This is weird. Out of the blue after I started up the computer I was greeted by the standard message that Windows updates are ready (I'm delaying installation for a week or so). Immediately after, ZoneAlarm suite warned me that "Quicktime wants to run at startup", so I denied. Executable is qttask.exe.

Well, it parked itself in the system tray.
I googled a bit and checked c:\windows directory where I see new things from today 7:40pm, but nothing conclusive to understand really
- wiadebug.log
- wiaservc.log
I gather these are related to windows image acquisition - what it that??? I don't aquire any such thing.
then there is
- windowsupdate.log (yeah, I'll do it after I read if it'll break my system)
and
- Qfont.for
- QTfont.qfn

I ran Spybot - it's clean.
I will run a-square and ad-aware in safe mode later
I thought of running Trojan hunter but apparently my temp licence (from about a year ago) expired.

What's this all about?
Why would I get Apple computer program on WindowsXP home? How did it get in?


Edited upon further looking:
1. Bleeping computer startup list shows it as Apple program, no need to have it at startup
2. There's a CoolWebSearch, but my exe filename does not match
3. qttask.exe is in program files.

This is info from ZoneAlarm advice - copied and pasted


Edited some more:
I removed it from the system tray by doing Exit.
It stopped qttask running.
I don't know whether a service runs - names are not obvious to me.
Zone Alarm suite again says QuickTime wants to be at startup, and the alert displays an entry about attempt to Set Value in the registry: HKLM|Software|Microsoft\Windows\CurrentVersion\Run,
with a comma at the end. I suspect the entry is in there already, should I remove it?

The ZA alerts me every time I switch a page right here at BC, as well as on another site, and there are now over 100 entries in the alerts list related to QT.

tos226:

You aren't the only one to have had this happen, though I'm surprised that it would be caused by Windows Update files.

First: QuickTime is a media player that some files require to run. An example is the multimedia files in my Encyclopaedia Brittanica program. The problem comes in because the darned thing wants to start when windows starts which isn't necessary. To keep it from doing that, follow buddy215's directions in the quote I have pasted in below.



Orange Blossom

Thanks a bunch for that link. Good info there and I'll do the settings tonight. But I'm still not too clear about it.

No, I do not think it's in any way related to the windows update - I looked through the update log - nothing there.

So it came in on its own, eh?
It bothers me that it actually put itself into the system tray without me allowing it. ZA is doing a fine job telling me that QT wants to do things, but in my opinion it's too late, is it not? Perhaps if I went on a website, I gave it an implicit permission ??? Yikes I don't think it's like that. Any thoughts would be appreciated. I'm trying to understand.

Hmm. I wonder if QuickTime had been installed in your computer, but just not activated? Did you watch any multi-media stuff about the time those messages started up? One of those may have used QuickTime and triggered it's desire to start-up when you start-up the computer.

Orange Blossom

Hmmm is right
No I did not watch anything that moved. Anything that moves is blocked.

Yeah, I guess it got installed in some fashion, but thankfully ZA gave me a chance to stop it from the registry change, and indeed there was no QT there, and Spybot did not see it either. But it sits there and nags me constantly - i.e. it tries to install itself or run or whatever, and so ZA keeps telling me what QT wants to do, and I have to click deny, deny, deny whole evening.

Now, here's a good one - it clearly says APPLE.
It does confirm what buddy suggests in his replys to the other post
http://www.answersthatwork.com/Tasklist_pages/tasklist_q.htm

Do you have iTunes in relation to an iPod?
It could of come from installing iTunes.


To disable Quicktime (qttask) at startup.

> start
> run
> type "msconfig"
> click "ok" button
System Configuration Utility will now show
>click "startup" (tab)
> look for "qttask
> uncheck box (qttask)
> click: "apply" button
> click "ok" button

If it were I, I'd look in Search for files and folders and delete all I find related to QTime.

Setting a restore point beforehand is always a good idea. Just in case. ;)

No iTunes, no iPod.
Thanks Scarlett. I'll look into msconfig, but I doubt it's there because Spybot startup list would have shown me. I think it is TRYING to install for startup and ZA and I are stopping it. But something must be running since it insisted on sitting in the system tray.

In ZA it got itself into the Programs list but no permissions of any sort to access the internet or anything - Auto put all ????? in there which is fine by me.

Few seconds ago I was going to report how quiet things are and that it's all fixed this evening.

Now the unimaginable happened:
As soon as I got on this site, QuickTime wants to run at startup, I deny, and navigating to this section of the forums is immediately followed by the ZA alert where I deny any runs at startup.

Hmmm???

This makes NO SENSE WHATSOEVER.

Okay,

We have two members experiencing similar problems with QuickTime but apparently from different causes and different reasons but apparently starting at about the same time.

Here is the link to the other topic

Is there something malicious going on or is it some sort of crazy bug or just a weird coincidence? Why won't this problem get fixed and stay fixed?

I think we need to get together on these two and find out if there is something in common.

Orange Blossom

First of all, this qttask, while behaving strangely, is no threat, just a resource hog. I googled for MD5 signature
http://research.pestpatrol.com/Search/File...PVT=-1463431650
http://www.programchecker.com/file/1646.aspx
Both of these places match MD5 that ZoneAlarm OS protection reported, and indicate that Quick Time is legitimate.

I still don't know what started it all.

I reviewed, saw and confirmed few findings
1. QT does not now run at startup, and never did because ZA was blocking it in the OS firewall
2. QT is no longer in the task list, that removal worked
3. the \programFiles\Quick Time directory is from 2003, as are all entries underneath (yeah, I know hackers can change the date)
4. Spybot S&D and Lavasoft Ad-Aware DeepScan - clean report
5. a-squared - clean report
6. There are no registry entries related to it that I can see
7. HijackThis, while it has few 016 entries, also confirms QT not running and basically matches my previous HJT logs
8. QT directory scan by ZA and PestPatrol - clean
9. Spybot's startup list did not, nor does it now, show it in the startup list (I do not run TeaTimer - that would conflict with ZA)
10. I did go into the settings of QT using buddy123 recommenation and changed the settings accordingly


I think I know what happened yesterday on this forum - DIRTY CACHE. Please confirm this makes sense.
Having seen all above, I decided that it's not a real event anymore but dragging in old internet files from the day before. So I deleted all internet temp files (overdue by about 5 days!), ran Cache cleaner in ZAsuite, ran CCleaner, which recognized items slated for deletiong, went on BC and QT hasn't plagued me.

If anything changes, I will report tonight, again, in order to pool our resources on this subject, which seems like a very nice idea.

Scarlett, msconfig is an unknown file in the cmd window
I found one in some part of the indows installer ...\i868 or something similar, so now I know what you're talking about. It's not in windows nor in windows\system32. Weird?

To tell you the truth, I'd rather not use it, since I rely on Spybot S&D to set/deselect in order to have all changes in one place (though this change was not required). But I find it curious that msconfig is unknown!

I just don't know tos.
QuickTime is legit, but why on earth did it pop up in your system to begin with?
I find this entire thing to be curious from start to finish.
Up to and including the fact that "msconfig" is an unknown file command.

And please do not ever do anything that you do not feel comfortable with.

I can't wait to see how this all pans out.
It is over my head now.

You use msconfig with Start > Run, not cmd.

In Win XP, MSConfig.exe is located in the following folders:
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\
C:\WINDOWS\system32\dllcache\
C:\WINDOWS\ServicePackFiles\i386\

But Spybot or similar startup managers are the route to go for disabling startup entries.

Anyway if you install/update iTunes, it includes installing QuickTime which you may not have noticed. The QuickTime system tray applet will install and load on system bootup without asking, even if you have previously disabled it in QuickTime preferences prior to installing. Also when clicking certain audio/video links on a web site, this can trigger the program to run. Once that happens it will want to run at startup just like Real Player. When that happens, programs that monitor startups will provide an alert.

Thanks!! Yes, that's where I double clicked on finally, but just looked in there, since I'm comfortable with the Spybot method.


As I wrote above, no iTunes. I did not clicked any A/V links. But there is a possibility that on a A/V-related site, I hovered over some such link. Is it possible that just mousing over would cause the installation and all the silliness that followed?

If your answer is YES - than this adventure is over, since I might have a probable cause, which is the key thing that annoyed me - where did it come from. And your explanation clarifies its nasty little unnecessary attempt to force itself (with no success) into startup 113 times in one short evening. Yikes

It's THREE now, the third one is about IE7 beta. Not what I use, But the same plague
http://www.bleepingcomputer.com/forums/topic62391.html

I used iTunes as an example. There are other programs that come bundled with QuickTime and you may have installed one of them which installed the software. I know it comes with AOL and Apple seems to be pushing it with other software as evident on their site.
QuickTIme Software Licensing Agreements.

Check the date on the folder in C:\Program Files\QuickTime and see if you installed anything else at the same time. At least that would explain its presence. If thats the case, then I would say you probably clicked on a link without realizing it which activated the program to run.

I was just reading that topic, but I think in heris (blend of his and her ) case it's some other kind of file trying to pop it's way in. Hshe says it's an active-x, which is different from the file that's been plaguing you. But it certainly seems to be the same company!

Have you got it behaving now?

Orange Blossom

If I allowed every program that wanted to start-up when the computer starts up to do so, I could wait for a day before I could USE ANY of it. :snooze: Methinks it defeats the purpose of quick access.

OK, I now understand that iTunes was your example. Thanks. Basically I was not running any A/V stuff. The appearance of QT for me remains a mystery.

QuickTime directory date is Decmber 2003, as are all items underneath. Version is 6.3. Date is from before I got this computer (2004). OEM gift I suppose.

In an old NTbackup of mine, I found a log from 2005. It includes QuickTime. It sits in Docs and settings\all users\ApplicationData\QuickTime, as well as in Programs list. Clearly, it's been here all along. But it never bothered me like this up to the time when for some reason it came alive 8/14.

To add to my first post or two, let me quote several log entries, in case anyone can figure it all out. Reminder - I did NOT allow any registry changes to occur. I'm currently in the block it or ask me mode in ZA and the OS firewall is always ON, but I'm not sure that logs such as these reflect this really, but perhaps they'll tell you something that's useful. The items that concern me are attempts in bold, even though they were blocked.

(9 of these for 8/14)

(113 of these)

Finally these selected items - what was it trying to do, especially rundll.


8/16 and so far this evening – clean and quiet. Nothing related to QuickTime, so I gather that the Cache cleaning did the job, and that the QT nagging, while I was on this site, was due to the first day occurence.

tos
There is no need to have both Zone Alarm and your OS firewall running at the same time.

Many use a stand alone firewall in place of the OS version.
As MS firewall only checks for incoming packets and not outgoing.

Indeed, and ZA firewall shuts off the Windows Firewall by default because having more than one on can create conflicts. Did you manually activate the windows firewall again?

Orange Blossom

I do NOT have Windows Firewall running, it's shut off when ZA installed.

OS firewall is part of the Zone Alarm Security Suite - a very important protection present since v6.
It is not the same thing as Program Control.

OS firewall also has nothing to do with packets, but only with protecting the integrity of all applications and registry, as in this instance it has been doing all along.

In the logs, the entry is OSFW. And in the alert tabs GUI it's just named OS firewall.

I misunderstood this statement.



OS firewall to me is the MS one.

My apologies.

No problem, Scarlett.
I didn't know the windows thing might be called OS firewall. Learning every day.

I only wish I could solve this blasted QT mystery. It's nagging me that something like this would cause so much havoc! Any ideas?????????

And, as always, thanks for all your cool posts. It's fun here

Whoa! See this:
http://www.dslreports.com/forum/remark,16707648

My summary
>>> Some users began having issues when they actually ran the application.
>>> Others, like me, just got a nasty surprise from this PERSISTENT PEST. The reports began 8/14, same as here. Page 2 is interesting.
>>> Just as I reported that when I was on this forum, the startup alerts were coming on, over there they report the same thing during use of the Broadband forum.
>>> People there suspect that the latest issue of windows upgrades may play a role - that was my original idea as well, see first post. Thing is I did NOT yet install, I just keep closing the "updates are ready" popup.

Any ideas?

The discussion in that thread seems to confirm what I suspected. You had QuickTime installed all along without knowing and now certain web links are triggering the program to run at startup resulting in alerts if protection features are in place to detect this type of activity.

Quietman7,
So QuickTime looks seriously flawed in its design of forced startup and ends up being a pest misused by ads or something, right?

Anyway, I made this thread so long, while your answer in an earlier post was staring me in the face. My only excuse is that I did not grasp the implication of what you wrote there (just the facts), for which I apologize.
I've learned a lot in this adventure. Thanks !!