Sogou

Networking/Security Forums -> Spyware // Adware // Trojans Discussion

Author: haggii PostPosted: Mon Aug 28, 2006 5:07 pm    Post subject: Sogou
    ----
I found references to this in my registry and regardless of what I do they keep coming back.

I have run hijackthis but no dodgy entries show.

Here are the registry entries that keep coming back:
HKEY_CLASSES_ROOT\clsid\{238d0f23-5dc9-45a6-9be2-666160c324dd}
HKEY_CLASSES_ROOT\clsid\{765035b3-5944-4a94-806b-20ee3415f26f}
HKEY_CLASSES_ROOT\clsid\{941a4793-a705-4312-8dfc-c11ca05f397e}

Apps run include (run both in normal and in safe mode):

HiJackThis
PestPatrol (only pest patrol finds the entries)
AdAware SE
Ewido
AVG
Spybot S&D
Blacklight
Rootkitrevealer
StartUpList

I've manually searched for any of the various file names listed on the CA website but none are there.

So my question is twofold.

Where else can I look, or are there other tools I can employ to find where it's hiding?

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Mon Aug 28, 2006 5:27 pm    Post subject:
    ----
Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).

Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe

Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p

Author: haggii PostPosted: Mon Aug 28, 2006 7:16 pm    Post subject:
    ----
Groovicus wrote:
1. Did you look in your add/remove programs to see if it was there? (It's a slim chance, but worth a look).

2. Do you have any of these on your system?
p2psvr.exe
soda.exe
skinpacker.exe
strmfea.exe

3. Do you have these directories on your system?
%Profile Dir%\application data\p4p
%Commonprogram Files%\sogou pxp
%Program Files%\p4p

1. Yes, already checked but nothing there.
2. No.
3. No.

Thanks for taking the time to look.

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Mon Aug 28, 2006 7:42 pm    Post subject:
    ----
One of the problems with pulling information from the web is that it is usually behind.

When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.

Author: haggii PostPosted: Mon Aug 28, 2006 8:55 pm    Post subject:
    ----
Groovicus wrote:
When you were looking for those folders and directories, did you have your system set to show hidden files and folders? All the information I can find says that at least you should have the p4p files.

I have hidden files/folders, including protected system files shown by default.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer]
"SearchSystemDirs"=dword:00000001
"SearchHidden"=dword:00000001
"IncludeSubFolders"=dword:00000001
"CaseSensitive"=dword:00000000
"SearchSlowFiles"=dword:00000000

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Mon Aug 28, 2006 9:21 pm    Post subject:
    ----
First, let me apologize if I appear to be asking simplistic questions. I just want to make sure that something obvious was not overlooked. So the next question is, when you looked for those files, did you use the search feature? And if you used the search feature, did you remember to check the box that instructs to also search in hidden files and folders? (Many people miss this step).

Is the toolbar appearing in your browser as described in the link you provided?

I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2

See if you have any of those.

Author: haggii PostPosted: Tue Aug 29, 2006 5:29 pm    Post subject:
    ----
Groovicus wrote:
1. First, let me apologize if I appear to be asking simplistic questions.

2. did you remember to check the box that instructs to also search in hidden files and folders? (Many people miss this step).

3. Is the toolbar appearing in your browser as described in the link you provided?

4. I am coming up with some other names related to those clsids:
http://www.symantec.com/security_response/writeup.jsp?docid=2006-041211-3655-99&tabid=2

1. Not at all, sometimes the simplest of things get overlooked.

2. Yes.

3. No.

4. That puzzled me as well, but no, none of the other files are present.



I'm not actually concerned about its/their presence other than for the fact that I can't find how they keep coming back.

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Tue Aug 29, 2006 10:08 pm    Post subject:
    ----
It sort of bothers me though. It is fairly obvious that you have some new variant that is escaping detection. PestPatrol, Norton, and AVG purport to be able to remove it. You have already looked in all the locations where they say to look, and you cannot find anything. Some application is monitoring those keys, and some application is rewriting them once deleted. About the only other thing I can think of is to use Process Explorer, run it, delete the keys, and then monitor the output to see what file runs.
http://www.sysinternals.com/Utilities/ProcessExplorer.html

RegProt may be another option since it monitors the registry, but I don't recall that it tells you which program is trying to write to the registry, only that something is trying to write to it.

That's all I can think of right at the moment.
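Attributing the rewrites to a process is exactly what a registry-monitor trace gives you. As an added example (not from this thread or its posters), the following Python script scans a Process Monitor-style CSV export for successful key-creating or value-setting operations on the three CLSIDs from the first post and reports which process performed them. The CSV column names and the operation names are assumed to match Process Monitor's export format; the sample trace and the process name "hidden_helper.exe" are constructed, not a real capture.

```python
import csv
import io
from collections import defaultdict

# The three CLSIDs reported in the first post (matched case-insensitively).
SOGOU_CLSIDS = (
    "{238d0f23-5dc9-45a6-9be2-666160c324dd}",
    "{765035b3-5944-4a94-806b-20ee3415f26f}",
    "{941a4793-a705-4312-8dfc-c11ca05f397e}",
)

# Operations that (re)create keys or write values. The names follow Process
# Monitor's "Operation" column (assumed; check them against your own export).
WRITE_OPS = {"RegCreateKey", "RegSetValue", "RegSetInfoKey"}

# Constructed sample export (not a real capture). The header row is the one
# assumed for a Process Monitor trace saved as CSV.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"5:31:02.1 PM","explorer.exe","1428","RegQueryKey","HKCR\\CLSID\\{238D0F23-5DC9-45A6-9BE2-666160C324DD}","NAME NOT FOUND",""
"5:31:02.3 PM","svchost.exe","1012","RegOpenKey","HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip","SUCCESS",""
"5:31:05.0 PM","hidden_helper.exe","2240","RegCreateKey","HKCR\\CLSID\\{238D0F23-5DC9-45A6-9BE2-666160C324DD}","SUCCESS","Desired Access: All Access"
"5:31:05.0 PM","hidden_helper.exe","2240","RegSetValue","HKCR\\CLSID\\{238D0F23-5DC9-45A6-9BE2-666160C324DD}\\(Default)","SUCCESS","Type: REG_SZ"
"5:31:05.1 PM","hidden_helper.exe","2240","RegCreateKey","HKCR\\CLSID\\{765035B3-5944-4A94-806B-20EE3415F26F}","SUCCESS","Desired Access: All Access"
"5:31:06.2 PM","regedit.exe","3104","RegQueryKey","HKCR\\CLSID\\{941A4793-A705-4312-8DFC-C11CA05F397E}","SUCCESS",""
"""


def find_clsid_writers(csv_text, clsids=SOGOU_CLSIDS, write_ops=WRITE_OPS):
    """Return {(process name, pid): sorted CLSIDs it wrote} for successful
    write operations touching the watched CLSID keys or anything under them."""
    watched = {c.lower() for c in clsids}
    writers = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Reads and failed attempts are noise here; only successful writes matter.
        if row["Operation"] not in write_ops or row["Result"] != "SUCCESS":
            continue
        path = row["Path"].lower()
        for clsid in watched:
            # Matches the key itself as well as any value or subkey beneath it.
            if "\\clsid\\" + clsid in path:
                writers[(row["Process Name"], int(row["PID"]))].add(clsid)
    return {k: sorted(v) for k, v in writers.items()}


if __name__ == "__main__":
    for (name, pid), hits in find_clsid_writers(SAMPLE_CSV).items():
        print(f"{name} (PID {pid}) wrote {len(hits)} watched CLSID key(s): {', '.join(hits)}")
```

Run against a real trace, the reported process name and PID are what you then look up in Process Explorer to find the image path that needs removing.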

Author: haggii PostPosted: Thu Aug 31, 2006 2:16 pm    Post subject:
    ----
I couldn't get rid of it so in the end I just formatted and installed an image of the drive.

Thanks very much for your assistance!

Author: Groovicus    Location: Centerville, South Dakota    PostPosted: Thu Aug 31, 2006 10:11 pm    Post subject:
    ----
Don't thank me... I apparently didn't do any good.

I hate it when people have to reformat!
