aol9 and hidden server detected

Discussion in 'Port Explorer' started by the mul, Apr 4, 2004.

Thread Status:
Not open for further replies.
  1. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I would like to know if this is OK, as I have installed AOL 9 and once it was up and running everything was OK. I used Port Explorer to see if there was anything different and, lo and behold, there was one hidden server detected: aoldial.exe. This is the AOL Connectivity Service dialer [UDP on port 1089]. Is this OK or should action be taken?
    I have checked my firewall and all ports are stealth on all sites that I checked my firewall on.


    the mul
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hello the Mul, will that be the part of your AOL 9 which is calling home if necessary to connect to the internet with the AOL software?
    See what happens if you disable send -- you might get disconnected or not able to do several things. You can enable spying on its traffic so you know if it is spying on every key you touch, etc.
    You can expect it to be at least part of them.
    Do TDS, SpybotS&D and Ad-Aware alarm on it?
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi The Mul, I am a little concerned about this file aoldial.exe as it comes up in Google with some reference about virus type behaviour. Would you please ZIP up a copy and submit the file to submit@diamondcs.com.au.
    Also would you post your Autostart Viewer log here:
    The link to the viewer: http://www.diamondcs.com.au/index.php?page=products
    Please tick the three options in Main, save to a text file and copy / paste here.

    Thanks Pilli
     
  4. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    This is the log you asked for.

    DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for Steven@MERCURY, 04-04-2004
    c:\autoexec.bat
    PATH C:\BITWARE\
    c:\windows\system32\autoexec.nt
    C:\WINDOWS\system32\mscdexnt.exe
    C:\WINDOWS\system32\redir.exe
    C:\WINDOWS\system32\dosx.exe
    c:\windows\system32\config.nt
    C:\WINDOWS\system32\himem.sys
    c:\windows\wininit.ini [rename]
    nul=C:\WINDOWS\UNINST~1\WASHAN~1\setup.exe
    c:\windows\system.ini [drivers]
    timer=timer.drv
    voice=C:\BITWARE\is101.drv
    c:\windows\system.ini [boot]\shell
    C:\WINDOWS\Explorer.exe
    c:\windows\system.ini [boot]\scrnsave.exe
    C:\WINDOWS\System32\ssmypics.scr
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
    C:\WINDOWS\Explorer.exe
    HKCU\Control Panel\Desktop\scrnsave.exe
    C:\WINDOWS\System32\ssmypics.scr
    HKCR\vbsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\vbefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\jsefile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wshfile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKCR\wsffile\shell\open\command\
    C:\WINDOWS\System32\WScript.exe "%1" %*
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ccRegVfy
    C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NeroCheck
    C:\WINDOWS\system32\NeroCheck.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\bwprnmon.exe
    C:\BITWARE\NT\bwprnmon.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TkBellExe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C62 Series
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001" /M "Stylus C62"
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\WINDVDPatch
    C:\WINDOWS\system32\CTHELPER.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\UpdReg
    C:\WINDOWS\UpdReg.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Jet Detection
    C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\CTStartup
    C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Synchronization Manager
    C:\WINDOWS\system32\mobsync.exe /logon
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\nod32kui
    C:\Program Files\Eset\nod32kui.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AVPCC
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\avpcc.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AOLDialer
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\MRUBlaster
    C:\Program Files\MRU-Blaster\indexcleaner.exe -CC
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C62 Series
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\System32\E_S29.tmp"
    HKU\.Default\Software\Microsoft\Windows\CurrentVersion\Run\CTFMON.EXE
    C:\WINDOWS\System32\CTFMON.EXE
    HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\System32\webcheck.dll
    C:\WINDOWS\System32\stobject.dll
    C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job
    C:\PROGRA~1\NORTON~1\NAVW32.exe
    C:\WINDOWS\Tasks\Symantec NetDetect.job
    C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Kaspersky Anti-Virus Monitor.lnk
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\AvpM.exe
    C:\Documents and Settings\Steven\Start Menu\Programs\Startup\MRU-Blaster Scheduler.lnk
    C:\Program Files\MRU-Blaster\scheduler.exe
    C:\Documents and Settings\Steven\Start Menu\Programs\Startup\MRU-Blaster Silent Clean.lnk
    C:\Program Files\MRU-Blaster\mrublaster.exe
    C:\Documents and Settings\Steven\Start Menu\Programs\Startup\Process Guard.lnk
    C:\Program Files\ProcessGuard\procguard.exe
    C:\Documents and Settings\Steven\Start Menu\Programs\Startup\SpywareGuard.lnk
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
    C:\Program Files\AOL Companion\companion.exe
    HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
    autocheck autochk *
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit
    C:\WINDOWS\system32\userinit.exe
    HKLM\System\CurrentControlSet\Control\WOW\cmdline
    C:\WINDOWS\system32\ntvdm.exe
    HKLM\System\CurrentControlSet\Control\WOW\wowcmdline
    C:\WINDOWS\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386
    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\
    C:\WINDOWS\system32\imon.dll
    C:\WINDOWS\System32\dcsws2.dll
    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\rsvpsp.dll
    HKLM\System\CurrentControlSet\Services\VxD\JAVASUP\
    C:\WINDOWS\system32\JAVASUP.VXD


    The Mul
     
  5. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    There does not seem to be any alert, Jooske, from the programmes you stated. Can you tell me how to zip the file to send to DCS, as I am still learning many things and am not sure how to do it?


    The Mul
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    That saves some grey hairs already! ;)
    Do you have WinZip? I added it to my right-click menu in Windows Explorer, so for me it is right-click on the file, choose "Add to zip" and it's done.
    If it's not in the right-click menu, maybe you have WinZip somewhere on your system (didn't it come standard with Windows installs?) to do it the same way via the program?
     
  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    I suspect this file is okay. I am running AOL 9.0 Broadband and this file isn't on my system. But searching in Google, I found it is on several people's systems, and it may be beta related. When I am online there are various parts that establish connections. WAOL.exe is always there, as is ASCD.exe. Ascd on my system is where your aoldial.exe is located. Depending on your location you should be able to go online and ask AOL.

    Pete
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    In the meantime, did you check online at www.kaspersky.com/remoteviruschk.html? Submit online and in a few seconds you get a reply on that same page.
    In fact I think it is OK, as the scanners you used would be the first to beep alarms.
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi The Mul, it looks pretty clean to me, though I am no expert - I do notice the autodial Run key so it won't harm to check that out.
    If you are using XP it has built-in zipping functions: right-click the file and Send to compressed .ZIP. This will just copy it to the same file name but with the .zip extension, in the folder where the file to be zipped is located.

    HTH Pilli
     
  10. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks for all your help. I have scanned aoldial.exe with the KAV remote virus checker and also with KAV 4.5 and all are clear, as well as a scan with TDS-3, and all is well and good.
    I have set up special rules in my firewall to block all TCP and UDP of this file and now all is blocked.
    What I would like to know is, should this process not be stopped in Port Explorer, as I have now blocked it in both directions? When I have blocked other applications in the past, all communication on that port stops straight away, but with aoldial.exe it still shows up as running even though the firewall is blocking both inbound and outbound on this application.

    The Mul
     
  11. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    There is probably a process starting it. You can change its name, for instance adding .tmp behind it, and see if that gives problems in your AOL functioning and connection.
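    To check "what starts it" against the Autostart Viewer log posted earlier in this thread, here is an added example (not Port Explorer's or DiamondCS's code) that parses that report layout: a header line, then a location line (registry key, Startup-folder .lnk, scheduled-task .job, or legacy config file such as system.ini with an optional [section]\value suffix) followed by one or more command lines. The location/command split and the categories are a heuristic of this script, not the tool's own grammar, and the sample report embedded below is a constructed subset of the lines in the thread.

```python
"""Parse a DiamondCS Autostart Viewer text report and answer the triage
question "which startup location launches this executable?".

Added example, not DiamondCS code. The line classification below is a
heuristic based on the report layout seen in the thread.
"""
import re
from collections import defaultdict

# A line is treated as a *location* (an autostart hook) rather than a command
# if it is a registry key or a config/shortcut/task file.
_REGISTRY_RE = re.compile(r"^HK(?:LM|CU|CR|U|CC)\\", re.I)
_FILE_LOC_RE = re.compile(r"^[a-z]:\\.*?\.(?:bat|nt|ini|job|lnk)(?:\s*\[.*)?$", re.I)

# First drive-rooted path in a command line, ending at a known program-file
# extension, so unquoted paths containing spaces are captured whole.
_IMAGE_RE = re.compile(
    r'([a-z]:\\[^"]*?\.(?:exe|dll|scr|drv|sys|vxd|com|bat))(?=[\s"]|$)', re.I
)


def is_location(line):
    return bool(_REGISTRY_RE.match(line) or _FILE_LOC_RE.match(line))


def image_of(command):
    """Return the launched program's path (or bare name) from a command line."""
    m = _IMAGE_RE.search(command)
    if m:
        return m.group(1)
    # No drive path: strip a "name=" prefix and take the first token,
    # e.g. "timer=timer.drv" -> "timer.drv", "autocheck autochk *" -> "autocheck".
    tokens = command.split()
    return tokens[0].split("=", 1)[-1] if tokens else ""


def parse_report(text):
    """Yield (location, command) pairs; lines before the first location
    (such as the report header) are skipped."""
    location = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("DiamondCS Autostart Viewer"):
            continue
        if is_location(line):
            location = line
        elif location is not None:
            yield location, line


def classify(location):
    """Coarse bucket for a location, to group a report for review."""
    loc = location.lower()
    if r"\shell\open\command" in loc:
        return "file-association handler"
    if loc.startswith("hk") and r"\run" in loc:
        return "registry Run/RunOnce"
    if loc.startswith("hk"):
        return "other registry hook"
    if loc.endswith(".lnk"):
        return "Startup folder shortcut"
    if loc.endswith(".job"):
        return "scheduled task"
    return "legacy config file"


def find_launchers(text, image_name):
    """Locations whose command launches a program with this file name."""
    wanted = image_name.lower()
    hits = []
    for location, command in parse_report(text):
        image = image_of(command)
        if image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == wanted:
            hits.append(location)
    return hits


def summarize(text):
    """Map each category to the list of (location, image) it contains."""
    groups = defaultdict(list)
    for location, command in parse_report(text):
        groups[classify(location)].append((location, image_of(command)))
    return dict(groups)


# Constructed sample in the report's layout (a subset of the lines in the thread).
SAMPLE_REPORT = r"""DiamondCS Autostart Viewer (www.diamondcs.com.au) - Report for user@HOST, 04-04-2004
c:\windows\wininit.ini [rename]
nul=C:\WINDOWS\UNINST~1\WASHAN~1\setup.exe
c:\windows\system.ini [drivers]
timer=timer.drv
HKCR\vbsfile\shell\open\command\
C:\WINDOWS\System32\WScript.exe "%1" %*
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\EPSON Stylus C62 Series
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O6 "USB001"
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\AOLDialer
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\Tasks\Symantec NetDetect.job
C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk
C:\Program Files\AOL Companion\companion.exe
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
autocheck autochk *
"""

if __name__ == "__main__":
    for loc in find_launchers(SAMPLE_REPORT, "aoldial.exe"):
        print("aoldial.exe is started from:", loc)
    for category, entries in summarize(SAMPLE_REPORT).items():
        print(category)
        for location, image in entries:
            print("   ", location, "->", image)
```

    Run it as-is and it reports the HKLM Run key (AOLDialer) as the launcher of aoldial.exe, which is why the process comes back after termination; the per-category summary is the same grouping a reviewer does by eye when reading a log like the one above.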
     
  12. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks for all your help. As I have said, I have blocked all inbound and outbound and all scans are clear on aoldial.exe, so I am going to wait and see.
    What I would like to know is that I have added a zip file of aoldial.exe, but do you normally write some details of what you have found and what is going on?
    Can you also tell me, if you terminate the process with Port Explorer, can you start it again or is it terminated for ever?
    The Mul
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi The Mul, yes, you can restart the process after termination.
    Remember that you will have to give Port Explorer Terminate "Allow" in Process Guard if you have the programme on your protection list ;)
     
  14. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks Pilli for your help and I will use the advice you gave me.
    I have tried to send the zip file by email to DCS, but this is what is emailed back to me after I send the email to DCS: The following addresses had permanent fatal errors [submit@diamomdcs.com.au>].
    Can you tell me if there is another address I can send the zip file to.

    The Mul
     
  15. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Diamondcs not diamomndcs :eek: I made a typo in the first url I posted - Smack my wrists :'( Corrected now.
    submit@diamondcs.com.au
     
  16. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    Thanks again for your help and I will forgive you this time [ha ha]. All the best.




    The mul
     
  17. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    the mul,

    Is the installation of AOL 9.0 a beta version? AOLDial.exe is part of the beta version. It is required by AOL 9.0 beta unless you are using BYOA cable modem.

    In further checking, AOLDial.exe has been morphed into the GM version of AOL 9.0 as well.
     
  18. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I thought I would let you all know, I have received a reply from DiamondCS on the aoldial.exe zip file that I sent them so they could check for anything suspicious, and this is what they had to say.

    This file looks clean, and since it's an AOL file you should trust it.

    Please remember that the Port Explorer feature that shows items in RED is to identify unknown files using sockets which have no windows ON SCREEN - AOL probably has a number of tray icons which do not count when Port Explorer makes these calculations. If you make a window show on screen then the sockets will return to BLACK.


    Best regards,
    DiamondCS Support


    The Mul
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    So now all is ok and clear and the file gets black when you click the systray icon?
    Thanks for letting us know! Good that you asked!
     
  20. the mul

    the mul Registered Member

    Joined:
    Jul 31, 2003
    Posts:
    1,703
    Location:
    scotland
    I think it is better to ask and be safe than to leave it and take a risk.


    The Mul
     