Hello Everybody PE and netstat both show open ports which on every list we know are reported as "unassigned". Upon every reboot the port numbers change (now they are 1140 & 1173) but everything else remains the same. During this investigation we saw some mention of "netx" and now can not re-find this reference. Netx appears to be related to either a server and/or Java. Can someone render some input please? HMSS Q Section
Hello Dan Yes we did see that info on that page but we actually have not got a clue what it means since we are not into programming and have not sought any special Java anything of which we are aware. Hello Jooske So....who would be in the know about this little question in PE? We want to completely nail down every last detail with the same pro-active zeal you had (have) when you first started your security education? We do not know if you have seen some other posts of ours regarding TrueLaunch Bar and its plugins but it uses Explorer to operate and parse the weather from a weather site. We have that set to update weather only once every hour otherwise it should not be active. Perhaps it (TLB) is not releasing Explorer at all. We will contact the creator (author) about this question and report back. Once again thank you for your wisdom and expertise. HMSS Q Section
Hi, Explorer.exe will show up in a couple of cases. Either you have typed a URL in the WINDOWS Explorer address bar and Windows has used that window to load its HTML controls and essentially become an iexplore.exe process.. Or there could be a DLL loaded into explorer.exe so grab Process Explorer from www.sysinternals.com (we have a better tool coming soon but very hard to work on so much at once) With Process Explorer make sure it is set to show DLLs, usually you can click the yellow cog icon to switch to DLL module view.. then show us what you have loaded in explorer.exe Just one other thing Windows apps select random local ports for a connection, so looking up known apps by selecting "What is port x" could either show every app in existence or just trojans and very common services. When the local port is anywhere from 1025 to 4000 then its usually going to be ok ! This might seem a very general comment, however 99.9% of old trojans will show up red anyway
HI QSection, I am afraid I am not a programmer either but I did a little more searching and found that JNLP is implemented, by default, within Java2 for implementation of certain Java applications. It is a required component for 'Web Start' appets. You may want to look at some of the listings of Web Start applications to see what is in common there with your own system usage. This link may help, http://lopica.sourceforge.net/faq.html#applinks Hope this helps
http://www.teamcti.com/pview/ Digging on my system found this nice Process Viewer as well, looks a lot like this Process Explorer and the Faber Toys, which all have possibilities to dig deeper which DLLs and other stuff are used by a certain process; it's small and free too and shows the sizes of each element, which i still miss in Faber Toys. In FT i like among others the descriptions about each element, including what a certain DLL is meant to do f.e. Gavin, this PV has a debugger function built in, you might like to look at it. And it has a command-line version shipping with it, easy for scripting and scheduling etc. Think Dan might think it worth a look as well!
You're welcome Dan. Think all these have their own handy details, and as all are small and free best grab them all. I also like from systernals their Real time Registry Viewer, of which i expect in case there is a nasty with registry keys we can see which it is using and delete the right one if needed. In fact the registry activity from what we see in the Window logging in PE. They've lots of those handy tools there, as i guess about every internetter knows.
On the process viewer and loaded DLLs tool, we will release it tomorrow! Windows NT 2000 XP only sorry But it is very useful for trojans that load DLLs into other processes, those trojans are usually NT only too. I even manually removed a "rootkit" the other day with nothing but this tool ..just by forcibly killing off DLLs inside many processes until the hidden EXE file showed up, which i killed and deleted. Rootkit gone ! Not a true low level rootkit, but the files were invisible in Windows Explorer, and it would have been very hard to remove without this tool. ..ok some processes and DLLs didnt cooperate with trying to unload the rootkit's DLLs, but we got there in the end by perservering
Does it mean win9* users can still be victims, will the dangers not endanger win9* users, or will there be a tool for those users in future, or will we need to check with the monitoring tools mentioned from others even though these might not be able to get to those rootkits and whatever nasties? The tools you and i posted all work for all windows versions, this is why i ask what's the big difference technically which makes them unavailable for the win9* series?
There are still DLL injecting and Win9x kernel modifying trojans, but the exact trojans are different. We may develop a Windows 9x tool which works similarly, however this is not a priority, sorry. Windows NT 2000 and XP are targeted by some trojans which only run on those systems, and use DLL injection techniques. Windows XP has really sold a lot of copies and is the most used OS now already from a few polls I have seen Cant be sure but now 2000 and XP occupy a large percentage of machines. Hopefully the beta release last night was tested enough to release soon, today or tomorrow It should be ok, it is very stable in my testing. Just another reason to somehow get onto Windows 2000 Jooske ! .. Windows 9x doesnt have CreateRemoteThread which is used to create a new thread in another process. There are hacks which create a very similar function, however these are somewhat buggy and can crash the host process in many cases. It also simply doesn't work sometimes ! I find this funny when analysing the trojans that try to do those things on a Win98 machine
So those of us using 98SE are a little better off regarding those particular trojans. Hmmm - great! Gavin - please also see this: www.google.com/press/zeitgeist.html and look down a little on the right of the page regarding o/s usages. Not to argue or be challenging but we knew that Google has been collecting this statistical information for awhile. Thank you for your great work. HMSS Q Section
