dialer generic
stapp
January 12th, 2006, 02:08 PM
Could someone PLEASE help with this problem? I have the paid-for version (I have been in touch with ewido twice but no reply).
Each time I scan I get the following, it is cleaned and is then back the next day. I had a hjt done and they said it was clean.
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 14:24:39, 12/01/2006
+ Report-Checksum: 51028F2A
+ Scan result:
HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Cleaned with backup
::Report End
spartak
January 12th, 2006, 03:58 PM
Do you have a dialup or broadband connection?
stapp
January 12th, 2006, 11:53 PM
Broadband, XP, SP2. Ewido, e-trust, and spywareblaster.
spartak
January 13th, 2006, 09:34 AM
If you have broadband you do not have to worry about dialers!
stapp
January 13th, 2006, 10:06 AM
Why is ewido giving this result every time I scan then?
I notice it's always after I have re-booted.
TopperID
January 13th, 2006, 12:20 PM
Maybe something is re-installing it after each reboot?
Give yourself an online scan to see if that throws anything up:-
http://www.kaspersky.com/downloads/kws/kavwebscan.html
You should also check the Startup tab of msconfig to ensure nothing nasty is set to autostart from there.
stapp
January 13th, 2006, 01:18 PM
I just did a scan in safe mode, it was there again as I had to reboot to do it.
Could not see anything unusual in the startup. (msconfig)
STILL no reply from ewido after 3 e-mails.
Been reading a microsoft article about controlsets. Perhaps ewido is recognising the last good configuration (controlset002) as a threat?
I don't know enough about the registry to figure it out.
Thanks for the replies:)
redwolfe_98
January 14th, 2006, 04:07 PM
i would check the registry to confirm that ewido removed the regkey..
assuming that ewido does remove the regkey, and that some malware is restoring it, you could try using "sysinternal's" "regmon" to try to see what is writing the regkey..
also, you could try ghostsecurity's "regdefend".. maybe that is another way to see what is writing the regkey..
here is a link to "regmon":
http://www.sysinternals.com/Utilities/Regmon.html
here is a link to "regdefend":
http://www.ghostsecurity.com/index.php?page=regdefend
incidentally, i don't have a "HKLM\SYSTEM\ControlSet002" in my registry, running win xpsp2..
stapp
January 15th, 2006, 02:57 AM
Thanks for your reply redwolf. The key is always at that address, ewido says removed and cleaned each time, have even tried running it in safe mode.
The info I have on controlset002 (which I don't really understand! ) has been obtained from this microsoft article
http://support.microsoft.com/?kbid=100010
I don't really know if I am competent enough to use the things you suggested. I would just love ewido to reply to all my e-mails about this problem. I paid for ewido and had hoped for more support from them.
peter.ewido
January 15th, 2006, 06:18 AM
First of all, sorry for the late reply - I will check what happened!
Could you please open regedit.exe, navigate to
HKLM\SYSTEM\ControlSet002\Control\SPPInfo
right click on SPPInfo, select "Export" and send the created .reg file to submit@ewido.net with a short notice about this thread here?
redwolfe_98
January 15th, 2006, 06:38 AM
stapp, you could try to get some help in the forums at "dslreports"..
there are probably other forums where you could try to get help; that is just one forum that i am familiar with..
there are some routines that they want you to go through before asking for help with cleaning, so read the articles where it says "read before posting"..
here is a link to the "security forum", but notice that there is another forum for help with "cleaning", "security cleanup" (mentioned in the "sticky", at the top of the forum), and there is a tab for the "security cleanup" forum..
http://www.dslreports.com/forum/security
stapp
January 15th, 2006, 08:21 AM
{QUOTE-> First of all, sorry for the late reply - I will check what happened!
Could you please open regedit.exe, navigate to
HKLM\SYSTEM\ControlSet002\Control\SPPInfo
right click on SPPInfo, select "Export" and send the created .reg file to submit@ewido.net with a short notice about this thread here? <-QUOTE}
Have sent reg.file as requested Peter.
stapp
January 15th, 2006, 02:03 PM
Have discovered that the controlset002\control\sppinfo\ppse1idesc thing is in CURRENT controlset as well sometimes, although ewido never gives that reg. address as being a problem.
peter.ewido
January 16th, 2006, 08:30 AM
Thanks for the file... However, we were not yet able to reproduce it on our test machines, could be an engine bug :(
stapp
January 16th, 2006, 10:55 AM
Here is another one Peter someone got me to copy from the registry, this may be better.
Bubba
January 16th, 2006, 11:05 AM
contents of output.txt file for ease of following:
{QUOTE-> Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo\PPSE1IDesc]
"OrigInstallTime"="1136577405"
"LastAccess"="1136577466"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc]
"OrigInstallTime"="1136577405"
"LastAccess"="1136577466" <-QUOTE}
Hey stapp,
Just for future reference in case it helps to understand....the ControlSet002 key is "the last known good control set, or the control set that last successfully booted"
What are Control Sets? What is CurrentControlSet? (http://support.microsoft.com/?kbid=100010)
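The two exports quoted in Bubba's post can be read mechanically. The following is an added example, not part of any post in the thread: it parses the quoted .reg text, lists which control sets hold the PPSE1IDesc subkey, and decodes the two values on the assumption that they are Unix epoch seconds (the thread does not say what they encode). The function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Sample input: the two exports quoted in the thread, joined as posted.
REG_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo\PPSE1IDesc]
"OrigInstallTime"="1136577405"
"LastAccess"="1136577466"
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc]
"OrigInstallTime"="1136577405"
"LastAccess"="1136577466"
"""

KEY_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\Some\Key]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')  # "Name"="string data"

def parse_reg(text):
    """Return {key_path: {value_name: string_data}} for string values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys

def control_sets_with(keys, suffix):
    """Control set names (third path component) holding a key ending in suffix."""
    return sorted(p.split('\\')[2] for p in keys
                  if p.lower().endswith(suffix.lower()))

def decode_times(values):
    """Assumption: digit-only strings are Unix epoch seconds, shown as UTC."""
    return {n: datetime.fromtimestamp(int(v), tz=timezone.utc).isoformat()
            for n, v in values.items() if v.isdigit()}

if __name__ == "__main__":
    parsed = parse_reg(REG_EXPORT)
    print(control_sets_with(parsed, r"\SPPInfo\PPSE1IDesc"))
    for path, values in parsed.items():
        if values:
            print(path, decode_times(values))
```

Under that assumption both values fall on 6 January 2006, and they are identical in ControlSet002 and CurrentControlSet.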
beetlejuice69
January 16th, 2006, 11:48 AM
Thanks for that bubba. Learn something new everyday...at least for me. :)
stapp
January 16th, 2006, 11:49 AM
Thanks Bubba for doing that and the info.
The gentleman who helped me get that info above says ewido may also need this info below I will paste in, to help them to find the source of the problem....
I cannot recreate the problem you are having, Ewido deletes the key on mine and it doesn't come back, Ewido doesn't remove the SPPInfo key but does remove the PPSE1IDesc subkey which is all it seems to target but it's strange that it doesn't detect the exact same key in CurrentControlSet, the ControlSet002 entry must be written into their definitions and they must not have included the CurrentControlSet entry.
Regarding the permissions if I remove permissions for everyone on that subkey then Ewido shows this in the scan:
+ Created on: 15:31:58, 16/01/2006
+ Report-Checksum: D93BCFF
+ Scan result:
HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Error during cleaning
::Report End
If I enable permissions for Admin with Full Control then Ewido shows this:
+ Created on: 15:36:16, 16/01/2006
+ Report-Checksum: AAECEBA
+ Scan result:
HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Cleaned with backup
::Report End
And I can see by checking the registry that it does remove the PPSE1IDesc subkey, plus I'm able to delete those keys manually without problems.
Can you create a new user account then try deleting the key using that account, maybe best to write the path to the key down so you can still find it with the new account as it will not load your settings or any text files you have saved.
Go to Control Panel (Start menu > Control Panel) and then double click User Accounts
Choose 'Create a New Account' Name it anything and click Next, For Account Type choose 'Computer Administrator' then click 'Create Account'
Reboot and then log into the new account then open Regedit and try to manually remove the keys by right clicking SPPInfo and choosing Delete:
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo]
Reboot back to your own account then delete the new account you just created by going to user accounts again and clicking the new account name then choose 'Delete Account' and 'delete files'.
Hope this helps
It is unlikely I will be able to follow these instructions myself!
stapp
January 17th, 2006, 11:12 AM
IT'S GONE!!
To bring people up to date. I followed the instructions above, created a new user, went to regedit, found controlset002, it wouldn't let me delete SPPInfo key. Next I went to currentcontrolset and YES it let me delete the SPPInfo key.
I rebooted, scanned and it's gone. No SPPInfo folder now in either controlset002 or currentcontrolset reg entries.
I just wish ewido had helped me do it, I've still had no reply from the 5 e-mails I've sent them.
Thanks to all here who did reply.
peter.ewido
January 17th, 2006, 11:24 AM
{QUOTE->
I just wish ewido had helped me do it, I've still had no reply from the 5 e-mails I've sent them. <-QUOTE}
That is because we do not want to discuss issues at several places (forum AND email) to avoid confusion... The main thing that caused the delay is that we do not have a definition for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc
and until Bubba posted the whole tree, we could not reproduce the detection... We are still on it, that's for sure :)
stapp
January 18th, 2006, 08:53 AM
Thanks for the reply Peter. When you find out the dialer any chance you could let me know?
P.S. Just to make it clear, I think ewido is a GREAT prog. which is why I bought it. ( just in case I didn't make this clear !)
Bubba
January 18th, 2006, 09:08 AM
{QUOTE-> P.S. Just to make it clear, I think ewido is a GREAT prog. which is why I bought it. ( just in case I didn't make this clear !) <-QUOTE}
It is very clear and I'm sure no one at ewido doubted that ;)
BTW....I will be following a few threads I have found concerning this same issue in particular this thread (http://forum.ccleaner.com/index.php?showtopic=3752).
{QUOTE-> Ewido deletes the key on mine and it doesn't come back, Ewido doesn't remove the SPPInfo key but does remove the PPSE1IDesc subkey which is all it seems to target but it's strange that it doesn't detect the exact same key in CurrentControlSet, the ControlSet002 entry must be written into their definitions and they must not have included the CurrentControlSet entry. <-QUOTE}
stapp
January 18th, 2006, 11:13 AM
Bubba, you have found me out, Hazelnut is me!! A lady!!
The gentleman you quoted in ccleaner was very helpful and did make some suggestions as to where this may have come from as I am sure you noticed.
ccleaner forum is a strong supporter of ewido and indeed it is included in their malware package suggestions for download before hjt logs are submitted.
EdeNilno
June 27th, 2006, 10:20 AM
Thank you very much. Obviously I had the same vexing problem and your "cure" helped immediately. :D
stapp
June 27th, 2006, 12:41 PM
So glad it helped you. It drove me mad at times 'til I got that fix for it from a guy called Andy Manchesta over on ccleaner forums.
Are you still on ewido 3.5?
If so I would give ewido 4 a go, I think it's a HUGE all round improvement.