Trojan.Win32.Dialer.hc

Discussion in 'malware problems & news' started by Rico, Nov 5, 2005.

Thread Status:
Not open for further replies.
  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Guys

    Pest Patrol finds "Trojan.Win32.Dialer.hc at the following

    hkey current user\software\microsoft\windows\current version\internet settings\zonemap\domains\sgrunt.biz

    ZoneAlarm anti-spyware, TrendMicro anti-spy & AV, Spybot, Bazooka, TrojanHunter 4.2, AdAware - fail to confrim PP's finding of a trojan.

    Next visiting regedit & that path zonemap\domains - has lots of entries that refer to bad things.

    Is this where IE-Spyad stores it long list of bad stuff? Does this sound like another FP from PP? A little re-assuring will help calm the old nerves please & thank you.

    Thanks
    rico
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
  3. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I wouldn't say its a FA becuse domain sgrunt.biz is infected with a dialer.


    tD
     

    Attached Files:

  4. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bigc & Technodrome,

    Note PP was just updated. Also when I went to Kav for an on line scan. It failed complaining about my security settings being to high & reset to medium. I remembered a similar problem regarding network popups. see

    https://www.wilderssecurity.com/showthread.php?t=100326

    Upon looking ath the registry again with sgrunt.biz highlighted (left) the right side says 0x00000004 (4)

    I believe the (4) refers to IE's restricted sites.

    Also I do not think I'll be able to get KAV's online scan working. Previously I tried doing a PC Pitstop scan, it too complained about active x settings being set to high, re-setting to medium (lots or work, switching back & forth), with active x settings at medium PC-Pitstop still would not function. Placed PC-Pitstop in trusted site, & still no luck. Also KAV complained make sure I have administrator rights. I've seen this before also, I'm the only user of this machine & have only one account with admin priviledges. Something funny is going on with my active x. I kinda hoped it would all go away with IE7.

    Thanks
    rico
     
  5. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Techndrome,

    Regarding the active x thing, I reset all internet security back to default, still kav & F-Secure would not run. Next tried new user account, KAV & F-secure will not run. Thought maybe it was somewhere in services. I started server, still no luck. KAV does not like firefox, tried that line of thinking. Are there any services, or BHO's or app's, or IE"s advanced settings, that would make my Active X, so flaky?

    Sorry about the poor writing above I'm getting sleepy

    Thanks
    rico

    I'll try the scan you mention & post back!
     
    Last edited: Nov 6, 2005
  7. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Technodrome,

    Dr. Web found nothing! Did you by chance look at the thread mentioned earlier, I think post 4? I'm not quite sure I understand the meaning of your post #3? Geez! You would think TrojanHunter should be able to pick up on this trojan if it is real? What is this trojan supposed to do? After I typed the last question, Geez I could just google it. I'm getting to sleepy

    Good night
    rico
     
  8. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    As I mentioned earlier in this thread, domain sgrunt.biz is infected and this register entry is probably made by the host file or something similar (those bad sites are the sites in your IE Restricted Sites zone.) You are not infected and PP is triggered on domains that contain a malware.


    It is possible that your ActiveX is broken or blocked by one of those IE security apps. I never use them.



    tD
     
  9. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    That is the location where all Domain sites are stored whether they be Trusted or Restricted Sites and is the location where programs such as IE-Spyad, Spywareblaster(Restricted Sites protection), Spybot's Immunization feature(Restricted Sites portion) place their respective database of sites.
    That site is contained in IE-Spyads database and since you saw 0x00000004 (4) that confirms it is a Restricted Sites entry.
     
  10. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Messrs Bigc, Technodrome, & Bubba,

    Many many thanks you guys are great! Thank you very much for being so patient with me. :-*

    Next I'll tell PP tech. support about the FP. Hopefully the next update of PP won't flag (4)'s.

    Thanks Again
    rico


    P.S. - Any thoughts on that 'Active x' thing, mentioned a couple of posts back?
     
  11. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
  12. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Technodrome Update on the Active X thingy.

    1. did the regsvr32 /u & reg32svr on the 10 listed files, all 10 were successful.
    no cigar

    2. tried un-ticking 'enable 3rd party browser extensions. no cigar

    3. Downloaded ran BHO demon - I have (according to the demon) 6 BHO's
    disabled one at a time 5, checked to see if i could run online virus check
    from f-secure. no cigar

    5. One or the 6th BHO is listed as an orphaned entry. agtbho.dll which belongs
    to atomica, which changed its name to Guru.net, which is now answers.
    com. I emailed them, to see if i can remove this BHO.

    6. I downloaded but did not run IEfix from mvps. I did not run this as the
    symptoms, the programs describe, do not match my Active X thingy.
    Do you thinks I should try it?

    7. One of the suggestions in the link was to make a new user account
    I did this yesterday. no cigar.

    Got a couple of other things to try & await Guru.net or whoever they are now, reply.

    Thanks
    Rico

    I shall re-name this machine rubiks cube.
     
  13. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    How about to try to reinstall MS script engine?


    tD
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I notice you mention ZoneAlarm anti-spyware and I noticed in another thread you mentioned using ZA Pro 6. Since both of those have the capability to block ActiveX....have you disabled their respective ActiveX settings to see if they are causing your problem :doubt:

    Also....PC Pitstop uses simple object tag code on their page to load it's ActiveX component EFAEF0E4-F044-4D57-9900-1C3FF18524C9.

    ZA's Privacy settings\Mobile Code control will block ActiveX.
     

    Attached Files:

    Last edited: Nov 6, 2005
  15. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bubba,

    Before your edit I tried her this way, chose do not load ZA at startup, reboot, reset internet security to medium. Went to f-secure tried the online scan. Still does not like my active x. no cigar.

    Now after re-reading your post, I looked 'mobile code' is "off", custom has no check marks.

    Awhile back I had great trouble downloading the new iTunes (I think i have a post here at Wilders about this) or maybe it was something different. I ended up downloading (Microsoft Tech) Windows Install Cleanup. Not sure what it was used on. Somehow i think its all related. I'll have to spend awhile & see if i can find my notes. Quite an astute observation on your part, about ZA!

    Thanks
    rico
     
  16. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Guys,

    From a couple of posts back:

    6. I downloaded but did not run IEfix from mvps. I did not run this as the
    symptoms, the programs describe, do not match my Active X thingy.
    Do you thinks I should try it?

    Don't want to screw it up anymore than it already! Just being cautious. Any known caveats with IE fix?

    Thanks
    rico
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I would ask you first to take a look at a few of your programs further to make sure one of them is not blocking ActiveX controls and plugins independent of IE.

    Also....if you feel comfortable....would you take a look at the below reg location and tell me what the value for dword 1001 is Please.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
     

    Attached Files:

  18. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Guys,

    Is this the MS script engine your talking about?




    Microsoft Windows Script 5.6 (Windows 2000, XP)
    The following files will install Microsoft® Windows® Script containing Visual Basic® Script Edition (VBScript.) Version 5.6, JScript® Version 5.6, Windows Script Components, Windows Script Host 5.6, and Windows Script Runtime Version 5.6.

    Date: April 23, 2003


    NOTE: Awhile back I "Removed the Microsoft Java Machine", then installed
    Sun Java. I was told Ms's Java was a security risk & that MS does not
    support, as they lost a lawsuit regarding this.


    Thanks
    rico
     
  19. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bubba

    From regedit:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3

    1001 is (1)
    Excitement I hope!

    Thanks
    rico

    actually its 0x00000001 (1)
     
  20. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Last edited: Nov 7, 2005
  21. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bubba,

    I would definitely say 2004 I could use PC-Pitstop. Then never went back until, like last week. I never really tried an online AV scan. The iTunes thing see:

    https://www.wilderssecurity.com/showthread.php?t=87353.

    The iTunes thing was kinda/sort of resolved with a MS Tech (i was able to download itynes update) this involved, deleting lots of things in IE plus download & useage of the 'Windows install clean up' tool. I remember on thing he had me do was, create a new user account, which did not help. I also think we looked at active or/an inactive BHO's in IE. Geez perhaps it was fixed, & beame broken again with the MS update.

    Should I do the paste & add to reg. that's from your post? I'll do an erunt & system restore point first.

    Thanks
    rico
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Those are items that need to be there so if they are already there all you will do is overwrite them. It sure want hurt to give it a go IMHO.
     
  23. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bubba,

    Success adding KB909889.reg > reboot > restore default IE security internet > re tick IE options advanced Enable on demand (internet explorer) & (other) and went to & got:
     

    Attached Files:

  24. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Is that a differnet error message or the same one you had been receiving ?
     
  25. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,690
    Location:
    Texas
    Hi Bubba,

    Same

    rico
     
Thread Status:
Not open for further replies.