Solved

Spyware? Virus? Urgently strange: "Found New Hardware" but nothing new installed; "new" device name not found in online searches.

Posted on 2005-04-12
Last Modified: 2013-12-04
Hi,

I have a WinXP system. Just now, after restart, it starts the found new hardware wizard when I have absolutely not installed any new hardware. Haven't plugged anything new into usb ports or anything. The name of the device is "SDDMI2", for which absolutely nothing comes up when I search online at google, yahoo, msn, dell forums, experts-exchange. In the device manager, it shows up under "Other Devices" with a big yellow "!", of course cause it's not installed yet.

But I don't know what it is and am afraid it may be some type of virus/spyware/etc so I don't even know what to do with it. I even looked under "msconfig" just to see, but there is nothing out of the ordinary there as far as I can see.

I think the strangest things are: 1) I didn't even install anything; and 2) even stranger that I can't find anything on the internet relating to the name of this "new" device.

Does anyone have any ideas or suggestions on either what it is, how to get rid of it? I guess I can disable it in the device manager, but I don't know if that would just "hide" it or if it would really get rid of it permanently. I'm concerned that it may be some type of privacy/security issue. Thanks.
Question by:jc10
19 Comments

Expert Comment

by:stengelj
ID: 13769292
You can't post duplicate questions in separate topics.  The admins will likely delete one of your questions soon if you don't.  What you CAN do is create pointers to your original question.  A question is not allowed more than 500 points per question, so you should select the correct location for your question and delete it in the locations you don't want it in.

Author Comment

by:jc10
ID: 13769310
Oh, I didn't know that. Thanks. I'll delete the other one and leave this one open.

Accepted Solution

by:
armeen earned 900 total points
ID: 13770784
I can't find anything on it either!!

Have a look in your registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

and there *should* be a key under one of these called SDDMI2

if there is, I guess there won't be a "DisplayName" but it may have an "ImagePath" which will point to a dll, sys or exe file - maybe if you look at the properties of this file you will see a company name or some other clue to what is causing it?



Assisted Solution

by:David Wall
David Wall earned 200 total points
ID: 13771843
The obvious first line of attack is to ensure your AV is up to date and a full scan done, then follow the advice on Pete Long's site for hijackings at http://www.petenetlive.com/Tech/Browsers/hijack.htm.


Assisted Solution

by:Phil_Agcaoili
Phil_Agcaoili earned 900 total points
ID: 13773162
Humor me,

Reboot and the next time the system restarts and the new hardware wizard appears, select Do Not Install hardware and select the checkbox for never ask for installation.

Then Start-->Settings-->Control Panel-->System-->Hardware-->Device Manager
What appears with a red or yellow symbol?

Then select this device-->right mouse click-->Properties
What does this say?

Occam's razor, it's probably not as malicious as you may think it is so explore that first.

If there isn't anything there, reboot to SafeMode, defrag, and see if it happens again.

If all else fails and your paranoia gets the best of you, I wrote this guide to identify and eradicate spyware and malware:
http://spaces.msn.com/members/greyhat/Blog/cns!1pUk7QRF4x9-c8NiDSc_ZYKg!129.entry

Let us know your results.

Author Comment

by:jc10
ID: 13774278
Thanks for the responses. The most worrisome thing for me is that searches online turn up nothing. I'm not sure what I'll try next just yet, but this is what I have so far. Any feedback is appreciated.


WallD, I've gone through those scans listed on the link you gave, as well as a virus scan, but nothing out of the ordinary came up.


Phil, whenever I reboot, I get the "found new hardware" wizard, but the first screen of the wizard asks if I give permission to access Windows Update to get the required driver for the new hardware. It says I can give permission every time, just this time, or not at all. If I select to not give permission, it asks to select the proper device driver automatically or manually. If I select manually, I get a list of device types. If I hit cancel, then the wizard will exit, but will reappear upon startup or if I scan for new hardware from the device manager. There is nowhere that I get the option you mentioned to "Do Not Install" and to "never ask for installation". At what point should it ask me that question? Does this hardware wizard not act the way the hardware wizard is supposed to? By the way, I'm using WinXP Home w/ SP2 if that makes a difference in the hardware wizard. In device manager, it is shown as "SDDMI2" with a yellow "!". Under properties for this device, it says everything is unknown (manufacturer, location) and that this item is not properly installed. Nothing about "Occam's razor". I haven't tried safe mode and defrag yet, and I haven't tried all the stuff listed in your guide yet.


armeen, here is the registry entry I found. I searched for the file shown, "DDMI2.sys", online and got a couple of hits for it, but it is just listed in somebody's post, not talked about at all:

Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDDMI2
Class Name:        <NO CLASS>
Last Write Time:   4/12/2005 - 11:04 PM
Value 0
  Name:            Type
  Type:            REG_DWORD
  Data:            0x1

Value 1
  Name:            Start
  Type:            REG_DWORD
  Data:            0x3

Value 2
  Name:            ErrorControl
  Type:            REG_DWORD
  Data:            0x1

Value 3
  Name:            ImagePath
  Type:            REG_EXPAND_SZ
  Data:            \??\C:\WINDOWS\system32\DDMI2.sys

Value 4
  Name:            DisplayName
  Type:            REG_SZ
  Data:            SDDMI2


Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDDMI2\Security
Class Name:        <NO CLASS>
Last Write Time:   4/12/2005 - 6:46 PM
Value 0
  Name:            Security
  Type:            REG_BINARY
  Data:            
00000000   01 00 14 80 90 00 00 00 - 9c 00 00 00 14 00 00 00  ................
00000010   30 00 00 00 02 00 1c 00 - 01 00 00 00 02 80 14 00  0...............
00000020   ff 01 0f 00 01 01 00 00 - 00 00 00 01 00 00 00 00  ÿ...............
00000030   02 00 60 00 04 00 00 00 - 00 00 14 00 fd 01 02 00  ..`.........ý...
00000040   01 01 00 00 00 00 00 05 - 12 00 00 00 00 00 18 00  ................
00000050   ff 01 0f 00 01 02 00 00 - 00 00 00 05 20 00 00 00  ÿ........... ...
00000060   20 02 00 00 00 00 14 00 - 8d 01 02 00 01 01 00 00   ...............
00000070   00 00 00 05 0b 00 00 00 - 00 00 18 00 fd 01 02 00  ............ý...
00000080   01 02 00 00 00 00 00 05 - 20 00 00 00 23 02 00 00  ........ ...#...
00000090   01 01 00 00 00 00 00 05 - 12 00 00 00 01 01 00 00  ................
000000a0   00 00 00 05 12 00 00 00 -                          ........



Expert Comment

by:armeen
ID: 13774518
ok so it gives a .sys file, have a look at the properties for:

C:\WINDOWS\system32\DDMI2.sys

does it give a company name?

note: drivers normally live in c:\windows\system32\drivers so it immediately makes me wonder why this is where it is.


ed
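The checks armeen walks through above (read the Services key, follow ImagePath to the image, look at the file's company/description/version, and notice whether the .sys sits in the usual drivers directory) as one scripted routine. This is an added example, not code from the thread or from Gteko; it needs Windows PowerShell 5.1 or later, so it would not run on the XP Home box in the question, where regedit and the file Properties dialog do the same job by hand. The service name SDDMI2 and the path C:\WINDOWS\system32\DDMI2.sys are the ones posted in the thread; the function names and lookup tables are mine. It goes a little beyond the thread by decoding the Type/Start/ErrorControl values the author pasted (0x1 = kernel driver, 0x3 = demand start, 0x1 = normal) and by adding an Authenticode signature check and a SHA-256 hash, which is what a practitioner would want before deciding an unknown driver is benign.

```powershell
# Added example: inspect an unknown Services key and the driver image it points at.
# Not from the original thread. Assumes Windows PowerShell 5.1+ and a normal
# %SystemRoot% layout; the SDDMI2 name and DDMI2.sys path are from the thread.

# SCM constants from winnt.h; enough to decode what the thread's reg dump shows.
$ServiceType = @{ 0x1 = 'KernelDriver'; 0x2 = 'FileSystemDriver'; 0x10 = 'Win32OwnProcess'; 0x20 = 'Win32ShareProcess' }
$StartType   = @{ 0x0 = 'Boot'; 0x1 = 'System'; 0x2 = 'Automatic'; 0x3 = 'Manual (demand)'; 0x4 = 'Disabled' }
$ErrorCtl    = @{ 0x0 = 'Ignore'; 0x1 = 'Normal'; 0x2 = 'Severe'; 0x3 = 'Critical' }

function Resolve-ImagePath {
    param([Parameter(Mandatory)][string]$ImagePath)
    # ImagePath is REG_EXPAND_SZ. Drivers commonly store it in NT object-manager
    # form ("\??\C:\...") or relative to the Windows directory ("system32\drivers\x.sys").
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                           # strip the \??\ prefix
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"     # \SystemRoot\ form
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # relative form
    return $p
}

function Get-ServiceDriverInfo {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    if (-not (Test-Path $key)) { throw "No service key named $Name" }
    $v     = Get-ItemProperty -Path $key
    $image = Resolve-ImagePath $v.ImagePath
    $info  = [ordered]@{
        Service      = $Name
        DisplayName  = $v.DisplayName
        Type         = $ServiceType[[int]$v.Type]
        Start        = $StartType[[int]$v.Start]
        ErrorControl = $ErrorCtl[[int]$v.ErrorControl]
        ImagePath    = $image
        Exists       = Test-Path -LiteralPath $image
    }
    if ($info.Exists) {
        $fi  = Get-Item -LiteralPath $image
        $ver = $fi.VersionInfo                       # the "Version" tab of the Properties dialog
        $info.CompanyName     = $ver.CompanyName
        $info.FileDescription = $ver.FileDescription
        $info.ProductName     = $ver.ProductName
        $info.FileVersion     = $ver.FileVersion
        $info.LegalCopyright  = $ver.LegalCopyright
        $info.LastWriteTime   = $fi.LastWriteTime
        # Kernel drivers normally live under %SystemRoot%\system32\drivers; a .sys
        # dropped directly into system32 is the oddity armeen points out.
        $info.InDriversDir = $fi.DirectoryName -like "$env:SystemRoot\system32\drivers*"
        # Authenticode status (Valid, NotSigned, HashMismatch, ...) and who signed it.
        $sig = Get-AuthenticodeSignature -FilePath $image
        $info.Signature = $sig.Status
        $info.Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # A hash you can search for or submit to a scanner without shipping the file.
        $info.SHA256 = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash
    }
    [pscustomobject]$info
}

# Usage with the name from the thread:
Get-ServiceDriverInfo -Name 'SDDMI2' | Format-List
```

Run it from an elevated prompt so the Services key and system32 are readable. A result of `NotSigned` on a file in system32 is not proof of malice on a 2005-era machine, where unsigned OEM drivers were routine, but `HashMismatch` means the image on disk no longer matches what was signed and deserves an immediate second look.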

Author Comment

by:jc10
ID: 13774629
Ok, I checked the file properties now. Sorry, I misunderstood your post before when you mentioned the properties. Here is what it says:

Description: DDMI Service
Copyright: 2001-2004 Gteko Ltd.
File Version: 1.0.0.7
Product Name: DDMI

So that is helpful, at least there is a name now. I'll see what else I can find online with this new info now. Or maybe someone recognizes the name? Thanks for the help to this point.

Expert Comment

by:armeen
ID: 13774697
hmm no worries, I am not sure if it will help though because I checked their web site and they provide software for other companies to ship - if you can't find which product, in Windows Explorer sort the files by date modified and look for any other files which were modified at the same time as this sys file, the idea of this is to find which files were installed at the same time as this file - if you find any (and the times are pretty much identical) then that may give some clue as to what the device is.

Expert Comment

by:armeen
ID: 13774755
I wouldn't normally recommend it, but in this case it might be worth doing, if you delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SDDMI2

then it won't be displayed in the device manager as it won't exist.

You will need to right click on the key, go to properties and give yourself permissions to delete the key first.

Expert Comment

by:armeen
ID: 13774761
export it first though and make a backup in case you get problems later on.

:)

ed
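armeen's two follow-ups, scripted: find the files written at the same moment as DDMI2.sys (the "sort by date modified" trick, which is how you tie an orphan driver back to the installer that dropped it), and export the Services key to a .reg file before anyone deletes it. This is an added example, not code from the thread. The driver path and key name are from the thread; the search roots, the two-minute window and the backup folder are assumptions, and the functions need Windows PowerShell 3.0 or later for the `-File` switch.

```powershell
# Added example: locate files installed alongside a driver, and back up its
# Services key before deletion. Not from the original thread; search roots,
# time window and backup location are assumptions.

function Find-CoModifiedFiles {
    param(
        [Parameter(Mandatory)][string]$ReferenceFile,
        [string[]]$SearchRoots = @("$env:SystemRoot\system32", "$env:ProgramFiles"),
        [int]$WindowMinutes = 2
    )
    # Files whose LastWriteTime falls within +/- $WindowMinutes of the reference
    # file were very likely written by the same installer run.
    $ref  = (Get-Item -LiteralPath $ReferenceFile).LastWriteTime
    $from = $ref.AddMinutes(-$WindowMinutes)
    $to   = $ref.AddMinutes($WindowMinutes)
    Get-ChildItem -Path $SearchRoots -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to } |
        Sort-Object LastWriteTime |
        Select-Object LastWriteTime, Length, FullName,
            @{ n = 'Company'; e = { $_.VersionInfo.CompanyName } }
}

function Backup-ServiceKey {
    param(
        [Parameter(Mandatory)][string]$Name,
        [string]$BackupDir = "$env:USERPROFILE\Desktop"
    )
    # reg.exe export produces a .reg file that 'reg import' restores verbatim,
    # including the Security subkey; take it before touching the key. The
    # timestamp in the name avoids overwriting an earlier backup.
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $out   = Join-Path $BackupDir "$Name-$stamp.reg"
    & reg.exe export "HKLM\SYSTEM\CurrentControlSet\Services\$Name" $out | Out-Null
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path -LiteralPath $out)) {
        throw "export of $Name failed (exit code $LASTEXITCODE)"
    }
    return $out
}

# Usage with the values from the thread:
Find-CoModifiedFiles -ReferenceFile 'C:\WINDOWS\system32\DDMI2.sys' | Format-Table -AutoSize
$backup = Backup-ServiceKey -Name 'SDDMI2'
"Backup written to $backup. Only after confirming it exists:"
"  Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SDDMI2' -Recurse"
```

Two caveats before running the `Remove-Item` line it prints. Deleting the Services key only removes the service registration; the .sys file and the device's entry under the Enum tree stay behind, which is why the author's eventual fix (uninstall the device from Device Manager) is the cleaner route. And the key's own DACL, the REG_BINARY `Security` value in the dump above, may deny delete even to an administrator, which is the permission change armeen mentions.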

Expert Comment

by:Phil_Agcaoili
ID: 13774963
According to your C:\WINDOWS\system32\DDMI2.sys file, it is a product from Gteko Ltd:

Does your company use any of these products?

http://www.gteko.com/?page=prodmodules.htm

GTAgent - A preemptive support module, GTAgent enables targeted distribution of software updates (drivers and applications), Auto Fixes and informational messages to Windows-based systems.

GTWebCheck - An automated self-help problem-resolution system for Windows-based software, GTWebCheck is only initiated and activated by the user.

GTSolve - A web-based portal or local application that automates 'Frequently Asked Questions' (FAQ), GTSolve provides direct access to a rich library of Auto Fixes, tutorials and utilities.

GTConnect - A first-time setup application, GTConnect automates the initial setup and configuration of an Internet connection and home networks.

GTAssist - Combining traditional help-desk capabilities of service ticket management with a diagnostic and problem resolution mechanism, GTMail is Gteko's automated, web-based, e-mail support platform.

GTRemote - PC users are allowed to connect over the Internet to an online technical support center without worrying about firewalls and proxies using GTRemote, Gteko's remote control tool.

GTGuard - An automated security-enforcement solution, GTGuard helps end-users and IT managers maintain a secure desktop environment.

GTInventory - An easily implemented asset-management tool, GTInventory provides automated asset discovery, reporting capabilities and supports software license management.

GTHomeNet - Using an easy and intuitive graphical interface, GTHomeNet allows end-users to easily control their home network and digital devices.

Also, I was doing it by memory, but you can disable a piece of hardware by selecting the yellow ! device (DDMI in your case)-->Properties-->General tab-->Device usage-->Do not use this device (disable). This will disable this device.


And Occam's razor is a theory...Google it for more details...
In short, in the face of something unknown, the most likely conclusion is the answer or it's right in front of you so don't think too hard about it because it's just a device driver loaded from an application that may be already used.  Your helpdesk or your IT department may be using this on your system for support purposes.

As I look up the Gteko products, they are for helpdesk support and for remote software distribution for corporations.

Expert Comment

by:Phil_Agcaoili
ID: 13774997
Again, I don't think you have anything to worry about.

1. Disable the device in Device Manager as I noted above. This will prevent the Hardware Wizard from bringing it up again.
2. Contact your IT folks and ask them if they are using this software.
3. Check the malware/spyware cleaning guide I linked to earlier if you are still paranoid.

I do not believe that anything insidious is going on within your system.

Expert Comment

by:Phil_Agcaoili
ID: 13775007
While I'm here :)

Occam's Razor
http://en.wikipedia.org/wiki/Occam's_Razor

"When multiple explanations are available for a phenomenon, the simplest version is preferred."

Author Comment

by:jc10
ID: 13775109
Ok, thanks for all the help. Like I said at the beginning, I was most concerned with the fact that searching online gave zero results. Usually if I have some computer/spyware/whatever issue, I just search online and fix it up, and even if I can't fix it myself easily, at least I can find info about it. So, I appreciate your patience.

I managed to get through to the tech support. He just asked me to uninstall the "SDDMI2" device through the device manager. When I restarted after that, the new hardware wizard didn't come back. Then I just emphasized that my concern was not JUST with how to uninstall, but also with how this happened in the first place (in case of spyware, etc.). The guy basically said it was a normal file, and a normal registry entry. He said it was probably caused by some conflict or driver update related to running Windows Update. He said it's not common, but it happens.

So again thanks. It was really just a rare non-issue I guess. I'll do my best with the points.

Expert Comment

by:Phil_Agcaoili
ID: 13775128
jc10,

Just make sure that YOUR IT folks use the tools from Gteko.

I started looking at the tools and they offer some very powerful functionality--control of your system.  I can see legitimate uses for it, but I can also see someone misuse it.

Author Comment

by:jc10
ID: 13775218
Phil, it was Dell tech support for my fairly new Dell home system. I'm relieved that it's supposedly something normal, but you're right, I'm curious about why it is there too. I didn't ask specifically about Gteko though. Maybe it's for the Remote Assistance tool? Hopefully it's something like that, though I don't know how to determine that.

Expert Comment

by:Phil_Agcaoili
ID: 13775393
Thanks for the tip...I wonder if we'll see an exploit to Dell's tech support methodology in the coming months using this Gteko software.

Interesting.