
some CWS that just won't go away :(


7 replies to this topic

#1 ByT3z

ByT3z

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 09 June 2004 - 01:26 PM

I can remove this browser hijack with HijackThis or CWS Shredder, but when I reboot (a few times) it just comes back

I'm assuming that there's another file on my PC that creates all these .dll files

in this case, it's lgcab.dll
it's been all sorts of dll files in the past that I've removed (cccg.dll, cijhh.dll, ...)


here's the log

Logfile of HijackThis v1.97.7
Scan saved at 20:18:04, on 9/06/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\devldr32.exe
D:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9862A1F8-3980-4364-9474-FB49487845BB} - C:\WINDOWS\System32\lgcab.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mswspl] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: Dexia netbanking - http://netbanking.de...t//DexiaIIA.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab

#2 ByT3z


Posted 09 June 2004 - 03:04 PM

bump

#3 ByT3z


Posted 10 June 2004 - 01:24 PM

bump again, plz help

#4 embon

embon

    Member

  • New Member
  • Pip
  • 1 posts

Posted 10 June 2004 - 01:48 PM

I have been experiencing the same problem, and I may have a temporary solution. Try opening regedit (Start > Run > regedit) or any other registry editor. Do a search for the name of that DLL file, and you should find it somewhere around HKEY_LOCAL_MACHINE. Right click it, select "Modify," and simply change the location to a DLL that doesn't exist.

If you do not delete the DLL, it shouldn't regenerate another one, and you shouldn't experience the problems by that simple registry edit. I'm not sure if it will work for you, but so far I haven't been getting any problems from it, although this is probably better left to the much more experienced helpers ;)

#5 ByT3z


Posted 11 June 2004 - 11:22 AM

hey, that is a good (temporary) solution!

too bad it'll keep popping up on every spyware scan I do :|

#6 ByT3z


Posted 12 June 2004 - 09:54 AM

bump, still need a permanent fix :(

#7 ByT3z


Posted 13 June 2004 - 04:31 AM

bumpy

#8 ByT3z


Posted 13 June 2004 - 06:29 AM

fixed it, just run the command "regsvr32 /u xxxx.dll" to unregister that damn dll that keeps CWS coming back

thx to mirry :p
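
Added example, not part of any post in this thread: a Python sketch that reads HijackThis lines like those in post #1 and links each res:// search-page redirect to the BHO registration that loads the same DLL, which is the registration post #8 removes with regsvr32 /u. The function name `correlate` and the result field names are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in post #1.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\System32\lgcab.dll/sp.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: (no name) - {9862A1F8-3980-4364-9474-FB49487845BB} - C:\WINDOWS\System32\lgcab.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [mswspl] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
"""

# R0/R1 entries: IE start/search values. Only res:// URLs served out of a local DLL matter here.
R_ENTRY = re.compile(r"^R[01] - (?P<key>.+?) = res://(?P<dll>.+?\.dll)/", re.I)
# O2 entries: Browser Helper Object name, CLSID, and the DLL that IE loads in-process.
BHO_ENTRY = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]{36}\}) - (?P<dll>.+\.dll)\s*$", re.I)

def correlate(log_text):
    """Return one finding per DLL used as a res:// redirect target,
    with the registry values pointing at it and any BHO CLSIDs that load it."""
    redirects = defaultdict(list)   # dll path (lowercased) -> registry values
    bhos = defaultdict(list)        # dll path (lowercased) -> BHO CLSIDs
    for line in log_text.splitlines():
        line = line.strip()
        m = R_ENTRY.match(line)
        if m:
            redirects[m["dll"].lower()].append(m["key"])
            continue
        m = BHO_ENTRY.match(line)
        if m:
            bhos[m["dll"].lower()].append(m["clsid"])
    return [
        {"dll": dll,
         "redirect_keys": keys,
         "bho_clsids": bhos.get(dll, []),
         # A DLL that is both redirect target and BHO is still registered with IE,
         # so clearing the R entries alone leaves the component loaded.
         "registered_as_bho": dll in bhos}
        for dll, keys in sorted(redirects.items())
    ]

if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f["dll"], len(f["redirect_keys"]), "redirects, BHO:", f["bho_clsids"])
```
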



