MS Visual C++ Runtime Library in toolbar at start up


I have Win XP Home Edition OS, and run ZA Pro, NAV 2003, a registry editor, and anti-malware programs.

My problem is that every time I start up one of the two administrator profiles, a little white box materialises in the left-hand of the toolbar, with the legend 'MS Visual C++Runtime Library.' Task Mgr shows the Library process as 'running,' and it can be stopped there, but it always re-appears on the next boot-up.

I assume that a new program that I have loaded could be the cause? I've tried enabling most services through msconfig, & virus checks, spyware checks, and registry checks without joy. I've also looked in Task Mgr for running processes, but haven't seen any obvious/unusual client programs that might be using the library.

Any suggestions? I'm willing to copy the entries from running the 'Startlist' program if that might help (BTW, MS XP Newsgroups are down, so can't post there as well). Thanks.

Is your AV software up to date, have you recently scanned for virii, and if so, were any detected? I suspect you may be experiencing Remote Procedure Call.

Thanks for the suggestion, smithclan. Yes - I've swept for virii, using NAV which has all updates (when I swept, up to 170404; now, up to 210404).

I've just realised, from Task Mgr, that the associated process is called 'Astartupdate.exe.' Also, that the icon for the (anti-spyware? can't remember!) program a2 is not showing in the errant profile; instead, I have the a2 Start Center, so I might delete that icon, and see what happens, and look at any settings in that process. I will also look at the 'Options' against the process 'a2update' in Zone Alarm, as perhaps a2update is calling on the C++ Library, as it can't get through to the a2 website.

Additional suggestions gratefully received. With such problems, thinking out loud & brainstorming is always helpful, I've found.

My idea about the a2 program was a blind alley.

The only two files I can find with AUPDATE in their names are the AUPDATE Application File from NAV 2003, and the catchily-named Pre-Fetch File, in C:\WINDOWS\Prefetch. My best guess is that the Prefetch area is some kind of holding area for programs that need to access the internet or launch other processes?

I've already double-checked the ZA program permissions for all Symantec products and run Norton LiveUpdate manually, in both profiles, without success. I'll keep plugging away.

If it is something that is run on startup, try running one of the startup monitors I list in General: Essential Security software and see if you can identify what it is?

You could also use one of the task managers to view what is running and show what folder it is running from - try TaskInfo 2003.

Note: the prefetch folder is used by XP to enable quicker loading of apps by storing parts of the app in a known place. You can safely delete the contents of that folder but it will repopulate as you run programs.

gives quite a bit of info as to what is running and what is associated with it.

Time to hand it over to Symantec. I've tried:

1. Deleting the 'Autoupdate' pre-fetch file. The white box disappeared until another PF file had been created.
2. Ensuring that Live Update and Netdetect scheduled tasks are properly passworded in both administrator profiles.
3. Virus checks, spyware & trojan checks (Trojan Hunter), & that I've no critical OS updates needed (I haven't).
4. Double-checking that all Symantec products have full program permissions in ZA Pro (including ability to call Open processes).
5. Symantec Virus check - have enabled all scripting, but it just won't run, and I get a msg suggesting scripting is the problem.
6. Running 'Registry First Aid' and deleting all 'backweb' items, including autodiallers.
7. Running 'msconfig' and enabling most services.
8. Using Task Info 2003 & Process Explorer, which verify that Automatic Update is requesting the task, status described as 'Waiting for User.'

I've tried other things, but this Tinkerman has had enough for the day, so I'm off for some creative thinking. Thanks so much for your suggestions. My instinct now is that maybe a worm or somesuch has gotten through & is well-hidden in the registry, but I just can't believe that it hasn't been detected by up-to-date versions of Ad-Aware, Spybot S&D, Spywareblaster, NAV, a2, etc..

..I also reinstalled NAV 2003, and have disabled the Autoupdate function for a while.

One quick thing - I suspect that the excerpt below from running 'Startuplist' could be significant. Any thoughts, please?

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

It is most probably Zone alarm and permissions.
The suspect programme starts to run and waits for a DNS lookup or similar before finishing loading. If ZA stops the DNS lookup, the programme will never finish loading and the correct "loaded & running Icon" will never appear.

Must suggest you are infected with a variant of W32.Gaobot. Have a look at what it does, and compare to your symptoms.

for latest variant. All variants have similar characteristics. Check for suspicious startup entries in registry, as per HKeys at above URL.

If you have quarantined any infected files, you can virus scan as many times as you like without detecting any infection, but once the virus has been executed, it is the subsequent running processes that cause the problems, not the executable itself.

It is possible you have become infected, even though you keep your AV software up to date, by a new virus variant unknown to your latest AV definitions.

Is your software set to update automatically?

Do you supplement this with interim manual updates?

Symantec issue updates as soon as a new threat is identified.

Live update, unless this has changed very recently, only occurs once a week.

As a point of interest, I have noted a number of posts regarding router problems. I know very little about these things, although I do know they have a log in user name and password. Is it possible that these have a weak username and password, and possibly even common default ones, which are being exploited? Again, read the capabilities of the above worm.

Thank you all very much indeed for your help. Apologies for the length of what follows:

1. I'm sure that my PC is infected. Identifying the culprit (apart from me!) is a little harder. I don't think it's W32.Gaobot, although, as smithclan points out, it could be a variant. I now recall, just after joining Plusnet, accidentally placing a machine on the Plusnet network in a trusted zone on ZA Pro (for about 10 mins), & receiving a packet through port 135! I immediately closed the hole, & updated and ran Norton AV and two Trojan Hunters, nullified a suspicious registry entry, & reported the machine. I thought that was that....
2. Confirmation that it's an infection seems to be the fact that in the last two days, I haven't been able to do System Restore, & there were several failures of ZA's True Vector application in a row at one point. Also, ZA had been blocking Windows NT logon and Windows Explorer from accessing some 'Open Process' on the Net, plus various computer review/subscriber sites. Again, for a short period, the Norton AV tray icon looked dull yellow in colour, i.e. slightly grayed-out.
3. I checked the host file as recommended by Norton (thanks, smithclan), but didn't find the list of blocked sites that the Gaobot worm would be expected to make; instead, I had a list of about 400-500 sites, including 'adult' ones which I'd never heard of, all of which I deleted through Notepad, leaving only 'localhost.'
4. I shut down System Restore to delete infected Restore points, downloaded Norton's 'Intelligent Update' and 22-4-04 AV definitions, & ran a full system scan in safe mode. Nothing.
5. I checked the registry entries as Norton suggests. Nothing under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and I don't seem to have the other key they mention, same as before but ending 'CurrentVersion\RunServices'. Against the key HKEY_LOCAL_MACHINE\Software\Symantec\Norton Antivirus\LiveUpdate\Cmdlines\Cmdline1 I found a Product Name 'Avenge 1.5 Micro Defs2,' which I understand is okay. However, I searched the Registry for 'Avenge' and found 'AVENGE DEFS' in a location uncharacteristically given in capitals, as C: PROGRAM$1\COMMON$1\SYMANT$1\VIRUS D$1, where $ is actually an S-like squiggle on its side.
6. Using 'msconfig', I long ago disabled two Startup items with nothing under 'Start Up Item' or 'Command' but with locations given as SOFTWARE\Microsoft\Windows\Current Version\Run.

I'm stumped, as the problem is still there, and I'm thinking of wiping my hard disk after scanning & saving all documents & product-registrations, & then reinstalling XP and MS Office & other software. I'll carry on doing some Google searches for similar symptoms to mine, first, though. If the infection isn't showing on AV scan, then I can only think that it's well-hidden in the Registry.

16 bit applications can be made to run from win.ini, check that out.
Also, shell apps can be run from autoexec.bat (you may have to change the view properties to show systems files to view it).

I still think this could be a system app linked to NAV or similar and not a virus. After all, what virus would stick itself in the system tray to tell you it's there ??
What happens if you start in safe mode ??

You have, however, had a "hijack"; that is why the adult URLs were in your hosts file.

Hi, cqg4uzg. I'm typing from college (in the doghouse as my wife says that I'm spending too much time on the computer.. I should've married a techie Smiley).

Symantec/Norton Tech. Support have been very prompt in getting back to me, &, like you, seem to think that it's possible that there is some kind of program trouble, & have sent me a URL for a document on their site.

I'll post here as soon as I've tried out yours & their ideas.

(Sandra Bullock was a delightful tech-head in The Net. I wonder..?)

Problem solved. Thanks very much to everyone for all of your ideas. The Symantec bods knew their stuff, & were right.

Deleting all files from the Symantec Live Update Downloads folder, & then re-installing Live Update worked a treat. Symantec explain the issue as being that of having corrupted files in the Downloads folder.

For anyone who might have a similar problem, the explanatory document's url is

As a result of the discussion here, I've deleted all of the dubious stuff in my host file (I've used ZA Pro to lock the host file now; I know that there's some disadvantage, but can't remember what). This thing was beginning to prey on my mind even in the small hours...