I have a computer running Windows XP Professional Edition. I am by no
means a computer novice; I've been working the field for the past 8
years. But my computer is having a problem that has stumped me and
I'm curious to know if anyoen else has any ideas as to what might be
wrong or how to fix it.
Windows Calculator (calc.exe) opens, apparently by itself, several
times per day. It happens when I'm not at my computer, as well as
when I am, and I cannot find any rhyme or reason for this behavior. I
have McAfee Virusscan with the latest updates, the computer is behind
three firewalls (one at my ISP, one at my home router, plus WinXP's
built in "firewall"). If it's a virus, it isn't one known by McAfee.
I emailed them and they had no idea, and said they wouldn't be able to
isolate a virus without more specific information, such as an infected
file or logs of what is happening, which I don't have. If it's a
backdoor, again, Virusscan isn't picking it up, and the attacker is
somehow making it through the firewalls (and is also apparently doing
no damage other than annoying me with the constant execution of
calc.exe).
First, I'm wondering if anyone is familiar with this sort of problem
and can offer some sort of insight as to what might be going on.
Second, if no one has heard of anything like this, I would like some
advice as to how I can figure out what's going on and make it stop
without having to reformat (I have too much school and work related
material scattered all over the hard drive on this computer and
backing it all up for a reformat would be extremely tedious).
Thanks in advance for any advice. $5.00 tip if I get this fixed. |
Request for Question Clarification by
davebug-ga
on
28 Oct 2003 19:41 PST
Not that this provides any answers, but for help in determining if
there are others having a similar problem, is this you?
http://groups.google.com/groups?lr=&th=955e238cf9c7e5ad
|
Clarification of Question by
bl00d-ga
on
28 Oct 2003 22:15 PST
No, that isn't me, but that sounds like exatly the problem I'm having.
I did what the people in that thread suggested (msconfig and removing
unnecessary or unfamiliar programs from startup), as well as what
people have suggested in the comments for this question (renaming
calc.exe). If possible, I would like to wait to see if any of these
changes makes a difference before receiving an answer. I'll post
either later tonight or tomorrow with the results and let you know if
I still need help with this.
|
Clarification of Question by
bl00d-ga
on
28 Oct 2003 23:02 PST
It's still starting. Immediately upon deleting calc.exe, it appears
right back in the folder again (within 5 seconds). I've tried now
replacing calc.exe with a different program to see what happens.
Anyway, take my question off hold. Feel free to answer any time,
since I'm still having the problem. Thanks.
|
Request for Question Clarification by
serenata-ga
on
29 Oct 2003 10:58 PST
Could it be a virus?
Here's a bit from Trend Micro on a virus that names itself calc.exe:
http://it.trendmicro-europe.com/enterprise/security_info/ve_detail.php?id=55961&VName=WORM_GELCAN.A&VSect=T
Serenata
|
Clarification of Question by
bl00d-ga
on
29 Oct 2003 16:16 PST
If it's a virus, it's not a virus that is known to McAfee. The
description on the page whose URL you posted also does not match the
problem I'm having. The copy of calc.exe which is being launched is
in c:\windows\system32
Upon deleting it, it comes right back. I also made a copy of Notepad
and named it c:\windows\system32\calc.exe, replacing the calc.exe
which was being launched. Now, Notepad gets periodically launched.
So whatever is causing this problem obviously does not reside in the
calc.exe file, since I replaced it. It's some kind of external
program which is executing the program based on its location and file
name.
Is there any way in Windows XP to see logs of what programs were
executed, and hopefully who or what they were executed by?
|
Request for Question Clarification by
aht-ga
on
29 Oct 2003 18:58 PST
bl00d-ga:
The symptoms you describe are eerily similar to the symptoms
associated with the worm Scorvan. You can read more about this at
Panda Software's virus library page:
http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?lst=det&idvirus=39975
Symantec also lists this worm in its virus information library.
Interestingly enough, the Network Associates/McAfee virus information
libraries do not appear to contain any reference to this worm.
Please review the Panda Software information, and if possible get a
different virus scanner to check your system. Also, refer to the
folder locations listed in the Panda Software information, and see if
you can find any evidence of the worm on your computer.
Good luck,
aht-ga
|
Clarification of Question by
bl00d-ga
on
02 Nov 2003 02:55 PST
I ran the virus scanner from Panda, and it returned no viruses. But
here's the kicker. My computer's performance became so terrible (in a
short period of time) that I simply decided to format the hard drive a
while ago and reinstall XP. I figured that this would alleviate the
speed problems (which it di) and also get rid of whatever problem is
causing calc.exe to keep opening. My hard drive has two partitions,
and I only reformatted the main one, where the operating system is
installed. The other partition contains most everything else.
After reformatting, calc.exe is -still- opening. So this means that
whatever is causing the problem somehow resides on the other
partition. But as to how it's being run is beyond me. Since I
reformatted, there should be nothing in the registry or anywhere else
that's causing a program on the 2nd partition to launch upon booting
my machine.
That description on Panda's site sounds a lot like what's going on
here, but again, their scanner returned nothing, and I also tried
their advice for how to get rid of it manually, and that didn't work
either. I ran the scan both before and after the reformat, on both
partitions.
Any help from here would be really great, since the only other fix I'm
able to think of would be to reformat the other partition too, but
that would be a much more massive project since that's where all of my
important files and programs are. Backing up 20 or so gigs to CD-R is
not something I'm looking forward to doing.
|
Request for Question Clarification by
bookface-ga
on
03 Nov 2003 08:52 PST
What kind of keyboard are you using? It doesn't perchance have a
"calculator" button or the like, does it? It seems an unlikely
culprit, but...
- bookface
|
Clarification of Question by
bl00d-ga
on
05 Nov 2003 09:14 PST
No, it doesn't. There are three non-standard function keys, but none
of them opens calc.exe. Additionally, the program starts even when
I'm not at my computer. If I leave and go to class, and come home 3
hours later, there will be two or three instances running that weren't
there before.
P.S. I think I just hit an all time record for most clarifications on
any one question. ;)
|
Request for Question Clarification by
feilong-ga
on
27 Nov 2003 01:27 PST
If it's a virus hidden in your drive, I suggest you scan your present
drive using a different computer with an updated antivirus just to
make sure that the problem is not in your system and to isolate
troubleshooting only in your problem drive. The antivirus setting in
the primary master of the second computer should be set to autoprotect
and the heuristics should be set to highest. Set your problem drive as
secondary master. Start the computer and then scan your problem drive.
In your case, I think it would be better if the antivirus in the
second computer is PC-cillin by Trend Micro since it detects a virus
that mimics calc.exe.
If a virus is not found, run the suggested anti-spyware programs
suggested by Tlspiegel-ga below. Install and run the programs in the
second computer to scan your problem drive.
Please tell us if a virus and/or spyware is found and ifthe problem is
finally solved.
-Feilong
|
