
March 26th, 2006 22:00

SSDMI2 and DDMI2.sys -What is it? Is it Spyware?

Hello,
 
I have been searching all day for info about the files SSDMI2 and DDMI2.sys. The best information so far is in an old Dell forum reference (the links in the thread also give important info):
 
The reason I am seeking the info is that Windows Defender keeps alerting to something related to this file or service. Those alerts do not appear in any fashion when I am using the PC and I got no alerts that require any sort of action. The alerts are only visible in the Event Viewer.  There are also error entries where the service control manager is seeking this service, but the file cannot be located on my PC.  I suspect that this is somehow related to Dell Support module or AOL Computer Check Up, but I am unsure. I also do not know what would be seeking to start that service, at regular intervals, even though I am not running Dell or AOL computer check ups at times indicated. This is long, but here are the pertinent entries from the Event Viewer:
___________________________________________________________________
 
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:42 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {3622BC44-D056-4EF6-962C-4E324A605AEE}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: service:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:41 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {FAC8D814-DD88-4E26-8D6F-B20AEF3413A3}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:40 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {3C4386BC-30B6-489C-A6CA-E0C8F40CC3DB}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:40 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {4B0E4DCF-BB6A-4E4D-B0E7-4879AB5904D3}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: service:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {273DBCD9-DDAA-4282-BF04-561A0D1D8377}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {4903FE84-FDF2-4ACC-953C-0DF20C2721FA}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: service:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {7FDFE8F6-7328-49DE-957B-D93729BBF4AC}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {7CF9DDC7-DEFC-4435-BC0A-A60E27957729}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: service:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:30:38 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:30:38 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {CA4E9817-4048-42D9-8BAA-43BD4AB87D23}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:30:38 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:30:37 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:30:37 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:30:35 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:29:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {5D62570D-D2A7-413D-843B-92BEFEC7BF0B}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: service:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Warning
Event Source: WinDefend
Event Category: None
Event ID: 3004
Date:  3/26/2006
Time:  12:29:39 PM
User:  N/A
Computer: XXXXXX
Description:
Windows Defender  Real-Time Protection agent has detected potential malware.
 For more information please see the following:
http://www.microsoft.com
  Scan ID: {B8867F19-BF94-4F1C-A3AD-F38A9C9DE5E7}
  User: XXXXXX\xxxx
  Threat Name: Unknown
  Threat Id:
  Threat Severity:
  Threat Category:
  Path Found: driver:SDDMI2
  Threat Classification: Unknown
  Detection Type: 
 

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:29:37 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
_______________________________________________________________-___
 
The file DDMI2.sys does exist, but only in C:\1386. I assume that is a backup copy of the original file from either Dell PC checkup or AOL Computer Checkup since the file no longer exists anywhere else on the PC. The only other reference to that file is in the install log for AOL CCup from Dec, 2005. Here is part of that install log, where several items are being uninstalled by CCup:
____________________________________________________________________
riteRegStr: set -2147483646\SOFTWARE\America Online\Computer Checkup\InstallDate to 1135843625
WriteRegDWORD: set -2147483646\SOFTWARE\America Online\Computer Checkup\DCULastScanDate to 0
Call: 419
IfFileExists:
Delete: ERROR -- "C:\WINDOWS\system32\ddmi2.sys" does not exist. Skipping delete.
_________________________________________________________________
I do not know what all this means, but AOL CCup must be Gtek; Dell Support module is powered by Gteko. Obviously the file was removed either by me when I uninstalled mywaysearch or Dell cyber coach or by AOL CCup during one of its installations. This is just a great mystery, and only a problem in that SOMETHING must still be trying to start that service each day but fails.
 
Any opinion or insight would be welcome.
BTW- no malware is found on my PC by any of my scanners, which include:
McAfee VirusScan 10.0
Spysweeper
Ewido
A-squared
Ad AwareSE Personal
Spybot S&D
X Cleaner
Windows Defender beta2
MRT and Stinger
Rootkitrevealer
Blacklight beta
HJT
 
I am trying to find out what is trying to start this service and if it is malware, or do I have some missing Dell components?
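
Added example (not part of the original thread): a Python sketch that parses Event Viewer text pasted in the layout shown in the post above and reports, per service name, how many Service Control Manager 7000 start failures occurred and how many WinDefend 3004 alerts naming the same service fall within a few seconds of one. The sample entries are constructed to mirror the post; the function names and the 5-second window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (trimmed) in the same text layout as the entries quoted in the post.
SAMPLE = """\
Event Type: Warning
Event Source: WinDefend
Event ID: 3004
Date:  3/26/2006
Time:  12:30:39 PM
Description:
  Path Found: driver:SDDMI2
Event Type: Error
Event Source: Service Control Manager
Event ID: 7000
Date:  3/26/2006
Time:  12:30:38 PM
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
Event Type: Warning
Event Source: WinDefend
Event ID: 3004
Date:  3/26/2006
Time:  12:30:38 PM
Description:
  Path Found: service:SDDMI2
"""

FIELD = re.compile(r"^(Event Source|Event ID|Date|Time):\s*(.+?)\s*$")
NAME = re.compile(r"Path Found: (?:service|driver):(\S+)|The (\S+) service failed to start")

def parse_events(text):
    """Split a pasted Event Viewer dump into dicts, one per 'Event Type:' block."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        name = NAME.search(block)
        if {"Event Source", "Event ID", "Date", "Time"} <= fields.keys() and name:
            events.append({
                "source": fields["Event Source"],
                "id": int(fields["Event ID"]),
                "when": datetime.strptime(fields["Date"] + " " + fields["Time"], "%m/%d/%Y %I:%M:%S %p"),
                "service": name.group(1) or name.group(2),
                "missing_file": "cannot find the file" in block,
            })
    return events

def correlate(events, window_seconds=5):  # window size is an assumption, tune as needed
    """Per service: count SCM 7000 start failures and Defender 3004 alerts near them."""
    report = defaultdict(lambda: {"start_failures": 0, "missing_file": False, "alerts_near_failure": 0})
    failures = [e for e in events if e["source"] == "Service Control Manager" and e["id"] == 7000]
    for f in failures:
        report[f["service"]]["start_failures"] += 1
        report[f["service"]]["missing_file"] |= f["missing_file"]
    for a in (e for e in events if e["source"] == "WinDefend" and e["id"] == 3004):
        if any(f["service"] == a["service"]
               and abs(a["when"] - f["when"]) <= timedelta(seconds=window_seconds) for f in failures):
            report[a["service"]]["alerts_near_failure"] += 1
    return dict(report)

print(correlate(parse_events(SAMPLE)))
```

A service whose start failures report a missing file and whose Defender alerts cluster around those failures points to a leftover service registration that something keeps trying to start, rather than to a file present on disk.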

10.4K Posts

March 27th, 2006 00:00

OldRebel

The error codes you are getting have to do with driver modules trying to access RAM

Clear your event log and see if that resolves the concern

Start - Control panel - Administrative tools -event log

clear the event log and see if that resolves your issue

If not please reply


bamajim

10.4K Posts

March 27th, 2006 01:00

Old rebel

In admin tools you can click on computer management.
The tree on the left pane. System tools click to expand - highlight event viewer.
Then on the right pane you will see the 4 folders.
Highlight application rt click - clear all events. You will be asked if you want to save log. Select yes. save in doc. folder for reference.

bamajim

16 Posts

March 27th, 2006 01:00

Ok. I went to administrative tools, but I did not see how to clear the event log.  Any more specific instructions on that?

16 Posts

March 27th, 2006 02:00

OK. Thanks. I found per your instructions the location and how to clear the event log. But before I do that, I am wondering how would just clearing the log change the action that is causing the alerts? What is the purpose of DDMI2.sys?  You say it's a driver trying to access RAM. What driver? For what purpose?  Why can't I find a clear answer anywhere for that?

16 Posts

March 27th, 2006 03:00

I found the following information on a Windows Defender newsgroup. Now I am left wondering if I am failing to get important updates from Dell because I uninstalled Dell cyber coach when I got angry and uninstalled mywaysearch assistant.  Here is what another Dell owner said to Microsoft:

 

> Although I have not taken the time to contact Dell for verification (hoping MS has a faster path to someone knowledgeable than I), it appears this software is part of the Dell Support 3.x system from Gteko Ltd.  Other parts are found in C:\Program Files\WebCyberCoach\
>
> A quick Google shows a bit of confusion about these files by users of various spyware utilities at times, so Microsoft isn't the first and won't be the last.

I have software support from Dell, but when I called and asked them about it, all I got was a runaround and no meaningful answer.  If I have removed something that I need, why don't they say so? Or maybe I don't really need it at all.  Maybe it IS spyware!!!

10.4K Posts

March 27th, 2006 14:00

OldRebel

All of the warnings you indicated in your first post were from your antispyware program, not from the System error from Windows.

Now if you have deleted some things, (maybe some things you shouldn't have) this could have created a problem

As far as clearing the event log, my purpose was 2 fold. One this log as well as all files and folders are scanned by most antispyware programs. And two, it would give  a fresh look at current problems.

Your question regarding "which driver" you may need to do a little looking, because I do not know what all you have on your system

Rt click - Mycomputer- properties - hardware tab - click device manager.

This will open device manager window: AS AN EXAMPLE - click to expand display adapters (in the left pane) - the driver will be listed under that. Highlight and rt click - properties. And it will give you the status of that driver with other options, i.e. troubleshoot, update driver, etc.

 

If you still feel it may be a spyware problem please reply

bamajim

10.4K Posts

March 27th, 2006 15:00

OldRebel

I know that there are several questions unanswered so far, as it were. However I'm trying to help you narrow down a problem to whether this is a hardware/software issue or a spyware issue. I'm hopeful we can help you with this. I only ask that we do this a step or two at a time.

So far after looking at your posts, I've noticed

You're receiving error messages

A vast number of antivirus tools and fixes you've tried ( which may be causing a conflict themselves)

You've "uninstalled" various programs

You're looking for information on SSDM12

You're looking at issues regarding browsers installed by Dell

And a number of other things all at the same time. I will be glad to continue to work with you on this, but please, can we do this a step or two at a time.

If you feel your system is "infected"

Then go here and download Hijackthis

http://dsvs.org/5/HijackThis.exe

Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. To the link below


http://forums.us.dell.com/supportforums/board?board.id=si_hijack

and let someone look at your log


Please do not be tempted to "fix" on your own. Hijackthis is a very powerful tool, if used incorrectly can cause system problems.

bamajim


 

16 Posts

March 27th, 2006 15:00

Maybe I don't understand, but I don't think that this and similar log entries were from Defender:

 

Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/26/2006
Time:  12:29:37 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.

 
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I thought only the WinDefend entries were from Defender.

I will try your suggested solution, but doubt that it will stop the event viewer entries.

Also, my inquiries about the purpose of DDMI2.sys and its relation to Dell Cyber Coach have not been answered. I have read that it can be used for remote access to computer controls and downloads and that it can bypass the firewall. I have a reason to be concerned. Dell's history with what appear to users to be browser hijacks is rather questionable:

http://forum.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=42328&query.id=707323#M42328

 

http://forum.us.dell.com/supportforums/board/message?board.id=si_virus&message.id=51092

All I want is full information and a way to replace anything missing that I might need.

16 Posts

March 27th, 2006 16:00

I have cleared the application and system event logs, turned off the Dell Support program, and rebooted.  Subsequently, there were no error messages or WinDefend alerts in the Event Viewer logs at all.  I really do not believe that I have malware, and I have already done HJT analysis elsewhere.  I do think that my Dell Support program is the source of the error messages and the WinDefender alerts. I can ignore Defender w/o a problem because it does not require any action in regards to Dell Support, and, as far as I can tell, is not interfering with Dell Support. However, I just turned Dell Support back on, and as soon as I did, I had new error messages in the Event Viewer under "system":
Event Type: Error
Event Source: Service Control Manager
Event Category: None
Event ID: 7000
Date:  3/27/2006
Time:  1:35:33 PM
User:  N/A
Computer: XXXXXX
Description:
The SDDMI2 service failed to start due to the following error:
The system cannot find the file specified.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have been told not to worry about this by Dell Help Desk, but I am concerned that my Dell Support program is malfunctioning and is basically useless to me. What is the proper forum or resource to get more info or help with the Dell Support program?

10.4K Posts

March 27th, 2006 18:00

OldRebel

Here is your link to the Dell Support Program forum

 http://forums.us.dell.com/supportforums/board?board.id=sw_dellsup

It sounds as if you have narrowed it down some. I still think it's a software conflict/driver conflict

The link above addresses issues with the program you mentioned

 

bamajim

16 Posts

March 27th, 2006 21:00

Update:  I talked with Dell Help Desk again, and uninstalled Dell Support 3.1. Then I downloaded and installed another copy of 3.1 from the Dell web site.  I am still getting the annoying alerts in the Event View system log from WinDefend about SSDMI2, but the SSDMI2 service is now being started successfully w/o problems and the Dell Support Utility has been granted Internet access and seems to be functioning properly.  I also have a new Dell web cyber coach program installed in add/remove programs.  As long as Dell Support functions, I can ignore Defender.

 

Event Type: Information
Event Source: Service Control Manager
Event Category: None
Event ID: 7035
Date:  3/27/2006
Time:  5:47:42 PM
User:  JUDITH\Paul
Computer: JUDITH
Description:
The SDDMI2 service was successfully sent a start control.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

10.4K Posts

March 27th, 2006 23:00

OldRebel

I would be curious to see if the error occurs with the printer disconnected, if you don't mind of course.

bamajim

16 Posts

March 27th, 2006 23:00

And of course my keyboard. I have never had a camera or video plugged into it.

10.4K Posts

March 27th, 2006 23:00

Old Rebel

Glad to hear some of your problems have been resolved. I did some checking this afternoon and found this error code being involved with USB port issues. Just out of curiosity do you have anything plugged into a USB port on startup?

bamajim

16 Posts

March 27th, 2006 23:00

The only things plugged into my PC are my printer (USB port) and the monitor and speakers.