Results 1 to 10 of 29

Thread: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

Hybrid View

Previous Post Previous Post   Next Post Next Post
  1. #1
    kallhoff Guest

    Default What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Like so many other posters, I'm also frustrated with the many new security warnings popping up with the new version. However, I've worked through most of them, except for the warning that $sys$DRMServer.exe is trying to access the internet. I've run a google search on this file, with few results. I've looked for it in windows\system32\$sysfilesystem\ (where ZL thinks it is), but the file is not there. I don't know what this file is and if I should be worried about it. Please help!

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:6.0

  2. #2
    billc Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    I can't find much on it either except references to adware or spyware. One help forum had this posted. BTW, I certainly would not grant 'access' to it.<hr>Try the following:
    Go to start --> Run --> type "msconfig" without quotes in the promted
    dialog box --> Press OK button or Enter key --> the System
    Configuration Utility will run --> go to the StartUp tab --> uncheck
    any reference to the drmserver.exe or $sys$drmserver.exe --> reboot<hr>

  3. #3
    musashi_tzu Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    kallhof,Try this, go to: and run RootkitRevealer, it looks for nasties that use different techniques to hide themselves from the operating system.Keep us posted,Musashi

  4. #4
    kallhoff Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Thanks for the suggestion.. however, when I do the msconfig command, there is no reference to $sys$DRMServer.exe, and I can't find that executable in any system32 folder, or in fact, anywhere on my system.

    There are references to this in the registry HKEY_Local_Machine\System\ControlSet001\Enum\Root\ LEGACY_$SYS$DRMSERVER, and in HKEY_Local_Machine\System\ControlSet002\Enum\Root\ LEGACY_$SYS$DRMSERVER and in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\R oot\LEGACY_$SYS$DRMSERVER. Do you know what this area of the registry is used for?

    Thanks for any help..


  5. #5
    musashi_tzu Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    That is where the registry keeps information on "services". Services run in the background and can also be set to start automatically. You can manually change if a service starts automatically or even disable it alltogether. To do so, go to Start &gt; Run and type "services.msc" (without the quotes) and then click OK. It's hard to tell what the Name for the service will be listed as in the Services window, because the service name isnt usually the same as its file name. The good news though is that you can select a service, right click it and select properties and tell what executable the service is by looking in the "path to executable" field. Poke around in Services until you find your "$sys$DRMServer.exe". To stop it from automatically starting at boot, you can click the Stop button in the properties window to stop the service and then you can change the "start up type" to either manual or disabled. If you select Manual, the service can still run if needed by a program, but it will not start automatically. If you disable it, the service will not be able to run at all unless you change the "start up type" again to either manual or automatic.DRM stands for Digital Rights Management and is used in controlling protected media files, such as files you download from iTunes and and other MP3 stores. So its entirely reasonable to see something with a name including that. What troubles me though is the $sys$ prefix and the fact that you cant "see" the file. Which makes me think that it could be something nasty. It could be part of some technique to hide it.Musashi

  6. #6
    kallhoff Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Ok.. thanks for that information. I ran the command to display the services, and can find the $sys$DRMServer.exe in 'Plug and Play Device manager'. The properties say that the path to the executable is Windows\system32\$sys$filesystem\$sys$DRMServer.ex e. However, when I go to that directory and display the files, this file is not present. That seems fishy to me. I ran dir /A H to display hidden files, but it still didn't show this file. Is there another attribute to the dir command which shows hidden files? My daughter did install Itunes software within the past few months, could this be related?

    I'm running the rootkit program you told me about in one of your earlier appends. It's still running, but when it went throught he registry, it did find the registry entries with the $sys$DRMServer.exe. It says it's hidden from Windows API. I've read the help, but am not quite sure what this means. There are other entries in the rootkit results from the registry scan which say 'hidden from Windows API'. They are $sys$aries, $sys$cor, $sys$crater and the famous $sys$DRMserver. I know I'm probably way off topic with this thread, and I don't really mean to use you as technical support, but do I need to be worried about these entries?

  7. #7
    musashi_tzu Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Please save the RootKit Revealer results click File > Save and name it something and save it where you can find it again. Hiding from the Windows API basically means that it is tricking windows into not seeing it, and thereby you not seeing it. I cannot think of a legitimate program that would do that. Im looking into it more for you. I would disable it through services if possible for the time being and run a virus scan also. Ill be back with more later.


  8. #8
    seblair Guest

    Default Re: Here's how I got rid of it! :o)

    To rid myself of that miserable $sys$DRMServer.exe, I did the following:

    Boot-up in Safe Mode.
    Then do a Search in Advanced Mode with the following boxes checked:

    * Search system folders
    * Search hidden files and folders
    * Search subfolders

    The Search FOUND IT!! It was hidden and locked in the System folder. It is a 300K executeable file. I then deleted the file.
    In the past, I had tried to find the file, but could not (possibly because I wasn't in Safe Mode at the time, and I might not have checked the same boxes (above)). Anyway, WHEW!!! It's finally gone! I hope, if anyone tries this, they have similar good fortune. )

  9. #9
    forum_moderator Guest

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    If any users still have that software on their system and would like to help Zone Labs investigate further, please email - be sure to state that you have this software on your system, what version of ZA you have installed, and what OS you have. We will only need 1 or 2 people for this testing, which will include running a small program on your system for testing purposes (it won't make any everlasting changes). Also, be sure to let us know if you are willing to test a beta version for us.Thank you,MarcusForum Moderator

  10. #10
    Join Date
    Jun 2004

    Default Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts