Trojan.Win32.Dialer.hc

Discussion in 'malware problems & news' started by Rico, Nov 5, 2005.

Thread Status:
Not open for further replies.
  1. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    :doubt: That is not an ActiveX warning per se....an ActiveX warning is similar to the below pic. I assumed wrongly that you were speaking of a normal ActiveX warning given what you said earlier...."it too complained about active x settings being set to high". We need to be looking into what policy is preventing this ActiveX problem :doubt:

    I recall a post in another thread concerning your use of RegDefend. Is that on this PC and if so I'll assume 2k or XP. If XP....what type user is this....Limited User ?

    Normal ActiveX warning: (attached picture)
  2. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba,

    Yes this machine has RegDefend, XP home SP2, I am the administrator, always.

    Geez! Sorry to have led you down a wrong path, I thought for sure it was Active X. Glad I posted the pic.

    Thanks
    rico

    Just disabled RD same message as before. I also run PG.
     
    Last edited: Nov 8, 2005
  3. ontopic

    ontopic Guest

    Re: Trojan.Win32.Dialer.hc


    Searching Google further more for Trojan.Win32.Dialer.hc gave up a labyrinth of aliases in following databases:

    http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453096347

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=70462

    http://www.sophos.com/virusinfo/analyses/trojqlowdra.html

    http://66.102.9.104/search?q=cache:...info/analyses/index_q.html qlowzones-15&hl=nl

    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=132300

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=88655

    http://www.viruslist.com/en/viruses/encyclopedia?virusid=87306



    When I Google for Trojan.Win32.Dialer.hc, I get a sponsored link (advertisement in the right corner) on the Google search page. It shows this message:

    Trojan.Win32 Remover
    Can't remove Trojan.Win32?
    Kill Trojan.Win32 Now, Free Scan
    www.ScanForFree.com

    This link pointed to a (dubious) online scanner:

    http://www.scanforfree.com/xoftspy.htm

    But when I look at this website I find Xoftspy in the Rogue/Suspect Anti-Spyware Products list.

    http://www.spywarewarrior.com/rogue_anti-spyware.htm#trustworthy

    Seems Pest Patrol is the only online scanner that finds Trojan.Win32.Dialer.hc, but it doesn't remove it. (Only if you buy it...)

    But it seems like www.Nod32.com and www.Sophos.com can detect/remove the Trojan.Win32.Dialer.hc also. There are free trials for both scanners, but I never tried them.

    I hope this helps.
    kind regards,
     
  4. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Ontopic,

    Thank you very much for your effort, however, this turned out to be a FP from PestPatrol. See post #9 this thread. After post 9 the posts were pretty much about solving an activex or what's blocking activex.

    Thanks again
    rico
     
  5. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba,

    I've tried closing all applications, still get the same "insufficient rights" message. Tried googling the error message & searching the MS knowledge base. Hopelessly lost. Thought it might be due to Macromedia, not sure.

    Thanks
    rico
     
  6. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba,

    Searched registry edit/find (just key ticked) for "policies" (sans "") did not find any reference or keys with ActiveX in policies.

    Thanks
    rico
     
  7. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba, Tried the following:

    1. Search registry with find options Key (unticked) Values & Data (ticked)
    for ActiveX & looked for any instance of "policies." Found Nothing

    2. Tried safe-mode with network & fsecure in trusted zone - same error
    message. Insufficient rights...


    Thanks
    rico
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Unfortunately Rico I am now hunting for a needle in a haystack. I would ask you to re-check all your software protection including your rules for RegDefend. One last item that you can check for in the registry would be Security_RunActiveXControls. If found let us know what the value is please. Other than that I'll have to holler uncle.
     
  9. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    In searching for the needle. Question?


    Wouldn't this take RegDefend out of the picture?

    Security_RunActiveXControls

    Typed this exactly in regedit's find - found nothing
    is that what you meant for find?

    Also perhaps related. I cannot get to www.janus.com (mutual fund). All I get is a white screen & it tries forever to load. Perhaps what's blocking janus is blocking fsecure? That phishing web site you posted at ten-forward, I could not get that page to load until I unticked SpywareBlaster "macromedia". I'm rambling now.

    Thanks
    rico

    P.S. My rules for RegDefend are the default rules, which came with the prog. ver 2.0
     
  10. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    If you have IE set to the High setting you won't see anything. Right click the page and select View source. All that's there is script code and meta refresh....both are disabled in the High setting.
     
  11. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba - Thanks for the info on Janus. I'm too excited

    I found in RD:

    When I look at: Hkey_users\default\software\microsoft\windows\current version\internet settings - I can't find Security_Run...

    in RD for the pic the following are ticked only:

    set value, delete value, ask user - This all occurs in Rd's configure > web browser protection

    Geez! Do I see a shiny glimmer of light from the needle? (attached picture)
  12. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba,

    Tried disabling all groups in RD, including "Web Browser Protection" > reboot
    still "insufficient rights..." at FSecure online scan.


    Thanks
    rico

    P.S. Tried setting security > internet to default; the janus page will not display, IE progress (page loading gauge) stalls half way through. The mouse pointer is changed while on this site & it does not allow right click. Same when placing janus in trusted sites.
     
    Last edited: Nov 13, 2005
  13. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba - I finally got to Janus; the site will not run with ZA on! Tried lowering everything in ZA or off, no Janus. Kill ZA & janus is fine. Hurrah!

    Fsecure online scan - With all RD's configure > global registry rules > groups enabled UN-Ticked. I rebooted then went to Hkey_users\.default\software\microsoft\windows\currentversion\internetsettings still absent "Security_RunActiveXControls"

    Shouldn't this be here as RD seems to think it should? And could this be why I get the persistent "insufficient rights..." error? Did I just prick myself, & draw blood with that needle? Nah! I'm just giddy from seeing Janus. Here's a pic of the registry with RD's global protection (all groups) off or unticked & rebooted.

    Take care Bubba & Good Night from Azusa
     

    Attached Files: reg1.jpg (51.5 KB)
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    I suggest you take a close look at ZA's Mobile Control in regards to how it overlaps with the same protection found in IE. Hopefully thru some of the problems you are experiencing you'll better understand that disabling ActiveX, Script....etc in IE is the same overlapping protection in ZA. Also....Zonelabs has a very good tutorial that spells out the Mobile Control feature very well. On their Service and Support.....look in the Product-Specific Support section and select your product. Then select the appropriate user guide for download.

    That entry in RD is simply a Registry Rule that RD monitors, but that does not mean it actually exists in the registry by default. There are a number of RD rules that do not actually exist in the registry for all users, but since malware writers do use those registry locations the RD developers created those Registry Rules.
     
    Last edited: Nov 13, 2005
  15. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Good Morning Bubba,

    Okay! But from the pic. in Post #36, what does that correspond to in Post #38 pic.? Is my post #38 different, than XPer's who can F online?

    BTW - This whole thread started out as "Trojan.Win32.Dialer.hc." I finally (tried lots of time, make contact) got through to PP's tech. He thanked me for the info. on the FP & said he would hurry the info. to the code writers. The insufficient rights thingy is easier than getting a message to PP.

    Do you think IE7, will write the missing line in the registry (if indeed a line is missing) & solve this thingy?

    Thanks
    rico

    P.S. I suggest you take a close look at ZA's Mobile Control in regards to how it overlaps with the same protection found in IE. I will scouts honor! Also FYI the "Mobile Control" radio button is "Off" always has been. I'll still check it though.
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    As I mentioned above....that RD Rule (post # 36) will guard that particular registry entry if that key exists. As you are showing in post # 38....that registry key does not exist, but RD will protect that key if it ever gets installed by a program or malware. :doubt:

    "There are a number of RD rules that do not actually exist in the registry for all users but since malware writers do use those registry locations the RD developers created those Registry Rules."
     
  17. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Bubba,

    Yes I understand! My question is, is a key missing at that location? Second, if the key is there & RD is told not to block, will it work?

    Or

    Compare keys (at that location) with someone who can do an online F-Secure scan; if I'm missing something, add the key, then block RD, to see if it will work?

    Just thinking out loud

    Thanks
    rico
     
  18. faultless18

    faultless18 Guest

    hi i have this trojan 2.....i know where it is...its in the key "hkey_current_user\software\microsoft\windows\currentversion\internet settings\zonemap\domains\sgrunt.biz"

    i know how to get there but when i get there i don't know what to do.....so can someone help me out...
     
  19. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    2,286
    Location:
    Canada
    Hi Faultless18

    Do you see 0X0000004 (4) like the pic.? If you do you should be okay. (attached picture)
  20. mazzie

    mazzie Registered Member

    Joined:
    Dec 4, 2005
    Posts:
    1
    I wonder if anyone can please help.

    Pest Patrol keeps finding Trojan.Win32.Dialer.hc and won't remove it. It tells me that: One or more pest items could not be quarantined. This may be due to a reboot being required to complete the removal of a pest. etc., etc. I have rebooted and it's in the quarantine and I have deleted it, then run a scan immediately and it's there again, and this keeps going on over and over.

    I have done a regedit and tried to delete the folder sgrunt.biz, but I cannot delete the folder. I tried renaming it to sgrunta.biz, but to no avail, and I can't delete that either. In fact I cannot delete any of the folders in zonemap\domains.

    I have run Spybot, TrendMicro Anti-Spyware, Ewido Security Suite, CounterSpy, Panda ActiveScan, Spsweeper, Microsoft Anti Spyware, Norton AntiVirus and none of these have found this Dialer, only Pest Patrol, which won't delete it.

    My registry looks exactly like the picture on post #44 with the value of 4.

    The funny thing is that my other computer also had this same Dialer and Pest Patrol deleted it from that computer with no problems at all.

    Can anyone please tell me how to get rid of this thing. It's driving me mental and I don't know if it's really in my computer or not. I need to know as I do not want to compromise the security of my computer.

    I hope someone has a solution for me, or I will soon be bald from pulling my hair out.

    Thanks
     
  21. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    The 4 in that registry location signifies a site entry that is in Internet Explorer's Restricted Zone. If you use Spybot's Immunization feature that is how that entry got there. The bottom line is Pest Patrol is falsely reporting a valid entry placed there possibly by Spybot.
     
  22. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    I am sorry if I cause any trouble. Some time ago my Kaspersky Antivirus discovered a trojan (It was Trojan.Win. unfortunately I don't remember the rest of the name.) that appeared in C:\Documents and Settings\All Users\Documents\setup.exe. There were a setup.exe file and a text file named autorun (Maybe it was autorun.exe, but I am not sure.). When I deleted them, they appeared again after some time, and so on for some period of time. Finally I thought that the trojan was gone, but recently I downloaded the PestPatrol trial version and that said that I have Trojan.Win32.Dialer.hc in hkey_current_user\software\microsoft\windows\current version\internet settings\zonemap\domains\sgrunt.biz.

    So could you help me please, is this a real trojan, maybe the same that was discovered by Kaspersky Antivirus, or is this just a false alarm by Pest Patrol, because I have used AdAware SE Personal, Spybot Search & Destroy, AVG Antispyware trial version, a-squared Anti Malware 2.1 trial version, Trojan Remover trial version, a-squared Anti-dialer and none of these programs could find this trojan.

    Please help me, I am getting crazy here. I can't find the answer anywhere. Thank you for your help and sorry for bothering you. I hope my English is not too bad.
     
  23. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Hello AWorriedPerson,

    As part of Spybot Search & Destroy's Immunization function it places numerous entries into the proper location of the registry for Internet Explorer protection and one of those entries is sgrunt.biz. If you are using Spybot Search & Destroy's Immunization feature....then Pest Patrol is falsely reporting a valid entry placed there possibly by Spybot.

    HTH,
    Bubba
     
  24. AWorriedPerson

    AWorriedPerson Registered Member

    Joined:
    Dec 3, 2006
    Posts:
    30
    Thank you so much Bubba! You really gave me back my peace of mind. But if you excuse my probably really stupid rookie question - What is the Internet Explorer registry and could I also enter it? And if so, should I delete sgrunt.biz?

    And one thing more. My Spyware Doctor gave me an alert.

    Spyware Doctor Activity Report
    Generated on 12/2/2006 3:51:21 PM



    Scans (basic information only):

    Scan Results:
    scan start: 12/2/2006 5:03:30 PM
    scan stop: 12/2/2006 5:03:33 PM
    scanned items: 783
    found items: 0
    found and ignored: 0
    tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner



    Infection Name Location Risk

    Scan Results:
    scan start: 12/2/2006 5:03:43 PM
    scan stop: 12/2/2006 5:22:39 PM
    scanned items: 71711
    found items: 9
    found and ignored: 0
    tools used: General Scanner, Process Scanner, Hosts scanner, LSP Scanner, Registry Scanner, Browser Defaults, Favorites and ZoneMap Scanner, ActiveX Scanner, Browser Activity Scanner, Disk Scanner



    Infection Name Location Risk
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net## High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net##* High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\mmm High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\mmm## High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\mmm##* High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\www High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\www## High
    Elitemedia Pop64 HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\www##* High




    I searched from Internet and found this.

    This section contains the description and advanced technical information
    Troj/LowZone-BB is a Trojan for the Windows platform.

    The following registry entry is created to run Troj/LowZone-BB on startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    elitemedia
    <pathname of the Trojan executable>

    The following registry entries are set, affecting internet security:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\

    HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net
    *
    2

    It is from www.sophos.com/security/analyses/trojlowzonebb.html

    Later I downloaded a new version of Spyware Doctor and it didn't find anything. So was this a false alarm?



    Thank you so much for your help.
     
    Last edited: Dec 4, 2006
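    The recurring question in this thread (Bubba's replies about the value 4 under ZoneMap\Domains\sgrunt.biz, and the Sophos Troj/LowZone-BB description quoted above, where elitemediagroup.net is given value 2) comes down to reading the zone number stored under each ZoneMap\Domains entry: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites. An entry that puts a domain in the Restricted zone (4) is what Spybot's Immunization writes and is harmless; an entry that silently moves a domain into the Trusted or Intranet zone (1 or 2) is the "LowZone" pattern a trojan uses to weaken IE's security for its own sites. The script below is an added example for triaging such entries offline; it is not code from the forum, from Spybot, or from any scanner mentioned here. It parses the text format produced by `reg export` of the ZoneMap key (the sample export embedded in it is constructed, not taken from anyone's machine) and sorts each domain/scheme pair by zone so that immunization entries and zone-elevation entries can be told apart without guessing from a scanner's label.

```python
import re

# Constructed sample in the format of a "reg export" of the per-user ZoneMap\Domains key.
# sgrunt.biz -> zone 4 (Restricted), the pattern left by Spybot Immunization.
# elitemediagroup.net -> zone 2 (Trusted), the pattern described for Troj/LowZone-BB.
# example.com -> zone 3 (Internet), no effect either way.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\sgrunt.biz]
"*"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\elitemediagroup.net\www]
"http"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\example.com]
"https"=dword:00000003
"""

# Internet Explorer URL security zone numbers as stored in ZoneMap values.
ZONE_NAMES = {0: "My Computer", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=dword:(?P<hex>[0-9a-fA-F]{8})$')
DOMAINS_RE = re.compile(r"\\ZoneMap\\Domains\\(?P<rest>.+)$", re.IGNORECASE)


def parse_zonemap_export(text):
    """Return a list of {"host", "scheme", "zone"} dicts from a .reg export.

    Under ZoneMap\\Domains a key named "domain\\sub" stands for host sub.domain;
    each value name is a scheme ("http", "https" or "*") and its dword is the zone.
    """
    entries = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            host = None
            dm = DOMAINS_RE.search(key.group("path"))
            if dm:
                parts = dm.group("rest").split("\\")
                host = ".".join(reversed(parts))  # "elitemediagroup.net\www" -> www.elitemediagroup.net
            continue
        val = VALUE_RE.match(line)
        if val and host is not None:
            entries.append({"host": host, "scheme": val.group("name"),
                            "zone": int(val.group("hex"), 16)})
    return entries


def triage(entries):
    """Sort entries into zone elevations (worth a look), restrictions (benign), and neutral."""
    report = {"elevated": [], "restricted": [], "neutral": []}
    for entry in entries:
        if entry["zone"] in (1, 2):
            report["elevated"].append(entry)
        elif entry["zone"] == 4:
            report["restricted"].append(entry)
        else:
            report["neutral"].append(entry)
    return report


def describe(entry):
    """Human-readable one-liner for an entry, e.g. for a triage listing."""
    zone = entry["zone"]
    return "%s (%s) -> zone %d, %s" % (entry["host"], entry["scheme"], zone,
                                        ZONE_NAMES.get(zone, "unknown"))


if __name__ == "__main__":
    report = triage(parse_zonemap_export(SAMPLE_REG))
    for bucket in ("elevated", "restricted", "neutral"):
        print(bucket.upper())
        for entry in report[bucket]:
            print("  " + describe(entry))
```

To use it on a real machine, export the key with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg` and feed the file's text to `parse_zonemap_export`. Anything in the "elevated" bucket that you did not add yourself through IE's Trusted sites dialog deserves attention; a long list of "restricted" entries is the expected footprint of an immunization tool, which is exactly why a scanner flagging sgrunt.biz with value 4 is reporting a false positive.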