4 hidden

Discussion in 'Port Explorer' started by Spray-on Dust, Jan 12, 2005.

Thread Status:
Not open for further replies.
  1. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    Hi, I was recently infected with the sxe7.tmp file and I've been struggling for days to find out how extensively my computer is damaged, if at all. I've run all kinds of tests. For more info please see my thread about the sxe7.tmp file in the Process Guard forum. Anyway, a few moments ago I hovered my cursor over the Port Explorer icon in the sys tray and saw 15 system, 4 hidden, 0 normal. I freaked out and now I'm looking to you fellas for some help. Please stay with me here, guys. What is the next step? What should I do?
     
  2. Spray-on Dust

    Spray-on Dust Registered Member

    Joined:
    Dec 6, 2004
    Posts:
    51
    C'mon guys. :doubt:
     
  3. frogfoot

    frogfoot Registered Member

    Joined:
    Aug 8, 2004
    Posts:
    116
    Location:
    Yeovil UK
    What processes are using the hidden sockets? Hidden does not necessarily mean bad, it just means that the process has no GUI.
    Tom
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Can you post the log text and/or a screenshot please. :)

    Thanks. Pilli
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Nearly. :) It basically means that the process is not visible on-screen. The process may actually have a GUI, but the GUI would be hidden (i.e. invisible, or moved off-screen).

    Most trojans written in languages that are heavily GUI-oriented, such as Delphi or Visual Basic, actually do have a GUI (usually just one window), but they're set to be invisible. Using TDS-3's advanced window control utilities you can actually send hidden windows special control messages which re-enable/re-show the window, allowing you to see windows and controls that the trojan author didn't intend for you to see :)
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    To add to Wayne's comments, you will find that the Port Explorer help file is a very useful reference.
    Here is what it says about hidden sockets:
    What attributes cause a program to display as a red socket?
    Put simply, if Port Explorer determines that the process has no visual properties (e.g. no on-screen windows), it will highlight the socket with red text. This is extremely effective in detecting remote access trojans. However, there are a couple of exceptions to the rule:
    - System services will display as blue, even if they are invisible (most are). It is possible for a trojan to run as a system service, but this is very rare and not a common trojan practice.
    - Programs that have crashed but hung before completely terminating may have their sockets appear as red, because although the process may still have visual properties on screen, such as a dialog window that refuses to close, the process itself has crashed and Port Explorer (or any other program for that matter) will not be able to detect the crashed/hung window.
    - System-tray icons do not currently count as a visual property, as there is currently no known way to 'map' a system tray icon back to its parent process, because the system tray is handled by explorer.exe. Therefore, programs will show as red if they have a system tray icon but no other visual property.
    - Port Explorer uses intelligent algorithms to check the position and size of windows, so windows that are visible but are off-screen will not be counted as a 'visual property'.
     
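The help file rule quoted above (red when the process has no visible on-screen window, services stay blue, tray icons and off-screen windows do not count), as an added example that is not Port Explorer's or DiamondCS's code: a small Python script applying the same heuristic to a PID. The Win32 enumeration only runs on Windows; the service check is left to the caller as an `is_service` flag, and the screen tuple and window metrics are this example's own assumptions.

```python
"""Port Explorer-style hidden-socket check: red when no visible on-screen window."""
import ctypes
import sys
from typing import NamedTuple

class Window(NamedTuple):
    left: int
    top: int
    right: int
    bottom: int
    visible: bool

def on_screen(win: Window, screen) -> bool:
    """A window is a 'visual property' only if visible, non-empty and
    overlapping the desktop (left, top, right, bottom); off-screen ones do not count."""
    sl, st, sr, sb = screen
    if not win.visible or win.right <= win.left or win.bottom <= win.top:
        return False
    return win.left < sr and win.right > sl and win.top < sb and win.bottom > st

def classify(windows, screen, is_service=False) -> str:
    """Socket colour: services stay blue even when invisible; a tray icon is
    not a window, so a tray-only program still comes out red."""
    if is_service:
        return "blue"
    return "normal" if any(on_screen(w, screen) for w in windows) else "red"

def windows_of_process(pid: int):
    """Windows only: top-level windows owned by pid, via user32 through ctypes."""
    from ctypes import wintypes
    user32, found = ctypes.windll.user32, []
    @ctypes.WINFUNCTYPE(ctypes.c_bool, wintypes.HWND, wintypes.LPARAM)
    def cb(hwnd, _lparam):
        owner = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(owner))
        if owner.value == pid:
            r = wintypes.RECT()
            user32.GetWindowRect(hwnd, ctypes.byref(r))
            found.append(Window(r.left, r.top, r.right, r.bottom,
                                bool(user32.IsWindowVisible(hwnd))))
        return True
    user32.EnumWindows(cb, 0)
    return found

def virtual_screen():
    """Windows only: desktop bounds from SM_X/Y/CX/CYVIRTUALSCREEN (76..79)."""
    sm = ctypes.windll.user32.GetSystemMetrics
    return (sm(76), sm(77), sm(76) + sm(78), sm(77) + sm(79))

if __name__ == "__main__" and sys.platform == "win32":  # usage: script.py <pid>
    print(classify(windows_of_process(int(sys.argv[1])), virtual_screen()))
```

A process whose only window sits entirely left of the desktop is reported red, matching the help file's off-screen rule; a window merely partially off-screen still counts.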
  7. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    Just one more thing. The quickest way for anyone to help you with Port Explorer is to restart your PC and close as many programs as you can, leaving just the minimum. Make sure you are connected to the internet (some trojans won't open a port unless you are online).

    Now, run PE and click FILE > SAVE TABLE.
    This text file can be posted for analysis.
     