Firewall Blackjack request on port 1025

Hi all!

My firewall (Norman) keeps asking for internet access for port 1025 for svchost.exe

I can't determen wich service this is. It tells me 'system' that's all.
But it keeps wanting to connect to another ip address.

TDS cannot find anything wrong, I can only see it's there in port explorer (great proggie!)

What can I do?

Frans

 

Here's my hijackthis log. Can somebody check this for me? I think I saw a switch point at the end!

Logfile of HijackThis v1.97.7
Scan saved at 15:22:33, on 19-4-2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
H:\ftp\security\regprot\regprot\regprot.exe
C:\Weather Watcher\ww.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\PGPsdkServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\System32\hpoipm07.exe
C:\Program Files\Norman\NPF\NPFMSG.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\ProcessGuard\procguard.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\United Devices\UD.EXE
C:\Program Files\United Devices\ud_6800466.exe
C:\Program Files\United Devices\ud_6800466_0.dir\ud_ligfit_Release.exe
C:\Norman\Nvc\BIN\Zlh.exe
C:\Norman\Nvc\BIN\Zanda.exe
C:\NORMAN\Nvc\BIN\NIP.EXE
C:\NORMAN\Nvc\BIN\nvcoas.exe
C:\NORMAN\Nvc\BIN\NVCSCHED.EXE
C:\NORMAN\Nvc\BIN\NJEEVES.EXE
C:\NORMAN\Nvc\BIN\nipsvc.exe
C:\NORMAN\Nvc\BIN\cclaw.exe
C:\NORMAN\Nvc\BIN\NYMSE.EXE
C:\Program Files\Port Explorer\PortExplorer.exe
C:\Program Files\TrojanHunter 3.8\TrojanHunter.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nos.nl/nieuws/nieuws/index.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.nl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Fraha's own explorer
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;localhost;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O1 - Hosts: 64.91.255.87 www.dcsresearch.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: ANWB Toolbar - {EBB03E3E-020A-418D-B322-761B730CA860} - C:\Program Files\ANWBToolbar\ANWBToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver3\LVCOMS.EXE
O4 - HKLM\..\Run: [Iomega Startup Options] C:\Program Files\Iomega\Common\ImgStart.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [CookieWall] C:\Program Files\AnalogX\CookieWall\cookie.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKLM\..\Run: [ScriptSentry] C:\Program Files\Script Sentry\ScriptSentry.exe /check
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 3.8\THGuard.exe"
O4 - HKLM\..\Run: [Total Uninstall] C:\Program Files\Total Uninstall\Tun.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [CSSplash] C:\Program Files\CryptoSuite\cs_splash.exe
O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"
O4 - HKLM\..\Run: [RegProt] h:\ftp\security\regprot\regprot\regprot.exe /start
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Norman ZANDA] C:\NORMAN\Nvc\BIN\ZLH.EXE /LOAD /SPLASH
O4 - HKCU\..\Run: [WeatherWatcher] C:\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Iomega Active Disk] C:\Program Files\Iomega\AutoDisk\AD2KClient.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MailWasher] C:\PROGRA~1\MAILWA~2\MAILWA~1.EXE
O4 - HKCU\..\Run: [SecureItPro] C:\Program Files\SecureIt Pro\secureitpro470p.exe /LOADSILENT
O4 - HKCU\..\Run: [RssReader] C:\Program Files\RssReader\RssReader.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Process Guard.lnk = C:\ProcessGuard\procguard.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Startup: StickIt Note Launcher.lnk = C:\StickIt\StickIt Launcher.exe
O4 - Startup: StickIt UDP Server.lnk = C:\StickIt\SIserver.exe
O4 - Startup: UD Agent.lnk = C:\Program Files\United Devices\UD.EXE
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: HPAiODevice(hp officejet d series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet d series\Bin\hpoojd07.exe
O4 - Global Startup: ID-Blaster Plus.lnk = C:\Program Files\ID-Blaster Plus\idblasterplus.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NPF Messenger.lnk = ?
O4 - Global Startup: PGPtray.lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell (HKLM)
O9 - Extra 'Tools' menuitem: ieSpell Options (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: ANWB (HKLM)
O9 - Extra 'Tools' menuitem: ANWB-toolbar (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O15 - Trusted Zone: www.anwb.nl
O15 - Trusted Zone: http://www.devolkskrant.nl
O15 - Trusted Zone: http://groups.msn.com
O15 - Trusted Zone: http://www.nosnieuws.nl
O15 - Trusted Zone: nl.sitestat.com
O15 - Trusted Zone: www.tspeedtest.nl
O16 - DPF: HushEncryptionEngine - https://mailserver1.hushmail.com/shared/HushEncryptionEngine.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...apple.com/sikes/nl/win/QuickTimeInstaller.exe
O16 - DPF: {54BA1E8F-818D-407F-949D-BAE1692C5C18} (Attribute Class) - http://gemal.dk/browserspy/capicom.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/250ce77526692283cb05/netzip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2003120501/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {8E28B3A9-FE83-45D1-B657-D5426B81A121} (CustomerCtrl Class) - http://cs7b.instantservice.com/jars/customerxsigned33.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
O16 - DPF: {97AFC0D9-660E-4ACE-B025-46FD64AE335A} (EmailImport.EmailImportControl) - http://www.friendster.com/import/emailimport.cab
O16 - DPF: {9A54032D-31F7-400D-B184-83B33BDE65FA} (MSN File Upload Control) - http://sc.groups.msn.com/controls/FileUC/MsnUpld.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37645.3993171296
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://sc.groups.msn.com/controls/PhotoUC/MsnPUpld.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444554340000} - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://fraha.instantlogic.com/XUpload.ocx
O16 - DPF: {EE5CA45C-BFAC-48E6-BE6C-3C607620FF43} - http://companion.logitech.com/companion/logitech/ver1.3.0.2041/bin/imvid.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F630A6F3-F89E-4374-99CC-28A8AA003208} - http://sls.switchpoint.com/Connect/switchpoint/5.1/Starter.cab

Greetings and regards

Frans

 

Hi Fraha,

Your log is pretty clean , so I will give you this link and move your thread to the firewall forum.

http://www.dslreports.com/forum/remark,9499491~mode=flat?r=299

Regards,

Pieter

 

The ip numbers are here and are from all over the globe. I've seen brazil, Japan and others!

151,200,246,190
194,236,144,79
195,186,215,213
195,96,66,214
200,149,245,176
200,164,83,44
200,171,128,150
200,171,132,166
207,46,244,186
208,163,33,71
213,98,154,16
61,146,10,65
61,95,246,214
81,214,167,159
82,185,121,194
194,109,104.104

Enjoy! ;-)

Frans

 

OK, thanks for the reply,

I'll wait for other reactions then.

Regards

Frans

 

Hi Frans

Can you provide any more detail on the type of communication from your logs? (Protocol, direction, source port, destination port, destination IP - complete log entries would help, just xxx out your public IP)

Regards,

CrazyM

 

Thanks for all the respons. It seems solved for now. If this returns I'll be back!

Frans

 

Hi Guys,

I am having same problems. Svchost.exe accepts connection from differnet ips. Everytime i run tcpview, i see port 1025 is connected to some ip either on my cable network or some from internet...different countries..

I tried all sort of tricks, reading packets, watching port etc...i dont know, whats happening there..i can block the port but i am more curious to know whats happening on there..


Looking forward for somehelp

[edit] -> its a TCP connection and connected ip is different everytime

Thanks,
as

 

this article is very exaustive

http://www.microsoft.com/windows200...ws2000/en/server/help/sag_rras-ch2-adv_11.htm

 

Hi,

Well i kept investigation on port 1025 connection. And i found remote computer connects to my pc using WBEM, and it creates some files under C:\WINDOWS\System32\WBEM\Repository\FS

So WIM or WBEM can be source of big exploit...as WIM gives entire details of workstation along with remote control...

Investigating further on it......


Regards,

 

i want to understand what you want know about 1025 port.

as i posted, the link explane how work a network behind a router or modem or proxy.
if the nat is active or you have a server browser,the port from 1025 to 5000 must be open, or if these ports are not open, external client computers are not able to access the Web sites or other application you run.

if you want more security,restrict incoming traffic on your firewall by Internet protocol (IP) address instead of by port.For example, create a filter that only allows traffic from the proxy server through the perimeter network's internal firewall, on any port in the 1025 to 5000 range,so this filter allows incoming traffic on any port that has a source address that matches the proxy server's address, and blocks all other traffic.

 

Are you running a firewall?

Could you provide full details of the connections: protocol, source and destination IP/ports. Just xxx out your public IP.

Regards,

CrazyM

 

Which OS and services are you running?

WIM? Did you mean WMI - Windows Management Instrumentation
WBEM - Web Based Enterprise Management

Regards,

CrazyM

 

I am running Windows XP Professional.

Protocol : TCP
PORT: 1025

IP: changes every time

I have zone alarm as personal firewall but it doesnt detect.


SVCHOST.exe accepts connection on port 1025. I am not behind any firewall and i use dsl here. Since there could be many instances of svchost.exe because it is used by os for internet connection etc.



>>WIM? Did you mean WMI - Windows Management Instrumentation
>>WBEM - Web Based Enterprise Management

Yes, this is what i saw in file monitor. I downloaded a file system monitor from sysinternals and ran. I found the svchost.exe which has accepted connection on 1025 is reading and writing files in C:\WINDOWS\System32\WBEM\Repository\FS

One file which was written on every session grown to 5 MB+, file is OBJECTS.DATA.

Now i have disabled WIM service from services.msc and i dont see any such connection on 1025.

It seems to be resolved but i am still curious to know, what was happening there..if i didnt stop, what would have been possible..etc..

But i guess, its good start point to further investigate on this port 1025 thingy...

Believe me WIM and WBEM can be used to do anything on a remote system as per my knowledge.

cheers,
A

 

I see about the same thing, and it started recently, within the last week or so.
I see protocols 1025, 1026, and 1027 also associated is 3127 and 6129.
I use Zone Alarm Pro on my own machine, so I just blocked the three lower ports.
I harvisted the following list from the Kiwi Syslog deamon that I have logging traffic through my Linksys gateway router.

The 68.94.xxx.xxx are within Cox.net, my cable provider.

Jim

68.208.82.194 4522 <my internet ip> 1025
205.30.41.202 24937 <my internet ip> 1027
205.141.54.10 11404 <my internet ip> 1026
68.146.66.254 4056 <my internet ip> 1025
68.146.66.2 1741 <my internet ip> 1025
68.20.18.127 3919 <my internet ip> 1025
68.94.201.135 4759 <my internet ip> 3127
68.94.201.135 4760 <my internet ip> 6129
68.94.201.135 4759 <my internet ip> 3127
68.94.201.135 4760 <my internet ip> 6129
68.94.201.135 4641 <my internet ip> 1025
68.88.184.171 3621 <my internet ip> 1025
68.4.238.220 2525 <my internet ip> 1025
68.17.31.34 4862 <my internet ip> 1025
68.4.225.56 4028 <my internet ip> 1025
68.92.89.53 1277 <my internet ip> 1025
68.163.58.24 4227 <my internet ip> 1025
68.125.34.31 3717 <my internet ip> 1025
68.92.154.200 4280 <my internet ip> 1025
68.21.1.24 4189 <my internet ip> 2745
68.21.1.24 4191 <my internet ip> 1025
68.21.1.24 4196 <my internet ip> 3127
68.21.1.24 4197 <my internet ip> 6129
68.21.1.24 4196 <my internet ip> 3127
68.21.1.24 4191 <my internet ip> 1025

 

I checked further and concluded that this is a fairly wide-spread and rapidly spreading trojan virus:

http://www.f-secure.com/v-descs/agobot_fo.shtml#details

I am doing a current scan to see if any attacks actually penitrated my machine.

 

Hi,

As i mentioned in my last post that svchost.exe on port 1025, let remote computer access through WBEM or WIM.

But i lately found, it doesnt use WBEM or WIM all time. This time it was using \WINDOWS\system32\modemui.dll

I am really serious now and more curious to know, what does it do.

As jim@knock.com just mentioned, it could be trojen. So it makes our concerns more serious.

Guys, lets find the exact reason with soln.

Regards,
Abdul

 

You mention "I have zone alarm as personal firewall but it doesnt detect", then say "I am not behind any firewall and i use dsl here".

Are you currently running a firewall or not?
Are you currently running any proxy or other web filtering utilities?

You mention protocol TCP and port 1025, but in order to clarify what type of connections may be happening we need more details. Are these in fact remote systems connecting to your system, or connections initiated by your sytem? Protocol, direction, local address (xxx out your public IP), local port, remote address, remote port.

Edit: svchost.exe may need some outbound access, but you should not be allowing unsolicited inbound connections.

Regards,

CrazyM