Annoying false positive on dmserver.dll

Discussion in 'NOD32 version 2 Forum' started by HeLLBRiNGeR, Nov 3, 2008.

Thread Status:
Not open for further replies.
  1. HeLLBRiNGeR

    HeLLBRiNGeR Registered Member

    Joined:
    Aug 1, 2008
    Posts:
    2
    Hi! I'm having a problem with NOD32 v2.7.39, reporting on the startup scans that dmserver.dll is a virus (Win32/Patched.BU, according to NOD32). I tried to put it on AMON's exclusion list but it detects the file on the startup scan even with it configured as excluded. I'm 99.99% certain that it's the original dmserver.dll file from Microsoft since they share the same MD5 and CRC32 checksums. So, my question is: is there a way to exclude the file from the startup scans?

    Thanks in advance
     
  2. ASpace

    ASpace Guest

    The better way is to take your Windows installation CD and run System File Checker (sfc.exe)

    Start -> Run -> sfc.exe /scannow. Keep the disc handy and insert it when Windows asks for it. Whether you are infected or not, this will replace the file with a 100% original copy. Reboot the machine after the process finishes.

    https://www.wilderssecurity.com/showpost.php?p=1322437&postcount=2

    If you still have problems after that, temporarily disable AMON, get the file and send it to ESET at samples@eset.com
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    We don't expect this detection to produce false positives. Please submit the file in question to samples[at]eset.com with this thread's url in the subject as advised above.
     
  4. kanenas

    kanenas Registered Member

    Joined:
    Sep 7, 2002
    Posts:
    14
    I just had the same warning with a 3.x version of Nod32.

    I compared the file (in \system32\) with the same version/date file in C:\WINDOWS\ServicePackFiles\i386\ and they were actually different.

    The active file in System32 had some code in areas that usually have zeroes in them and had a call to a function replaced by a call to a different address (I suppose a jump to the added code).
    I was too lazy to bother with it and just overwrote the file with the good one to keep Nod32 happy.

    I'm curious how they do that though. I had it happen to me once again a few weeks ago. I'd think these types of files would be tracked by the system to avoid tampering, but they don't seem to be.
     
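The two checks the thread describes, the MD5/CRC32 comparison from the first post and kanenas' byte-for-byte comparison of the System32 copy against the ServicePackFiles\i386 copy, as an added example that is not code from the thread or from ESET. The file bytes below are a constructed 128-byte stand-in, not real dmserver.dll content: a call at offset 0x10 to a routine at 0x40, followed by zero padding, and a "patched" copy in which the call has been redirected to a stub written into that padding. Offsets are raw file offsets; mapping them to RVAs through the PE section table is left out, so the call targets are only meaningful for a flat blob like the sample.

```python
import hashlib
import struct
import sys
import zlib


def file_hashes(data: bytes) -> dict:
    """MD5 and CRC32 of a blob (the two checksums compared in the thread)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "crc32": "%08x" % (zlib.crc32(data) & 0xFFFFFFFF),
    }


def diff_regions(baseline: bytes, active: bytes) -> list:
    """Return (offset, length) runs where the two blobs differ.
    A length difference is reported as one trailing region."""
    regions = []
    n = min(len(baseline), len(active))
    start = None
    for i in range(n):
        if baseline[i] != active[i]:
            if start is None:
                start = i
        elif start is not None:
            regions.append((start, i - start))
            start = None
    if start is not None:
        regions.append((start, n - start))
    if len(baseline) != len(active):
        regions.append((n, abs(len(baseline) - len(active))))
    return regions


def _call_target(data: bytes, p: int) -> int:
    """Target of an E8 rel32 call at offset p (raw file offset, not RVA)."""
    rel = struct.unpack_from("<i", data, p + 1)[0]
    return p + 5 + rel


def classify(baseline: bytes, active: bytes, regions: list) -> list:
    """Label each differing run the way kanenas describes it: code written
    into a zero-filled area, or a call whose rel32 displacement was changed."""
    findings = []
    for off, length in regions:
        base_chunk = baseline[off:off + length]
        if base_chunk and not any(base_chunk):
            findings.append(("code_in_padding", off, length))
            continue
        hit = None
        # The changed bytes must sit inside the rel32 of an E8 present in both files.
        for p in range(max(0, off - 4), off):
            if (baseline[p] == 0xE8 and active[p] == 0xE8
                    and off + length <= p + 5):
                hit = ("call_redirected", p,
                       _call_target(baseline, p), _call_target(active, p))
                break
        findings.append(hit or ("modified_bytes", off, length))
    return findings


def analyze(baseline: bytes, active: bytes) -> dict:
    """Hash comparison first; only diff the bytes when the hashes disagree."""
    same = file_hashes(baseline) == file_hashes(active)
    regions = [] if same else diff_regions(baseline, active)
    return {"hashes_match": same,
            "findings": classify(baseline, active, regions)}


# Constructed sample, not real dmserver.dll bytes: 128 bytes with a call at
# 0x10 to a routine at 0x40 and zero padding from 0x50 to the end.
BASELINE = (
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57" + b"\x90" * 7      # 0x00-0x0F
    + b"\xe8" + struct.pack("<i", 0x40 - 0x15)                 # 0x10: call 0x40
    + b"\x90" * (0x40 - 0x15)                                  # 0x15-0x3F
    + b"\x8b\xff\x55\x8b\xec\x5d\xc3" + b"\xcc" * 9            # 0x40-0x4F routine
    + b"\x00" * 0x30                                           # 0x50-0x7F padding
)

# The "active" copy: the call now goes to 0x60, where a stub was written into
# the padding; the stub ends with a jmp back to the original routine at 0x40.
STUB = b"\x60\x90\x61" + b"\xe9" + struct.pack("<i", 0x40 - (0x63 + 5))
_patched = bytearray(BASELINE)
_patched[0x10:0x15] = b"\xe8" + struct.pack("<i", 0x60 - 0x15)
_patched[0x60:0x60 + len(STUB)] = STUB
ACTIVE = bytes(_patched)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # baseline path, active path
        with open(sys.argv[1], "rb") as fb, open(sys.argv[2], "rb") as fa:
            base, act = fb.read(), fa.read()
    else:
        base, act = BASELINE, ACTIVE
    result = analyze(base, act)
    print("hashes match:", result["hashes_match"])
    for finding in result["findings"]:
        print(finding)
```

Run with two paths (for instance the ServicePackFiles\i386 copy and the System32 copy) to diff real files; without arguments it runs on the constructed sample and reports the redirected call at 0x10 (0x40 became 0x60) and the eight bytes of code in the formerly zero padding at 0x60. On a real DLL a match on both MD5 and CRC32 against a known-good copy is the strong signal, as in the first post; a mismatch should be followed by the sfc /scannow replacement ASpace suggests rather than by hand-editing the file.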