Hello,

I just bought The Chronicles of Riddick - Assault on Dark Athena on this site, but during setup, my antivirus software (Microsoft Security Essentials) threw me an alert on a temporary file created by the installer. The antivirus says that the file is infected by VirTool:Win32/Obfuscator.XZ.

I followed the recommendations of the antivirus software and deleted the file.

Just to make sure, I immediately scanned the installation directory of the game and the antivirus software again found that VirTool:Win32/Obfuscator.XZ thing in the file dvm.dll.

I followed again the recommendations of the antivirus software and deleted the file.

But, when I want to play the game, a popup window appears and says it is impossible to start the program because dvm.dll is missing!

Is it a joke? I must accept a rootkit on my computer to play a game I've paid for?

Is there a solution to this problem?

Thanks in advance for your help.
This question / problem has been solved by Antaniserse
Read the other threads below... the file is not infected

'VirTool:Win32/Obfuscator' is a generic warning for files whose code has been encrypted; sometimes this is done to cheat anti-virus software, but sometimes for other purposes, i.e. DRM and such

In this case, the file is a leftover from the (now inactive) TAGES system, and is wrongly detected by MSE as dangerous.
Restore the file, put an exception in the options, and off you go...
Post edited July 07, 2012 by Antaniserse
Guixyy: Hello,

I just bought The Chronicles of Riddick - Assault on Dark Athena on this site, but during setup, my antivirus software (Microsoft Security Essentials) threw me an alert on a temporary file created by the installer. The antivirus says that the file is infected by VirTool:Win32/Obfuscator.XZ.

I followed the recommendations of the antivirus software and deleted the file.

Just to make sure, I immediately scanned the installation directory of the game and the antivirus software again found that VirTool:Win32/Obfuscator.XZ thing in the file dvm.dll.

I followed again the recommendations of the antivirus software and deleted the file.

But, when I want to play the game, a popup window appears and says it is impossible to start the program because dvm.dll is missing!

Is it a joke? I must accept a rootkit on my computer to play a game I've paid for?

Is there a solution to this problem?

Thanks in advance for your help.
The file isn't infected. Restore the deleted file (or reinstall the game if you can't for some reason). Then, add an exclusion in Microsoft Security Essentials:

1 - Open Microsoft Security Essentials
2 - Click the Settings tab
3 - Highlight Excluded files and locations
4 - Add DarkAthena_Launcher.exe (you will have to browse to wherever you installed this file -- C:\Program Files (x86)\GOG.com\ is the default)
5 - Click Save changes
Post edited July 07, 2012 by CyberStroobs
The TAGES system is not inactive.

I made a fake version of dvm.dll, and the TAGES system required installing itself at the first launch of the game.

And if the file is encrypted for good reasons, why isn't it signed with a certificate, like the other DLLs in the folder, signed by Atari EU?

I briefly reviewed the file and I can assure you that it appears to behave like a rootkit.

Just because people proclaim in an authoritative manner, without evidence, that this is not a virus does not make it true.

In my point of view, the file doesn't have an authentication certificate, and behaves like a rootkit. The only nearly acceptable evidence that the file is not a virus would be a signature by a trusted certificate.

So, is it possible to have a clean or certified version of this dll?
Post edited July 07, 2012 by Guixyy
Guixyy: The TAGES system is not inactive.

I made a fake version of dvm.dll, and the TAGES system required installing itself at the first launch of the game.

And if the file is encrypted for good reasons, why isn't it signed with a certificate, like the other DLLs in the folder, signed by Atari EU?

I briefly reviewed the file and I can assure you that it appears to behave like a rootkit.

Just because people proclaim in an authoritative manner, without evidence, that this is not a virus does not make it true.

In my point of view, the file doesn't have an authentication certificate, and behaves like a rootkit. The only nearly acceptable evidence that the file is not a virus would be a signature by a trusted certificate.

So, is it possible to have a clean or certified version of this dll?
Certificates only provide a false sense of security. Just because a file is signed means absolutely nothing. Secondly, like you were already told, read those other threads. Anything that needed to be said was already said. And for your rootkit claims, well... come on, at least use Wikipedia or whatever to inform yourself. Thank you.
Post edited July 07, 2012 by onebuyer
onebuyer: Certificates only provide a false sense of security. Just because a file is signed means absolutely nothing. Secondly, like you were already told, read those other threads. Anything that needed to be said was already said. And for your rootkit claims, well... come on, at least use Wikipedia or whatever to inform yourself. Thank you.
A certificate authenticates the author of the file.
If a file is signed by a genuine certificate, and if this file is infected, it is possible to trace back to those responsible for the situation.

Without a signature (or if the certificate used to sign isn't itself signed by a root CA), it's not possible to know where the file comes from.

What Wikipedia article are you talking about?

Throughout the threads I've read, it's always the same answer coming back: the file is not infected, ignore your antivirus software.

If you can provide me a link that contains more information, I would appreciate it; otherwise, none of this is satisfying!

For information, I'm an IT security expert.
Post edited July 07, 2012 by Guixyy
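A practical first check for the claim above (whether a PE file carries an embedded Authenticode signature at all), as an added example that is not from any poster in this thread: it parses the PE headers and reads the security data directory, which for this entry is a raw file offset to the WIN_CERTIFICATE table. The sample image built by `build_sample` is constructed for the demonstration and is not the real dvm.dll.

```python
import struct

SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY: the Attribute Certificate Table

def authenticode_entry(data: bytes):
    """Return (file_offset, size) of the embedded WIN_CERTIFICATE table, or None
    if none is present. Presence only: this does not verify the signature or chain."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER (20 bytes)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                       # PE32
        dirs = opt + 96
    elif magic == 0x20B:                     # PE32+
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    (ndirs,) = struct.unpack_from("<I", data, dirs - 4)   # NumberOfRvaAndSizes
    entry = dirs + SECURITY_DIR * 8
    if ndirs <= SECURITY_DIR or entry + 8 > opt + opt_size:
        return None                          # header too short for this directory
    off, size = struct.unpack_from("<II", data, entry)   # file offset, not an RVA
    if off == 0 or size == 0:
        return None
    if off + size > len(data):
        raise ValueError("certificate table points outside the file")
    return off, size

def build_sample(signed: bool, pe32plus: bool = False) -> bytes:
    """Constructed, headers-only PE image (not a real DLL) for demonstration;
    with signed=True it appends a dummy 16-byte WIN_CERTIFICATE record."""
    magic, dirs_off = (0x20B, 112) if pe32plus else (0x10B, 96)
    opt_size = dirs_off + 16 * 8             # 16 data directories of 8 bytes each
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, dirs_off - 4, 16)   # NumberOfRvaAndSizes
    body = hdr + opt
    if signed:
        cert = struct.pack("<IHH", 16, 0x0200, 0x0002) + b"\xAA" * 8  # dwLength, wRevision, wCertificateType
        struct.pack_into("<II", body, len(hdr) + dirs_off + SECURITY_DIR * 8, len(body), len(cert))
        body += cert
    return bytes(body)
```

A present table says nothing about validity; checking that the signature verifies and chains to a trusted root, which is the poster's actual requirement, is a job for `signtool verify` or PowerShell's `Get-AuthenticodeSignature`.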
Goes to show you that DRM is a virus with an authentication certificate. Another reason not to buy DRM infected games.
FlyByU: Goes to show you that DRM is a virus with an authentication certificate. Another reason not to buy DRM infected games.
In this case, I bought a game on GOG, and it is not supposed to have DRM.

In addition, a rootkit is not a virus.

I prefer the rootkit of a commercial company to that of criminals.

Even if I don't like it, the implications are not the same.
FlyByU: Goes to show you that DRM is a virus with an authentication certificate. Another reason not to buy DRM infected games.
Guixyy: In this case, I bought a game on GOG, and it is not supposed to have DRM.

In addition, a rootkit is not a virus.

I prefer the rootkit of a commercial company to that of criminals.

Even if I don't like it, the implications are not the same.
You're right, it's not a virus, it is malware. Malware designed to hide the existence of certain processes or programs. So what is worse? I'd say both are bad. I don't want any of it on my PC.
FlyByU: Goes to show you that DRM is a virus with an authentication certificate. Another reason not to buy DRM infected games.
Wouldn't that be the exact reason to buy it from Gog? To avoid the DRM altogether.

Tages, SecuRom, Starforce and likely plenty others I don't know the name of act like rootkits. They act like rootkits because if they didn't they'd be too easy to circumvent.

I'd have expected a version without the DRM. Not just a version still carrying the DRM but with a 3rd party tinkering with the .dll file the DRM is reliant on to make it think everything is fine and running.

Sure it won't require activation or a DVD in drive or other thing, but still having to run it through protection algorithms doesn't strike me as all that DRM free. Even if the .dll doesn't require you to install the rootkit system on your computer.

And wasn't using a scene-made no-CD crack as an official fix to remove the CD check from a game what got... I believe it was Sony so much criticism back a few years ago when they agreed to remove their CD check on a game? Just curious.
FlyByU: You're right, it's not a virus, it is malware. Malware designed to hide the existence of certain processes or programs. So what is worse? I'd say both are bad. I don't want any of it on my PC.
And you are wrong. Malware is malicious software, whatever the type.

A rootkit is software dedicated to obfuscating the presence and/or the activity of another piece of software.

A rootkit can be necessary for anti-cheat software and DRM systems. It's not very pleasant, but they are not malware!

In this case, I see no reason for the presence of a rootkit in this game.

Especially a rootkit whose origin is not identified!

Because in this case, it is likely that this rootkit is just there to hide a malware.

DrakeFox: [...]

Wouldn't that be the exact reason to buy it from Gog? To avoid the DRM altogether.

Tages, SecuRom, Starforce and likely plenty others I don't know the name of act like rootkits. They act like rootkits because if they didn't they'd be too easy to circumvent.

I'd have expected a version without the DRM. Not just a version still carrying the DRM but with a 3rd party tinkering with the .dll file the DRM is reliant on to make it think everything is fine and running.

Sure it won't require activation or a DVD in drive or other thing, but still having to run it through protection algorithms doesn't strike me as all that DRM free. Even if the .dll doesn't require you to install the rootkit system on your computer.

[...]
I totally agree!

Especially when the tinkering adds a potentially malicious rootkit!

Because I've recovered the original dvm.dll, and it's not detected as malware, unlike the DLL provided by GOG.
Post edited July 07, 2012 by Guixyy
Guixyy: The TAGES system is not inactive.

I made a fake version of dvm.dll, and the TAGES system required installing itself at the first launch of the game.
It's the correct DLL (the one that your AV deleted) that renders it inactive; I guess that the presence of your fake one triggers the protection code inside the EXE (I don't know the details of how TAGES works, but if it's tightly integrated with the code, it is possible that Atari does not have a clean EXE)
I briefly reviewed the file and I can assure you that it appears to behave like a rootkit.
Of course it does, it was part of the DRM... the point is that it was hacked to make the DRM inactive, but the rest of the code by TAGES is still there, and that is what the AV does not like (the combination of obfuscated code by TAGES + tinkering to alter it)

Even the original, unmodified DLL (ie with DRM active) is known to have caused some false detections in the past... you'll find similar reports for other games like the Anno xxxx series, X3 Terran Conflict, Risen1&2...

Edit - I just noticed that the false positive is confirmed by GOG on the official support page:
http://www.gog.com/en/support/the_chronicles_of_riddick_assault_on_dark_athena/virus_warning
Post edited July 07, 2012 by Antaniserse
Antaniserse: Of course it does, it was part of the DRM... the point is that it was hacked to make the DRM inactive, but the rest of the code by TAGES is still there, and that is what the AV does not like (the combination of obfuscated code by TAGES + tinkering to alter it)

Even the original, unmodified DLL (ie with DRM active) is known to have caused some false detections in the past... you'll find similar reports for other games like the Anno 20xx series, X3 Terran Conflict, Risen2...
So either the source code of this DLL must be made available (and in a manner sufficient to ensure that we can compile it ourselves), or this DLL must be digitally signed by the company that created it.

Otherwise how else can we be sure that it is not just a no-CD patch with a virus, taken from a pirate site by employees of GOG to save time?
Antaniserse: Edit - I just noticed that the false positive is confirmed by GOG on the official support page:
http://www.gog.com/en/support/the_chronicles_of_riddick_assault_on_dark_athena/virus_warning
Just as I said before: "It's not a virus, just believe us!"

I've seen this page, but as I already said, a peremptory statement does not satisfy me.

Why would I trust a company that uses an unsigned and encrypted crack more than a company that uses DRM?
Post edited July 07, 2012 by Guixyy
Then don't play it. The rest of us are enjoying some virus-free Vin Diesel-powered awesomeness. Thanks again, GOG!

/thread
Antaniserse: Of course it does, it was part of the DRM... the point is that it was hacked to make the DRM inactive, but the rest of the code by TAGES is still there, and that is what the AV does not like (the combination of obfuscated code by TAGES + tinkering to alter it)

Even the original, unmodified DLL (ie with DRM active) is known to have caused some false detections in the past... you'll find similar reports for other games like the Anno 20xx series, X3 Terran Conflict, Risen2...
Guixyy: So either the source code of this DLL must be made available (and in a manner sufficient to ensure that we can compile it ourselves), or this DLL must be digitally signed by the company that created it.

Otherwise how else can we be sure that it is not just a no-CD patch with a virus, taken from a pirate site by employees of GOG to save time?
Antaniserse: Edit - I just noticed that the false positive is confirmed by GOG on the official support page:
http://www.gog.com/en/support/the_chronicles_of_riddick_assault_on_dark_athena/virus_warning
Guixyy: Just as I said before: "It's not a virus, just believe us!"

I've seen this page, but as I already said, a peremptory statement does not satisfy me.

Why would I trust a company that uses an unsigned and encrypted crack more than a company that uses DRM?
1. Neither StarBreeze, Atari nor GOG encrypted anything.
1.2 Should any company crack a crack, nowadays?
1.3 You should ask yourself where's the source code and why there was never a virgin exe.
2. Signing a Virus would be funny, but obviously OK for you.
3. The copy protection is still intact inside the exe. The dll contained a virtual machine doing the magic.
3.1 Similar to a simple call, the copy protection asked the virtual machine something; if it didn't give back the correct answer, the exe would know something was wrong and stop execution.
3.2 Only StarBreeze and Reloaded know what was going on internally.
4. Don't call yourself a Security Expert, believe me, don't do it.
4.1 As a "Security Expert" you would realize that it was a slightly modified dll. While it's the Reloaded crack, someone tried to play with it. "Useful" things like the PE Import were rearranged...
4.2 "Sarcasm"