Security Forums

Sogou

Networking/Security Forums Index -> Spyware // Adware // Trojans Discussion
haggii
Just Arrived
Joined: 15 Aug 2004
Posts: 1

Posted: Mon Aug 28, 2006 5:07 pm    Post subject: Sogou

I found references to this in my registry, and regardless of what I do they keep coming back.

I have run HijackThis but no dodgy entries show.

here are the registry entries that keep coming back
HKEY_CLASSES_ROOT\clsid\{238d0f23-5dc9-45a6-9be2-666160c324dd}
HKEY_CLASSES_ROOT\clsid\{765035b3-5944-4a94-806b-20ee3415f26f}
HKEY_CLASSES_ROOT\clsid\{941a4793-a705-4312-8dfc-c11ca05f397e}

Apps run include (run both in normal and in safe mode):

HiJackThis
PestPatrol (only pest patrol finds the entries)
AdAware SE
Ewido
AVG
Spybot S&D
Blacklight
Rootkitrevealer
StartUpList

I've manually searched for any of the various file names listed on the CA website but none are there.

So my question is twofold.

Where else can I look, or are there other tools I can employ to find where it's hiding?
Groovicus
Trusted SF Member
Joined: 19 May 2004
Posts: 9
Location: Centerville, South Dakota

Posted: Mon Aug 28, 2006 5:27 pm

Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).

Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe

Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p
haggii

Posted: Mon Aug 28, 2006 7:16 pm

Groovicus wrote:
1. Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).

2. Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe

3. Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p

1. Yes, already checked but nothing there.
2. No.
3. No.

Thanks for taking the time to look.
Groovicus

Posted: Mon Aug 28, 2006 7:42 pm

One of the problems with pulling information from the web is that it is usually behind.

When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.
haggii

Posted: Mon Aug 28, 2006 8:55 pm

Groovicus wrote:
When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.

I have hidden files/folders, including protected system files shown by default.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001
"CaseSensitive"=dword:00000000
"SearchSlowFiles"=dword:00000000
Groovicus

Posted: Mon Aug 28, 2006 9:21 pm

First, let me apologize if I appear to be asking simplistic questions. I just want to make sure that something obvious was not overlooked. So the next question is, when you looked for those files, did you use the search feature? And if you used the search feature, did you remember to check the box that instructs it to also search in hidden files and folders? (Many people miss this step.)

Is the toolbar appearing in your browser as described in the link you provided?

I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2

See if you have any of those.
haggii

Posted: Tue Aug 29, 2006 5:29 pm

Groovicus wrote:
1. First, let me apologize if I appear to be asking simplistic questions.

2. did you remember to check the box that instructs to also search in hidden files and folders? (Many people miss this step).

3. Is the toolbar appearing in your browser as described in the link you provided?

4. I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2

1. Not at all, sometimes the simplest of things get overlooked.

2. Yes.

3. No.

4. That puzzled me as well, but no, none of the other files are present.
I'm not actually concerned about its/their presence other than for the fact that I can't find how they keep coming back.
Groovicus

Posted: Tue Aug 29, 2006 10:08 pm

It sort of bothers me though. It is fairly obvious that you have some new variant that is escaping detection. Pest Patrol, Norton, and AVG purport to be able to remove it. You have already looked in all the locations where they say to look, and you cannot find anything. Some application is monitoring those keys, and some application is rewriting them once deleted. About the only other thing I can think of is to use Process Explorer, run it, delete the keys, and then monitor the output to see what file runs.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

RegProt may be another option since it monitors the registry, but I don't recall that it tells you which program is trying to write to the registry, only that something is trying to write to it.

That's all I can think of right at the moment.
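The checks Groovicus lists above (the file names and folders, searching with hidden items shown, and watching which program rewrites the keys) collected into one script. This is an added example, not code from the thread or from any of the tools mentioned; the CLSIDs, file names and folders are the ones quoted in the posts, while the function names and the log file location are assumptions made for illustration. Two points it adds: HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a per-user registration can survive a scan that only walks HKLM, and each CLSID's InprocServer32 value names the DLL that COM actually loads, which is the file worth hunting on disk. The WMI watcher only timestamps the moment a key comes back; Process Monitor, the Sysinternals tool that logs registry operations together with the process performing them, is what attributes the rewrite to a program.

```powershell
# Added example, not part of the original thread. Triage the CLSIDs, file names and
# folders quoted in the posts, then watch the registry tree for the keys coming back.
# Run from an elevated Windows PowerShell 5.1 prompt (Register-WmiEvent was dropped in
# PowerShell 7, where Register-CimIndicationEvent is the equivalent).
# Only the CLSIDs, file names and folders come from the thread; function names and the
# log path are assumptions for this example.

$Clsids = @(
    '{238d0f23-5dc9-45a6-9be2-666160c324dd}',
    '{765035b3-5944-4a94-806b-20ee3415f26f}',
    '{941a4793-a705-4312-8dfc-c11ca05f397e}'
)
$FileNames = @('p2psvr.exe', 'soda.exe', 'skinpacker.exe', 'strmfea.exe')
$Folders = @(
    (Join-Path $env:APPDATA 'p4p'),
    (Join-Path $env:CommonProgramFiles 'sogou pxp'),
    (Join-Path $env:ProgramFiles 'p4p')
)

function Get-ClsidInfo {
    # HKCR is a merged view of HKLM\Software\Classes and HKCU\Software\Classes, so a
    # per-user registration is missed by anything that only walks HKLM. Check both.
    foreach ($root in 'HKLM:\Software\Classes\CLSID', 'HKCU:\Software\Classes\CLSID') {
        foreach ($id in $Clsids) {
            $key = Join-Path $root $id
            if (-not (Test-Path $key)) { continue }
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            # InprocServer32's default value is the DLL COM loads for this CLSID;
            # that path, not the CLSID itself, is what to look for on disk.
            $srv = Get-ItemProperty -Path (Join-Path $key 'InprocServer32') -ErrorAction SilentlyContinue
            $dll = $srv.'(default)'
            $onDisk = [bool]$dll -and (Test-Path -LiteralPath $dll)
            # BHOs and IE toolbars are referenced by CLSID in these two locations.
            $bhoKey = "HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$id"
            $tb = Get-ItemProperty 'HKLM:\Software\Microsoft\Internet Explorer\Toolbar' -Name $id -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key       = $key
                Name      = $props.'(default)'
                Dll       = $dll
                DllOnDisk = $onDisk
                IsBho     = Test-Path $bhoKey
                IsToolbar = ($null -ne $tb)
            }
        }
    }
}

function Find-NamedArtifacts {
    # -Force includes hidden and system entries, which Explorer's search can skip.
    foreach ($f in $Folders) {
        [pscustomobject]@{ Path = $f; Exists = Test-Path -LiteralPath $f }
    }
    Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Include $FileNames -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, CreationTime, LastWriteTime
}

function Start-ClsidWatch {
    param([string]$LogFile = (Join-Path $env:TEMP 'clsid-watch.log'))  # assumed location
    # WMI registry events subscribe on a real hive such as HKEY_LOCAL_MACHINE, so watch
    # the HKLM tree that backs the HKCR\CLSID view. A tree event fires when any subkey
    # underneath is created, deleted or written, i.e. the moment the keys "come back".
    # WQL requires backslashes to be doubled.
    $query = "SELECT * FROM RegistryTreeChangeEvent WHERE Hive='HKEY_LOCAL_MACHINE' AND RootPath='SOFTWARE\\Classes\\CLSID'"
    Register-WmiEvent -Query $query -SourceIdentifier 'clsid-tree-watch' -MessageData $LogFile -Action {
        $line = "{0} change under HKLM\{1}" -f (Get-Date -Format o), $Event.SourceEventArgs.NewEvent.RootPath
        Add-Content -Path $Event.MessageData -Value $line
    } | Out-Null
    Write-Output "Watching HKLM\SOFTWARE\Classes\CLSID; timestamps are appended to $LogFile"
}

Get-ClsidInfo | Format-List
Find-NamedArtifacts | Format-Table -AutoSize
Start-ClsidWatch
# Stop watching with: Unregister-Event -SourceIdentifier 'clsid-tree-watch'
```

To find the program doing the rewriting, start Process Monitor before deleting the keys (Procmon.exe /AcceptEula /Minimized /BackingFile trace.pml), delete them, wait for a timestamp to appear in the log file, then stop the trace with Procmon.exe /Terminate and open trace.pml with a filter of Operation is RegCreateKey or RegSetValue and Path contains one of the CLSIDs. The Process Name column on the matching events is the answer the thread was looking for.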
haggii

Posted: Thu Aug 31, 2006 2:16 pm

I couldn't get rid of it so in the end I just formatted and installed an image of the drive.

Thanks very much for your assistance.
Groovicus

Posted: Thu Aug 31, 2006 10:11 pm

Don't thank me. I apparently didn't do any good.

I hate it when people have to reformat!