aol9 and hidden server detected

I would like to know if this is ok,as i have installed aol 9 and once it was up and running everything was ok and i used port explorer to see if there was anything different and low and behold there was one hidden server detected and it is aoldial.exe, this is aol connectivity service dialer [udp on port 1089] is this ok or should action be taken.
I have checked my firewall and all ports are stealth in all sights that i checkedmy firewall in.


the mul

 

Hello the Mul, will that be the part of your AOL 9 which is calling home if necessary to connect to interent with the AOL software?
See what happens if you disable send -- you might get disconnected or not able to do several things, you can enable spying on it's traffic so yuou know if it is spying on every key you touch, etc.
You can expect it to be at least part of them.
Do TDS, SpybotS&D and Ad-Aware alarm on it?

 

Hi The Mull, I am a little concerned about this file aoldial.exe as it comes up in Google with some freference about virus type behaviour, would you please ZIP up a copy and submit the file to submit@diamondcs.com.au.
Also would you post your Autostart viewer log here:
The link to to the viewer: http://www.diamondcs.com.au/index.php?page=products
Please tick the three options in Main, save to a text file and copy / paste here.

Thanks Pilli

 

This is the log u asked for.DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Steven@MERCURY, 04-04-2004
c:\autoexec.bat
PATH C:\BITWARE\
c:\windows\system32\autoexec.nt
C:\WINDOWS\system32\mscdexnt.exe
C:\WINDOWS\system32\redir.exe
C:\WINDOWS\system32\dosx.exe
c:\windows\system32\config.nt
C:\WINDOWS\system32\himem.sys
c:\windows\wininit.ini [rename]
nul=C:\WINDOWS\UNINST~1\WASHAN~1\setup.exe
c:\windows\system.ini [drivers]
timer=timer.drv
voice=C:\BITWARE\is101.drv
c:\windows\system.ini [boot]\shell
C:\WINDOWS\Explorer.exe
c:\windows\system.ini [boot]\scrnsave.exe
C:\WINDOWS\System32\ssmypics.scr
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
C:\WINDOWS\Explorer.exe
HKCU\Control Panel\Desktop\scrnsave.exe
C:\WINDOWS\System32\ssmypics.scr
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\vbefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\jsefile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wshfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKCR\wsffile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
C:\WINDOWS\system32\NeroCheck.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bwprnmon.exe
C:\BITWARE\NT\bwprnmon.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C62 Series
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDVDPatch
C:\WINDOWS\system32\CTHELPER.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
C:\WINDOWS\UpdReg.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jet Detection
C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
C:\WINDOWS\system32\mobsync.exe /logon
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
C:\Program Files\Eset\nod32kui.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AOLDialer
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRUBlaster
C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C62 Series
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S29.tmp"
HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
C:\WINDOWS\System32\CTFMON.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\system32\SHELL32.dll
C:\WINDOWS\System32\webcheck.dll
C:\WINDOWS\System32\stobject.dll
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
C:\PROGRA~1\NORTON~1\NAVW32.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Kaspersky Anti-Virus Monitor.lnk
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Startup\MRU-Blaster Scheduler.lnk
C:\Program Files\MRU-Blaster\scheduler.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
C:\Program Files\MRU-Blaster\mrublaster.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Process Guard.lnk
C:\Program Files\ProcessGuard\procguard.exe
C:\Documents and Settings\Steven\Start Menu\Programs\Startup\SpywareGuard.lnk
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
C:\Program Files\AOL Companion\companion.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
C:\WINDOWS\system32\userinit.exe
HKLM\System\CurrentControlSet\Control\WOW\cmdline
C:\WINDOWS\system32\ntvdm.exe
HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
C:\WINDOWS\system32\imon.dll
C:\WINDOWS\System32\dcsws2.dll
C:\WINDOWS\system32\mswsock.dll
C:\WINDOWS\system32\rsvpsp.dll
HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
C:\WINDOWS\system32\JAVASUP.VXD


The Mul

 

There does not seem to be any alert jooske from the programmes u stated and can u tell how to zip the file to send to dcs as i am still learning many things and am not sure how to do it.


The Mul

 

That saves some grey hairs already!
Do you have winzip? I added it to my rightclick menu in windows explorer, so for me it is rightclick on the file, choose "Add to zip" and it's done.
If it's not in the rightclick menu maybe you have winzip somewhere on your system (didn't it come standard with windows installs?) to do it the same way via the program?

 

In the meantime did you check online at www.kaspersky.com/remoteviruschk.html ?submit online an in a few seconds you get a reply on that same page.
In fact i think it is ok as the scanners you used would be the first to beep alarms.

 

Hi The Mul, It looks pretty clean to me though I am no expert - I do notice the autodial run key so it won't harm to check that out.
If you are using XP it has built in zipping functions, right click the file and Send to compressed .ZIP this this will just copy it to the same file name but with the .zip extention and in the folder where the file to be zipped is located.

HTH Pilli

 

Thanks for all your help, I have scanned aoldial.exe with kav remote virus checker and also with kav 4.5 and all are clear, as well as a scan with tds3 and all is well and good.
I have set up special rules in my firewall to block all tcp and udp of this file and now all is blocked.
What I would like to know should this process not be stopped in port explorer as i have now blocked it in both directions, when i have blocked other applications in the past all communication on that port stops straight away, but with aoldial.exe it still shows up as running even though the firewall is blocking both inbound and out bound on this application.

The Mul

 

There is probably a process starting it. You can change it's name for instance adding .tmp behind it and see if that gives problems in your AOL functioning and connection.

 

Thanks for all your help, as i have said i have blocked all in bound and out bound and all scans are clear on aol dial.exe so i am going to wait and see .
What I would like to know is that i have added a zip file of aoldial.exe but do u normaly write some details of what u have found and what is going on.
Can u also tell me if u terminate the process with port explorer can u start it again or is it terminated for ever.
The Mul

 

Hi The Mul, Yes you can restart the process after termination.
Remeber that you will have to give Port Explorer Terminate "Allow" in Process Guard if you have the programme on your protection list

 

Thanks pilli for your help and I will use the advise u gave me.
I have tried to send the zip file by email to dcs ,but this is what is emailed back to me after i send the email to dcs, The following addresses had permanent fatal errors [submit@diamomdcs.com.au>].
Can u tell me if there is another address i can send the zip file to.

The Mul

 

Diamondcs not diamomndcs I made a typo in the first url I posted - Smack my wrists Corrected now.
submit@diamondcs.com.au

 

Thanks again for your help and I will forgive u this time [ ha ha] all the best.




The mul

 

the mul,

Is the installation of AOL 9.0 a Beta version? AOLDial.exe is part of beta version. It is required by AOL 9.0 beta unless you are using BYOA cable modem.

In further checking, AOLDial.exe has been morphed into the GM version of AOL 9.0 as well.

 

I thought I would let u all know, I have recieved a reply from diamondcs on the aoldial.exe zip file that I sent them so they could check for anything suspicious and this is what they had to say.

This file looks clean, and since its an AOL file you should trust it

Please remember that the Port Explorer feature that shows items in RED is to identify unknown files using sockets which have no windows ON SCREEN - AOL probably has a number of tray icons which do not count when Port Explorer makes these calculations. If you make a window show on screen then the sockets will return to BLACK


Best regards,
DiamondCS Support


The Mul

 

So now all is ok and clear and the file gets black when you click the systray icon?
Thanks for letting us know! Good that you asked!

 

I think it is better to ask and be safe than to leave It and take a risk.


The Mul