end task dialog box with no program name

[freecho]

I'm having a few problems. I get intermittent freeze up runing Win ME. Also when I shutdown I freeze, forcing me to press power button. What seems to worry me the most is sometimes when I shutdown, I get a dialog box stating a program is not responding and then gives me the option to end task or wait, but there isn't any program name on the title bar. I'm concerned if this is viral behavior. I have not read any other post on this.

Here is my startuplist that everyone else seem to be fond of but i haven't a clue what most of these entries are. Much appreciated for any help.

StartupList report, 1/27/2003, 11:12:54 PM
StartupList version: 1.51
Started from : F:\INCOMING\STARTUPLIST.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\ADAPTEC\GOBACK\GBPOLL.EXE
C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\EXECUTIVE SOFTWARE\DISKEEPERWORKSTATION\DKSERVICE.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\BCMDMMSG.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\DEVLDR16.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\POPROXY.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\VERIZON ONLINE\WINPOET\WINPPPOVERETHERNET.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\PROGRAM FILES\LOGITECH\MOUSEWARE\SYSTEM\EM_EXEC.EXE
C:\PROGRAM FILES\LOGITECH\DESKTOP MESSENGER\8876480\PROGRAM\BACKWEB-8876480.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZAPRO.EXE
C:\WEBSHOTZ\WEBSHOTS\WEBSHOTSTRAY.EXE
E:\ACROBAT\DISTILLR\ACROTRAY.EXE
F:\INCOMING\STARTUPLIST.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start Menu\Programs\StartUp]
EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\SYSTEM\E_SRCV02.EXE
Webshots.lnk = C:\webshotz\Webshots\WebshotsTray.exe
Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
Acrobat Assistant.lnk = E:\acrobat\Distillr\AcroTray.exe

Shell folders Common Startup:
[C:\WINDOWS\All Users\Start Menu\Programs\StartUp]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
Norton Auto-Protect = C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
NAV DefAlert = C:\PROGRA~1\NORTON~1\DEFALERT.EXE
Norton eMail Protect = C:\Program Files\Norton AntiVirus\POPROXY.EXE
Tweak UI = RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\SYSTEM\\NVCpl.dll,NvStartup
a-winpoet-service = "C:\Program Files\Verizon Online\WinPoET\winpppoverethernet.exe"
ICSMGR = ICSMGR.EXE
EM_EXEC = C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE
devldr16.exe = C:\WINDOWS\SYSTEM\devldr16.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
GoBack Polling Service = C:\Program Files\Adaptec\GoBack\GBPoll.exe
SAgent2ExePath = C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
ScriptBlocking = "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
TrueVector = C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
SchedulingAgent = mstask.exe
DkService = C:\Program Files\Executive Software\DiskeeperWorkstation\DkService.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
Microsoft Works Update Detection = C:\Program Files\Microsoft Works\WkDetect.exe

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 25/1/2003, 23:44:20)

[rename]
nul=C:\WINDOWS\TEMP\~f51e43.tmp
nul=C:\WINDOWS\TEMP\~f51e43.tmp

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND;E:\ULTRAE~1
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\WINSTART.BAT listing:

C:\WINDOWS\tmpcpyis.bat

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRA~1\SURFSA~1\SURFSA~1.DLL (file missing) - {CBB0A6A0-8430-11D4-814D-0050047090B1}
(no name) - c:\windows\downloaded program files\googletoolbar_en_1.1.66-deleon.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}
(no name) - E:\ACROBAT\ACROBAT\ACTIVEX\ACROIEHELPER.OCX - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

--------------------------------------------------

Enumerating Task Scheduler jobs:

Tune-up Application Start.job
PCHealth Scheduler for Data Collection.job
Symantec NetDetect.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job
weekly virus scan.job
daily live update check.job

--------------------------------------------------

Enumerating Download Program Files:

[{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://canderp1.nocreditcard.net/download/newdial-erp/975/dialer.exe

[MSNBC News Menu Control 3.01]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NEWSM301.OCX
CODEBASE = http://www.msnbc.com/download/nr1228.cab

[IPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

[CfgAOL Class 2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NSCFGAOL.DLL
CODEBASE = https://www.netsetter.com/r/ns/config/nscfgaol.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

[{41F17733-B041-4099-A042-B518BB6A408C}]
CODEBASE = http://a224.g.akamai.net/7/224/52/2...apple.com/qt502/us/win/QuickTimeInstaller.exe

[MailConfigure Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\MAILCFG.DLL
CODEBASE = http://supportservices.msn.com/us/oeconfig/MailCfg.cab

[Symantec RuFSI Registry Information Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\RUFSI.DLL
CODEBASE = http://security1.norton.com/us/sa/common/common/bin/cabsa.cab

[CV3 Class]
InProcServer32 = C:\WINDOWS\SYSTEM\WUV3IS.DLL
CODEBASE = http://windowsupdate.microsoft.com/R1024/V31Controls/x86/mil/en/actsetup.cab

[Symantec AntiVirus scanner]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\AVSNIFF.DLL
CODEBASE = http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab

[Download.Complete]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DOWNLOAD.OCX
CODEBASE = http://www.measureup.com/test/controls/SelectPlace.CAB

[AV Class]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\PAV.DLL
CODEBASE = http://pcpitstop.com/antivirus/PCPAV.CAB

[QuickTime Object]
InProcServer32 = C:\WINDOWS\SYSTEM\QTPLUGIN.OCX
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[Update Class]
InProcServer32 = C:\WINDOWS\SYSTEM\IUCTL.DLL
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37594.828125

--------------------------------------------------

Enumerating Winsock LSP files:

Protocol #1: csloa2.dll (file MISSING)

--------------------------------------------------
End of report, 8,307 bytes
Report generated in 0.607 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Rollin' Rog]

Welcome to TSG, freecho. I don't see any obvious explanation for the shutdown problem there and that will probably have to be investigated using "clean-boot" methods.

There are some minor issues you can resolve with the program HijackThis available here:

http://www.lurkhere.com/~nicefiles/

Under Browser Helper Objects, you have this "orphaned" entry, which is probably not very legit one way or another:

(no name) - C:\PROGRA~1\SURFSA~1\SURFSA~1.DLL (file missing) - {CBB0A6A0-8430-11D4-814D-0050047090B1}

Under Download Program Files you have several entries which should be removed:

1 -- [{11111111-1111-1111-1111-111111111111}]
CODEBASE = http://canderp1.nocreditcard.net/do.../975/dialer.exe

2 -- [IPIX ActiveX Control]
InProcServer32 = C:\WINDOWS\OCCACHE\IPIXX.OCX
CODEBASE = http://www.ipix.com/viewers/ipixx.cab

3 -- [CfgAOL Class 2]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\NSCFGAOL.DLL
CODEBASE = https://www.netsetter.com/r/ns/config/nscfgaol.cab

4 -- [GigexCtrl ActiveX]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\GIGEXAGENT.DLL
CODEBASE = http://www.gigex.com/tv/igor/gigexagent.dll

5 -- [Download.Complete]
InProcServer32 = C:\WINDOWS\DOWNLOADED PROGRAM FILES\DOWNLOAD.OCX
CODEBASE = http://www.measureup.com/test/controls/SelectPlace.CAB

>> These can all be removed with HijackThis. The ones I am listing are either spy and dialer related, not necessary or mysterious with no data concerning them. Do not fear removing any of them. Legitimate sites will prompt you to accept a download of their ActiveX objects when required. You should ONLY accept these prompts from trusted sites.

Note on number 4: If you are satisfied with Gigex's Privacy Statement, then of course it's up to you whether it provides a worthwhile service:

http://www.gigex.com/company/com_privacy.asp

======================

To troubleshoot the shutdown problem, I would suggest running msconfig and under the startup tab, remove checks for all but ScanRegistry, systray, and *.statemgr and see if the problem persists. If it does then the problem is not likely related to startups. If you can shutdown normally, begin re-checking groups of files, such as those for your antivirus and firewall and see if the problem returns; proceed until you find the culprit.

This one should really be left permanently unchecked as it is only an update checker for logitech and you don't need any unnecessary clutter...

LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

Also here is a good link that is useful in evaluating what you see in a startup list:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

 

[freecho]

thanks rollin. that dialer.exe looked suspicious to me. the others look greek to me. i just dl hijakthis and i'll see if i can figure out how to use it.

 

[freecho]

wow. what a great program and it's super fast. i got rid of the stuff in question. i'm gonna reboot and see if they're still around. now i looked at some of the programs that hijackthis listed and some of the programs i've been trying to find ways of stopping it from loading (like unchecking it in msconfig). In particular, "devldr16" and "check for microsoft works update". Can i just check it and click the fix checked ?? Can it be that simple??

I read somewhere in this site on how to get rid of "devldr16" but it didn't work for me. I was reading that devldr16 is only needed for dos sounds and that it is very unstable and worthwhile to get rid of.

 

[Rollin' Rog]

devldr is damn near impossible to get rid of and will just come back if deleted or unchecked. Some people report renaming the file helps, but still leaves the startup entry, though no error is reported. I would just leave it alone, personally.

I would not remove anything through HijackThis that you are not sure you want to permenantly remove. If unchecking them in msconfig only results in their coming back, then that will happen if they are deleted too.

If you figure a way to get rid of Works update detection, let me know; I've done everything but rename the files in XP and it keeps coming back. I think others have better luck in other OS systems just disabling it through Works itself: customize > uncheck "notify". Doesn't work for me though.

 

[freecho]

thanks. I'll leave it be. I knew it wouldn't be that easy.

 

[Rollin' Rog]

Was the original problem resolved? I know if it is a very intermittant type of problem it is not easy to isolate except by disabling startup programs for an extended period of testing.

You can also try doing a ctrl-alt-del before shutting down and systematicaly "end-task" the processes. Then shutdown when only Explorer and systray are left. This might allow you to pin-point the offender.

 

[freecho]

maybe over the weekend i'll try the unchecking all except a few on the msconfig. as for ctrlaltdel then end task all except systray and explorer, it never shutdown fully. it's like the system is expecting to shut something down. But it's not running so it just hang. I end task everything when i do my weekly scandisk, defrag and virus check and whenever i do it, i can never fully shutdown.

 

[Rollin' Rog]

Ok, but as you end task things, you may get a "program not responding" for one of them. If you do, then what you end tasked is "the program"

 

[freecho]

i still get a dialog box sometimes when i shut down telling me that a program is not responding and if i want to end task, wait or shutdown with no indication to what program it is. Normally the name of the program is on the title bar but it's simply blank. I'm afraid it's some kind of virus running that is able to elude detection.
This may sound very naive but wouldn't any popular viral checker with updated definitions detect any malicious codes? i know that new viruses comes out daily but i figure if i keep updating the definitions a virus will eventually be detected.
Also, is there a way of checking if my virus checker is actually able to detect a virus?

 

[brendandonhu]

Yup there is a dummy-virus file you can download from http://eicar.org

 

[Rollin' Rog]

If you are not actively using Internet Connection Sharing, I would suggest you disable that at least temporarily for testing. You show it in your startups as:

ICSMGR = ICSMGR.EXE

Also, while I doubt it's a virus, we've seen a few cases where NAV does miss things. You can do an online scan here to double check:

http://housecall.antivirus.com/

 

[freecho]

I just got rid of ics program and all is fine.

I tried changing the name of devldr16 and see what happens. My headphones stop working which I rather have so thank god I didn't delete it.

I also checked out eicar.com--> pretty neat. Norton works fine. My friend said he gets copies of the real viruses to check to see if his AV program actually runs. He doesn't actually runs them, he just does a scan and see if they find it. Is this good practice?

I think I'll skip on stopping all programs from starting except a few only because the problem occurs only occasionally and would hate to run the cpr for long periods w/o certain programs. Maybe in the future I'll try it.

As for end tasking and see which programs hang, there are a few of them.
-zonealarm hangs
-devldr16 almost all the times hangs
-navapw32(norton) hangs
-poproxy (also norton's I think)
-bcmdmmsg (my modem)
-Winpppoverethernet

I'm not really worried about the hanging problem, I'm more worried about the end task box that do not give me any clue as to what program it is referring to. My friend tells me it's time to reformat and to get rid of winME.
Sorry for running off like this but I'm trying to respond to all the comments

 

[Rollin' Rog]

I would leave this one unchecked as it is simply a vendor piece of "spyware" that has no useful functionality:

LDM = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

And you can experiment with leaving -bcmdmmsg unchecked. I have this as well in XP and can't see any difference with it checked or unchecked. It's probably for some messaging function that I have no use for.

This is much the same as backweb, just checks for updates:

Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe

Webshots and Acrobat Assistant you may not find important to keep in startup as well.

You can review what these are and any others using this link:

http://www.lafn.org/webconnect/mentor/startup/PENINDEX.HTM

 

[freecho]

when you say to leave unchecked do you mean to uncheck it using msconfig.exe or something else like hijackthis?
I used msconfig.exe to disable bcmmsg.. and it still pops up in my task manager. Sometimes when i disable using msconfig it simply adds another entry in the msconfig on top of the unchecked version, however the bcmmsg program is currently unchecked but still remains in my task manager.