Many messy misc. queries: Long post - sorry!

Discussion in 'other security issues & news' started by SG1, Aug 25, 2005.

Thread Status:
Not open for further replies.
  1. SG1 (Registered Member; joined Jan 16, 2003; 430 posts)
    HijackThis! report states

    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll
    O10 - Unknown file in Winsock LSP: c:\windows.000\system\drwebsp.dll

    and I'm assuming for now that this accounts for a sudden
    inability to update DRWEB AV in the normal fashion.

    HJT did find the problem - bless its heart but doesn't
    fix it and indicates that Spybot can remedy things; well
    if so, how exactly? S&D shows me winsocks and most are
    checked off in green, but not the four mentions of the
    above .dll file. So, I'm thinking, this is not good.
    If S&D can solve this, perhaps, what do I want to do,
    or how do I tackle this mess?

    ===================
    From what I've read I gather that I have to cross my
    fingers & try the lspfix app, to restore things - and
    I've also read that the "fix" can sometimes cause real
    grief. But of course, a possible "unknown" file inside
    the above listed .dll can cause far more grief, I should
    imagine.

    If you're reading this post, I can (obviously) access
    the net but among other things, it seems that just
    recently Naviscope (an older ad/javascript blocker) and
    MSIE 5.0 browser are constantly at odds over use of the
    proxy & specifically the port setting/s: hence, it's
    been tough just recently to update the DRWEB AV. And
    one of the guys at DRWEB told me, after seeing the av's
    log file, that indeed there's some mess up re the proxy
    setting.

    Well, that's not happened til recently, and I'm guessing
    that the trouble's mentioned in the HJT report (above).

    But what I'm really wondering about is... huh?! There's
    a reason I'm using 904,000 security apps while surfing &
    finding even more to use (recently), and yet, I get this
    mess. Um... we don't go to risky sites, nor do we just
    willy nilly "click on get mail" until after MWPro has
    deleted 97 per cent of mail, and even then the AV's
    checking the rest on the way in to our mailboxes. (And
    yes I do update the AV by getting the daily zip files &
    extracting them to the AV's DIR), to cover my bases for
    now.

    ===================
    Elsewhere, in other news, on the Western front:

    AdAware Plus SE told me that WhenU.DesktopToolbar also
    came to visit, but it dealt with that matter - and
    sometime ago Spybot dealt with (BackWebLite) from our
    new Logitech mouse/software, & a few other little
    nasties that had over time also boarded our PC.

    ===================

    *** What I have learned, and continue to learn about
    'net security is largely due to this site and you
    folks here, and it is the reason that I always come
    back, daily, and at times like this when I need to pick
    your brains for remedies. So, thanks, Paul and to all
    you great folks here that are so willing to help. ***

    ===================
    (Maladies continuing again, here).
    ===================
    And I think it was AdAware Plus SE that glommed me onto
    the presence of a clever little restart.exe, which may
    have been part of VOPTXP's app, I'm fairly sure, but I
    also find a same named file all over in the mouse app.

    AA Plus SE seemed to show that something was in VoptXP
    defragger & so (for good or ill) I stuck restart.exe
    in a DIR & changed attributes of it - and shortly after
    that, WinPatrol stopped popping up the dialog boxes on
    how "mystery files" (always two in a row) wanted to do
    the AutoStart thing. Well, said files, in one case, had
    bizarre symbols for a name with no info about it given,
    and the other was merely gray box with no name and also
    no info about it. Well, I clicked NOPE every time that
    WinPatrol showed me info on the apps wanting to start.
    While not the smartest guy in the room, I know, I have
    to assume that an app wanting to start in legit manner
    won't try to hide info from the user.

    ===================
    Now, moving on, folks:

    As for a printer related file,
    C:\WINDOWS.000\SYSTEM\LEXBCES.EXE

    (and please don't ask about dufus WINDOWS.000 DIR
    as that's another long, sorry, story)...

    the registry shows, for printer stuff, a mention on

    "Allow AutoDial during Startup"=dword:00000000
    "Always Allow AutoDialer"=dword:00000000

    and here my query is this: with all 0s, and this PC
    lingo that I don't speak - does all 0s mean this
    autodial stuff is in an on or off state? Off, I hope,
    as I do sometimes see a Lexmark printer file running, &
    I always kill it, when I see it. (The printer's out of
    ink right now, anyway, so I figure that file needn't run
    at the moment).

    ===================
    I'm placing the Reg. item below, re DRWEB AV. I wonder
    about the four million Fs at end of this notation.
    (Further up in this post, I mentioned the trouble with
    updating our AV in regular fashion, and to my untrained
    eye all the Fs looked odd. (?) Does that mean something
    or not, in this case, perhaps?

    REGEDIT4

    [HKEY_LOCAL_MACHINE\Software\WinSock2]

    [HKEY_LOCAL_MACHINE\Software\WinSock2\Drwhook Provider]
    @=dword:0293807e

    [HKEY_LOCAL_MACHINE\Software\WinSock2\Drwhook Provider\ffffffff-ffff-ffff-ffff-ffffffffffff]

    ===================

    General PC house cleaning:

    After recent PC repairs and upgrades, etc., it seems
    that the PC starts up even slower than I recall; am
    staring at WIN98se startup screen, for a long while.
    I've removed "12,000 things" from Programs menu, & have
    been deleting as much as possible or moving it to D:
    drive, and have (in a recent download frenzy), held back
    from installing all those apps that I've gotten.

    Am doing trial of VoptXp defragger, which is nice; but I
    wonder, what else can one do, to make bootup time fleet
    of foot once again, as it was once upon a time?

    Last day or so, I've changed things so that only Win
    Patrol and Sentinel are start ups, and even then the
    latter program shuts off, after file integrity checks.
    So, I then load security apps, only if going on the net
    but have limited that lately, as I worry about "the file
    within a file" that HijackThis! reports about, and am
    afraid of what said file may be doing while I'm on the
    internet).

    Have gotten and will use SockLock app AFTER I get rid
    of the mystery thing, messing with Winsock; and have
    been trying FireFox browser too, to see if that's less
    a target for the idle script kiddies, than is MSIE. I
    wonder if I made horrendous gaffe recently, trying the
    Medium safety browser setting in IE, to see more of a
    few sites - but I most always have very high safety
    settings in IE 5.0 and gazillion security apps on, and
    AdWatch's log file shows it has foiled at least 8
    browser hijacks - so I hope I generally do things right,
    most of the time - and perhaps "most of the time" is
    apparently not good enough(o_O!)

    ===================

    So... that's it for this week, viewers, and for those
    of you still awake after reading this who may offer any
    advice on mess #394 that it seems I've collected
    recently, I would again, as always, appreciate your help
    & advice.

    Many thanks, for advice/info
    Best, SG1 (Pat)

    *** Late note added: seems WinPatrol tells me, while
    getting ready to go on net to post this, that at least
    one of those "mystery no name apps" wants to autostart
    again. <sigh> Something like 1(copyright symbol)A, the
    program appears to be named. (?!?!) *** And then the
    one with no name - info, wants to start, too...
     
  2. ravin (Registered Member; joined May 2, 2003; 241 posts; location: South Carolina)
    sg1,

    can walk you through a rebuild...but need to know a few things.

    1. is there anything on the existing drive you want to keep?
    2. if there is, do you have a way to transfer it to another media source?
    3. do you have a win98se cd?
    4. do you have the misc. program cd's like word etc?
    5. do you have access to another computer to check this thread?
     
  3. SG1 (Registered Member; joined Jan 16, 2003; 430 posts)
    Ravin;

    1) Would like to keep about everything from C:, of course.
    2) Could back up all again to D:, and/or maybe to CD.
    3) Yes, have WIN98SE CD, boot disk, WinRescue98 backups.
    4) Have (on) drives/disks/CDs, source for most everything, I think/hope.
    5) Still have ol' standby (Compaq 586, w/24MB Ram! ;-) re net access;
    have minor fear that it too got "stolen" as it only had ZA Firewall and
    Naviscope on it (to block ads, Javascript). Not sure if it was taken over
    last time I used it.

    But from sound of your note, before you propose walk down Radical Road (as
    it were), bear in mind PC Repair guy >could not< get this PC to take reinstall
    over my current WIN98SE. Wonder if security apps, by virtue of being on the
    PC, somehow fended off reinstall - that possible? Seems to also be a not
    repaired correctly ailment with single/double fifo issue as I lose D: on every
    other reboot and so, E: becomes D: til next reboot. Go figure...

    And the popup box that WinPatrol shows me (always two, one after the
    other) seems to have undergone a name change since yesterday afternoon
    but the mystery file that wants to restart - one of them - still has a name
    with just odd symbols. What to do, what to do?

    Thanks for any help that you may offer, Ravin.
    Best, SG1 (Pat)
     
  4. ravin (Registered Member; joined May 2, 2003; 241 posts; location: South Carolina)
    1) Would like to keep about everything from C:, of course.

    unfortunately therein lies the problem...personally I don't keep anything on a home computer that couldn't be thrown away. as erikalbert had mentioned in another thread you had posted, re-installs over existing 98se rarely turn out well and you end up with problems.

    another option for you would be to go back to the computer guy and have him put in new hard drive (fairly cheap these days) as master and slave your old and that way you can connect it and disconnect it for retrieval purposes of items you wanted.

    good luck. sorry couldn't be of more help.
     
    Last edited: Aug 26, 2005
  5. SG1 (Registered Member; joined Jan 16, 2003; 430 posts)
    Ravin;

    Good of you to reply, again. As my last note said, PC Guy >could not< get reinstall-"refresh" of OS over existing DIR for unknown reason/s and hence, I got dufus WIN000 DIR. Problematic, perhaps, tho' all works by and large after time messing around w/it. Call me diehard, or perverse, maybe. ;-)

    Anyway, I wonder if hardware type firewall'd work on this dial up PC? I ask as I for some reason always think of cable or dsl modems as using hardware f'walls.

    The other thing, if anyone can comment: re WinPatrol's popup alerts on the unknown apps that want to autostart... don't know if I'm dufus for blocking anything important but here's partial sample of WP's log. Again, as I said earlier, I am quite leery about allowing startup that will not correctly ID itself.
    Sloppy programming, or... worse?!

    08/26/2005 10:42 AM RESET_SHELL WINLOGON_Shell Winlogon Shell
    08/26/2005 10:44 AM START_Alert WINLOGON_Userinit û©Å
    08/26/2005 10:44 AM RESET_USERINIT WINLOGON_Userinit Winlogon Userinit
    08/26/2005 10:44 AM START_Alert WINLOGON_Shell
    08/26/2005 10:44 AM RESET_SHELL WINLOGON_Shell Winlogon Shell
    08/26/2005 10:46 AM START_Alert WINLOGON_Userinit û©Å
    08/26/2005 10:46 AM RESET_USERINIT WINLOGON_Userinit Winlogon Userinit
    08/26/2005 10:46 AM START_Alert WINLOGON_Shell
    08/26/2005 10:46 AM RESET_SHELL WINLOGON_Shell Winlogon Shell
    08/26/2005 10:48 AM START_Alert WINLOGON_Userinit û©Å
    08/26/2005 10:48 AM RESET_USERINIT WINLOGON_Userinit Winlogon Userinit
    08/26/2005 10:48 AM START_Alert WINLOGON_Shell
    08/26/2005 10:48 AM RESET_SHELL WINLOGON_Shell Winlogon Shell

    Thanks, again, all.
    Best, SG1 (Pat)
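The log excerpt above shows the pattern a defender would want to pick out automatically: START_Alert events on the Winlogon Shell/Userinit values whose program name is blank or unreadable, followed by WinPatrol resetting the value. The Python below is an added example (not WinPatrol's code or anything from the thread) that parses constructed log lines in the same field layout as the posted excerpt and flags entries that fail to identify themselves.

```python
import re
from typing import List, NamedTuple, Optional

# Constructed sample shaped like the WinPatrol excerpt in the thread; it is
# not the poster's real log. The odd value on the Userinit lines mimics a
# startup entry whose name is not readable text.
SAMPLE_LOG = """\
08/26/2005 10:42 AM RESET_SHELL WINLOGON_Shell Winlogon Shell
08/26/2005 10:44 AM START_Alert WINLOGON_Userinit \u00fb\u00a9\u00c5
08/26/2005 10:44 AM RESET_USERINIT WINLOGON_Userinit Winlogon Userinit
08/26/2005 10:44 AM START_Alert WINLOGON_Shell
08/26/2005 10:44 AM RESET_SHELL WINLOGON_Shell Winlogon Shell
08/26/2005 10:46 AM START_Alert WINLOGON_Userinit \u00fb\u00a9\u00c5
08/26/2005 10:46 AM START_Alert RUN_KEY notepad.exe
"""

# Field layout assumed from the excerpt: date, time, event, location, value.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{1,2}:\d{2} [AP]M) "
    r"(?P<event>\S+) (?P<location>\S+)(?: (?P<value>.*))?$"
)

class Finding(NamedTuple):
    when: str
    location: str
    value: str
    reason: str

def suspicious_name(value: str) -> Optional[str]:
    """Why a startup entry's name looks like it is hiding its identity."""
    if not value.strip():
        return "empty name"
    if not value.isascii() or not value.isprintable():
        return "non-printable or non-ASCII name"
    return None

def scan_winpatrol_log(text: str) -> List[Finding]:
    """Flag START_Alert events on Winlogon Shell/Userinit without a readable name."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["event"] != "START_Alert":
            continue
        if not m["location"].startswith("WINLOGON_"):
            continue  # only the Winlogon values are in scope here
        value = m["value"] or ""
        reason = suspicious_name(value)
        if reason:
            findings.append(Finding(f'{m["date"]} {m["time"]}', m["location"], value, reason))
    return findings

def count_resets(text: str) -> int:
    """How many times the log records WinPatrol resetting a Winlogon value."""
    total = 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["event"].startswith("RESET_"):
            total += 1
    return total
```

Run over the sample, the three Winlogon alerts are flagged while the plain RUN_KEY entry is left alone, and a repeating alert/reset pair at short intervals is itself a sign that something keeps rewriting the value.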
     