Annoying false positive on dmserver.dll
HeLLBRiNGeR
November 3rd, 2008, 08:38 PM
Hi! I'm having a problem with NOD32 v2.7.39, reporting on the startup scans that dmserver.dll is a virus (Win32/Patched.BU, according to NOD32). I tried to put it on AMON's exclusion list but it detects the file on the startup scan even with it configured as excluded. I'm 99.99% certain that it's the original dmserver.dll file from Microsoft since they share the same MD5 and CRC32 checksums. So, my question is: is there a way to exclude the file from the startup scans?
Thanks in advance
ASpace
November 3rd, 2008, 11:55 PM
The better way is to take your Windows installation CD and run System File Checker (sfc.exe)
Start -> Run -> sfc.exe /scannow. Keep the disk handy and insert it when Windows asks you to. Whether you are infected or not, this will replace the file with the 100% original. Reboot the machine after the process has finished.
http://www.wilderssecurity.com/showpost.php?p=1322437&postcount=2
If you still have problems after that, temporarily disable AMON, get the file and send it to ESET at samples@eset.com
Marcos
November 4th, 2008, 12:58 AM
We don't expect this detection to produce false positives. Please submit the file in question to samples[at]eset.com with this thread's URL in the subject, as advised above.
kanenas
November 8th, 2008, 04:59 PM
I just had the same warning with a 3.x version of Nod32.
I compared the file (in \system32\) with the same version/date file in C:\WINDOWS\ServicePackFiles\i386\ and they were actually different.
The active file in System32 had some code in areas that usually have zeroes in them and had a call to a function replaced by a call to a different address (I suppose a jump to the added code).
I was too lazy to bother with it and just overwrote the file with the good one to keep Nod32 happy.
I'm curious how they do that though. I had it happen to me once again a few weeks ago. I'd think these types of files would be tracked by the system to avoid tampering, but they don't seem to be.
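One way to do the comparison kanenas describes, as an added example and not code from this thread: it computes the MD5 and CRC32 checksums HeLLBRiNGeR mentions, then reports each byte range where the active copy differs from a known-good reference copy (such as the one under ServicePackFiles\i386), distinguishing bytes written into what was zero padding in the reference from changes to existing bytes, such as a redirected call. The two byte strings are constructed stand-ins, not real dmserver.dll contents.

```python
import hashlib
import zlib

# Constructed sample data standing in for two copies of the same DLL:
# REFERENCE plays the known-good copy, ACTIVE the copy found in System32.
# They are not real dmserver.dll bytes.
REFERENCE = b"\x55\x8b\xec\xe8\x10\x00\x00\x00\x5d\xc3" + b"\x00" * 16
ACTIVE = (b"\x55\x8b\xec\xe8\x14\x00\x00\x00\x5d\xc3"   # call target changed
          + b"\x00" * 8 + b"\x90\x90\xc3" + b"\x00" * 5)  # code added in padding


def checksums(data):
    """MD5 and CRC32 of a blob, as used in the thread to compare copies.
    Matching values suggest identical files; neither hash resists deliberate
    collision, so a mismatch is conclusive but a match is only indicative."""
    return hashlib.md5(data).hexdigest(), format(zlib.crc32(data) & 0xFFFFFFFF, "08x")


def diff_regions(reference, active):
    """Return [(offset, length, kind)] for every run of differing bytes.
    kind is 'padding' when the reference bytes in that run were all zero
    (something was written into slack space), 'modified' when existing
    non-zero bytes were altered, and 'length' for a trailing size difference."""
    regions = []
    n = min(len(reference), len(active))
    i = 0
    while i < n:
        if reference[i] == active[i]:
            i += 1
            continue
        start = i
        while i < n and reference[i] != active[i]:
            i += 1
        ref_chunk = reference[start:i]
        kind = "padding" if all(b == 0 for b in ref_chunk) else "modified"
        regions.append((start, i - start, kind))
    if len(reference) != len(active):
        regions.append((n, abs(len(reference) - len(active)), "length"))
    return regions


def compare_files(reference_path, active_path):
    """Same check on two on-disk files; returns (checksums_match, regions)."""
    with open(reference_path, "rb") as f:
        reference = f.read()
    with open(active_path, "rb") as f:
        active = f.read()
    return checksums(reference) == checksums(active), diff_regions(reference, active)


if __name__ == "__main__":
    print("checksums match:", checksums(REFERENCE) == checksums(ACTIVE))
    for offset, length, kind in diff_regions(REFERENCE, ACTIVE):
        print(f"offset 0x{offset:x}: {length} byte(s) differ ({kind})")
```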