SG1
August 25th, 2005, 04:18 PM
HijackThis! report states
O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
and I'm assuming for now that this accounts for a sudden
inability to update DRWEB AV in the normal fashion.
HJT did find the problem - bless its heart but doesn't
fix it and indicates that Spybot can remedy things; well
if so, how exactly? S&D shows me winsocks and most are
checked off in green, but not the four mentions of the
above .dll file. So, I'm thinking, this is not good.
If S&D can solve this, perhaps, what do I want to do,
or how do I tackle this mess?
===================
From what I've read I gather that I have to cross my
fingers & try the lspfix app, to restore things - and
I've also read that the "fix" can sometimes cause real
grief. But of course, a possible "unknown" file inside
the above listed .dll can cause far more grief, I should
imagine.
If you're reading this post, I can (obviously) access
the net but among other things, it seems that just
recently Naviscope (an older ad/javascript blocker) and
MSIE 5.0 browser are constantly at odds over use of the
proxy & specifically the port setting/s: hence, it's
been tough just recently to update the DRWEB AV. And
one of the guys at DRWEB told me, after seeing the av's
log file, that indeed there's some mess up re the proxy
setting.
Well, that's not happened til recently, and I'm guessing
that the trouble's mentioned in the HJT report (above).
But what I'm really wondering about is... huh?! There's
a reason I'm using 904,000 security apps while surfing &
finding even more to use (recently), and yet, I get this
mess. Um... we don't go to risky sites, nor do we just
willy nilly "click on get mail" until after MWPro has
deleted 97 per cent of mail, and even then the AV's
checking the rest on the way in to our mailboxes. (And
yes I do update the AV by getting the daily zip files &
extracting it to the AV's DIR), to cover my bases for
now.
===================
Elsewhere, in other news, on the Western front:
AdAware Plus SE told me that WhenU.DesktopToolbar also
came to visit, but it dealt with that matter - and
sometime ago Spybot dealt with (BackWebLite) from our
new Logitech mouse/software, & a few other little
nasties that had over time also boarded our PC.
===================
*** What I have learned, and continue to learn about
'net security is largely due to this site and you
folks here, and it is the reason that I always come
back, daily, and at times like this when I need to pick
your brains for remedies. So, thanks, Paul and to all
you great folks here that are so willing to help. ***
===================
(Maladies continuing again, here).
===================
And I think it was AdAware Plus SE that glommed me onto
the presence of a clever little restart.exe, which may
have been part of VOPTXP's app, I'm fairly sure, but I
also find a same named file all over in the mouse app.
AA Plus SE seemed to show that something was in VoptXP
defragger & so (for good or ill) I stuck restart.exe
in a DIR & changed attributes of it - and shortly after
that, WinPatrol stopped popping up the dialog boxes on
how "mystery files" (always two in a row) wanted to do
the AutoStart thing. Well, said files, in one case, had
bizarre symbols for a name with no info about it given,
and the other was merely gray box with no name and also
no info about it. Well, I clicked NOPE every time that
WinPatrol showed me info on the apps wanting to start.
While not the smartest guy in the room, I know, I have
to assume that an app wanting to start in legit manner
won't try to hide info from the user.
===================
Now, moving on, folks:
As for a printer related file,
C:\WINDOWS.000\SYSTEM\LEXBCES.EXE
(and please don't ask about dufus WINDOWS.000 DIR
as that's another long, sorry, story)...
the registry shows, for printer stuff, a mention on
"Allow AutoDial during Startup"=dword:00000000
"Always Allow AutoDialer"=dword:00000000
and here my query is this: with all 0s, and this PC
lingo that I don't speak - does all 0s mean this
autodial stuff is in an on or off state? Off, I hope,
as I do sometimes see a Lexmark printer file running, &
I always kill it, when I see it. (The printer's out of
ink right now, anyway, so I figure that file needn't run
at the moment).
===================
I'm placing the Reg. item below, re DRWEB AV. I wonder
about the four million Fs at end of this notation.
(Further up in this post, I mentioned the trouble with
updating our AV in regular fashion, and to my untrained
eye all the Fs looked odd.) (?) Does that mean something
or not, in this case, perhaps?
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\WinSock2]
[HKEY_LOCAL_MACHINE\Software\WinSock2\Drwhook Provider]
@=dword:0293807e
[HKEY_LOCAL_MACHINE\Software\WinSock2\Drwhook Provider\ffffffff-ffff-ffff-ffff-ffffffffffff]
===================
General PC house cleaning:
After recent PC repairs and upgrades, etc., it seems
that the PC starts up even slower than I recall; am
staring at WIN98se startup screen, for a long while.
I've removed "12,000 things" from Programs menu, & have
been deleting as much as possible or moving it to D:
drive, and have (in a recent download frenzy), held back
from installing all those apps that I've gotten.
Am doing trial of VoptXp defragger, which is nice; but I
wonder, what else can one do, to make bootup time fleet
of foot once again, as it was once upon a time?
Last day or so, I've changed things so that only Win
Patrol and Sentinel are start ups, and even then the
latter program shuts off, after file integrity checks.
So, I then load security apps, only if going on the net
but have limited that lately, as I worry about "the file
within a file" that HijackThis! reports about, and am
afraid of what said file may be doing while I'm on the
internet.
Have gotten and will use SockLock app AFTER I get rid
of the mystery thing, messing with Winsock; and have
been trying FireFox browser too, to see if that's less
a target for the idle script kiddies, than is MSIE. I
wonder if I made horrendous gaffe recently, trying the
Medium safety browser setting in IE, to see more of a
few sites - but I most always have very high safety
settings in IE 5.0 and gazillion security apps on, and
AdWatch's log file shows it has foiled at least 8
browser hijacks - so I hope I generally do things right,
most of the time - and perhaps "most of the time" is
apparently not good enough(???!)
===================
So... that's it for this week, viewers, and for those
of you still awake after reading this who may offer any
advice on mess #394 that it seems I've collected
recently, I would again, as always, appreciate your help
& advice.
Many thanks, for advice/info
Best, SG1 (Pat)
*** Late note added: seems WinPatrol tells me, while
getting ready to go on net to post this, that at least
one of those "mystery no name apps" wants to autostart
again. <sigh> Something like 1(copyright symbol)A, the
program appears to be named. (?!?!) *** And then the
one with no name - info, wants to start, too...