Results 1 to 5 of 5

Thread: Un-Named Processes- reported by FPORT

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002

    Un-Named Processes- reported by FPORT

    Hi Guys,

    Googled out on this one.. or I am lazy..

    Looked at a machine yesterday, that appeared to be "Now"clear of Malware..
    WinXP Pro, P4-2.4Ghz, 512Mb.yada yada, 10/100, into a hub, and a xp box .. internet is via a XP Box with firewall / internet gateway

    it's history was:

    Various malware removed: including
    My SearchBar
    Perfect Nav

    GaoBot.XX (various versions over the last couple of weeks - the system has been patched and repatched.. after finding the gaobot.. I check and find the pataches are no nolonger here)

    Now after using the Cleaner, Spybot, Adaware, AVG, and the installed PC-Cillen..

    Most of that crap is clear.. also ran removal tools for Gaobot, bugbear, nachi/welcher, yaha, sasser

    But, the gatway box is still reporting traffic (after isolating it) from this box to various IP's on port 25 (POP3) (64.x.x.x 65.x.x.x 220.x.x.x to name a couple of ip groups) .
    A run with FPORT showed a couple of Un-named or Blank processes on TCP and UDP ports on the machine.. namley
    Process 1548 tcp 3001 and udp 1813
    but as the process ID changes from boot to boot this isnot a help.. but the above is the common ports but these also seem to change.. (only made one note on this ..I am pissed at self for not making more notes)..

    during a boot into safe mode . I noted a file being loaded I didn't recognise.. and a quick google showed it to be a part of PCAnywhere..(huh I thought I had disabled that months ago I left it there "just incase I needed It").. the file Gernuwa.sys.

    so in one pass.. I then removed All Symantec progs and files.. PcAnywhere, liveupdate and redirector ..
    While I was here I removed another program I found "Remote Control Pro"
    as well as "Trojan remover"
    As each of these were installed by the previous tech.. It may be a backdoor I may not have covered..


    After removing the above three progs.. the outbound traffic to port25 ip's seems to have stopped.. BUT

    I still have a un-named process on a tcp and udp port when i FPORT.. the machine..

    I ihaven't used process explorer or simiolar as yet..

    any other ideas to pin down this un-named process.. (HJTéd this box to death )

    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    TCPview has always been much more accurate for me when it comes to ending processes.

    Maybe a system file was replaced and boots up instead of the legit one in safe mode? Maybe MD5's of the executables will get it for you, compared to md5s of legit ones. I think md5's of system files are posted somewhere on the web.


  3. #3
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Undies: Just so we are clear here port 25 is SMTP rather than POP3. So the traffic was outbound a la virus activity.

    Another note, Symantec is horrible for leaving drivers etc. on the box when you uninstall.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Washington D.C. area
    Another tool that is great for tracking this type of mess down is Process Explorer. It maps processes to actual files on the host. Give it a try.

    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    TS: Yes my dyslexia is getting worse.. I am now confusing port assignments.. yes it is outbound, the traffic was to Port 25, and your correct i am wrong..it is SMTP traffic not POP....

    Hos, thanks for that. seems my version of process exp is now some 12mths old.. and for a d.l whore like me that is strange.. .

    Didn't get to investigate the problem properly this afternoon.. found another machine on the network with a Netsky.p.. it firedup in a similar manner to what i was chasing yesterday..except it and the rest of the pc's on that segment were off yesterday.. oh and what i was chassing was spasmodic.. this netsky traffic was constant.. to the point the Wirless lan was slowed to a snails pace..slower. dead snails pace..

    Soda.. only just got TCPView.. will give it a blast.. thanks..

    thanks guys
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts