Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Qttask.exe Quicktime Installed Itself - What Now?


  • Please log in to reply
25 replies to this topic

#1 tos226

tos226

    BleepIN--BleepOUT


  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 14 August 2006 - 08:31 PM

This is weird. Out of the blue after I started up the computer I was greeted by the standard message that Windows updates are ready (I'm delaying installation for a week or so). Immediately after, ZoneAlarm suite warned me that "Quicktime wants to run at startup", so I denied. Executable is qttask.exe.

Well, it parked itself in the system tray.
I googled a bit and checked c:\windows directory where I see new things from today 7:40pm, but nothing conclusive to understand really
- wiadebug.log
- wiaservc.log
I gather these are related to windows image acquisition - what it that??? I don't aquire any such thing.
then there is
- windowsupdate.log (yeah, I'll do it after I read if it'll break my system)
and
- Qfont.for
- QTfont.qfn

I ran Spybot - it's clean.
I will run a-square and ad-aware in safe mode later
I thought of running Trojan hunter but apparently my temp licence (from about a year ago) expired.

What's this all about?
Why would I get Apple computer program on WindowsXP home? How did it get in?


Edited upon further looking:
1. Bleeping computer startup list shows it as Apple program, no need to have it at startup
2. There's a CoolWebSearch, but my exe filename does not match
3. qttask.exe is in program files.

This is info from ZoneAlarm advice - copied and pasted

QuickTime is trying to open an existing process.

The current security setting for QuickTime does not permit this action, or ZoneAlarm Security Suite is asking you whether to allow this behavior. Your computer is safe.
Inside the OSFirewall alert



Alert property Alert property value Technical explanation
Program Name QuickTime A program running on your computer, which attempted an action that was detected by the OSFirewall.
Filename C:\PROGRAM FILES\QUICKTIME\qttask.exe The filename of the program that ZoneAlarm Security Suite found on your computer.
Program Size 77824 The size of the program executable file in bytes.
Program MD5 c9128ae6036cdf67873a516e1a00ed4b The MD5 hash, or number, that uniquely identifies the executable.
Smart Checksum e88d2e2d1b37a7175dbb80bfe299affe The SKIMP hash, or number, that uniquely identifies the executable.
Date Modified Dec-02-2003 07:05:00 PM The date when C:\PROGRAM FILES\QUICKTIME\qttask.exe was most recently modified.
Event Type Process The event involved starting or terminating a thread or process.
Sub Event Type OpenProcess QuickTime attempted to open another process.
Command Line "C:\WINDOWS\system32\ctfmon.exe" The command being used to open another process.


Edited some more:
I removed it from the system tray by doing Exit.
It stopped qttask running.
I don't know whether a service runs - names are not obvious to me.
Zone Alarm suite again says QuickTime wants to be at startup, and the alert displays an entry about attempt to Set Value in the registry: HKLM|Software|Microsoft\Windows\CurrentVersion\Run,
with a comma at the end. I suspect the entry is in there already, should I remove it?

The ZA alerts me every time I switch a page right here at BC, as well as on another site, and there are now over 100 entries in the alerts list related to QT.

Edited by tos226, 14 August 2006 - 09:54 PM.


BC AdBot (Login to Remove)

 


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,853 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:05 AM

Posted 14 August 2006 - 11:50 PM

tos226:

You aren't the only one to have had this happen, though I'm surprised that it would be caused by Windows Update files.

First: QuickTime is a media player that some files require to run. An example is the multimedia files in my Encyclopaedia Brittanica program. The problem comes in because the darned thing wants to start when windows starts which isn't necessary. To keep it from doing that, follow buddy215's directions in the quote I have pasted in below.

start quicktime/click on edit/click on preferences/click on quicktime preferences/click on update/ uncheck check for updates automatically


Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 15 August 2006 - 07:57 AM

Thanks a bunch for that link. Good info there and I'll do the settings tonight. But I'm still not too clear about it.

No, I do not think it's in any way related to the windows update - I looked through the update log - nothing there.

So it came in on its own, eh?
It bothers me that it actually put itself into the system tray without me allowing it. ZA is doing a fine job telling me that QT wants to do things, but in my opinion it's too late, is it not? Perhaps if I went on a website, I gave it an implicit permission ??? Yikes :thumbsup: I don't think it's like that. Any thoughts would be appreciated. I'm trying to understand.

#4 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,853 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:05 AM

Posted 15 August 2006 - 08:26 AM

Hmm. I wonder if QuickTime had been installed in your computer, but just not activated? Did you watch any multi-media stuff about the time those messages started up? One of those may have used QuickTime and triggered it's desire to start-up when you start-up the computer.

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#5 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 15 August 2006 - 08:42 AM

Hmmm is right :thumbsup:
No I did not watch anything that moved. Anything that moves is blocked.

Yeah, I guess it got installed in some fashion, but thankfully ZA gave me a chance to stop it from the registry change, and indeed there was no QT there, and Spybot did not see it either. But it sits there and nags me constantly - i.e. it tries to install itself or run or whatever, and so ZA keeps telling me what QT wants to do, and I have to click deny, deny, deny whole evening.

Now, here's a good one - it clearly says APPLE.
It does confirm what buddy suggests in his replys to the other post
http://www.answersthatwork.com/Tasklist_pages/tasklist_q.htm

Edited by tos226, 15 August 2006 - 08:42 AM.


#6 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:01:05 AM

Posted 15 August 2006 - 09:06 AM

Do you have iTunes in relation to an iPod?
It could of come from installing iTunes.


To disable Quicktime (qttask) at startup.

> start
> run
> type "msconfig"
> click "ok" button
System Configuration Utility will now show
>click "startup" (tab)
> look for "qttask
> uncheck box (qttask)
> click: "apply" button
> click "ok" button

If it were I, I'd look in Search for files and folders and delete all I find related to QTime.

Setting a restore point beforehand is always a good idea. Just in case. ;)
Posted Image

#7 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 15 August 2006 - 10:50 AM

No iTunes, no iPod.
Thanks Scarlett. I'll look into msconfig, but I doubt it's there because Spybot startup list would have shown me. I think it is TRYING to install for startup and ZA and I are stopping it. But something must be running since it insisted on sitting in the system tray.

In ZA it got itself into the Programs list but no permissions of any sort to access the internet or anything - Auto put all ????? in there which is fine by me.

#8 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 15 August 2006 - 08:16 PM

Few seconds ago I was going to report how quiet things are and that it's all fixed this evening.

Now the unimaginable happened:
As soon as I got on this site, QuickTime wants to run at startup, I deny, and navigating to this section of the forums is immediately followed by the ZA alert where I deny any runs at startup.

Hmmm???

This makes NO SENSE WHATSOEVER.

#9 Orange Blossom

Orange Blossom

    OBleepin Investigator


  • Moderator
  • 36,853 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:02:05 AM

Posted 15 August 2006 - 08:53 PM

Okay,

We have two members experiencing similar problems with QuickTime but apparently from different causes and different reasons but apparently starting at about the same time.

Here is the link to the other topic

Is there something malicious going on or is it some sort of crazy bug or just a weird coincidence? Why won't this problem get fixed and stay fixed?

I think we need to get together on these two and find out if there is something in common.

Orange Blossom :thumbsup:

Edited by Orange Blossom, 15 August 2006 - 08:54 PM.

Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#10 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 16 August 2006 - 10:21 AM

First of all, this qttask, while behaving strangely, is no threat, just a resource hog. I googled for MD5 signature
http://research.pestpatrol.com/Search/File...PVT=-1463431650
http://www.programchecker.com/file/1646.aspx
Both of these places match MD5 that ZoneAlarm OS protection reported, and indicate that Quick Time is legitimate.

I still don't know what started it all.

I reviewed, saw and confirmed few findings
1. QT does not now run at startup, and never did because ZA was blocking it in the OS firewall
2. QT is no longer in the task list, that removal worked
3. the \programFiles\Quick Time directory is from 2003, as are all entries underneath (yeah, I know hackers can change the date)
4. Spybot S&D and Lavasoft Ad-Aware DeepScan - clean report
5. a-squared - clean report
6. There are no registry entries related to it that I can see
7. HijackThis, while it has few 016 entries, also confirms QT not running and basically matches my previous HJT logs
8. QT directory scan by ZA and PestPatrol - clean
9. Spybot's startup list did not, nor does it now, show it in the startup list (I do not run TeaTimer - that would conflict with ZA)
10. I did go into the settings of QT using buddy123 recommenation and changed the settings accordingly

Why won't this problem get fixed and stay fixed?

I think I know what happened yesterday on this forum - DIRTY CACHE. Please confirm this makes sense.
Having seen all above, I decided that it's not a real event anymore but dragging in old internet files from the day before. So I deleted all internet temp files (overdue by about 5 days!), ran Cache cleaner in ZAsuite, ran CCleaner, which recognized items slated for deletiong, went on BC and QT hasn't plagued me.

If anything changes, I will report tonight, again, in order to pool our resources on this subject, which seems like a very nice idea.

#11 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 16 August 2006 - 10:27 AM

To disable Quicktime (qttask) at startup.

> start
> run
> type "msconfig"
> click "ok" button
System Configuration Utility will now show
>click "startup" (tab)
> look for "qttask
> uncheck box (qttask)
> click: "apply" button
> click "ok" button

Scarlett, msconfig is an unknown file in the cmd window :thumbsup:
I found one in some part of the indows installer ...\i868 or something similar, so now I know what you're talking about. It's not in windows nor in windows\system32. Weird?

To tell you the truth, I'd rather not use it, since I rely on Spybot S&D to set/deselect in order to have all changes in one place (though this change was not required). But I find it curious that msconfig is unknown!

#12 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:As always I'm beside myself ;)
  • Local time:01:05 AM

Posted 16 August 2006 - 10:43 AM

I just don't know tos.
QuickTime is legit, but why on earth did it pop up in your system to begin with?
I find this entire thing to be curious from start to finish.
Up to and including the fact that "msconfig" is an unknown file command.

And please do not ever do anything that you do not feel comfortable with.

I can't wait to see how this all pans out.
It is over my head now.
Posted Image

#13 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,136 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:02:05 AM

Posted 16 August 2006 - 01:41 PM

msconfig is an unknown file in the cmd window

You use msconfig with Start > Run, not cmd.

In Win XP, MSConfig.exe is located in the following folders:
C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\
C:\WINDOWS\system32\dllcache\
C:\WINDOWS\ServicePackFiles\i386\

But Spybot or similar startup managers are the route to go for disabling startup entries.

Anyway if you install/update iTunes, it includes installing QuickTime which you may not have noticed. The QuickTime system tray applet will install and load on system bootup without asking, even if you have previously disabled it in QuickTime preferences prior to installing. Also when clicking certain audio/video links on a web site, this can trigger the program to run. Once that happens it will want to run at startup just like Real Player. When that happens, programs that monitor startups will provide an alert.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#14 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 16 August 2006 - 04:26 PM

You use msconfig with Start > Run, not cmd.

In Win XP, MSConfig.exe is located in the following folders:
...
C:\WINDOWS\ServicePackFiles\i386\

Thanks!! Yes, that's where I double clicked on finally, but just looked in there, since I'm comfortable with the Spybot method.

Anyway if you install/update iTunes, ... Also when clicking certain audio/video links on a web site, this can trigger the program to run. Once that happens it will want to run at startup just like Real Player. When that happens, programs that monitor startups will provide an alert.

As I wrote above, no iTunes. I did not clicked any A/V links. But there is a possibility that on a A/V-related site, I hovered over some such link. Is it possible that just mousing over would cause the installation and all the silliness that followed?

If your answer is YES - than this adventure is over, since I might have a probable cause, which is the key thing that annoyed me - where did it come from. And your explanation clarifies its nasty little unnecessary attempt to force itself (with no success) into startup 113 times in one short evening. Yikes :thumbsup: :flowers:

#15 tos226

tos226

    BleepIN--BleepOUT

  • Topic Starter

  • Members
  • 1,568 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:LocalHost
  • Local time:02:05 AM

Posted 16 August 2006 - 04:46 PM

I think we need to get together on these two and find out if there is something in common.

It's THREE now, the third one is about IE7 beta. Not what I use, But the same plague
http://www.bleepingcomputer.com/forums/t/62391/quicktimecheck-scriptable-object/




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users