MajorGeeks Support Forums

  #1  
Old 06-12-06, 12:33
thai_american_42 thai_american_42 is offline
Corporal
 
Join Date: Dec 2005
Posts: 206
Thanks: 9
Thanked 2 Times in 2 Posts
Windows Defender flags "DDMI" Published by Gteko Ltd.

Today, Windows Defender flagged "DDMI" being added to my system (see below). DDMI is published by Gteko Ltd. I used Windows Defender and tried to block the addition, but the block failed. I could not find anything on DDMI on the Internet. Should I be concerned by the addition of Gteko's DDMI to my computer system?

++++++
Windows Defender flags "DDMI":
++++++

Summary:
Services and Drivers change occurred.

This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

Path:
C:\WINDOWS\system32\DDMI2.sys

Detected changes:
driver:
SDDMI2

file:
C:\WINDOWS\system32\DDMI2.sys

Advice:
Allow this detected item only if you trust the program or the software publisher.

Publisher:
Gteko Ltd.

Digitally Signed By:
NOT SIGNED

Product name:
DDMI

Description:
DDMI Service

Original name:
DDMI2.sys

Creation date:
5/22/2005 5:47 PM

Size:
6977 bytes

Version:
1.0.0.7

Type:
dynamic link library (DLL)

Checkpoint:
Drivers

Category:
Not Yet Classified
  #2  
Old 06-12-06, 12:41
TimW TimW is offline
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 46,579
Thanks: 437
Thanked 4,622 Times in 4,367 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

Found this on the web .... hope it helps:
The software to remotely add and remove and steal and modify your files seems to come from Gteko Ltd.

You should in fact make a sub directory in C:\WINDOWS\System32 called DDMI2.SYS and then make it Hidden and read only.

That way when you visit a site or run software that tries to throw this file into that directory it will crash.

http://www.gteko.com

DDM architecture enables programs to access and manage data stored on remote systems.

This means a remote server has been set up so I can go through your pants any time I want to. Zone Alarm Security Suite should flag hidden processes that are attempting to "connect" to your machine and/or your PC trying to attach to a server via opening a session from your hardware firewall hidden in the background without your permission.

Any Registry Entry that pokes in here is a Trojan, Virus, Pest even if it's not on the known list. It's a BHO (Browser Helper Object) and usually throws its spew into C:\WINDOWS\system32. Installing comes via visiting a page or a popup in the background, and any response other than ALT F4 or the reset button INSTALLS automatically without your permission.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/DDMI2.sys]
".Owner"="{EB387D2F-E27B-4D36-979E-847D1036C65D}"

http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?319

Turns out it's HP/COMPAQ Spyware, Malware.

You can download the installer and file from the above URL.

[Version]
Signature="$CHICAGO$"
AdvancedINF=2.0

[Add.Code]
qdiagh.ocx=qdiagh.ocx
DDMI2.sys=DDMI2.sys
DDMI.VXD=DDMI.VXD
DLPT2.sys=DLPT2.sys
DLPT2.VXD=DLPT2.VXD
;The section name should be exactly component name!

[qdiagh.ocx]
file-win32-x86=thiscab
clsid={EB387D2F-E27B-4d36-979E-847D1036C65D}
FileVersion=1,0,1,326
DestDir=11
RegisterServer=yes

[DDMI2.sys]
file-win32-x86=thiscab
FileVersion=1,0,0,7
DestDir=11
RegisterServer=no

[DDMI.VXD]
file-win32-x86=thiscab
FileVersion=1,0,0,2
DestDir=11
RegisterServer=no

[DLPT2.sys]
file-win32-x86=thiscab
FileVersion=1,0,0,10
DestDir=11
RegisterServer=no

[DLPT2.VXD]
file-win32-x86=thiscab
FileVersion=1,0,1,4
DestDir=11
RegisterServer=no
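A read-only triage script for the alert in post #1 and the registry key quoted in this post, added here as an example; it is not from the thread, from Gteko or from HP. It assumes a current Windows PowerShell host and takes the file path, the service name SDDMI2, the ModuleUsage key and the .Owner CLSID exactly as they appear above. It changes nothing on the machine: it reports whether the file is Authenticode-signed (Defender said "NOT SIGNED"), whether the driver is registered and running, which ModuleUsage entry claims the file, and which COM control that CLSID resolves to, so the "allow only if you trust the publisher" decision can be made on evidence rather than on the file name.

```powershell
# Added triage script (example, not from the thread). Read-only: it inspects the
# file, the driver service and the registry and prints what it finds.
param(
    [string]$DriverPath  = "$env:SystemRoot\System32\DDMI2.sys",   # path from the alert
    [string]$ServiceName = 'SDDMI2',                                # driver name from the alert
    [string]$OwnerClsid  = '{EB387D2F-E27B-4D36-979E-847D1036C65D}' # .Owner value from the post
)

# 1. File present? Authenticode status? Defender's "NOT SIGNED" corresponds to
#    Get-AuthenticodeSignature reporting Status = NotSigned.
if (Test-Path -LiteralPath $DriverPath) {
    $item   = Get-Item -LiteralPath $DriverPath
    $sig    = Get-AuthenticodeSignature -FilePath $DriverPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{
        Path        = $DriverPath
        SizeBytes   = $item.Length
        Created     = $item.CreationTime
        FileVersion = $item.VersionInfo.FileVersion
        Company     = $item.VersionInfo.CompanyName
        SigStatus   = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError
        Signer      = $signer
        SHA256      = (Get-FileHash -LiteralPath $DriverPath -Algorithm SHA256).Hash
    } | Format-List
} else {
    "File not present: $DriverPath"
}

# 2. Is the driver registered as a kernel service, and is it currently running?
$drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'"
if ($drv) {
    $drv | Select-Object Name, State, StartMode, PathName | Format-List
} else {
    "No system driver named $ServiceName is registered."
}

# 3. Which control claims ownership of the file? ModuleUsage subkey names contain
#    forward slashes, so the .NET registry API is used rather than a provider
#    path, which would rewrite the slashes as separators.
$usage = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage')
if ($usage) {
    foreach ($name in $usage.GetSubKeyNames()) {
        if ($name -like '*DDMI2.sys*') {            # match on the file name only (assumption)
            $owner = $usage.OpenSubKey($name).GetValue('.Owner')
            "ModuleUsage entry : $name"
            "  .Owner CLSID    : $owner"
        }
    }
    $usage.Close()
}

# 4. Resolve the owning CLSID to the registered COM server that installed the file.
$clsidKey = [Microsoft.Win32.Registry]::ClassesRoot.OpenSubKey("CLSID\$OwnerClsid")
if ($clsidKey) {
    "CLSID default name  : $($clsidKey.GetValue(''))"
    $inproc = $clsidKey.OpenSubKey('InprocServer32')
    if ($inproc) { "InprocServer32      : $($inproc.GetValue(''))"; $inproc.Close() }
    $clsidKey.Close()
} else {
    "CLSID $OwnerClsid is not registered on this machine."
}
```

Run it from an elevated prompt so the Win32_SystemDriver query and the HKLM reads succeed. A file that is unsigned, whose ModuleUsage .Owner points at an InprocServer32 the user never knowingly installed, is exactly the case where Defender's advice to allow only a trusted publisher should be answered with "block".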
  #3  
Old 06-26-06, 12:39
thai_american_42 thai_american_42 is offline
Corporal
 
Join Date: Dec 2005
Posts: 206
Thanks: 9
Thanked 2 Times in 2 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

Last time, I used Windows Defender to block the action mentioned in my post above. I checked my C:\WINDOWS\system32\ folder and it does have a file named DDMI2, a system file created Sunday, May 22, 2005. My C:\WINDOWS\system32\ folder also has a file named DDMI64, another system file created Wednesday, December 14, 2005.

I bring this up again because Windows Defender today (again) flagged "DDMI" as indicated below. I appreciate your post, but am unsure what I should do other than use Windows Defender to block the action. Is allowing the action then hiding the file really a good way to proceed?


++++++++++++++++
Summary:
Services and Drivers change occurred.

This agent monitors services and drivers acting as part of Windows, often running with high security privileges. It ensures that no services are being interfered with or added without proper consent.

Path:
C:\WINDOWS\system32\DDMI2.sys

Detected changes:
driver:
SDDMI2

file:
C:\WINDOWS\system32\DDMI2.sys

Advice:
Allow this detected item only if you trust the program or the software publisher.

Publisher:
Gteko Ltd.

Digitally Signed By:
NOT SIGNED

Product name:
DDMI

Description:
DDMI Service

Original name:
DDMI2.sys

Creation date:
5/22/2005 5:47 PM

Size:
6977 bytes

Version:
1.0.0.7

Type:
dynamic link library (DLL)

Checkpoint:
Drivers

Category:
Not Yet Classified
  #4  
Old 06-26-06, 12:43
thai_american_42 thai_american_42 is offline
Corporal
 
Join Date: Dec 2005
Posts: 206
Thanks: 9
Thanked 2 Times in 2 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

Further on my post today, on selecting Windows Defender to block the action, I got the message "Windows Defender encountered an error: 0x80501001. One or more actions could not be completed successfully." The message came with an "OK" button, so I pressed OK. Now I don't know whether the detected item was allowed or not. (Now that I remember, this happened last time, too.)
  #5  
Old 06-26-06, 12:45
TimW TimW is offline
MajorGeeks Administrator - Jedi Malware Expert
 
Join Date: Jan 2005
Location: The recesses of my mind!
Posts: 46,579
Thanks: 437
Thanked 4,622 Times in 4,367 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

To be on the safe side, I would have Defender block the action, but also create the subfolder and mark it hidden and read only.
Then go here:
Read and run first - Malware section
http://forums.majorgeeks.com/showthread.php?t=35407
  #6  
Old 06-26-06, 13:21
DavidGP DavidGP is offline
MajorGeeks Forum Administrator - Grand Pooh-Bah
 
Join Date: Jan 2002
Location: UK
Posts: 38,744
Thanks: 2,923
Thanked 3,074 Times in 2,797 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

With that error in Defender, it generally means it has detected a potential threat in a ZIP, RAR or Windows Restore Point file; it is a bug that it doesn't clean said archived file... but this doesn't explain your files as they don't seem to link to any archive or Restore Point.


This did come from a MS newsgroup.. not a closed beta one though.

Quote:
Information on errors 0x8020800c, 0x80508026, 0x80501001.

If you have encountered any of the error codes listed above, you may want to review the information below for some details on possible causes and actions you may want to consider taking to try and correct the issue. This information is taken from other threads where these problems were reported.

Also, we will eventually improve the error messages so that they will contain better information than the cryptic error codes you see in the current build.

== Error 0x80280800c when performing a quick scan or full scan ==
This error happens when failing to load one of the registry hives on your machine for some reason. We treat that (incorrectly) as a fatal error. When we have seen this happen before, it is because of some file corruption on disk, in at least one case caused by a failing hard drive.

I would recommend running chkdsk and a disk defrag on your machine if you encounter this error, and see if that addresses the problem. If not, we should release a fix for this along with one of our signature updates in the near future.

Thanks to beta tester Dan Koerner for helping us investigate this one.

== Error 0x80508026 or 0x80501001 when trying to remove a threat ==
This error will occur if a threat is detected inside of a container such as a ZIP file, RAR archive, etc.

The "remove" action cannot (in most cases) be applied to an object inside of such containers, without deleting the entire container.

It might be worth noting that the original Antispyware beta did not have the ability to scan inside such containers.

We still need to work on the best way to handle this scenario. The issue is that you may have a ZIP file with tons of non-malicious files in it, but one or more "bad" files as well that are detected. The question is: how should we handle that? Deleting the entire container may inadvertently delete the clean files as well, and that might not be what you want.

For now you can check if the ZIP file has anything else inside of it that you want to keep. If not, just delete the ZIP file yourself and you will have removed the threat.

If you really want to keep the ZIP file around but do not want to see this error (and again, you can expect that in the future we will have a better story here - at least not such a cryptic error message) you can disable scanning inside archives. Clear the checkbox for "Scan inside archives" in the General Settings section under the Tools menu. Generally, threats inside archives, while good to know about, are not "active", meaning they can't do anything bad to your system while inside the archive.

Thanks

-Mike Treit[MSFT]
You can go searching for it here if you so wish; it's just that I had it saved with a few other Defender issues for me to read up on....

http://www.microsoft.com/athome/secu...b-565a73822c7f

Also TimW's suggestion of running the Malware guide is a must, especially as you don't seem to have installed anything from that company.
  #7  
Old 05-28-08, 10:05
theonlyalterego theonlyalterego is offline
Private E-2
 
Join Date: May 2008
Posts: 3
Thanks: 0
Thanked 0 Times in 0 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

My girlfriend ran into the same issue last night on her laptop. She's on Windows 2000 and somehow ended up with a DDMI2.sys file under her c:\windows\system32 folder. Avast antivirus picked it up and deleted the file; she rebooted and ran a full system scan and didn't find anything else.

After that she installed Zonealarm, and hasn't noticed anything else strange.

Has anyone noticed any other file activity we should be aware of related to the DDMI2.sys issue?
  #8  
Old 05-28-08, 10:10
Adrynalyne Adrynalyne is offline
Super Moderator
 
Join Date: Jan 2002
Location: On the Internet
Posts: 18,895
Thanks: 502
Thanked 1,051 Times in 709 Posts
Re: Windows Defender flags "DDMI" Published by Gteko Ltd.

Please note the date on this thread. Create a new thread instead of attaching to one that is old.

Thanks.