
July 1st, 2009 18:00

Is the Dell Dock a Trojan program?

ZoneAlarm Pro notified me a few minutes ago that Dell Dock was requesting access to the internet.

 

Now, why would Dell Dock, that just sits there, and does nothing but hold shortcuts and macros for my computer's programs be trying to access the intranet?
Worse, what is it really sending?

There is no shortcut that I put in the dock that needs access to the internet/intranet, and there is no auto-checking for update feature either.
Something is very fishy here! Might explain the interruption when connecting to the internet, as that is where Dell Dock complains of errors when trying to load.

 

I have Stardock's ObjectDock on my laptop, that has the Weather, and never gave any thought of not allowing it access to the internet. But now I am wondering what else is going on here, since Dell's version of the same program (without the Weather add-in) is trying to access the internet.

 

My desktop computer's Ethernet IP is 192.168.1.104, and the Wireless is 192.168.1.107, and Dell Dock wants out on 192.168.1.105 which is my laptop's IP address.
Sounds like a virus or Trojan activity going on here. The program should not be having the need to "reach out" to other computers connected in the home network.

 

This might explain the high internet activity I've been seeing, and the numerous attempts at something in my computer trying to access other computers on the home network (which was also linked to freezing issues). We're talking serious numbers of attempts per day, over 100!

 


Description      Dell Dock was temporarily blocked from connecting to the local zone (192.168.1.105).
Rating           Medium
Date / Time      2009-07-01 17:55:28-6:00
Type             Program Access
Program          DellDock.exe
Source IP       
Destination IP  
Direction        Outgoing (connect)
Action Taken     Blocked
Count            2
Source DNS      
Destination DNS 
Policy           Personal Policy

 

Now to await a reasonable, and accurate, reply as to why Dell Dock needs access to the internet. I have it blocked at the present times, and it's tried to connect to the internet/private network numerous times so far.

Might have to uninstall Dell Dock, this is too suspicious to dismiss.

30.3K Posts

July 1st, 2009 19:00

Xelkos,

 

I couldn't find an exception on my computer for Dell Dock but... I had an issue when I first got my computer and un-installed Dell Dock, then downloaded Dell Dock from Stardock. My wireless router uses ip address, so I don't even know what the ip address is on what you're seeing. I tried to compare my daughter's ip addresses with mine looking for an identical one, since we both have Dell Dock installed.

 

I have run a full scan with FREE Avast Home Edition, Malwarebytes Anti-Malware, SuperAntiSpyware and Spybot Search & Destroy and they do NOT find anything. Did you try running full scans with your Virus protection and the above listed programs? If the above programs do find something, I would then suggest that you go to the DELL Malware Removal Forum, read the top post by bugbatter and follow the instructions.

 

 

Rick

213 Posts

July 2nd, 2009 06:00

Trend Micro 2008 doesn't find any "known" critters. ZoneAlarm Pro notified me of the suspicious activity, which alerted me. Normally I would think nothing of it, but I thought it was odd that I got an alert since Dell Dock's been in place for a few months on this build.
Have a Russian Trojan scanner, not sure if it will function in a 64 bit OS. When this AV expires, will go Kaspersky Labs.

 

As to why it's (NETBT) trying to contact my laptop computer (home network) over 100 times a day is worrying me. There is no reason for Dell Dock to be trying to access other computers on my network, let alone accessing anything on the internet.


The name "CHINCHILLA     :0" could not be registered on the interface with IP address 192.168.1.104. The computer with the IP address 192.168.1.105 did not allow the name to be claimed by this computer. (numerous events of this)

 

213 Posts

July 2nd, 2009 07:00

192.168.1.100 = Router
192.168.1.101 = Network Printer
192.168.1.102 = Axim X50v (wi-fi)
192.168.1.104 = XPS 630i (wired)
192.168.1.107 = XPS 630i (wi-fi)
192.168.1.105 = Laptop #1 (wired)
192.168.1.10_ = Laptop #1 (wi-fi)
192.168.1.10_ = Laptop #2 (wi-fi)
192.168.1.10_ = Zune (wi-fi)

 

Dell Dock is using 192.168.1.104 (XPS 630i) to connect to 192.168.1.105 (laptop #1 wired). Why?

47K Posts

July 2nd, 2009 07:00

192.168.1.105 is an RFC 1918 non-routable number. Numbers in that range would need to be translated via router to become public addresses.

 

RFC1918 - Address Allocation for Private Internets

Hosts within enterprises that use IP can be partitioned into three
   categories:

      Category 1: hosts that do not require access to hosts in other
                  enterprises or the Internet at large; hosts within
                  this category may use IP addresses that are
                  unambiguous within an enterprise, but may be
                  ambiguous between enterprises.

      Category 2: hosts that need access to a limited set of outside
                  services (e.g., E-mail, FTP, netnews, remote login)
                  which can be handled by mediating gateways (e.g.,
                  application layer gateways). For many hosts in this
                  category an unrestricted external access (provided
                  via IP connectivity) may be unnecessary and even
                  undesirable for privacy/security reasons. Just like
                  hosts within the first category, such hosts may use
                  IP addresses that are unambiguous within an
                  enterprise, but may be ambiguous between
                  enterprises.

      Category 3: hosts that need network layer access outside the
                  enterprise (provided via IP connectivity); hosts in
                  the last category require IP addresses that are
                  globally unambiguous.

   We will refer to the hosts in the first and second categories as
   "private".  We will refer to the hosts in the third category as
   "public".

The Internet Assigned Numbers Authority (IANA) has reserved the
   following three blocks of the IP address space for private internets:

     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

 

30.3K Posts

July 2nd, 2009 11:00

Xelkos,

 

My Dell Dock is not doing this. I have a Studio 1737 32-bit with Vista Home Premium. I actually monitor my network at all times using Linksys EasyLink Advisor and I see no other connections that are out of place. When I'm home alone, I have no issues.

 

Did you scan for viruses and malware using the tools I mentioned above?

 

What type of security are you using in your wireless router?

 

Since you're using a network printer, I would suggest using...

 

WPA-PSK(TKIP) Security (Personal)

Update the firmware in your wireless router

Broadcast SSID (To make the connection easier, it may be easier to change the SSID name)

Mixed mode

Use channels 1, 6 or 11 (I use channel 11)

 

Save and exit. Power everything off for 30 seconds. Turn everything back on and try to connect. Remember you'll need to set up your network printer and Zune again.

 

 

Rick

 

You either have a security issue with your wireless router or malware. DELL Malware Removal Forum

213 Posts

July 2nd, 2009 14:00

I do see there is another version of Dell Dock out now, 15c. I was using 15b.

Will have to look at the update notes.

213 Posts

July 2nd, 2009 14:00

Rick,

 

  Though I do appreciate your willingness to help me fix a router and network printer issue that I am not having, the discussion topic was why a shortcut-holding program is trying to connect to other computers in the network; not if it was actually succeeding, infecting, key-logging, or seeding.

  Came here wanting to know why Dell Dock is trying to access another computer on my system. It's not getting through apparently, but it keeps trying, and I have running logs of its attempts. Key word there, attempts.

 

  Scans are coming back with no "known" results. Still, there are alerts of suspicious activity. At this point uninstalling the program seems to be the cure for now. May try installing it again and see if the activity still wants to persist.

213 Posts

July 4th, 2009 05:00

15c really isn't 15c, it's 15b still. I had removed the previous Dell Dock, cleaned the registry, and after a few reboots and registry scans, I downloaded a new Dell Dock and installed that.

Dell Dock was behaving itself, till I switched back to Vista x64 just a few minutes ago.
ZAP hit me with an alert that DellDock.exe is trying to access the Internet. Okay... tell me again why a program that just holds shortcuts is trying to access the internet again?

It was trying to access 91.199.212.169:HTTP, and that brings up a white Opening window showing:


You have chosen to open

 

    which is a:  application/ocsp-response

    from: http://91.199.212.169

Which downloads an unusual file: IgiAAmvE.part @ 5 bytes in size, and stopping that download brings up yet another window: Visual C# Command Line Compiler has stopped working. Which further results in an error window:


Dell Dock

The Dell Dock's language file, which in necessary for its operation, has failed to load.

Please check your Dell Dock installation

And of course Dell Dock crashes.

Now, 5 bytes in length, and it claims to be a language file? Sounds more like a virus than a language file to me.

 

The previous attempt of GhLsMMxw.part results came back negative for critters, and at 5 bytes too:

NotePad2 reads it as:
0

Scanned IgiAAmvE.part and no results came back.

NotePad2 reads it as:
0

 

I don't know what's going on either, and if not for ZoneAlarm Pro notifying me I'm not sure what issues I'd end up with.

 

 

ZoneAlarm Pro's Log:

Rating: High
Date / Time: 2009-07-04  05:19:14-6:00
Type: Program Access
Program: DellDock.exe
Source IP:
Destination IP:
Direction: Outgoing (connect)
Action Taken: Blocked
Count: 1
Source DNS:
Destination DNS:
Policy: Personal Policy

and..

Rating: High
Date / Time: 2009-07-04  05:19:14-6:00
Type: Program Access
Program: DellDock.exe
Source IP:
Destination IP: 67.51.175.174:80
Direction: Outgoing (connect)
Action Taken: Blocked
Count: 1
Source DNS:
Destination DNS: crl.comodoca.com
Policy: Personal Policy

and...

Rating: High
Date / Time: 2009-07-04  05:08:06-6:00
Type: Repeat Server Program
Program: C:\Windows\System32\svchost.exe
Source IP: 192.168.1.107:50600
Destination IP:
Direction: Incoming (listen)
Action Taken: Allowed
Count: 1
Source DNS: MyXPSpc
Destination DNS:
Policy: Personal Policy

and....

Rating: High
Date / Time: 2009-07-04  05:07:52-6:00
Type: Repeat Program
Program: C:\Program Files\Dell\DellDock\DellDock.exe
Source IP:
Destination IP: 91.199.212.169:80
Direction: Outgoing (connect)
Action Taken: Blocked
Count: 1
Source DNS:
Destination DNS: crl.comodoca.com
Policy: Personal Policy

This program seems to have more going on with it than a simple shortcut organizer.
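One detail in the log above is worth decoding: `application/ocsp-response` is the MIME type of an OCSP certificate-status reply (RFC 6960), `crl.comodoca.com` serves Comodo CA certificate revocation lists, and a 5-byte OCSP response is exactly the size of a reply that carries only a responseStatus (an error such as tryLater or unauthorized) and no certificate data; its first DER byte is 0x30, which a text editor shows as `0`. The following decoder is an added example, not code from this thread, Dell or Stardock; the sample bytes are constructed, and which status the poster actually received is not known from the thread.

```python
# Decoder for a minimal OCSP response (RFC 6960, section 4.2.1):
#   OCSPResponse ::= SEQUENCE {
#       responseStatus  OCSPResponseStatus,            -- ENUMERATED
#       responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }
# With responseBytes absent the DER encoding is 5 bytes: 30 03 0a 01 <status>.
from typing import Tuple

OCSP_STATUS = {
    0: "successful",
    1: "malformedRequest",
    2: "internalError",
    3: "tryLater",
    5: "sigRequired",
    6: "unauthorized",
}


def _der_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at data[pos]; return (length, index of content)."""
    first = data[pos]
    if first < 0x80:                       # short form
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or pos + 1 + n > len(data):
        raise ValueError("bad DER length")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_ocsp_status(data: bytes) -> Tuple[str, bool]:
    """Return (status name, responseBytes present) for a DER OCSPResponse.

    Only the outer structure is checked; a file that fails here is not an
    OCSP reply at all, which is the first thing to establish before guessing
    what an unexpected downloaded file is.
    """
    if len(data) < 5 or data[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len, body = _der_length(data, 1)
    if body + seq_len != len(data):
        raise ValueError("SEQUENCE length does not match file size")
    if data[body] != 0x0A or data[body + 1] != 0x01:
        raise ValueError("responseStatus must be a 1-byte ENUMERATED")
    status = data[body + 2]
    if status not in OCSP_STATUS:
        raise ValueError(f"unknown responseStatus {status}")
    has_bytes = body + 3 < len(data) and data[body + 3] == 0xA0
    return OCSP_STATUS[status], has_bytes


# Constructed sample: a bare tryLater reply, 5 bytes, first byte is ASCII '0'.
SAMPLE_TRYLATER = bytes.fromhex("30030a0103")

if __name__ == "__main__":
    print(len(SAMPLE_TRYLATER), SAMPLE_TRYLATER[:1].decode("ascii"),
          decode_ocsp_status(SAMPLE_TRYLATER))
```

A response that actually carries signed certificate status has responseBytes and runs to hundreds of bytes, so a 5-byte file can only be one of the error statuses listed in the table.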

213 Posts

July 4th, 2009 15:00

I also use Virus Total to selectively scan files remotely. No "known" hits are coming back, still doesn't discount the odd behavior of a shortcut organizer.

Why would it need to send out for file downloads from the internet after installation? Doesn't say that it has a self updating feature, after all, it just holds shortcuts - nothing else. Why does it need to go and download short files, and then compile them? What is it really trying to do? And when it's not allowed to do it, it wants to crash.

It is just supposed to hold shortcuts. By its actions it is a Trojan, in that it's doing some other unknown activity while holding your shortcuts.

 

While it has no "known" virus hits, it is grabbing files on its own and compiling them.
I have seen JavaScript run, grab files, compile, and start malicious activity and run viruses that did not exist in a simple harmless web page. Problem is with this, the infection source is not tagged and is free from virus/Trojan tags, yet it's still resident and keeps compiling. Thus the process keeps repeating while the web page was opened.

July 5th, 2009 02:00

Xelcos, try Googling the DNS address, ie: crl.comodoca.com, and see what you come up with. I think you are correct in assuming something fishy is going on. IMHO, I would come up with a different dock alternative. I had a similar experience while using the Dell Resource Center program. Something was trying to call home somewhere, I ditched it, and now do my own driver, BIOS updates etc. Might be something harmless, but not worth the aggravation of knowing something is trying to do something under the table! Good Luck. P.S. I also ditched Windows for Linux, LOL.

213 Posts

July 5th, 2009 15:00

For a program that just holds & organizes shortcuts, I still can't see why it needs to connect to the internet.


Definition of: Trojan

A program that appears legitimate, but performs some illicit activity when it is run. It may be used to locate password information or make the system more vulnerable to future entry or simply destroy programs or data on the hard disk. A Trojan is similar to a virus, except that it does not replicate itself. It stays in the computer doing its damage or allowing somebody from a remote site to take control of the computer. Trojans often sneak in attached to a free game or other utility. For information about various Trojans that are spread on the Internet, visit the Lockdown Corporation at www.lockdowncorp.com. See rootkit, RAT, Back Orifice, NetBus, PrettyPark, Talking Trojan and virus.

It may be legitimate, yet this program is downloading files in 5 byte increments, and using the computer's files to compile - which gives more indication of a program readying its payload, or building something that was not included in the original program. Which also gives an indication of even more suspicious unknown activity.

That's how viruses and malicious programs get into computer systems from seemingly innocent programs. A program gets in, starts downloading files, compiling, and releasing viruses or other attacks. The initial program gets past the virus scanners because it isn't a virus, but it will download and compile them on the host computer. That sort of infection is the worst to get rid of, and the affected user is best to rebuild from that point, as the program may have constructed other programs to load and release their payload(s).

 

Not trying to say Dell Dock is malicious, but I am saying its activities are associated with those of a Trojan program.

 

Essentially, Dell Dock holds a set of shortcuts and macros to facilitate the ability to launch programs from an easier to use GUI (Graphical User Interface). Such a program does not need to access the internet. It does not need to download files. It does not need to compile files that were not included in the original installation container.

 

 

Are there other programs that are similar to the Dell Dock that are legitimate, and hold / organize shortcuts, in a pleasant GUI that can reside on the top portion of the desktop (with an auto-hide option)?

213 Posts

July 7th, 2009 13:00

Stardock refused to comment on the issue, saying to contact Dell.

 


Hello,

For help and support for the Delldock please visit www.delldock.com



Thanks,
Michael Emmerd
Technical Advisor and Consumer QA
Stardock Systems, Inc.
http://www.impulsedriven.com

1 Message

September 25th, 2009 09:00

Hey Xelkos, all IP addresses you posted go to a Comodo Inc. which is (from what their site says) a security company that does internet security... could be fake or not. Do you have any software that has come from this company... any SSL licences for secure email transfer or anything like that? If not, someone is using the exe to do bad to you. Call Comodo and see what they say!!!
