Howdy. Ever since applying the latest Windows Defender Update (Apr3-4) when I open an-vir, I get a pop-up window (from defender) warning that a GroupE dialer is installed. Would someone with Defender installed and up-to-date please pop their an-vir open and see if they get the same thing. I've investigated this and the hit seems to be a false positive, so don't freak. In fact, I did a system restore to before Defender updated this morning and the warning is gone. Just want to know if I'm the only one, which I shouldn't be if this is a MS updater issue. Thanks.
AnVir / Windows Defender conflict?
(30 posts) (10 voices)-
Posted 16 years ago # -
I have it installed but have not seen it give that pop up and it runs daily.
Posted 16 years ago # -
It showed up when I opened An-Vir from quicklaunch, not default launch, if that makes any sense.
Posted 16 years ago # -
MrFISHY: I also received the warning. Here is the message I got:
Category:
Dialer
Description:
This program dials toll numbers to create telephone charges.
Advice:
Review the alert details to see why the software was detected. If you do not like how the software operates or if you do not recognize and trust the publisher, consider blocking or removing the software.
Resources:
process:
pid:5768
Summary:
Application Execution change occurred.
This agent scans software just before it runs. You are alerted if the software has a high potential for harming your computer.
Checkpoint:
Running Processes
_ _ _ _ _ _ _ _ _
As far as I'm concerned, it can dial up all the numbers it wants, as my Internet connection is through a wireless Internet provider and has nothing whatsoever to do with phone lines. So I say "Dial away!" -Dan
Posted 16 years ago # -
I just did some more investigating on this problem. The reason that you no longer have the problem after restoring to your pre-Defender-update point is because Defender was evidently unaware of this scam at that point. It still exists on your PC. The new Defender update evidently now knows about this file, and is seeing it on your PC, as well as on mine.
This file calls an adult-related phone number repeatedly, thus racking up charges on your phone bill. I thought about this and decided that even though I do not use dial-up, I do NOT want ANY program on my PC that would include such a file. I have used Defender moments ago to successfully remove the file. If that in turn causes a program of mine to stop working, then so be it. Any program with a file like that, I want nothing to do with. I have noticed no program problems yet.
If you want more info about the file indicated by Defender, see this web page:
-Dan
Posted 16 years ago # -
What are you people talking about? AnVir Task Manager has a dialer installed? If so what version (i.e. v4.6, v5.0.4)? The only problem I have had with AnVir Task Manager is it screws up Smart Type Assistant's Clipboard History. This is with v5.0.4 only.
Posted 16 years ago # -
I'm getting the same Defender alert. I'm running v5.0.4 of AnVir that I received from Giveaway of the Day. Defender's online support regarding this dialer says "Delete the file name EGDACCESS_1068.DLL" from the Windows/System32 folder. I don't find one there. What's going on?
Posted 16 years ago # -
BillW50/Earlchuka . . . No, it's not the An_Vir. It's Windows Defender (a MS spyware scanner). The AnVir for some reason triggers the warning IN THE DEFENDER program. I believe ANVir is fine.
I'm all but certain this is either a false-positive, or the Defender update file from 4-3 is corrupt and may contain the dialer (unlikely).
creamypret . . . I trust you read about spreading the infection via non-dialup connections?
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Dialer%3aWin32%2fEGroup.G&threatid=7112
I used your link yesterday and didn't find the "bad" file or the registry entry to delete. Using Defender to disable/remove/quarantine the alleged dialer is futile . . . it'll say it was successful, but close/open WDef and run a scan . . . it'll be there again, or has been every time here.
I spent all day Friday trying to get this issue straightened out. Once again, used system restore to return to before the Windows Defender update of 4-3, which ridded system of the dialer/warnings. Last night I downloaded/installed A-squared Anti-dialer and did a full system scan. Only found my default dialer.
I'm fixing to re-install the WinDef Update (did this twice yesterday) and when the dialer is again detected (100% of the time w/update) I'll take the hour+ to run A-Sqr'ed again. If no dialer is detected by ASq I'm gonna have to check "ignore" on the WDef warning and get back to real life.
I'll let y'all know.
This (KB915597 (Definition 1.31.8469.0)) is the iffy update version
OK . . . I'm back. Re-installed the WDef update, opened An-Vir and voila . . . dialers allegedly back.
I'll run this thru A-Sq now. Back in a while.
Posted 16 years ago # -
Ok. ASq.Anti-dialer found nothing . . . did another physical search for funky file/reg.entry . . . not there.
Conclusion, though I hate to choose "ignore" on a "high risk" entry detected by the up-to-now reliable WindowsDefender, there doesn't seem to be any explanation other than it's detecting a false positive, so "ignore" it I shall.
There goes 24 hours I'll never get back. Thanks MS!
Well, it took me another 1/2 an hour but I finally got AnVir AND WinDef to stop hitting on this . . . but after trying "remove/quarantine/ignore" the only Defender option that would stop this warning was "always allow" . . . which is kinda scary. I'm trusting A-Sq is a solid app and will pop-up if any NEW dialer behavior is detected.
I'm out of ideas if some tech person is concerned enough to carry on.
Posted 16 years ago # -
One last thing . . . none of my other security apps hit on this "dialer"
Mamutu
Spybot S&D
SpywareBlaster
AVG 7.5 free virus
AVG 7.5 anti-spyware
Jetico 1.2 firewall
Posted 16 years ago # -
I have anvir 5.0.4 on my Vista machine but don't use windows defender, so haven't got the warning. I did a manual check in my registry and did not find the value associated with this dialer, nor did I find the .dll in my system 32 directory.
I scan all downloads, even from GOTD, with SuperAntispyware http://www.superantispyware.com/ . It didn't alert me during the download and did not detect anything when I ran a full disk scan just now. I have five programmes that can tell me what is running on my machine; and none of them is showing me the presence of this dialler. Anvir doesn't show this dialler running, either.
I concur with Mr. Fishy -- this is a false positive.
Those of you who do not know how to check your registry, just do the following. Open the Vista start menu and enter "regedit" without the quotes into the search bar at the bottom of the menu (WinMe and XP also have something similar in the start menu). You may need to type in "run regedit" for WinMe or Win 98. This will bring up your registry. Yes, this is a scary place but just don't touch anything you don't need to and you'll be fine. You can use the tree view panel the same way you do in Windows Explorer to open folders and subfolders. When you've opened the right key, look in the details panel to see if the value "Instant Access = rundll32.exe EGDACCESS_1068.dll,InstantAccess" is there.
If you are not comfortable actually poking around in the registry, open it up anyway and use the find function, found in the Edit pulldown menu, to search for "Instant Access" and "EGDACCESS". If you do find the key, follow the instructions recommended by Microsoft.
Make sure you back up your registry first. Mine is backed up every time I clean my registry with Crap Cleaner.
Posted 16 years ago # -
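The check this post describes, generalized as an added example (not part of the thread): rather than browsing to one key, it scans a registry export (regedit's File > Export) for the "Instant Access" value or any EGDACCESS_<number>.dll reference, and lists matching files in a folder. The sample export, the HKEY_EXAMPLE key names and the function names are constructed for illustration, and treating the numeric suffix as variable is an assumption.

```python
import re
from pathlib import Path

# Indicators quoted in the thread; the numeric suffix is allowed to vary.
DLL_RE = re.compile(r"EGDACCESS_\d+\.dll", re.IGNORECASE)
VALUE_NAME = "instant access"

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

# Constructed sample export. HKEY_EXAMPLE is a placeholder, not a real hive.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_EXAMPLE\Constructed\KeyA]
"Instant Access"="rundll32.exe EGDACCESS_1068.dll,InstantAccess"
"Other"="C:\\Program Files\\App\\app.exe"

[HKEY_EXAMPLE\Constructed\KeyB]
"Renamed"="rundll32.exe egdaccess_2042.DLL,InstantAccess"
"Bin"=hex:01,02,\
  03
'''


def load_reg_export(path):
    """Decode a .reg file: version 5.00 exports are UTF-16 with a BOM."""
    raw = Path(path).read_bytes()
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("cp1252", errors="replace")  # older REGEDIT4 exports


def scan_reg_export(text):
    """Return (key, value name, data) for each value matching an indicator."""
    hits, key = [], None
    # Long hex values continue on the next line after a trailing backslash.
    text = text.replace("\\\r\n", "").replace("\\\n", "")
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = None if m.group(1) else m.group(2)  # "[-KEY]" is a deletion
            continue
        m = VALUE_RE.match(line)
        if not (m and key):
            continue
        name, data = m.group(1), m.group(2)
        if name.lower() == VALUE_NAME or DLL_RE.search(data):
            hits.append((key, name, data.strip('"')))
    return hits


def find_dll(directory):
    """List files in a directory whose name matches the DLL indicator."""
    return sorted(p.name for p in Path(directory).iterdir()
                  if p.is_file() and DLL_RE.fullmatch(p.name))


if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE):
        print(hit)
```

An empty result from both functions means only that these two indicators are absent from the export and folder that were checked.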
JoanRC . . . I'm glad you concur. I didn't know about the "find" feature in regedit. That'll help in the future. As far as scanning downloads, I do all of mine, too . . . both for viruses and spyware/adware . . . all that I can, that is. I don't know of any way to scan M$ updates, which seems to be the origin of this little snafu.
In fact, I tried to re-download the ?able update via Windows update, but even though I'd uninstalled it several times, the original dl was "all ready" dl'ed and ready to install . . . and I didn't feel like investing the time to discover how to rectify that situation.
Of course, I don't like to give even a false positive an "always allow" rating on Microsoft's own spyware/trojan/etc. detector.
Thanks for your input.
Fishy
Posted 16 years ago # -
I agree this is a false positive from defender first one I have seen. I don't see the file or registry key mentioned in the fix so maybe it has a similar name to that process.
Also ran spyware doctor and avast and both found nothing.
Posted 16 years ago # -
Mr. Fishy .. . Yes, a registry search is performed separately from a disk search. I searched my whole hard drive using Agent Ransack in case the file installed itself somewhere other than the system32 directory. However, it can't search the registry.
LinuxchixOr ... It doesn't surprise me to see defender showing false positives. I quit using it when I read a review showing that defender only found 60 % of malware fed to a test machine, whereas most popular third party programmes found 80 - 90 %. I rely more on process monitors such as Winpatrol, Spybot and AnVir to alert me to unusual activity.
And, yes, I used wildcards in my search in order to look for variants on the name. In this case, I used the asterisk to replace _1068 because the memo said this value might vary.
Posted 16 years ago # -
JoanRC . . . like LinuxchixOr, this was the very first time I've seen a false/pos in Defender, in fact in my case, this is the first time it's hit on anything the entire time I've used it (which I think was from the release date?) I don't think Defender's missing anything.
I do take extra good care of my PC's cleanliness and it's really rare for any of my security apps to hit on anything. Since changing from IE to FireFox, I think I've had exactly one slight adware issue (in two+ years) found by an "on demand" AVG anti-spyware scan. Maybe I'm lucky? I'm ALL OVER the internet, too . . . from church to hell.
I see M$ has updated Defender again this morning (Sun) . . . and the EGroup dialer hit is gone. It's a shame these app updaters don't issue any info when they pull a boner. I searched and searched, to zero avail. It almost seems like the few of us here are the only folks who noticed this anomaly, which just can't be the case. Nobody's perfect. You make a mistake, you own up to it, try and fix it, and then move on.
Posted 16 years ago # -
Mr. Fishy... I have never seen an anti-malware programme showing 100% effectiveness in any test. There is no perfect solution for pc security. Install whatever security programmes you like to work with, set them to whatever defaults you like, and make sure you back up your system and data regularly. Constant tinkering with this stuff can make you paranoid.
Malware changes so fast that anti-malware companies just can't keep up with it. All the virus writer has to do is make some cosmetic changes to non-essential lines of code and voila! you have a "new" virus. Your anti-malware programmes are just a first line of defence, like locking your door when you leave your house. A thief can still break a window and get in; but, he'll risk drawing attention to himself with the noise of breaking glass. Adding a firewall is like adding an electronic security system to your house. Casual thieves are likely to pass you by; determined thieves can still get in. What one person can think up, another can think around.
Also, not everyone has the same definition of what malware is. Many people dislike the toolbars that try to install themselves with software that the user has chosen to download. I don't like bloating up my system with things that I don't need, and I don't like the fact that these installs are often set as the default -- it's a sleazy form of advertising. But some people do like the toolbars. So different anti-malware programmes treat these things differently, and will display different results.
Don't expect MS to acknowledge this week's error. They have a history of being slow to react and of ignoring things they don't want to deal with. They're a monopoly.
"There's no reason to treat software any differently from other products. Today Firestone can produce a tire with a single systemic flaw and they're liable, but Microsoft can produce an operating system with multiple systemic flaws discovered per week and not be liable. This makes no sense, and it's the primary reason security is so bad today."
Bruce Schneier, Cryptogram, 16/04/2002
To be fair, a flaw in a tire can cause loss of life in car accident. A flaw in an operating system can only cause loss of data. Of course, people could commit suicide if their lives are ruined by identity theft due to an exploitation of vulnerabilities in the software.
For a balanced discussion of one MS vulnerability, here is an article from The Register http://www.theregister.co.uk/2006/01/21/wmf_fud_from_grc/
Note that a lot of Windows vulnerabilities result from the fact that MS routinely sets defaults to unsafe settings without telling the customers what the implications are.
Posted 16 years ago # -
Howdy - JoanRC . . . didn't mean to imply that Defender was anywhere near 100% at detecting the bad guys . . . just that none of my security apps had been finding anything, so there's no way to guess at what any one app is not detecting. Ideally, of course, they'd all hit at the same time on the same issue, but that's not the state of the industry yet (if we'll ever achieve such cooperation)
As for M$ owning up to any error on their part, I don't expect that . . . rather I'd just like to see any reputable software vendor post a notice on the internet that one of their updates is, in fact, the source of some concern to alert PC users. I know I searched for almost 2 days re:EGroup dialer and couldn't find diddley-squat! (other than general malware info)
It was really a waste of time, but I've plenty so . . .
Thanks for the link . . . interesting article.
May I assume you have set your MSUpdate to "download but let me decide when to install"?
Anyone who invites MS into their computer(s) with auto-update is not paying attention. Funny thing is, even with this setting I notice certain updates installed before I've even noticed. I'd disable the whole process, but can't stand the MS shield on my taskbar.
Posted 16 years ago # -
Hi Mr. Fishy... I didn't mean to imply anything, either. I was just wondering why anyone would be surprised by false positives in any anti-malware programme, let alone in Windows defender, and tried to explain why they are not unusual. I tend to overexplain for the sake of newcomers who might be reading.
I have my MSupdate set to "never install". I have a couple of batch files that eliminate the warning shield, which I got from the Windows Secrets newsletter a few months ago when MS slipped an update past everybody's defenses a few months back. I do manual updates every Tuesday. I'd dig out the article for you; but, right now I have to assume the horizontal and exercise my constitutional.
Posted 16 years ago # -
I've decided to disable my auto-update for M$ . . . don't see "Corporate" Shield yet. Suppose that'll come with my next re-boot. JoanRC, do you bother with that M$ Malicious Software tool?
I don't, mostly because I'm on dial-up, but also cuz' I keep my computer clean and scanned.
I figure that had I not automatically updated my Defender (updates thru Windows updater) then I wouldn't have spent last weekend searching and destroying nothing. I almost always end up doing the patch Tuesday manually anyway.
Thanks for all your input on this issue.
Posted 16 years ago # -
Sorry to take so long to reply; but, I didn't have time to search for the relevant article.
As mentioned earlier, I have disabled MS updates altogether, thanks to two batch files published in the Windows Secrets Newsletter. They disable the warning shield that pops up in the notification tray. Here is the article http://windowssecrets.com/2007/09/27/04-Get-the-latest-Windows-updates-securely. As noted, I do the updates manually, but am now protected against stealth updates from MS.
I have never had occasion to remove malware from my machine. On perhaps a half dozen occasions, my programmes have quarantined questionable software that might otherwise have infected my machine. I do accept the updates for MS Malicious Software tool. It might be my first line of defence if I had an infection, simply because I would expect it to be fairly simple to use; and because I would expect it to be able to remove the most frequently encountered types of malware.
Posted 16 years ago # -
Hi Joan
Thank you very much for getting back to us!! :D
Must be something wrong w the link though, I only get:
Oops. The article you were looking for cannot be found. Please double check the URL.
Do you have the exact article's title & date??
I'm a registered paid user, but I still find it complicated finding anything in their past issues... And if it is in their paid version, nobody here without an accnt will be able to access it.
Just tell me what/where, I'll copy/paste here, if u don't have the time!
Best wishes, Manu :-D
Posted 16 years ago # -
Mangoette, if you remove the period that was inadvertently appended to the end of her link, it'll work. :-) I don't let Billie Behemoth do anything automatically. And I dread the thought of him getting his grubby little hands on Yahoo.
Posted 16 years ago # -
LOL.. Take the period off the end...
http://windowssecrets.com/2007/09/27/04-Get-the-latest-Windows-updates-securely
My warning shield has been disabled for quite a while and I use Auto Patcher for my updates. http://www.downloadsquad.com/2007/11/26/autopatcher-is-back/ I wait at least a week for any glitches to pop up in the updates and be fixed. Then I pick and download what I decided I need.
Posted 16 years ago # -
Hi Runny
Hi Ambassador
Good heavens!! :( I didn't see the period...
Glad to see you're willing to help the Silly Clowness! :D
*sigh*
Yes, we also always wait a bit b4 doing it. And always read Windows Secrets prior to!!
Best wishes to you both
Mango Corp, Manu
Posted 16 years ago # -
You got a Corporation now? "Mango Corp".... Man, I need to really look for a program to just keep track of you and all your titles etc.
And you are not half as silly as the "Silly Billy". I agree Rune. MS and Yahoo...Can you say "Monopoly"? He wrecked Hotmail. I had an account for years and got no spam. The minute he bought it..spam galore. I went to Yahoo.
Back to OT(sorry about the rant).. Speaking of the MS Malicious Software tool, has anyone ever seen it raise its Malicious little head? I have been known to end up in the bowels of the internet and all my other stuff is sending me messages, ringing bells and whistles but that MS Malicious Software tool just sits there quietly minding its own business.
Posted 16 years ago # -
Hi Ambassador :D
Ohh yes dear, I wrote you an *official* letter about it!!
You really should address me properly... Bwahahawaaaa
Go here, to know more about that MS * Yahoo * GG * AOL deal
http://www.giveawayoftheday.com/forums/topic/3076
I'll try to add anything I come across
High Priestess of the Mango Order, Manu
Posted 16 years ago # -
Howdy.. I've had a yellow exclamation mark on my Windows Defender for over 2 weeks now, I click on it, have it check for new definitions and it says there aren't any, so I close the box and the exclamation mark still stays there about checking for new definitions. That's become a pain! Anyone know about this?
I went here and followed the directions and it's still there!
http://support.microsoft.com/?kbid=915105
Posted 16 years ago # -
Thanks everyone for your input on this matter. Now, how's everyone feeling about this SP3 upgrade?
It's a huge download for us dial-uppers . . . and my XPsp2 has been pretty darn reliable. I can't decide if I wanta mess with it or not? Who knows what's really going on @ M$?
Posted 16 years ago # -
I think I'm going to wait awhile before messing with SP3 until I see from various reports that all the bugs are ironed out! If it's not broke, don't fix it!
Posted 16 years ago # -
Yeah, that's probably the way to go!
Posted 16 years ago #