Calculator appearing out of nowhere..

MortaR

At random, especially when I'm playing a game, the Windows calculator will appear at random with at least 5-6 instances running.. As far as I know, I don't have any software open to shortcut to the calculator. When it happens, all instances open at once; it's not like one after the other, it's as though a script is being executed to open sometimes 5 times, sometimes 10, sometimes 28 copies of the calculator. Any ideas?
 
Wow, and just last week a guy was complaining he could not find the calculator at all!

I can tell you that just about every tutorial on using the scripting facilities of Windows uses calc.exe as an example, so be sure you did not inadvertently do something playing with .vbs or the Windows Scripting Host.

Control Panel, Scheduled Tasks: is there any entry referring to a .vbs or .cmd or .bat that seems strange? Remove the entry.

As a test, rename c:\windows\system32\calc.exe to something like calc32bak.exe.

The script debugger should be enabled under Internet Options, Advanced, and the consequent error message should point you to the guilty file.
 
While searching for the calculator file I found a copy in C:\windows\system32\dllcache and CALC.EXE-02A5B4B1.pf in c:\windows\prefetch. Is this of any help? I'll still rename it now, just wanted to see if these looked familiar/virusy...

Thanks
 
Mmmmmmm.. happened again.. except now that I check, the backup file that I renamed to calcbak.exe is still there and there is the original calc.exe, same size.. Does Windows XP file protection cover utils as well? The random popup thing happened again and the calculator opened 4 sessions for no reason five minutes ago..
 
Sorry about the size guys.. can't see too much in here that would affect it?

Logfile of HijackThis v1.97.2
Scan saved at 9:46:04 PM, on 23/09/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Code:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BPA Usage\BPA Usage.exe
C:\Program Files\Tweak-XP\blads.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\WinVNC\winvnc.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Folding@Home\winFAH.exe
C:\Program Files\No-IP\DUC20.exe
C:\Program Files\Internode\mum.exe
C:\Program Files\ICQ\Icq.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Microsoft Visual Studio\VB98\vb6.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Folding@Home\FahCore_78.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\WINDOWS\System32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\mdm.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\MortaR\LOCALS~1\Temp\Rar$EX00.954\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = iexplore
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\RealVNC\WinVNC\winvnc.exe" -servicehelper
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [InternodeUsage] C:\PROGRA~1\INTERN~3\mum.exe
O4 - HKLM\..\Run: [eDonkey2000] C:\Program Files\eDonkey2000\eDonkey2000.exe -t
O4 - HKCU\..\Run: [BPA Usage] "C:\Program Files\BPA Usage\BPA Usage.exe"
O4 - HKCU\..\Run: [BlockAds] C:\Program Files\Tweak-XP\blads.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKCU\..\RunOnce: [ICQ] C:\Program Files\ICQ\Icq.exe -trayboot
O4 - Startup: Bigpond ADSL.lnk = ?
O4 - Startup: Folding@home 3.24.lnk = ?
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: Web Entry (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) - http://bins.dynamicdesktopmedia.com/cab/ddm_control.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) - http://www.smartforce.com/v2.1/applications/liveplay/Activex/AXClientUtil.cab
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) - http://tw.msi.com.tw/autobios/client/iftwclix.cab
O16 - DPF: {555500CD-CB54-11D6-8DB9-0000864598B3} (Diagmgr Class) - http://instantsupport.asiapac.hp.com/awebui/jsp/answerweb/applets/HPISDiagManager.CAB
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003050501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37712.7529976852
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - http://dload.ipbill.com/del/loader.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2FA143C7-BBAC-4493-9F9F-39B2418FB5E1}: NameServer = 192.231.203.132 192.231.203.3
 
First, Control Panel, Add/Remove Programs, Windows Components, Accessories and Utilities, Accessories, uncheck the calculator and Okay your way out to remove calc.exe.

It is nice to see someone else who is Folding@Home.

As a guess, the calc.exe is being called as an ODBC object by one of these:

C:\Program Files\BPA Usage\BPA Usage.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {23B7A816-3647-49D2-9756-6F41CE8F9201} (ddm_download.ddm_control) -
O16 - DPF: {2C52AF58-B9B1-11D5-9DF6-00508B755B44} (AXClientUtil2 Control) -
O16 - DPF: {4E330863-6A11-11D0-BFD8-006097237877} (InstallFromTheWeb ActiveX Control) -
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

Unless there is a compelling reason for these to be running, I would use Hijack to remove the entries. The BPA usage monitor is doing a lot of ODBC tie-ins to Excel and likely Access. You might consider an update to mum.exe, and any macro scripts that are used for Excel or Access by the software.

But removing calc.exe should work.
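
Added example, not part of the original posts: a small Python parser for the HijackThis lines picked out in the reply above. It splits O4 autorun and O16 (Downloaded Program Files) entries into fields and lists the ones worth a manual look: unnamed ActiveX downloads, startup shortcuts with no resolved target, and anything naming calc.exe. The function names and review rules are assumptions made for this example, not HijackThis behaviour.

```python
import re

# Sample lines copied from the log in this thread; [URL] tags are forum markup seen in pasted logs.
SAMPLE = r'''
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BPA Usage] "C:\Program Files\BPA Usage\BPA Usage.exe"
O4 - Startup: Bigpond ADSL.lnk = ?
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - [URL unfurl="true"]http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab[/URL]
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} - [URL unfurl="true"]http://dload.ipbill.com/del/loader.cab[/URL]
'''

BBCODE = re.compile(r'\[/?URL[^\]]*\]')                      # forum markup to strip
LINE = re.compile(r'^([A-Z]\d+) - (.*)$')                    # "<section code> - <rest>"
RUN = re.compile(r'^(HK\w+)\\\.\.\\(\w+): \[([^\]]+)\] (.*)$')
STARTUP = re.compile(r'^((?:Global )?Startup): (.+?\.lnk) = (.*)$')
DPF = re.compile(r'^DPF: (\{[0-9A-Fa-f-]+\})(?: \((.*?)\))? - ?(.*)$')

def parse(text):
    """Return one dict per recognised log line: section code plus typed fields."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(BBCODE.sub('', raw).strip())
        if not m:
            continue  # headers, process list, blank lines
        code, rest = m.groups()
        e = {'code': code, 'raw': rest}
        if code == 'O4' and (r := RUN.match(rest)):
            e.update(kind='run', hive=r[1], key=r[2], name=r[3], command=r[4])
        elif code == 'O4' and (s := STARTUP.match(rest)):
            e.update(kind='startup', scope=s[1], name=s[2], command=s[3])
        elif code == 'O16' and (d := DPF.match(rest)):
            e.update(kind='dpf', clsid=d[1], name=d[2], codebase=d[3])
        entries.append(e)
    return entries

def review(entries, needle='calc.exe'):
    """Entries to inspect by hand; a flag is a prompt to look, not a verdict."""
    out = []
    for e in entries:
        if needle.lower() in e['raw'].lower():
            out.append((f'references {needle}', e))
        elif e.get('kind') == 'dpf' and not e['name']:
            out.append(('unnamed ActiveX download', e))
        elif e.get('kind') == 'startup' and e['command'] == '?':
            out.append(('startup shortcut with unresolved target', e))
    return out
```

On the sample lines nothing references calc.exe directly, so a log like this narrows the list of things to check rather than naming the launcher.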
 
Removed calc.exe and problem is fixed.. Have downloaded a freeware calculator for the time being and that works fine.

Thanks for your help bcastner!
 