-Programs-ESET-NOD32. Remember to choose the right profile which you already configured and perform a full Scan&Clean.


    :D
     
  4. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    Ok, I did a full scan in Safe Mode and the same NewHeur_PE virus was detected and deleted. And then I booted into regular mode and there it is again on the process list. I just submitted it to the NOD32 sample page for analysis.
     
  5. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
  6. ugly

    ugly Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    276
    Location:
    Romania
    Scan it on virustotal and post a screenshot.
     
  7. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    VirusTotal came back with a few red flags, but when I looked at calco.exe in Process Explorer properties I found that it was linked to some .dll's that are trojans: WININET.dll

    Some of the other .dll's that are associated with calco.exe (in the 1st attached pic) are critical windows dlls which means it's disguising itself in them I'm guessing?

    http://www.liutilities.com/products/wintaskspro/dlllibrary/wininet/

    http://img354.imageshack.us/img354/173/calcokn4.th.jpg

    http://img354.imageshack.us/img354/6109/virustotalru1.th.jpg

    edit: I put WININET.dll through Virus Total and it came back with no viruses at all
     
    Last edited: Jul 15, 2006
  8. ASpace

    ASpace Guest



    Have you turned off System Restore before going to Safe Mode? It is important, really important.

    In addition to my previous advice I would suggest you open Start->Run->type regedit.exe and press ENTER. Carefully navigate to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and on the right, check for files associated with that trojan. Right click on them and Delete. After that close and boot in Safe Mode and perform a full scan.

    Something else, really useful. Download and install Unlocker:
    http://ccollomb.free.fr/unlocker/

    Use it to manually kill that file and associated stuff.

    If nothing helps, please send the suspected file to the TechSupport and point them to that thread here at Wilders. The address is support@eset.us or support@eset.sk

    Good luck ! :thumb:
     
  9. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    Yes I have turned off System Restore a while ago and I have also gone into regedit without any trace of calco.exe anywhere. The only problem I have with deleting those associated files is that they are actual core system files and deleting them could cause system failure.

    Also here is my HijackThis log:

    ~ snip ~ HijackThis Logs may only be posted upon request of a Moderator or Specialist ~ Blackspear
     
    Last edited by a moderator: Jul 15, 2006
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    lchazl, please check your PM (Private Mail) box, someone is trying to contact you to obtain a sample of this file to analyse and send to Eset.

    Blackspear.
     
    Last edited: Jul 16, 2006
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Post removed.

    Wilders Security and Security Specialists in general do NOT recommend the use of automated HijackThis log analysers due to the amount of false positives they can produce and the damage that can be done when an inexperienced person uses such analysers.

    As well, turning off System Restore would be the very last step in any cleaning steps of an infected computer since nothing in System Restore can be harmful unless it's used to restore from. You certainly wouldn't turn System Restore off if you weren't sure the PC was infected, and definitely NOT before fiddling with the registry.

    A backup of the registry should be the first suggestion before telling someone to go into it and start deleting items.

    ESET's Technical Support do NOT recommend the above, and nor do the Staff and Specialists at Wilders.

    Blackspear.
     
  12. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    I understand that HijackThis is not 100% sure of anything, also I know that System Restore in itself isn't bad but it is something I don't need. I have also made backups to my registry so there is no harm done =)
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    That's ok, my response was due to a Post that has now been removed, it had advice that in the wrong hands of an inexperienced person could be harmful to their computer.

    Blackspear.
     
  14. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    What I did do just recently was to delete calco.exe in the \directx folder and then replace it with any other .exe and rename it to calco. This half solves the problem, but for example I put cmd.exe in place of it and all it does now is open up cmd.exe every little while, 2 of them on bootup.

    I know it's just a test but it stops the real file from opening since it can't overwrite it.
     
  15. tfarctlov

    tfarctlov Registered Member

    Joined:
    Jan 9, 2005
    Posts:
    8
    Hi lchazl,

    If you want to remove this one you can use the free version of superantispyware (www.superantispyware.com)

    Good Luck
     
  16. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    It worked beautifully!!!

    Thank you very much tfarctlov
    I got the program and it found the registry entries and deleted the file. I guess the trojan changed its name from calco to calcc just right now, but I am sure it is gone because I have scanned it again with NOD32.

    This is what it found and what I subsequently deleted:

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
    HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
    HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32
    HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}\InprocServer32#ThreadingModel
    C:\WINDOWS\system32\calcc.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
    HKCR\CLSID\{00212521-4FEF-4AD3-B3AA-E0531B8DC123}
     
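    The entries SUPERAntiSpyware listed above are a ShellExecuteHooks persistence: Explorer loads the DLL behind each CLSID registered under that key in-process, which is why a dropper DLL there can keep recreating an executable that a scanner has just removed. The script below is an added example (not code from this thread, from ESET or from SUPERAntiSpyware) that enumerates the ShellExecuteHooks key on a Windows host and resolves each CLSID to its InprocServer32 DLL, reporting whether the file exists and what its Authenticode status is. The Wow6432Node path and the signature heuristic are assumptions for illustration; the key paths themselves are the ones named in the thread.

```powershell
# Added example: audit Explorer's ShellExecuteHooks (assumed Windows host, PowerShell 2.0+).
# Reports each hook CLSID, the DLL it resolves to, and a few triage signals.

$HookKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks',
    # 32-bit Explorer view on 64-bit Windows; absent on 32-bit XP (assumption).
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks'
)

function Resolve-ClsidServer {
    # Returns the expanded InprocServer32 default value (DLL path) for a CLSID, or $null.
    param([Parameter(Mandatory=$true)][string]$Clsid)
    foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        $server = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path -LiteralPath $server) {
            $path = (Get-Item -LiteralPath $server).GetValue('')
            if ($path) { return [Environment]::ExpandEnvironmentVariables($path) }
        }
    }
    return $null
}

function Get-ShellExecuteHookReport {
    foreach ($key in $HookKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            # Value names under this key are CLSIDs; anything else is already suspicious.
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
                [pscustomobject]@{ Key=$key; CLSID=$name; Dll=$null; Exists=$false; Signature='n/a'; Note='value name is not a CLSID' }
                continue
            }
            $dll    = Resolve-ClsidServer -Clsid $name
            $exists = $dll -and (Test-Path -LiteralPath $dll)
            $sig    = 'n/a'
            if ($exists) {
                # Catalog-signed OS files can report NotSigned here; treat this as one signal, not a verdict.
                $sig = (Get-AuthenticodeSignature -FilePath $dll).Status
            }
            $notes = @()
            if (-not $dll)        { $notes += 'CLSID has no InprocServer32' }
            elseif (-not $exists) { $notes += 'DLL missing on disk' }
            elseif ($sig -ne 'Valid') { $notes += "signature $sig" }
            [pscustomobject]@{
                Key = $key; CLSID = $name; Dll = $dll; Exists = [bool]$exists
                Signature = $sig; Note = ($notes -join '; ')
            }
        }
    }
}

Get-ShellExecuteHookReport | Format-Table -AutoSize -Wrap
```

    Run it from an elevated PowerShell prompt and compare each reported DLL against what you expect on the box; a hook pointing at an unsigned DLL in system32 with a name you do not recognise is the pattern this thread ended up finding. Removal of a confirmed entry is the scanner's job or a deliberate registry edit after a backup, as Blackspear notes above; this script only reads.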
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Glad to hear it's gone :)

    Just wondering... Did this file get sent in for analysis at any time - so that others can be protected also?

    Cheers :)
     
  18. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    After thinking about it for a little, calcc.exe was the originator file that kept recreating calco.exe to carry out its work.

    I have the option to restore calcc.exe from the quarantine to submit for analysis, but I just don't want to run the risk of getting infected again. Do you people think I should, or is there no risk of reinfection?
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Just hit "Submit for analysis", and it will be sent via "Threatsense".

    Don't restore the file.

    Cheers :D
     
  20. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Just got advice that it was probably calcc.dll doing the creating, if that makes it any easier...

    Cheers :)
     
  21. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    But the thing is that it was quarantined by Super AntiSpy, not NOD32, and the only option it gives is to restore or delete quarantined items.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If possible, please submit the file calcc.dll to samples @ eset.com with a link to this thread in the subject.
     
  23. lchazl

    lchazl Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    10
    It's submitted =)
     
  24. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Phew - I'm glad that's all over :D
    Just to confirm, NOD32 detects that sample calcc.dll as Win32/TrojanDropper.Small.NDQ

    Cheers :)
     