Un-Named Processes - reported by FPORT
Hi Guys,
Googled out on this one.. or I am lazy..
Looked at a machine yesterday that appeared to be "now" clear of malware..
WinXP Pro, P4-2.4Ghz, 512Mb, yada yada, 10/100 into a hub, and an XP box.. internet is via an XP box with firewall / internet gateway.
Its history was:
Various malware removed: including
My SearchBar
Perfect Nav
GaoBot.XX (various versions over the last couple of weeks - the system has been patched and repatched.. after finding the Gaobot, I check and find the patches are no longer there)
..
Now after using the Cleaner, Spybot, Adaware, AVG, and the installed PC-cillin..
Most of that crap is clear.. also ran removal tools for Gaobot, Bugbear, Nachi/Welchia, Yaha, Sasser.
But, the gateway box is still reporting traffic (after isolating it) from this box to various IPs on port 25 (POP3) (64.x.x.x 65.x.x.x 220.x.x.x to name a couple of IP groups).
A run with FPORT showed a couple of un-named or blank processes on TCP and UDP ports on the machine.. namely
Process 1548 tcp 3001 and udp 1813
but as the process ID changes from boot to boot this is not a help.. but the above are the common ports, but these also seem to change.. (only made one note on this.. I am pissed at self for not making more notes)..
during a boot into safe mode . I noted a file being loaded I didn't recognise.. and a quick google showed it to be a part of PCAnywhere..(huh I thought I had disabled that months ago I left it there "just incase I needed It").. the file Gernuwa.sys.
so in one pass.. I then removed All Symantec progs and files.. PcAnywhere, liveupdate and redirector ..
While I was here I removed another program I found "Remote Control Pro"
as well as "Trojan remover"
As each of these was installed by the previous tech.. it may be a backdoor I may not have covered..
NOW:
After removing the above three progs.. the outbound traffic to port25 ip's seems to have stopped.. BUT
I still have an un-named process on a TCP and UDP port when I FPORT the machine..
I haven't used Process Explorer or similar as yet..
Any other ideas to pin down this un-named process.. (HJT'd this box to death)
Cheers
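One way to triage FPORT output like the listing above, as an added example that is not part of the original post: parse the "Pid Process -> Port Proto Path" lines, flag entries with a blank process name (or a named process with no path, other than the kernel's System process), and group the flagged ports by PID so that a single PID holding both a TCP and a UDP port stands out for a follow-up check with tasklist / Process Explorer. The sample output is constructed; the PID and ports are the ones mentioned in the post, the file paths are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample in the FPort v2.0 column layout (not captured from the poster's box).
SAMPLE_FPORT_OUTPUT = """\
Pid   Process            Port  Proto Path
1024  svchost        ->  135   TCP   C:\\WINDOWS\\system32\\svchost.exe
4     System         ->  139   TCP
1548                 ->  3001  TCP
1548                 ->  1813  UDP
820   lsass          ->  500   UDP   C:\\WINDOWS\\system32\\lsass.exe
"""

# pid, optional process name, port, protocol, optional path (may contain spaces)
LINE_RE = re.compile(r"^(\d+)\s+(\S*)\s*->\s+(\d+)\s+(TCP|UDP)\s*(.*)$")


def parse_fport(text: str) -> List[Dict[str, str]]:
    """Return one dict per port line; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pid, name, port, proto, path = m.groups()
            rows.append({"pid": pid, "process": name, "port": port,
                         "proto": proto, "path": path.strip()})
    return rows


def suspicious_entries(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Blank process name, or a named process with no on-disk path (System excepted)."""
    out = []
    for r in rows:
        if r["process"] == "":
            out.append(r)
        elif r["path"] == "" and r["process"] != "System":
            out.append(r)
    return out


def ports_by_pid(rows: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group flagged sockets as 'PROTO/port' strings under their PID."""
    grouped: Dict[str, List[str]] = {}
    for r in rows:
        grouped.setdefault(r["pid"], []).append(f"{r['proto']}/{r['port']}")
    return grouped


if __name__ == "__main__":
    for pid, socks in ports_by_pid(suspicious_entries(parse_fport(SAMPLE_FPORT_OUTPUT))).items():
        print(f"PID {pid} holds {', '.join(socks)} with no process name -> check with tasklist")
```

Because the PID changes between boots, re-run the parse after each reboot and compare the flagged port set rather than the PID.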