"base2 PaneForm"...ever heard of this

[bozo]

My System:
P-4 2.4 Ghz
512 RDRAM
Windows SP2
Multiple layers of security...all up to date.

Here's the problem, when I shut down windows...shutdown begins normally, then a windows error popup apears saying "this program is not responding", and the countdown begins and the program (file ???) get's closed, and shutdown is then, normal.

The program (file???) is "base2 PaneForm"

This began after one of two installs of a new multi-function machines.
The first was a Brother 620, which I tested for about a month. I un-installed the SW, and returned the machine (piece of junk...multiple problems).
The second is a HP photoseries 2600. This machine is still hooked up & running fine.

My delima is what this program (file???) is & why it is running in the background. If it's a leftover from the Brother SW package,,,then I want to remove it. It may also be part of the HP SW package (which is a SW bloat BTW), in which case I may need it to do certain task.

I have a program to monitor startup programs, but I can't see anything that would resemble this program (file???). Same with "Task Manager"...nothing that resembles this program (file???)

This is NOT an earth shattering problem, since it's only about a 15 second delay...but if it's running in the background, and it don't need to be than I want to stop it from running.

[rjfvillarosa]

Can you go into "start up" in msconfig and give us a list of the prgrams that are checked or run a hjt log, make sure you run the hjt straight after booting up before you have opened any programs.

[bozo]

Log removed, not needed any more, was way too long

[rjfvillarosa]

According to zonelabs you have the "petch" trojan/virus.

http://vic.zonelabs.com/tmpl/body/CA....jsp?VId=37468

According to symantec you have picked it up through IRC,

http://securityresponse.symantec.com...w32.petch.html

Considering the amount of damage this virus can do I would strongly suggest a format and reinstall.

[bozo]

Quote:

Originally Posted by rjfvillarosa According to zonelabs you have the "petch" trojan/virus. http://vic.zonelabs.com/tmpl/body/CA....jsp?VId=37468 According to symantec you have picked it up through IRC, http://securityresponse.symantec.com...w32.petch.html Considering the amount of damage this virus can do I would strongly suggest a format and reinstall.

rjfvillarosa...what in my log leads you to believe I have the "petch" trojan? My system is NOT experiencing ANY of the symptoms of that trojan\virus, in fact my system is running excellant right now.

I run nightly updates for AVG anti-virus, and then a complete anti-virus scan...this is every night. I also have Zone Alarm Pro, and three spyware programs...one, MS Anti-spyware which runs in residence continually. I just checked the AVG log and it has run every night as scheduled...no viruses. Secondly, Zone Labe & Symantic both say this virus\trojan enters via IRC. I have never used IRC chat or any other messenger service.

[rjfvillarosa]

XEC.EXE

right at the bottom of your management tools list, google search xec.exe and that is what it comes back with and I have seen this infection on many an occasion, also why is your log so truncated it should be much shorter.

Here is the Brother software that is still on your system:
O23 - Service: BrSplService (Brother XP

spl Service) - brother Industries Ltd -

[bozo]

OK, I got rid of the Logitek Desktop messenger, and then tool this hjt log:

Quote:

Logfile of HijackThis v1.99.1 Scan saved at 5:05:58 PM, on 5/24/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\brss01a.exe h:\BOGIEP~1\Grisoft\AVGFRE~1\avgamsvr.exe h:\BOGIEP~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe h:\Bogie Programs\Roxio\GoBack\GBPoll.exe C:\Program Files\Gigabyte\Gigabyte Management Tools\GMTService.exe C:\WINDOWS\system32\nvsvc32.exe C:\WINDOWS\system32\HPZipm12.exe C:\WINDOWS\system32\svchost.exe H:\BOGIEP~1\VCOM\SYSTEM~1\MXTask.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\ZONELABS\vsmon.exe H:\BOGIEP~1\Grisoft\AVGFRE~1\avgcc.exe H:\BOGIEP~1\Grisoft\AVGFRE~1\avgemc.exe H:\BOGIEP~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE H:\Bogie Programs\Microsoft AntiSpyware\gcasDtServ.exe H:\BOGIEP~1\VCOM\SYSTEM~1\mxtask.exe C:\WINDOWS\System32\svchost.exe H:\Bogie Programs\BillP Studios\WinPatrol\WinPatrol.exe H:\Bogie Programs\Zone Labs\ZoneAlarm\zlclient.exe H:\Bogie Programs\ClipCache\clipc.exe H:\Bogie Programs\HP\Digital Imaging\bin\hpqtra08.exe H:\Bogie Programs\BigFix\BigFix.exe H:\Bogie Programs\HP\Digital Imaging\bin\hpqgalry.exe C:\WINDOWS\system32\wuauclt.exe H:\Bogie Programs\VCOM\PowerDesk\PDExplo.exe H:\Bogie Programs\HiJackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Bogie Programs\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - h:\Bogie Programs\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [AVG7_CC] h:\BOGIEP~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [AVG7_EMC] h:\BOGIEP~1\Grisoft\AVGFRE~1\avgemc.exe O4 - HKLM\..\Run: [EM_EXEC] H:\BOGIEP~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE O4 - HKLM\..\Run: [gcasServ] "H:\Bogie Programs\Microsoft AntiSpyware\gcasServ.exe" O4 - HKLM\..\Run: [TCLOCKEX.EXE] H:\Bogie Programs\Tclock\TCLOCKEX.EXE.lnk O4 - HKLM\..\Run: [WinPatrol] H:\Bogie Programs\BillP Studios\WinPatrol\WinPatrol.exe O4 - HKLM\..\Run: [Zone Labs Client] h:\Bogie Programs\Zone Labs\ZoneAlarm\zlclient.exe O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto O4 - HKCU\..\Run: [ClipCache] H:\Bogie Programs\ClipCache\clipc.exe /wait 3 O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE O4 - Global Startup: HP Digital Imaging Monitor.lnk = H:\Bogie Programs\HP\Digital Imaging\bin\hpqtra08.exe O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Bogie Programs\HP\Digital Imaging\bin\hpqthb08.exe O4 - Global Startup: BigFix.lnk = H:\Bogie Programs\BigFix\BigFix.exe O8 - Extra context menu item: &Dictionary - http://www.ezreference.com/_/ie-com-sp.htm O8 - Extra context menu item: &Encyclopedia - http://www.ezreference.com/_/ie-com-e-sp.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://H:\BOGIEP~1\MICROS~1\Office10\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Bogie Programs\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Bogie Programs\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - H:\Bogie Programs\Hello\PicasaCapture.dll O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - H:\Bogie Programs\Hello\PicasaCapture.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1099738674031 O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?326 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - h:\BOGIEP~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - h:\BOGIEP~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe O23 - Service: GBPoll - Roxio, Inc. - h:\Bogie Programs\Roxio\GoBack\GBPoll.exe O23 - Service: GMT-Service - Unknown owner - C:\Program Files\Gigabyte\Gigabyte Management Tools\GMTService.exe O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: SystemSuite Task Manager - V Communications, Inc. - H:\BOGIEP~1\VCOM\SYSTEM~1\MXTask.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZONELABS\vsmon.exe

[rjfvillarosa]

This is a link to the analysis of your latest log on the HJT site, according to them its clean.
http://www.hijackthis.de/logfiles/39...6b3c44f73.html

I also noticed that XEC.EXE has disappeared but there is a .exe with a very similar name associated with your logitech, maybe just a bad coincidence of names.
O4 - HKLM\..\Run: [EM_EXEC] H:\BOGIEP~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE

Ok my mistake, the log is so truncated it looks like a separate entry and there is no XEC.EXE it is actually EM_EXEC.EXE

[bozo]

It now seems as though removing Logitek Desktop Messenger has changed my hjt log considerably including the "XEC.EXE" entries which are now gone. What do you think of the latest log?

1. Are there other removal tools that I could do to make sure I do not have this trojan\virus.

2. If I do have this virus\trojan, would'nt up to date virus protection have detected it?

[rjfvillarosa]

I don't think you do have it, your log was so truncated it made it look like a separate entry, follow the link I gave you and inspect your analysis on the HJT site it shows up pretty clean, I also singled out the Brother software that is still running on your machine.
Can you tell me how many things are checked in "MSCONFIG" so that they run when you start windows.?

[bozo]

rjfvillarosa...the other logitech entry is from an older device and I know it's OK. I looked at the rest of the review, and it seems all is well as far as the log goes...seems as though the new logitech keyboard I recently bought was also loading me up with their "Desktop Messenger", which seemed to contain the bad log entries.

Now I'll try a restart.

[glc]

Do you have an Epson printer too? If not, you have the Epson status monitor installed.

Word to the wise - whenever installing ANY Logitech software, do a custom install and do NOT install the Desktop Messenger and all the other crap they want to shove in your face. All that does is clog up your bandwidth looking for updates and anything else Logitech wants to try to feed you.

[bozo]

Yes I do have an Epson printer on this computer. Thanks for the heads up on Logitech...I always do a custom install, and avoid anything with the word "Messenger" like the plague, but this one got by me. This was a good time to do some other house cleaning in my HJT log, however!

I still have the "base2PaneForm" Not Responding on shutdown, and I have found two other programs\files that also do the same on shutdown. They are "WindowFormsParkingWindow", and the last one I was not able to get totally but it started with "hp". I am now pretty sure these "Not Responding" errors are a part of the HP multi-function machine SW. I'll probably just let it be since this is only a 10-15 second delay...and there are no other evident problems with the system.

Thanks All!

[rjfvillarosa]

This is post #6 from
http://forum.pcmech.com/showthread.php?t=126271

Quote:

Originally Posted by rjfvillarosa Hey Rails how you doing? I came across this problem once before, it seems the problem is a piece of badly written script associated with a HP all in one printer. If the "WindowsFormsParkingWindow" is in XP (ie shutdown). Make sure you don't have HP Image Zone Fast Start (hpqthb08.exe) in your startup folder.

From your HJT log.

O4 - Global Startup: HP Image Zone Fast Start.lnk = H:\Bogie Programs\HP\Digital Imaging\bin\hpqthb08.exe