Port 1025 Listening

Discussion in 'Hardware' started by BlueStar50, Jun 27, 2004.

  1. BlueStar50

    BlueStar50 Private E-2

    Windows 98SE, ZoneAlarm Pro (ZAP), IE6.0SP1, TCPView v2.34

    Even before I connect to the Internet (with the phone line unplugged) TCPView is reporting:
    Protocol.....Local Address.....Remote Address.....State
    TCP...........0.0.0.0:1025........0.0.0.0:0................Listening

    If I close ZAP then this port is no longer left listening. ZAP has the option to share security settings off, and its Zone Labs Client is blocked in the Program control. I contacted them and was told I must have a trojan running on my computer. If so, nothing has ever found it (Pest Patrol or NAV).

    Once connected it shows this with IE open (after surfing awhile):
    Protocol.....Local Address.....Remote Address.....State
    TCP...........0.0.0.0:1025........0.0.0.0:0................Listening
    TCP...........127.0.0.1:2798.....0.0.0.0:0................Listening
    UDP...........127.0.0.1:2798.....*.*

    Closing all other programs, I have checked what programs are running with Norton System Information and haven't found anything out of the ordinary, thus I am guessing ZAP is leaving this port listening, since when I am offline and close ZAP this port is no longer listening. Was the person at ZAP wrong in telling me I must have a trojan or something causing it? Or is this normal for such reports?

    If ZAP is not causing it and it is not normal, is there a free program that will list the process that is causing this port to be listening that works on W98SE? (Portmon_v3.02 doesn't seem to be working).
    Thanks & have a good one.
     
  2. BlueStar50

    BlueStar50 Private E-2

    How to read NETSTAT -AN results (best information I have found so far)
    http://www.geocities.com/merijn_bellekom/new/netstatan.html

    Port Service Lookup Utility http://www.treachery.net/tools/ports/index.html
    Port 1025
    Protocol TCP Name blackjack Description network blackjack
    Protocol TCP Name listen Description listener RFS remote_file_sharing
    Protocol TCP Name shoppro Description ShopPro accounting software
    Protocol TCP Name FraggleRock Description [TROJAN] Fraggle Rock
    Protocol TCP Name md5Backdoor Description [TROJAN] md5 Backdoor
    Protocol TCP Name NetSpy Description [TROJAN] NetSpy
    Protocol TCP Name RemoteStorm Description [TROJAN] Remote Storm
    http://www.simovits.com/trojans/trojans.html
    port 1025 AcidkoR, BDDT, DataSpy Network X, Fraggle Rock, KiLo, MuSka52, NetSpy, Optix Pro, Paltalk, Ptakks, Real 2000, Remote Anything, Remote Explorer Y2K, Remote Storm, RemoteNC
    (Another site added) Backdoor.Yajing

    None of the trojans appear to be on the computer, via searching for its file or looking for their registry entries, full NAV scans in the safe mode, etc. As for RFS remote file sharing the search has only brought up general information and not any to tell you if it is on your computer or not.

    I have been working on the problem for over a month now and I am sick and tired of it. The only thing out of the ordinary I have found is an entry for Kasperskylab in my registry when I have never knowingly installed anything pertaining to it. I'm to the point now I'm ready to get off the internet because this much frustration & anxiety thinking a problem exists since a ZAP rep told me it did is just not worth it. It wouldn't be the first time a company's rep misguided me with false information but just knowing this to be the case would give me peace of mind. I have fully uninstalled ZAP and deleted all of its registry entries and re-installed it to a new folder location and it is still going on.

    All the locations I've gone to for help either weren't knowledgeable enough to give any or just didn't. The name of this place really made me think I might get this solved, but I guess not. Since others have read this link though, I'm throwing in what I have come up with in case anyone else is seeing this problem.

    Today it has been 1 year since I stayed with my Aunt to help her out before she died in a way that really hurt, so it's real easy to see that spending a whole month of my life playing with trying to figure this one out is about the last straw and a big waste of precious time. Thrown in just so you know my frame of mind right now and don't get your feathers ruffled by anything, believe me it's not worth it.
     
  3. Kodo

    Kodo SNATCHSQUATCH

  4. BlueStar50

    BlueStar50 Private E-2

    Thanks, I had been there but didn't follow the links except for RFS file sharing, which led nowhere as to find out if it is even set up on my machine, which it shouldn't be unless it was planted on me from the net or malicious program.
    This computer is an IBM brand, thus the link to "Port 1025 problem" may be helpful once I have time to see if a ttdbserver is started when I start up. I have renamed my Telnet program to prevent any misuse of it by others because I never use it.
    Still seems strange to me when I am offline & I close ZAP it closes the TCP listening state of port 1025.
     
  5. cat5e

    cat5e MajorGeek

    Port 1025 is Enabled as Open by many Software Firewalls.

    It is used by variety of applications and is needed at times.

    You have to find the Port Rules list of your Software Firewall and disable the Rule.

    When using a Security scanner if this Port is opened it comes with the “Horrible list”.

    This does not mean that you have this “Junk” on your computer; it just shows the General knowledge about “Junk” that might exploit.

    When your TCPView shows Remote address 0.0.0.0, it means that at the moment it is connected to Nothing outside of your system.

    :cool:
     
  6. BlueStar50

    BlueStar50 Private E-2

    Thanks for the feedback.
    Port 1025 is Enabled as Open by many Software Firewalls. It is used by variety of applications and is needed at times.
    Reason I contacted ZoneAlarm who told me it must be a virus or something. Back when I used NIS it was listening too, but stopped later.
    Do programs that you haven't registered sometimes leave this listening?
    And since it stops listening when ZoneAlarm is closed wouldn't that mean it is the program that is opening it or since they deny it does that something malicious has attacked to opening with it?

    You have to find the Port Rules list of your Software Firewall and disable the Rule....Not sure of what this one means but I did set up a rule to block all inbound and outbound TCP/UDP traffic on port 1025.

    This does not mean that you have this “Junk” on your computer; it just shows the General knowledge about “Junk” that might exploit.

    When your TCPView shows Remote address 0.0.0.0, it means that at the moment it is connected to Nothing outside of your system.
    Kind of lost on this information I picked up:
    If it says 0.0.0.0 on the Local Address column, it means that port is listening on all 'network interfaces' (i.e. your computer, your modem(s) and your network card(s)).
    Thus:
    0.0.0.0 listening means a program on my computer is listening for calls out and in from its IP address?
    The “Horrible list” flies by so fast in TCPView it's hard to tell if any IP address tries to connect to 1025 but no blocks to it show up in my firewall so I guess they are not.
    127.0.0.1 only appears when I have a browser page open and from its information is okay to be listening.
    I do get left with this sometimes:
    Protocol.....Local Address.....Remote Address.....State
    TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
    TCP 127.0.0.1:1025 127.0.0.1:1642 TIME_WAIT
    TCP 127.0.0.1:1636 0.0.0.0:0 LISTENING
    UDP 127.0.0.1:1636 *:*
    Is there anything strange about both local addresses (0.0.0.0 & 127.0.0.1) having the same port (1025) used if no blocks for the rule in my firewall showed up for any IP using that port also? I suspect the firewall is doing this since if I save a page it adds information from my privacy settings into the saved file, but that is just a guess.
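
Added example, not part of any post in this thread: a short Python script that reads rows in the `netstat -an` / TCPView layout quoted above, reports whether each listener is bound to all interfaces (0.0.0.0) or to loopback only (127.0.0.1), and lists the peers seen on that local port. The sample rows are constructed in the layout from the last post, and the names `parse`, `scope` and `summarize` are illustrative.

```python
import re
from collections import namedtuple

Sock = namedtuple("Sock", "proto ip port peer state")

# Constructed sample rows, in the layout quoted in the thread.
SAMPLE = """\
Protocol.....Local Address.....Remote Address.....State
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1025 127.0.0.1:1642 TIME_WAIT
TCP 127.0.0.1:1636 0.0.0.0:0 LISTENING
UDP 127.0.0.1:1636 *:*
"""

def parse(text):
    """Parse netstat -an / TCPView rows; dotted leaders count as spaces."""
    socks = []
    for line in text.splitlines():
        f = re.sub(r"\.{3,}", " ", line).split()
        if len(f) < 3 or f[0].upper() not in ("TCP", "UDP"):
            continue  # header or unrelated line
        ip, _, port = f[1].rpartition(":")
        if not port.isdigit():
            continue
        # UDP is connectionless, so its rows carry no state column.
        state = f[3].upper() if len(f) > 3 else ""
        socks.append(Sock(f[0].upper(), ip, int(port), f[2], state))
    return socks

def scope(ip):
    """Which interfaces a socket bound to this local address accepts on."""
    if ip == "0.0.0.0":
        return "all interfaces"
    return "loopback only" if ip.startswith("127.") else "one interface"

def summarize(text):
    """Per listener: (proto, port, bind scope, peers, any non-loopback peer)."""
    socks = parse(text)
    out = []
    for s in socks:
        if s.proto == "TCP" and s.state != "LISTENING":
            continue  # an established or closing connection, not a listener
        peers = sorted(c.peer for c in socks
                       if c.proto == "TCP" and s.proto == "TCP"
                       and c.port == s.port and c.state != "LISTENING")
        remote = any(not p.startswith("127.") for p in peers)
        out.append((s.proto, s.port, scope(s.ip), peers, remote))
    return out

if __name__ == "__main__": print(*summarize(SAMPLE), sep="\n")
```

For the constructed sample, the listener on port 1025 is bound to all interfaces and its only recorded peer is 127.0.0.1:1642, a program on the same machine.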
     
