haggii (Just Arrived) - Joined: 15 Aug 2004, Posts: 1
Posted: Mon Aug 28, 2006 5:07 pm, Post subject: Sogou

I found references to this in my registry and regardless of what I do they keep coming back.
I have run HijackThis but no dodgy entries show.
Here are the registry entries that keep coming back:
HKEY_CLASSES_ROOT\clsid\{238d0f23-5dc9-45a6-9be2-666160c324dd}
HKEY_CLASSES_ROOT\clsid\{765035b3-5944-4a94-806b-20ee3415f26f}
HKEY_CLASSES_ROOT\clsid\{941a4793-a705-4312-8dfc-c11ca05f397e}
Apps run include (run both in normal and in safe mode):
HijackThis
PestPatrol (only PestPatrol finds the entries)
AdAware SE
Ewido
AVG
Spybot S&D
Blacklight
RootkitRevealer
StartUpList
I've manually searched for any of the various file names listed on the CA website but none are there.
So my question is twofold.
Where else can I look, or are there other tools I can employ to find where it's hiding?

Groovicus (Trusted SF Member) - Joined: 19 May 2004, Posts: 9, Location: Centerville, South Dakota
Posted: Mon Aug 28, 2006 5:27 pm

Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).
Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe
Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p

haggii (Just Arrived) - Joined: 15 Aug 2004, Posts: 1
Posted: Mon Aug 28, 2006 7:16 pm

Groovicus wrote:
1. Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).
2. Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe
3. Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p
1. Yes, already checked but nothing there.
2. No.
3. No.
Thanks for taking the time to look

Groovicus (Trusted SF Member) - Joined: 19 May 2004, Posts: 9, Location: Centerville, South Dakota
Posted: Mon Aug 28, 2006 7:42 pm

One of the problems with pulling information from the web is that it is usually behind.
When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.

haggii (Just Arrived) - Joined: 15 Aug 2004, Posts: 1
Posted: Mon Aug 28, 2006 8:55 pm

Groovicus wrote:
When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.

I have hidden files/folders, including protected system files, shown by default.
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001
"CaseSensitive"=dword:00000000
"SearchSlowFiles"=dword:00000000

Groovicus (Trusted SF Member) - Joined: 19 May 2004, Posts: 9, Location: Centerville, South Dakota
Posted: Mon Aug 28, 2006 9:21 pm

First, let me apologize if I appear to be asking simplistic questions. I just want to make sure that something obvious was not overlooked. So the next question is, when you looked for those files, did you use the search feature? And if you used the search feature, did you remember to check the box that instructs it to also search in hidden files and folders? (Many people miss this step.)
Is the toolbar appearing in your browser as described in the link you provided?
I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2
See if you have any of those.

haggii (Just Arrived) - Joined: 15 Aug 2004, Posts: 1
Posted: Tue Aug 29, 2006 5:29 pm

Groovicus wrote:
1. First, let me apologize if I appear to be asking simplistic questions.
2. did you remember to check the box that instructs to also search in hidden files and folders? (Many people miss this step).
3. Is the toolbar appearing in your browser as described in the link you provided?
4. I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2
1. Not at all, sometimes the simplest of things get overlooked.
2. Yes.
3. No.
4. That puzzled me as well, but no, none of the other files are present.
I'm not actually concerned about its/their presence other than for the fact that I can't find how they keep coming back.

Groovicus (Trusted SF Member) - Joined: 19 May 2004, Posts: 9, Location: Centerville, South Dakota
Posted: Tue Aug 29, 2006 10:08 pm

It sort of bothers me though. It is fairly obvious that you have some new variant that is escaping detection. PestPatrol, Norton, and AVG purport to be able to remove it. You have already looked in all the locations where they say to look, and you cannot find anything. Some application is monitoring those keys, and some application is rewriting them once deleted. About the only other thing I can think of is to use Process Explorer, run it, delete the keys, and then monitor the output to see what file runs.
http://www.sysinternals.com/Utilities/ProcessExplorer.html
RegProt may be another option since it monitors the registry, but I don't recall that it tells you which program is trying to write to the registry, only that something is trying to write to it.
That's all I can think of right at the moment.
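The question Groovicus is circling (which process recreates the keys after they are deleted) can also be answered with Windows' built-in registry auditing rather than a third-party monitor. The following PowerShell is an added example, not something posted in the thread; it assumes an elevated prompt on Windows Vista or later (auditpol and Security log events 4657/4663) and uses the three CLSIDs from the first post.

```powershell
# Added example (not from the thread). Needs an elevated prompt on Windows Vista or later.
# The three CLSIDs are the ones from the first post.
$clsids = '{238d0f23-5dc9-45a6-9be2-666160c324dd}',
          '{765035b3-5944-4a94-806b-20ee3415f26f}',
          '{941a4793-a705-4312-8dfc-c11ca05f397e}'

# HKEY_CLASSES_ROOT is only a merged view; the keys physically live under one of these.
$parents = 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID'

function Add-RegAudit([string]$Path, [string]$Rights, [string]$Inherit) {
    # Log successful writes by anyone. Get-Acl needs -Audit to read/write the SACL.
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
        'Everyone',
        [System.Security.AccessControl.RegistryRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 1. Make the kernel emit registry object-access events at all.
auditpol /set /subcategory:"Registry" /success:enable | Out-Null

# 2. A SACL vanishes with the key it sits on, so watch the parent for CreateSubKey
#    (catches the keys being re-created) and the keys themselves for value writes.
foreach ($p in $parents) {
    Add-RegAudit -Path $p -Rights 'CreateSubKey' -Inherit 'None'
    foreach ($id in $clsids) {
        $k = Join-Path -Path $p -ChildPath $id
        if (Test-Path $k) {
            Add-RegAudit -Path $k -Rights 'SetValue, CreateSubKey, Delete' -Inherit 'ContainerInherit'
        }
    }
}

# 3. Delete the keys as before, wait for them to come back, then ask the Security log
#    which process did it. 4657 = registry value modified, 4663 = object accessed.
function Get-ClsidWriters {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 2000 |
      Where-Object { $_.Message -match 'Classes\\CLSID' } |
      ForEach-Object {
          $d = @{}
          foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
          [pscustomobject]@{ Time = $_.TimeCreated; Process = $d['ProcessName']; Object = $d['ObjectName'] }
      }
}
Get-ClsidWriters | Sort-Object Time | Format-Table -AutoSize
```

Process Monitor (the Sysinternals successor to Regmon) with a registry filter on the same paths shows the same answer live without changing audit policy.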
haggii (Just Arrived) - Joined: 15 Aug 2004, Posts: 1
Posted: Thu Aug 31, 2006 2:16 pm

I couldn't get rid of it, so in the end I just formatted and installed an image of the drive.
Thanks very much for your assistance.

Groovicus (Trusted SF Member) - Joined: 19 May 2004, Posts: 9, Location: Centerville, South Dakota
Posted: Thu Aug 31, 2006 10:11 pm

Don't thank me... I apparently didn't do any good.
I hate it when people have to reformat!