
Thread: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

  1. #1
    kallhoff Guest

    What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Like so many other posters, I'm also frustrated with the many new security warnings popping up with the new version. However, I've worked through most of them, except for the warning that $sys$DRMServer.exe is trying to access the internet. I've run a google search on this file, with few results. I've looked for it in windows\system32\$sysfilesystem\ (where ZL thinks it is), but the file is not there. I don't know what this file is and if I should be worried about it. Please help!

    Operating System:Windows XP Home Edition
    Product Name:ZoneAlarm Pro
    Software Version:6.0

  2. #2
    billc Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    I can't find much on it either except references to adware or spyware. One help forum had this posted. BTW, I certainly would not grant 'access' to it.

    Try the following:
    Go to start --> Run --> type "msconfig" without quotes in the prompted
    dialog box --> Press OK button or Enter key --> the System
    Configuration Utility will run --> go to the StartUp tab --> uncheck
    any reference to the drmserver.exe or $sys$drmserver.exe --> reboot

  3. #3
    musashi_tzu Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    kallhoff, try this, go to: http://www.sysinternals.com/Utilitie...tRevealer.html
    Download and run RootkitRevealer, it looks for nasties that use different techniques to hide themselves from the operating system.
    Keep us posted,
    Musashi

  4. #4
    kallhoff Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Thanks for the suggestion.. however, when I do the msconfig command, there is no reference to $sys$DRMServer.exe, and I can't find that executable in any system32 folder, or in fact, anywhere on my system.

    There are references to this in the registry HKEY_Local_Machine\System\ControlSet001\Enum\Root\LEGACY_$SYS$DRMSERVER, and in HKEY_Local_Machine\System\ControlSet002\Enum\Root\LEGACY_$SYS$DRMSERVER and in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_$SYS$DRMSERVER. Do you know what this area of the registry is used for?

    Thanks for any help..

    Kathleen

  5. #5
    musashi_tzu Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    That is where the registry keeps information on "services". Services run in the background and can also be set to start automatically. You can manually change if a service starts automatically or even disable it altogether. To do so, go to Start > Run and type "services.msc" (without the quotes) and then click OK. It's hard to tell what the Name for the service will be listed as in the Services window, because the service name isn't usually the same as its file name. The good news though is that you can select a service, right click it and select properties and tell what executable the service is by looking in the "path to executable" field. Poke around in Services until you find your "$sys$DRMServer.exe". To stop it from automatically starting at boot, you can click the Stop button in the properties window to stop the service and then you can change the "start up type" to either manual or disabled. If you select Manual, the service can still run if needed by a program, but it will not start automatically. If you disable it, the service will not be able to run at all unless you change the "start up type" again to either manual or automatic.

    DRM stands for Digital Rights Management and is used in controlling protected media files, such as files you download from iTunes and other MP3 stores. So it's entirely reasonable to see something with a name including that. What troubles me though is the $sys$ prefix and the fact that you can't "see" the file. Which makes me think that it could be something nasty. It could be part of some technique to hide it.

    Musashi

  6. #6
    kallhoff Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Ok.. thanks for that information. I ran the command to display the services, and can find the $sys$DRMServer.exe in 'Plug and Play Device manager'. The properties say that the path to the executable is Windows\system32\$sys$filesystem\$sys$DRMServer.exe. However, when I go to that directory and display the files, this file is not present. That seems fishy to me. I ran dir /A H to display hidden files, but it still didn't show this file. Is there another attribute to the dir command which shows hidden files? My daughter did install iTunes software within the past few months, could this be related?

    I'm running the rootkit program you told me about in one of your earlier appends. It's still running, but when it went through the registry, it did find the registry entries with the $sys$DRMServer.exe. It says it's hidden from Windows API. I've read the help, but am not quite sure what this means. There are other entries in the rootkit results from the registry scan which say 'hidden from Windows API'. They are $sys$aries, $sys$cor, $sys$crater and the famous $sys$DRMserver. I know I'm probably way off topic with this thread, and I don't really mean to use you as technical support, but do I need to be worried about these entries?
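The cross-check musashi_tzu describes in #5 and kallhoff carries out by hand in #6 (a service registered in the registry whose "path to executable" a directory listing cannot see), written up as an added Python example that is not part of this thread. The sample service table and visible-path set are constructed to mirror the thread; on Windows the registry_services helper reads the real Services key instead, which is an assumption about where ImagePath values live.

```python
import os
import sys

# Constructed sample modelled on the thread (not real system data): a service whose
# "path to executable" the file-listing view cannot see, beside two ordinary services.
SAMPLE_SERVICES = {
    "PlugPlay": r"C:\WINDOWS\system32\services.exe",
    "$sys$DRMServer": r"C:\WINDOWS\system32\$sys$filesystem\$sys$DRMServer.exe",
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
}
SAMPLE_VISIBLE = {r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\system32\spoolsv.exe"}

def normalise_image_path(image_path):
    """Reduce an ImagePath value such as '"C:\\x y\\a.exe" -k net' or 'a.exe -k net' to the .exe."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:].split('"', 1)[0]
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p

def suspicious_services(services, is_visible):
    """Cross-view check: a registered service (registry view) whose executable the
    file-listing view cannot see, or whose name carries the $sys$ prefix from the thread.
    Returns a list of (service name, executable path, reason)."""
    findings = []
    for name, image in services.items():
        path = normalise_image_path(image)
        if not is_visible(path):
            findings.append((name, path, "executable not visible to file API"))
        elif name.startswith("$sys$"):
            findings.append((name, path, "unusual $sys$ name prefix"))
    return findings

def registry_services():
    """Windows only: ImagePath of every key under HKLM\\SYSTEM\\CurrentControlSet\\Services."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            try:
                with winreg.OpenKey(root, name) as key:
                    out[name] = winreg.QueryValueEx(key, "ImagePath")[0]
            except OSError:  # keys without an ImagePath value
                pass
    return out

if __name__ == "__main__":  # live registry on Windows, constructed sample elsewhere
    live = sys.platform == "win32"
    svcs, seen = (registry_services(), os.path.exists) if live else (SAMPLE_SERVICES, SAMPLE_VISIBLE.__contains__)
    for name, path, why in suspicious_services(svcs, seen):
        print(f"{name}: {path} ({why})")
```

Run on a live Windows box the file-existence check uses the same Windows API view the thread's dir command does, so a hit means the registry and the file system disagree, which is exactly the mismatch RootkitRevealer reports.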

  7. #7
    musashi_tzu Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Please save the RootKit Revealer results: click File > Save, name it something and save it where you can find it again. Hiding from the Windows API basically means that it is tricking Windows into not seeing it, and thereby you not seeing it. I cannot think of a legitimate program that would do that. I'm looking into it more for you. I would disable it through services if possible for the time being and run a virus scan also. I'll be back with more later.

    Musashi

  8. #8
    kallhoff Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Thank you so much.. I really appreciate your help. In the rootkit report, there were a number of files listed as living in the windows\system32\$sys$filesystem directory, but I can't see them. Very fishy..

    Again, thanks for the help.

    Kathleen

  9. #9
    musashi_tzu Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    Yeah, if the dir /a:h command doesn't list it, then something is up to no good. I just ran some tests and it's not iTunes and it's definitely not part of a normal Windows install. Fortunately the way Zone Alarm works it can see things that even Windows can be fooled into not seeing, and that's why you got the alert and were able to start looking into it. The only Google hits I get for it are vague mentions of malware but nothing specific. The good news then is that you are onto it, the bad news is that this probably isn't a run of the mill garden variety baddie and will probably be hard to get rid of. Like I said, try to disable it first, then run a scan with your antivirus and anti-spyware and see if it gets picked up by something. If no luck I'll give you some more suggestions. Let me know how it goes.

    Musashi

  10. #10
    kallhoff Guest

    Re: What is $sys$DRMServer.exe and why is ZoneLabs 6 warning me about it?

    I booted in safe mode.. and lo and behold, this file was visible in the windows\system32\$sys$filesystem directory.
    Then I ran services.msc and the process which uses this file (Plug and Play Device Manager) is no longer running. When booted in regular mode, I could see the process running, but could not stop it. I have another process running called Plug and Play which uses windows\system32\services.exe. This one seems legit.

    I renamed the file $sys$DRMServer.bak and rebooted. I didn't want to delete it, since I'm not entirely sure what it is, but thought that if I renamed it, I can see if my system does something strange and I can figure out if this file is legitimate.

    Being pretty computer literate, but not a guru by ANY stretch... what is different about safemode, and can this file be visible in safe mode, but not in regular mode? There were other files visible in the $sys$filesystem when in safemode that also are not visible in regular mode. Do I need to be worried about these too?

    Musashi_tzu, thanks for your suggestions and help figuring out what this stinker is.. I guess I still don't really know what the file is, but I feel better now that I've kind of disabled it for the time being so that I can see what effect it will have. Should I be worried about the registry entries for this file?
