find process using hidden port

A user had a number of instances of serv-u ftp server on an XP pro
machine. I removed all the obvious ones. I ran tds3 the locahost
port scan and it turned up a high number tcp port open. I tried telnetting
to that port and it was another serv-u ftp server. But the problem is,
no process shows up anywhere associated with that port. I tried netstat -an
and fport and neither one showed that port being used. But clearly it was.
What can I do to find the program that is doing this and remove it?
I tried the port explorer program it and also did not show anything
using that port. Does that mean it's a driver perhaps?

 

Disregard, see Gavin's post below

 

It could possibly be using a rootkit style process hider, you could run ASViewer below, in Safe Mode

Be sure all autostart locations are showing (show drivers etc) and then save a log to email us at support - or attach it here. Check it for personal information if you are going to attach it

 

What or where can i get this ASViewer?

 

http://www.diamondcs.com.au/index.php?page=asviewer

 

there are some entries starting with \??\
"\??\C:\windows\system32\drivers\procguard.sys"
What does it mean differently from others shown normally as paths.
How to doubl/know exist of windows rootkits on a windows box?
thx.

 

Hi bebongbong, Did you post your ASviwer text file to support@diamondcs.com for analysis as requested?

 

I finally found out what it was: hackerdefender
There is a trick to seeing it which is to map a
drive from another machine to an administrative
share on the compromised machine. The trojan
cannot hide files as well when it is access via
a share.
This key was visible via asviewer:
HKLM\System\CurrentControlSet\Services\TskSrv\ C:\WINDOWS\system32\hxdefsvchst.exe

One can search the mapped drive for files that start out hxdef. I am told that removing its ini file and rebooting
will stop the hiding actions of hackerdefender and then it can be removed. Some associates told me that
this trojan is often accompanied by something called wolff.

I am told that norton can now detect it. But I doubt that it can running on the same machine as the rootkit.

 

TDS would see it too now for you?
Indeed getting thaqt ini file out should be the first step to unhide it and make it workless to start with.
You might like to post your ASViewer log for more nasties, or if you like the HJT log.