Trojan.Win32.Dialer.hc

Hi Guys

Pest Patrol finds "Trojan.Win32.Dialer.hc at the following

hkey current user\software\microsoft\windows\current version\internet settings\zonemap\domains\sgrunt.biz

ZoneAlarm anti-spyware, TrendMicro anti-spy & AV, Spybot, Bazooka, TrojanHunter 4.2, AdAware - fail to confrim PP's finding of a trojan.

Next visiting regedit & that path zonemap\domains - has lots of entries that refer to bad things.

Is this where IE-Spyad stores it long list of bad stuff? Does this sound like another FP from PP? A little re-assuring will help calm the old nerves please & thank you.

Thanks
rico

 

it is possibly a false positive but it wouldn't hurt to do one more scan Kaspersky Online Scan

 

I wouldn't say its a FA becuse domain sgrunt.biz is infected with a dialer.


tD

 

Hi Bigc & Technodrome,

Note PP was just updated. Also when I went to Kav for an on line scan. It failed complaining about my security settings being to high & reset to medium. I remembered a similar problem regarding network popups. see

https://www.wilderssecurity.com/showthread.php?t=100326

Upon looking ath the registry again with sgrunt.biz highlighted (left) the right side says 0x00000004 (4)

I believe the (4) refers to IE's restricted sites.

Also I do not think I'll be able to get KAV's online scan working. Previously I tried doing a PC Pitstop scan, it too complained about active x settings being set to high, re-setting to medium (lots or work, switching back & forth), with active x settings at medium PC-Pitstop still would not function. Placed PC-Pitstop in trusted site, & still no luck. Also KAV complained make sure I have administrator rights. I've seen this before also, I'm the only user of this machine & have only one account with admin priviledges. Something funny is going on with my active x. I kinda hoped it would all go away with IE7.

Thanks
rico

 

I don't know about your active x thing but you can use DrWeb (www.drweb.com) cureIT tool (ftp://ftp.drweb.ru/pub/drweb/cureit/) to check for possible malware. You don’t have to install it. Just run it and scan your machine.

tD

 

Hi Techndrome,

Regarding the active x thing, I reset all internet security back to default, still kav & F-Secure would not run. Next tried new user account, KAV & F-secure will not run. Thought maybe it was somewhere in services. I started server, still no luck. KAV does not like firefox, tried that line of thinking. Are there any services, or BHO's or app's, or IE"s advanced settings, that would make my Active X, so flaky?

Sorry about the poor writing above I'm getting sleepy

Thanks
rico

I'll try the scan you mention & post back!

 

Hi Technodrome,

Dr. Web found nothing! Did you by chance look at the thread mentioned earlier, I think post 4? I'm not quite sure I understand the meaning of your post #3? Geez! You would think TrojanHunter should be able to pick up on this trojan if it is real? What is this trojan supposed to do? After I typed the last question, Geez I could just google it. I'm getting to sleepy

Good night
rico

 

As I mentioned earlier in this thread, domain sgrunt.biz is infected and this register entry is probably made by the host file or something similar (those bad sites are the sites in your IE Restricted Sites zone.) You are not infected and PP is triggered on domains that contain a malware.


It is possible that your ActiveX is broken or blocked by one of those IE security apps. I never use them.



tD

 

That is the location where all Domain sites are stored whether they be Trusted or Restricted Sites and is the location where programs such as IE-Spyad, Spywareblaster(Restricted Sites protection), Spybot's Immunization feature(Restricted Sites portion) place their respective database of sites.

That site is contained in IE-Spyads database and since you saw 0x00000004 (4) that confirms it is a Restricted Sites entry.

 

Messrs Bigc, Technodrome, & Bubba,

Many many thanks you guys are great! Thank you very much for being so patient with me.

Next I'll tell PP tech. support about the FP. Hopefully the next update of PP won't flag (4)'s.

Thanks Again
rico


P.S. - Any thoughts on that 'Active x' thing, mentioned a couple of posts back?

 

Try these suggestions: http://64.233.161.104/search?q=cach..._21209811.html repairing activex in ie6&hl=en


tD

 

Hi Technodrome Update on the Active X thingy.

1. did the regsvr32 /u & reg32svr on the 10 listed files, all 10 were successful.
no cigar

2. tried un-ticking 'enable 3rd party browser extensions. no cigar

3. Downloaded ran BHO demon - I have (according to the demon) 6 BHO's
disabled one at a time 5, checked to see if i could run online virus check
from f-secure. no cigar

5. One or the 6th BHO is listed as an orphaned entry. agtbho.dll which belongs
to atomica, which changed its name to Guru.net, which is now answers.
com. I emailed them, to see if i can remove this BHO.

6. I downloaded but did not run IEfix from mvps. I did not run this as the
symptoms, the programs describe, do not match my Active X thingy.
Do you thinks I should try it?

7. One of the suggestions in the link was to make a new user account
I did this yesterday. no cigar.

Got a couple of other things to try & await Guru.net or whoever they are now, reply.

Thanks
Rico

I shall re-name this machine rubiks cube.

 

How about to try to reinstall MS script engine?


tD

 

I notice you mention ZoneAlarm anti-spyware and I noticed in another thread you mentioned using ZA Pro 6. Since both of those have the capability to block ActiveX....have you disabled their respective ActiveX settings to see if they are causing your problem

Also....PC Pitstop uses simple object tag code on their page to load it's ActiveX component EFAEF0E4-F044-4D57-9900-1C3FF18524C9.

ZA's Privacy settings\Mobile Code control will block ActiveX.

 

Hi Bubba,

Before your edit I tried her this way, chose do not load ZA at startup, reboot, reset internet security to medium. Went to f-secure tried the online scan. Still does not like my active x. no cigar.

Now after re-reading your post, I looked 'mobile code' is "off", custom has no check marks.

Awhile back I had great trouble downloading the new iTunes (I think i have a post here at Wilders about this) or maybe it was something different. I ended up downloading (Microsoft Tech) Windows Install Cleanup. Not sure what it was used on. Somehow i think its all related. I'll have to spend awhile & see if i can find my notes. Quite an astute observation on your part, about ZA!

Thanks
rico

 

Hi Guys,

From a couple of posts back:

6. I downloaded but did not run IEfix from mvps. I did not run this as the
symptoms, the programs describe, do not match my Active X thingy.
Do you thinks I should try it?

Don't want to screw it up anymore than it already! Just being cautious. Any known caveats with IE fix?

Thanks
rico

 

I would ask you first to take a look at a few of your programs further to make sure one of them is not blocking ActiveX controls and plugins independent of IE.

Also....if you feel comfortable....would you take a look at the below reg location and tell me what the value for dword 1001 is Please.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

 

Hi Guys,

Is this the MS script engine your talking about?




Microsoft Windows Script 5.6 (Windows 2000, XP)
The following files will install Microsoft® Windows® Script containing Visual Basic® Script Edition (VBScript.) Version 5.6, JScript® Version 5.6, Windows Script Components, Windows Script Host 5.6, and Windows Script Runtime Version 5.6.

Date: April 23, 2003

NOTE: Awhile back I "Removed the Microsoft Java Machine", then installed
Sun Java. I was told Ms's Java was a security risk & that MS does not
support, as they lost a lawsuit regarding this.


Thanks
rico

 

Hi Bubba

From regedit:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

1001 is (1)
Excitement I hope!

Thanks
rico

actually its 0x00000001 (1)

 

The one signifies enabled. I also re-read your earlier posts where you said you added the sites to your Trusted Zone....so I appologize for having you check that

How long has this been going on Rico ?

Could it have come about after a recent MS Security Update ?

ActiveX controls may not load as expected in Internet Explorer due to defense in depth changes introduced in cumulative security update 896688 (MS05-052)

 

Hi Bubba,

I would definitely say 2004 I could use PC-Pitstop. Then never went back until, like last week. I never really tried an online AV scan. The iTunes thing see:

https://www.wilderssecurity.com/showthread.php?t=87353.

The iTunes thing was kinda/sort of resolved with a MS Tech (i was able to download itynes update) this involved, deleting lots of things in IE plus download & useage of the 'Windows install clean up' tool. I remember on thing he had me do was, create a new user account, which did not help. I also think we looked at active or/an inactive BHO's in IE. Geez perhaps it was fixed, & beame broken again with the MS update.

Should I do the paste & add to reg. that's from your post? I'll do an erunt & system restore point first.

Thanks
rico

 

Those are items that need to be there so if they are already there all you will do is overwrite them. It sure want hurt to give it a go IMHO.

 

Hi Bubba,

Success adding KB909889.reg > reboot > restore default IE security internet > re tick IE options advanced Enable on demand (internet explorer) & (other) and went to & got:

 

Is that a differnet error message or the same one you had been receiving ?

 

Hi Bubba,

Same

rico