Is this a concern or not

[Kurt Ullman]

Windows XP. NAV resource protector says $sys$drmserver.exe keeps trying
to access symantec Shared/Nmain.exe and keeps getting stopped
Google seems to indicate that this either part of Sony's licensing or
The End Of The World As We Know It. The Google stuff for svchost runs
about the same. Norton and AVG and AdAware and Spybot S&D don't seem
terribly concerned about either one. Should I be or not?

 

[David H. Lipman]

From: "Kurt Ullman" <[email protected]>

| Windows XP. NAV resource protector says $sys$drmserver.exe keeps trying
| to access symantec Shared/Nmain.exe and keeps getting stopped
| Google seems to indicate that this either part of Sony's licensing or
| The End Of The World As We Know It. The Google stuff for svchost runs
| about the same. Norton and AVG and AdAware and Spybot S&D don't seem
| terribly concerned about either one. Should I be or not?

I don't understand what you mean by; $sys$drmserver.exe
Is that supo\psed to be something like;
c:\windows\drmserver.exe
or
c:\windows\system32\drmserver.exe

In any case...

Please submit a sample of "drmserver.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendor's scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.

 

[Kurt Ullman]

From: "Kurt Ullman" <[email protected]>

| Windows XP. NAV resource protector says $sys$drmserver.exe keeps trying
| to access symantec Shared/Nmain.exe and keeps getting stopped
| Google seems to indicate that this either part of Sony's licensing or
| The End Of The World As We Know It. The Google stuff for svchost runs
| about the same. Norton and AVG and AdAware and Spybot S&D don't seem
| terribly concerned about either one. Should I be or not?

I don't understand what you mean by; $sys$drmserver.exe
Is that supo\psed to be something like;
c:\windows\drmserver.exe
or
c:\windows\system32\drmserver.exe

The latter with $sys$drmserver.exe.

In any case...

Please submit a sample of "drmserver.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html

I'll do that, thanks.

 

[Damian]

The latter with $sys$drmserver.exe.

I'll do that, thanks.

Ignore Lipshit, you have installed the Sony Rootkit. Google for removal
instructions.

 

[Gabriele Neukam]

I don't understand what you mean by; $sys$drmserver.exe

This is a certain way of naming files, used by XCP, a copy protection
rootkit made by Sony, that will make everything "invisible" (even with
Windows Explorer set to "show all files"), especially its own services
that makes sure that $specificgame will only run from then original
CDrom.

http://blogs.technet.com/markrussinovich/archive/2005/10.aspx

It is really a hideous story. And remains of that stuff may well be
lying on the original poster's hard disk.


Gabriele Neukam

(e-mail address removed)