Windows Defender flags "DDMI" Published by Gteko Ltd.

Discussion in 'Software' started by thai_american_42, Jun 12, 2006.

Thread Status:
Not open for further replies.
  1. thai_american_42

    thai_american_42 Corporal

    Today, Windows Defender flagged "DDMI" being added to my system (see below). DDMI is published by Gteko Ltd. I used Windows Defender and tried to block the addition, but the block failed. I could not find anything on DDMI on the Internet. Should I be concerned by the addition of Gteko's DDMI to my computer system?

    ++++++
    Windows Defender flags "DDMI":
    ++++++

    Summary:
    Services and Drivers change occurred.

    This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

    Path:
    C:\WINDOWS\system32\DDMI2.sys

    Detected changes:
    driver:
    SDDMI2

    file:
    C:\WINDOWS\system32\DDMI2.sys

    Advice:
    Allow this detected item only if you trust the program or the software publisher.

    Publisher:
    Gteko Ltd.

    Digitally Signed By:
    NOT SIGNED

    Product name:
    DDMI

    Description:
    DDMI Service

    Original name:
    DDMI2.sys

    Creation date:
    5/22/2005 5:47 PM

    Size:
    6977 bytes

    Version:
    1.0.0.7

    Type:
    dynamic link library (DLL)

    Checkpoint:
    Drivers

    Category:
    Not Yet Classified
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Found this on the web ... hope it helps:
    The software to remotely add and remove and steal and modify your files seems to come from Gteko Ltd.

    You should in fact make a Sub Directory in C:\WINDOWS\System32 called DDMI2.SYS and then make it Hidden and read only

    That way when you visit a site or run software that tries to throw this file into that directory it will crash.

    http://www.gteko.com

    DDM architecture enables programs to access and manage data stored on remote systems.

    This means a Remote server has been set up so I can go thru your pants any time I want to. Zone Alarm Security Suite should flag hidden processes that are attempting to "connect" to your machine and or your pc trying to attach to a server via opening a session from your hardware firewall hidden in the background without your permission.

    Any Registry Entry that pokes in here is a Trojan, Virus, Pest even if it's not on the known list. It's a BHO (Browser Helper Object) and usually throws its spew into C:\WINDOWS\system32. Installing comes via visiting a page or a popup in the background and any response other than ALT F4 or the reset button INSTALLS automatically without your permission.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/DDMI2.sys]
    ".Owner"="{EB387D2F-E27B-4D36-979E-847D1036C65D}"

    http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319

    Turns out it's an HP/COMPAQ Spyware,Malware. LOL

    You can download the installer and file from the above URL.

    [Version]
    Signature="$CHICAGO$"
    AdvancedINF=2.0

    [Add.Code]
    qdiagh.ocx=qdiagh.ocx
    DDMI2.sys=DDMI2.sys
    DDMI.VXD=DDMI.VXD
    DLPT2.sys=DLPT2.sys
    DLPT2.VXD=DLPT2.VXD
    ;The section name should be exactly component name!

    [qdiagh.ocx]
    file-win32-x86=thiscab
    clsid={EB387D2F-E27B-4d36-979E-847D1036C65D}
    FileVersion=1,0,1,326
    DestDir=11
    RegisterServer=yes

    [DDMI2.sys]
    file-win32-x86=thiscab
    FileVersion=1,0,0,7
    DestDir=11
    RegisterServer=no

    [DDMI.VXD]
    file-win32-x86=thiscab
    FileVersion=1,0,0,2
    DestDir=11
    RegisterServer=no

    [DLPT2.sys]
    file-win32-x86=thiscab
    FileVersion=1,0,0,10
    DestDir=11
    RegisterServer=no

    [DLPT2.VXD]
    file-win32-x86=thiscab
    FileVersion=1,0,1,4
    DestDir=11
    RegisterServer=no
     
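Before trusting or removing a file Defender reports as "NOT SIGNED", a practitioner would first confirm the signature state, the version resource, the hash, the ModuleUsage owner CLSID and the driver service from the alert. The script below is an added example, not code from the thread or from any vendor named in it; it assumes Windows PowerShell 4.0 or later and only reads the file, registry key and service that the posts above mention.

```powershell
# Added example (not from the thread): read-only triage of a driver file that
# Windows Defender flagged as NOT SIGNED. Assumes Windows PowerShell 4.0+ on a
# box where the file exists; paths and names come from the alert above.
param(
    [string]$DriverPath  = "$env:SystemRoot\System32\DDMI2.sys",  # path in the alert
    [string]$ServiceName = 'SDDMI2'                               # driver name in the alert
)

$moduleUsage = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage'

if (Test-Path -LiteralPath $DriverPath) {
    $file   = Get-Item -LiteralPath $DriverPath
    $sig    = Get-AuthenticodeSignature -FilePath $DriverPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }

    [PSCustomObject]@{
        Path            = $file.FullName
        SizeBytes       = $file.Length
        Created         = $file.CreationTime
        FileVersion     = $file.VersionInfo.FileVersion
        CompanyName     = $file.VersionInfo.CompanyName
        SignatureStatus = $sig.Status        # 'NotSigned' corresponds to the alert's "NOT SIGNED"
        Signer          = $signer
        SHA256          = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
    } | Format-List
} else {
    Write-Output "File not present: $DriverPath"
}

# ModuleUsage records which ActiveX control (.Owner CLSID) dropped a file through an
# INF/CAB install. Subkey names use forward slashes, so match on the leaf file name
# rather than building a provider path, then resolve the CLSID to its registered DLL.
$leaf = Split-Path -Leaf $DriverPath
Get-ChildItem -Path $moduleUsage -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like "*$leaf" } |
    ForEach-Object {
        $clsid  = $_.GetValue('.Owner')
        $server = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
                                   -ErrorAction SilentlyContinue
        $dll    = if ($server) { $server.'(default)' } else { '<CLSID not registered>' }
        [PSCustomObject]@{
            ModuleUsageKey = $_.PSChildName
            OwnerClsid     = $clsid
            OwnerDll       = $dll
        }
    }

# Whether the driver service named in the alert is registered, and how it starts.
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated prompt so the registry and service queries are not filtered; a ModuleUsage entry pointing at an HP CLSID, as in TimW's post, is what distinguishes an OEM ActiveX install from an unknown drop.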
  3. thai_american_42

    thai_american_42 Corporal

    Last time, I used Windows Defender to block the action mentioned in my post above. I checked my C:\WINDOWS\system32\ folder and it does have a file named DDMI2, a system file created Sunday, May 22, 2005. My C:\WINDOWS\system32\ folder also has a file named DDMI64, another system file created Wednesday, December 14, 2005.

    I bring this up again because Windows Defender today (again) flagged "DDMI" as indicated below. I appreciate your post, but am unsure what I should do other than use Windows Defender to block the action. Is allowing the action then hiding the file really a good way to proceed?


    ++++++++++++++++
    Summary:
    Services and Drivers change occurred.

    This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

    Path:
    C:\WINDOWS\system32\DDMI2.sys

    Detected changes:
    driver:
    SDDMI2

    file:
    C:\WINDOWS\system32\DDMI2.sys

    Advice:
    Allow this detected item only if you trust the program or the software publisher.

    Publisher:
    Gteko Ltd.

    Digitally Signed By:
    NOT SIGNED

    Product name:
    DDMI

    Description:
    DDMI Service

    Original name:
    DDMI2.sys

    Creation date:
    5/22/2005 5:47 PM

    Size:
    6977 bytes

    Version:
    1.0.0.7

    Type:
    dynamic link library (DLL)

    Checkpoint:
    Drivers

    Category:
    Not Yet Classified
     
  4. thai_american_42

    thai_american_42 Corporal

    Further on my post today, on selecting Windows Defender to block the action, I got the message "Windows Defender encountered an error: 0x80501001. One or more actions could not be completed successfully." The message came with an "OK" button, so I pressed OK. Now I don't know whether the detected item was allowed or not. (Now that I remember, this happened last time, too.)
     
  5. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  6. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    With that error in Defender, it generally means it has detected a potential threat in a ZIP, RAR or Windows Restore point file; it is a bug that it doesn't clean said archived file... but this doesn't explain your files as they don't seem to link to any archive or Restore Point.


    This did come from a MS newsgroup.. not a closed beta one tho.

    You can go searching for it here if you so wish, it's just I had it saved with a few other Defender issues for me to read up on....

    http://www.microsoft.com/athome/sec...&cr=US&r=33d293cc-19b6-404b-865b-565a73822c7f

    Also TimW's suggestion of running the Malware guide is a must, especially as you don't seem to have installed anything from that company.
     
  7. theonlyalterego

    theonlyalterego Private E-2

    My girlfriend ran into the same issue last night on her laptop, she's on Windows 2000 and somehow ended up with a DDMI2.sys file under her c:\windows\system32 folder. Avast antivirus picked it up, and it deleted the file, rebooted and ran a full system scan and didn't find anything else.

    After that she installed Zonealarm, and hasn't noticed anything else strange.

    Has anyone noticed any other file activity we should be aware of related to the DDMI2.sys issue?
     
  8. Adrynalyne

    Adrynalyne Guest

    Please note the date on this thread. Create a new thread instead of attaching to one that is old.

    Thanks.
     