1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Activity in port 1025

Discussion in 'Virus & Other Malware Removal' started by gaby38, Sep 25, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. gaby38

    gaby38 Thread Starter

    Joined:
    Jul 19, 2003
    Messages:
    88
    My firewall is reporting activity in port 1025. The strange thing is, however, that I ran a couple of port scans and they show that the port is closed and sealed. I also ran a Trojan scan and it came out clean.
    I still get the feeling that there’s something not very healthy going on, though.

    Is port 1025 known for Trojan/hacker activity? Any suggestions to make sure my system is safe?

    Thanks in advance. ;)
     
  2. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    Port 1025 is normally associated with an online casino. There is a possibility that you have some foist/spyware on your system

    Go to this page, and download 'Hijack This!'.

    Unzip it, launch Hijack This, then press Scan, and press Save Log

    This will generate a text file that will list all running processes, all applications that are loaded automatically when you start Windows, and more.

    open that file
    Go to Edit | Select all
    Now click Edit | copy to copy it
    Come back to TSG, Right Click and paste its contents here
     
  3. gaby38

    gaby38 Thread Starter

    Joined:
    Jul 19, 2003
    Messages:
    88
    Thank you very much for your response.

    I do have HijackThis and use it regularly. I ran a scan not long ago and I wasn't able to find anything suspicious -or so I thought. I'll post a log and let you experts decide.

    Thanks again
     
  4. gaby38

    gaby38 Thread Starter

    Joined:
    Jul 19, 2003
    Messages:
    88
    OK, so here's my HT log. Can you see anything out of the ordinary?

    Thanks!!

    Logfile of HijackThis v1.96.0
    Scan saved at 10:13:31 AM, on 9/25/2003
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCEVTMGR.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\NISUM.EXE
    C:\PROGRAM FILES\NORTON INTERNET SECURITY\CCPXYSVC.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\EZBUTTON\CP51NBTN.EXE
    C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCAPP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\BROWSER MOUSE\BROWSER MOUSE\1.0\LWBWHEEL.EXE
    C:\PROGRAM FILES\EZBUTTON\CPHKCNT.EXE
    C:\DOWNLOADS\REGPRO\REGPROT.EXE
    C:\WINDOWS\RunDLL.exe
    C:\PROGRAM FILES\NIKON\NKVIEW6\NKVMON.EXE
    C:\PROGRAM FILES\NETZERO\QS\EXEC.EXE
    C:\PROGRAM FILES\NETZERO\QS\EXEC.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\PROGRAM FILES\NETZERO\QSACC\X1EXEC.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAM FILES\HIJACKTHIS.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.netzero.net/s/sp
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:7900
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 17;209.247.164.50;64.136.29.30;64.136.21.34;*windowsupdate.microsoft.com;*windowsupdate.com;*wustat.windows.com;*.nyc.office.juno.com;*.corp.netzero.net;*.kbb.com;*.flipdog.com;*.pogo.com;*test-speed.com;www.lavalife.com;<local>
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [CP51NBtn] C:\PROGRA~1\EZBUTTON\CP51NBtn.EXE
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [RegProt] c:\downloads\regpro\regprot.exe /start
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ccEvtMgr] "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"
    O4 - HKLM\..\RunServices: [Nisum] C:\Program Files\Norton Internet Security\NISUM.EXE
    O4 - HKLM\..\RunServices: [ccPxySvc] C:\PROGRA~1\NORTON~3\CCPXYSVC.EXE
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Show All Original Images - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/228
    O8 - Extra context menu item: Show Original Image - res://C:\PROGRAM FILES\NETZERO\QSACC\appres.dll/227
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: MSN Messenger Service (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37862.2818402778
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2003080601/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
     
  5. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,856
    I believe that a Windows component, MSTask.exe, also uses 1025 to 'phone home' and it is possible for that to be exploited.

    Let's see what the experts make of the HJT log.
     
  6. gaby38

    gaby38 Thread Starter

    Joined:
    Jul 19, 2003
    Messages:
    88
    Thanks Togg!

    Any kind expert around? please? :) ;)
     
  7. putasolution

    putasolution

    Joined:
    Mar 20, 2003
    Messages:
    4,823
    There appears to be nothing untoward there.
    If your firewall log is telling you that attempts to gain entry via that port have been blocked you should be ok.

    Does the log give an indication of the IP address of the host trying to obtain access?
     
  8. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,856
    gaby,

    There has been at least one query about this port before but I couldn't remember details when I posted last. Modesty forbids me to mention that I seem to have been right but you can check out the thread yourself;

    http://forums.techguy.org/showthread.php?s=&threadid=163531&highlight=Port+1025

    Anyway, it's only because I found a reference in a Google search, not due to superior technical knowledge on my part.
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,163
    First Name:
    Derek
  10. gaby38

    gaby38 Thread Starter

    Joined:
    Jul 19, 2003
    Messages:
    88
    Thank you all very much for your input.

    After reading what you guys recommended I learned that this port is used by windows to "call home" as they say. However, it can also be exploited with a malicious intent. This ambiguity is what makes it so difficult to diagnose.

    But I have run Trojan scans from two different sites and port scans from three, and they all come up clean; that is -I think- enough reaffirmation, so I thing I'll just trust them and stop worrying about it.

    Thanks again ;) ;)
     
  11. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Activity port 1025
  1. alvincc88
    Replies:
    2
    Views:
    363
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/167285

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice