dialer generic

Discussion in 'ewido anti-spyware forum' started by stapp, Jan 12, 2006.

Thread Status:
Not open for further replies.
  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Could someone PLEASE help with this problem, I have the paid for version ( I have been in touch with ewido twice but no reply.)
    Each time I scan I get the following, it is cleaned and is then back the next day. I had a hjt done and they said it was clean.

    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 14:24:39, 12/01/2006
    + Report-Checksum: 51028F2A

    + Scan result:

    HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Cleaned with backup


    ::Report End
     
  2. spartak

    spartak Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    21
    Do you have a dialup or broadband connection;
     
  3. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Broadband, XP, SP2. Ewido, e-trust,and sptwareblaster.
     
  4. spartak

    spartak Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    21
    If you have broadband you do not have to worry about dialers!
     
  5. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    why is ewido giving this result ever time I scan then?
    I notice it's always after I have re-booted.
     
  6. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    Maybe something is re-installing it after each reboot?

    Give yourself an online scan to see if that throws anything up:-

    http://www.kaspersky.com/downloads/kws/kavwebscan.html

    You should also check the Startup tab of msconfig to ensure nothing nasty is set to autostart from there.
     
  7. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    I just did a scan in safe mode, it was there again as I had to reboot to do it.
    Could not see anything unusual in the startup. (msconfig)
    STILL no reply from ewido after 3 e-mails.
    Been reading a microsoft article about controlsets. Perhaps ewido is recognising the last good configeration (controlset002) as a threat?
    I don't know enough about the registry is figure it out.

    Thanks for the replies:)
     
  8. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    i would check the registry to confirm that ewido removed the regkey..

    assuming that ewido does remove the regkey, and that some malware is restoring it, you could try using "sysinternal's" "regmon" to try to see what is writing the regkey..

    also, you could try ghostsecurity's "regdefend".. maybe that is another way to see what is writing the regkey..

    here is a link to "regmon":

    http://www.sysinternals.com/Utilities/Regmon.html

    here is a link to "regdefend":

    http://www.ghostsecurity.com/index.php?page=regdefend

    incidentally, i don't have a "HKLM\SYSTEM\ControlSet002" in my registry, running win xpsp2..
     
    Last edited: Jan 14, 2006
  9. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Thanks for your reply redwolf. The key is always at that address, ewido says removed and cleaned each time, have even tried running it in safe mode.
    The info I have on controlset002 (which I don't really understand! ) has been obtained from this microsoft article

    http://support.microsoft.com/?kbid=100010

    I don't really know if I am competent enough to use the things you suggested. I would just love ewido to reply to all my e-mails about this problem. I paid for ewido and had hoped for more support from them.
     
  10. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    First of all, sorry for the late reply - I will check what happened!

    Could you please open regedit.exe, navigate to

    HKLM\SYSTEM\ControlSet002\Control\SPPInfo

    right click on SPPInfo, select "Export" and send the created .reg file to submit@ewido.net with a short notice about this thread here?
     
  11. redwolfe_98

    redwolfe_98 Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    581
    Location:
    South Carolina, USA
    stapp, you could try to get some help in the forums at "dslreports"..

    there are probably other forums where you could try to get help; that is just one forum that i am familiar with..

    there are some routines that they want you to go through before asking for help with cleaning, so read the articles where it says "read before posting"..

    here is a link to the "security forum", but notice that there is another forum for help with "cleaning", "security cleanup" (mentioned in the "sticky", at the top of the forum), and there is a tab for the "security cleanup" forum..

    http://www.dslreports.com/forum/security
     
  12. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Have sent reg.file as requested Peter.
     
  13. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Have discovered that the controlset002\control\sspinfo\ppse1idesc thing is in CURRENT controlset as well sometimes, although ewido never gives that reg. address as being a problem.
     
  14. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    Thanks for the file... However, we were not yet able to reproduce it on our test machines, could be an engine bug :(
     
  15. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Here is another one Peter someone got me to copy from the registry, this may be better.
     

    Attached Files:

  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    contents of output.txt file for ease of following:

    Hey stapp,

    Just for future reference in case it helps to understand....the ControlSet002 key is "the last known good control set, or the control set that last successfully booted"

    What are Control Sets? What is CurrentControlSet?
     
  17. beetlejuice69

    beetlejuice69 Registered Member

    Joined:
    Mar 16, 2005
    Posts:
    780
    Thanks for that bubba. Learn something new everyday...at least for me. :)
     
  18. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Thanks Bubba for doing that and the info.

    The gentleman who helped me get that info above says ewido may also need this info below I will paste in, to help them to find the source of the problem....


    I cannot recreate the problem you are having, Ewido deletes the key on mine and it doesnt come back, Ewido doesnt remove the SPPInfo key but does remove the PPSE1IDesc subkey which is all it seems to target but its strange that it doesnt detect the exact same key in CurrentControlSet, the ControlSet002 entry must be written into their definitions and they must not of included the CurrentControlSet entry.

    Regarding the permissions if I remove permissions for everyone on that subkey then Ewido shows this in the scan:

    + Created on: 15:31:58, 16/01/2006
    + Report-Checksum: D93BCFF

    + Scan result:

    HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Error during cleaning

    ::Report End


    If I enable permissions for Admin with Full Control then Ewido shows this:

    + Created on: 15:36:16, 16/01/2006
    + Report-Checksum: AAECEBA

    + Scan result:

    HKLM\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc -> Dialer.Generic : Cleaned with backup

    ::Report End

    And I can see by checking the registry that it does remove the PPSE1IDesc subkey plus Im able to delete those keys manually without problems

    Can you create a new user account then try deleting the key using that account, maybe best to write the path to the key down so you can still find it with the new account as it will not load your settings or any text files you have saved.

    Goto Control Panel (Start menu > Control Panel ) and then double click User Accounts

    Choose 'Create a New Account' Name it anything and click Next, For Account Type choose 'Computer Administrator' then click 'Create Account'

    Reboot and then log into the new account then open Regedit and try to manually remove the keys by right clicking SPPInfo and choosing Delete:

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SPPInfo]

    Reboot back to your own account then delete the new account you just created by going to user accounts again and clicking the new account name then choose 'Delete Account' and 'delete files'.

    Hope this helps


    It is unlikly I will be able to to follow these instuctions myself!
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    IT'S GONE!!
    To bring people up to date . I followed the instuctions above, created a new user, went to regedit, found controlset002, it wouldn't let me delete SSPInfo key. Next I went to currentcontrolset and YES it let me delete the SSPInfo key,.
    I rebooted , scanned and it's gone. No SSPInfo folder now in either controlset002 or currentcontrolset reg entries.

    I just wish ewido had helped me do it, I've still had no reply from the 5 e-mails I've sent them.

    Thanks to all here who did reply.
     
  20. peter.ewido

    peter.ewido former ewido team

    Joined:
    Nov 10, 2003
    Posts:
    737
    Location:
    Brno, Czech Republic
    That is because we do not want to discuss issues at several places (forum AND email) to avoid confusion... The main thing that caused the delay is that we do not have a definition for HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SPPInfo\PPSE1IDesc
    and until Bubba posted the whole tree, we could not reproduce the detection... We are still on it, that's for sure :)
     
  21. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Thanks for the reply Peter. When you find out the dialer any chance you could let me know?
    P.S. Just to make it clear, I think ewido is a GREAT prog. which is why I bought it. ( just in case I didn't make this clear !)
     
  22. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    It is very clear and I'm sure no one at ewido doubted that ;)

    BTW....I will be following a few threads I have found concerning this same issue in particular this thread.

     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    Bubba, you have found me out, Hazelnut is me!! A lady!!

    The gentleman you quoted in ccleaner was very helpful and did make some suggestions as to where this may have come from as I am sure you noticed.
    ccleaner forum is a strong supporter of ewido and indeed it is included in their malware package suggestions for download before hjt logs are submitted.
     
  24. EdeNilno

    EdeNilno Registered Member

    Joined:
    Jun 27, 2006
    Posts:
    1
    Thank you very much. Obviously I had the same vexing problem and your "cure" helped immediately. :D
     
  25. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,267
    Location:
    England
    So glad it helped you. It drove me mad at times 'til I got that fix for it from a guy called Andy Manchesta over on ccleaner forums.
    Are you still on ewido 3.5?
    If so I would give ewido 4 a go, I think it's a HUGE all round improvement.
     
Thread Status:
Not open for further replies.