strange problem with adware

Discussion in 'Malware Help (A Specialist Will Reply)' started by RicardoB, Apr 17, 2005.

  1. RicardoB

    RicardoB Private E-2

    I have a difficult problem with adware.popup that was detected under a routine system scan by Norton Antivirus.

    I am running XP Professional SP2

    there is a folder named SBSI on c:\Windows\Help\

    It contains a file named cabcom.dll, which is the one identified by Norton.

the problem is, the file cannot be removed; the reason is, it's included in the Notify key of Winlogon, HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify.

I have no idea how the .dll is called, but using Process Explorer from Sysinternals I found that the .dll is listed under winlogon.

I checked all the usual registry entries (Run, RunOnce), win.ini, system.ini and the Startup folder: nothing.

I tried manually deleting the registry entries, both Winlogon\Notify and where the .dll is registered in system.root; it doesn't work because the application rewrites the registry keys: if I change a value or rename the key, it fixes it.

I can't unload the application; I tried killing the handle with Process Explorer but it doesn't work.

    I tried booting up in safe mode, even with only the command prompt, and it's the same.

I looked at Symantec's removal instructions, but they only say to scan the system and, when prompted, delete all the identified files, which is what failed in the first place.

Spybot, Ad-Aware and another spyware tool I used don't even detect it.

It's not mentioned by McAfee or Panda, nor is it in the Microsoft Knowledge Base.

I don't think the .dll is doing much: first because it would be blocked by the firewall, second because SP2 blocks all pop-ups. I haven't noticed any unusual activity, nor browser hijacking or anything like that. I have monitored the TCP activity and the .dll is not trying to contact anything over the internet.

The question is, how do I get rid of it? I've searched on Google and only found one more site that offers a removal tool; since I don't know the tool I didn't want to install it (I am paranoid).

The strangest thing is that Symantec says the only way to install this thing is through another application that requires it. I haven't installed any free application/tool/program whatever in a very long time (and this adware has only been on my system for a few days); I have only installed licensed software, mostly very technical stuff (such as VMware) or Visual Studio Tools for Office, so I have no clue how this went into my system.

Any help will be very much appreciated.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We must start by running standard cleaning procedures given below.

    - Run ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    After doing ALL of the above you still have a problem:

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following:your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  3. RicardoB

    RicardoB Private E-2

    Hi,

I ran several scanners in safe mode, along with Norton; they only detected several tracking cookies, except for Norton, which detected adware.adpopu (cabcom.dll) but couldn't delete it.

This is the HijackThis log.

    Edit by chaslang: Inline log attached

    :)
     

    Attached Files:

    Last edited by a moderator: Apr 17, 2005
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

I requested that you run ALL the steps in the READ ME FIRST, not some of them. Which parts did you skip? It looks like one item you skipped was the Trend Micro online scanner.

Also, HJT logs must not be posted inline. My previous message indicated that the log must be attached. I attached it for you this time. Please remember to attach them from now on.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Did you set up the below Proxy Overrides?
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com;;localhost

    Click Start, and then click Run. (The Run dialog box appears.)
    Type, or copy and paste, the following text:
    regsvr32 /u C:\WINDOWS\Help\SBSI\cabcom.dll
    then click OK. If a dialog box confirming this action appears, click OK. If you get an error message just OK it and continue.

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\Help\SBSI\cabcom.dll
    O20 - Winlogon Notify: cabcom - C:\WINDOWS\Help\SBSI\cabcom.dll

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Help\SBSI <--- the whole folder

If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again.

    Now run Ccleaner (installed while running the READ ME FIRST).
    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
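The two HijackThis lines above are an O20 Winlogon Notify entry and an O2 BHO entry pointing at the same DLL. The following is an added example, not something from the thread or from HijackThis: a PowerShell script that enumerates both persistence points on the current machine, resolves each DLL, and reports whether it exists on disk, its Authenticode status and which running processes have it loaded, plus the R1 ProxyOverride value. The registry paths are the documented ones; the function names are mine. It needs an elevated prompt, otherwise winlogon.exe's module list is not readable.

```powershell
# Added example (not part of the original thread): enumerate O20 Winlogon Notify and
# O2 BHO persistence, resolve each DLL and check disk presence, signature and which
# processes have it loaded; then print the R1 ProxyOverride value.
# Run from an elevated PowerShell. Winlogon Notify packages were removed in Windows
# Vista, so on a current OS the Notify key is normally absent; anything present under
# it today deserves a close look.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$bhoKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$proxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Resolve-DllPath([string]$Path) {
    # Values may contain %SystemRoot% etc.; a bare file name is resolved from System32.
    $p = [Environment]::ExpandEnvironmentVariables($Path).Trim('"')
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    return $p
}

function Get-ProcessesLoading([string]$Path) {
    # Reading the module list of protected or higher-integrity processes throws; skip those.
    foreach ($proc in Get-Process) {
        try {
            if ($proc.Modules.FileName -contains $Path) { $proc.ProcessName }
        } catch { }
    }
}

$entries = @()

# O20: each subkey of Notify names a DLL in DLLName. winlogon.exe loads it at boot,
# in Safe Mode too, which is why such a file reports "in use" when you try to delete it.
if (Test-Path $notifyKey) {
    foreach ($sub in Get-ChildItem $notifyKey) {
        $dll = (Get-ItemProperty $sub.PSPath).DLLName
        if ($dll) {
            $entries += [pscustomobject]@{ Type = 'O20 Winlogon Notify'; Name = $sub.PSChildName; Raw = $dll }
        }
    }
}

# O2: each BHO subkey is a CLSID; the DLL is the default value of its InprocServer32 key.
if (Test-Path $bhoKey) {
    foreach ($sub in Get-ChildItem $bhoKey) {
        $clsid = $sub.PSChildName
        $srv   = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32"
        $dll   = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
        $entries += [pscustomobject]@{ Type = 'O2 BHO'; Name = $clsid; Raw = $dll }
    }
}

$report = foreach ($e in $entries) {
    if ($e.Raw) {
        $path   = Resolve-DllPath $e.Raw
        $exists = Test-Path -LiteralPath $path -PathType Leaf
    } else {
        $path   = '<no InprocServer32>'
        $exists = $false
    }
    $sig    = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $path).Status } else { 'n/a' }
    $loaded = if ($exists) { (Get-ProcessesLoading $path) -join ',' } else { '' }
    [pscustomobject]@{
        Type = $e.Type; Name = $e.Name; Path = $path
        OnDisk = $exists; Signature = $sig; LoadedIn = $loaded
    }
}

$report | Format-Table -AutoSize

# R1: ProxyOverride is a proxy bypass list. Hosts the user never configured (the
# inetcam.com names in the thread) are worth investigating before the value is cleared.
$override = (Get-ItemProperty $proxyKey -ErrorAction SilentlyContinue).ProxyOverride
"ProxyOverride = $override"
```

Two caveats for anyone following the post's steps. `regsvr32 /u` calls the DLL's own `DllUnregisterServer`, so it executes code from the suspect file; it removes the COM/BHO registration (the O2 line) but does nothing to the Winlogon Notify key (the O20 line). And because winlogon.exe loads Notify DLLs in Safe Mode as well, the file stays "in use" until that key is gone and the machine has rebooted, or the file is deleted with the OS offline.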
     
  6. RicardoB

    RicardoB Private E-2

No, I didn't set up any proxy overrides.
     
  7. RicardoB

    RicardoB Private E-2

I followed the process, but when I booted in safe mode and tried to delete cabcom.dll it told me the file was being used by another application; I checked whether it was read-only and it was not.

This is the HijackThis log; as you can see, the entries are still there. The reason is that cabcom.dll seems to restore the registry keys if they are deleted or changed in any way (it even has defined functions to do this).

I contacted the publisher and they sent me an application, I suppose to uninstall it. I couldn't look into this because Outlook blocked the attachment, so I asked them to send me a .zip file. In any case, I was planning on running it on a virtual machine first to see what it does.

The other option I was thinking of was to set up a software restriction policy to not allow cabcom.dll to run. The problem is that it's launched by winlogon.exe, which runs every time you log on, even in safe mode, and because the application rebuilds the registry key you can't get rid of it. I am hoping a software restriction policy would prevent it from running and then I could safely remove the file and the registry keys; what do you think?

Here is the new HijackThis log (attached this time).

By the way, thank you very much for your help.
     

    Attached Files:
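The software restriction policy the post proposes, written out as an added example rather than anything from the thread: it creates an SRP path rule at the Disallowed level for the DLL and turns on DLL checking by writing the local-policy registry layout that the Software Restriction Policies snap-in in gpedit.msc maintains. The target path and the level values are from the thread and the documented Safer constants; the rule GUID, the description text and the function name are mine, and the example assumes no domain Group Policy overwrites these local values. Whether winlogon.exe's load of a Notify DLL is actually subject to the SRP check is not something the thread establishes, so verify after a reboot (for instance by checking which processes have the DLL loaded) rather than assuming it worked.

```powershell
# Added example (not part of the original thread): block a specific DLL with a local
# Software Restriction Policy path rule. Run from an elevated PowerShell; the policy
# takes effect on the next logon/boot. To undo, remove the rule key created below.

$target       = 'C:\WINDOWS\Help\SBSI\cabcom.dll'   # path taken from the thread
$saferRoot    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$disallowed   = 0        # SAFER_LEVELID_DISALLOWED
$unrestricted = 0x40000  # SAFER_LEVELID_FULLYTRUSTED

function New-SaferPathRule {
    param([string]$Path, [int]$Level, [string]$Description)
    # Rules live under <level>\Paths\{GUID}; the GUID is generated here, not a fixed value.
    $ruleId  = '{' + [guid]::NewGuid().ToString().ToUpper() + '}'
    $ruleKey = Join-Path $saferRoot "$Level\Paths\$ruleId"
    New-Item -Path $ruleKey -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name ItemData     -PropertyType ExpandString -Value $Path -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name SaferFlags   -PropertyType DWord        -Value 0     -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name Description  -PropertyType String       -Value $Description -Force | Out-Null
    New-ItemProperty -Path $ruleKey -Name LastModified -PropertyType QWord        -Value (Get-Date).ToFileTime() -Force | Out-Null
    return $ruleKey
}

# Global settings: keep everything else Unrestricted so nothing unrelated breaks,
# apply the policy to all users including administrators, and evaluate DLL loads
# (TransparentEnabled = 1 checks executables only; 2 checks libraries as well).
New-Item -Path $saferRoot -Force | Out-Null
New-ItemProperty -Path $saferRoot -Name DefaultLevel       -PropertyType DWord -Value $unrestricted -Force | Out-Null
New-ItemProperty -Path $saferRoot -Name PolicyScope        -PropertyType DWord -Value 0             -Force | Out-Null
New-ItemProperty -Path $saferRoot -Name TransparentEnabled -PropertyType DWord -Value 2             -Force | Out-Null

$rule = New-SaferPathRule -Path $target -Level $disallowed -Description 'Block suspect Winlogon Notify DLL'
"Created rule: $rule"

# Read the rule back: ItemData must be the exact path and the key must sit under level 0.
Get-ItemProperty -Path $rule | Select-Object ItemData, SaferFlags, Description
```

If the rule does not stop the load, the remaining option is the one the thread ends on: remove the file while the OS is not running (Recovery Console or any offline boot medium) so that winlogon.exe cannot hold it open, then clear the now-dangling registry entries.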

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

Did you forget to exit C:\Program Files\Internet Explorer\iexplore.exe before running HJT, or is it running on its own?

If you did not set the ProxyOverrides, do you recognize the two URLs?
dynhost.inetcam.com
register.inetcam.com
     
  9. RicardoB

    RicardoB Private E-2

    Hi Chaslang,

I made sure I closed all Internet Explorer and Windows Explorer windows, as well as the email client.

Regarding that URL, dynhost.inetcam.com: no, I do not recall it. I checked the website and it seems to be a streaming video site, but I have never visited it before.
     
  10. RicardoB

    RicardoB Private E-2

    Hi Chaslang,

    I am happy to say that I found a way to remove this thing (crossing fingers).

I used Microsoft's Recovery Console. Basically I booted from the Windows XP CD, and when it loaded I typed R; then it asked for the Administrator's password, but the console doesn't really log on, it only needs the password to access the hard drive (and it won't give you access to all of it).

With the command prompt I just navigated to the folder and deleted the guilty files.

Then I rebooted and ran HijackThis; the log showed the old registry entries but indicated that the file was missing (which I loved), so I had HijackThis fix them. Then I ran the scan again and the keys were gone (before, they would come back). To make sure, I quit HijackThis and started it again, same result; then I manually opened the registry and took a look, and they were gone.

This is apparently a not so well known tool; being a programmer I am not too much into admin tools, so I had to search a bit for it, but it paid off.

It could be a way to remove nasty stuff when everything else fails, although it's probably not for the average user.

Thanks for all your help. (By the way, I removed the proxy override as well; I didn't set it up, so it shouldn't be there.)
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Happy to hear you got it worked out!

The Recovery Console is a very well known tool that we do use to resolve some problems. It will not always work either. The problem we have in many cases is that users do not always have a bootable XP CD. That is, they may only have the disks their PC manufacturer gave them, and those are only restore-to-original-condition type disks.
     
