Suspicious file creation on D2 startup

Psyrus

Diabloii.Net Member

I don't know if this belongs here, but I guess I'll find out.

This just began today. Almost immediately upon starting up D2, I get a warning from Windows Defender regarding the creation of CmdLineExt03.dll in the /system32 directory, classifying it as a trojan named "CmdLineCM." Removing it is successful at every attempt, but it recreates itself every time I restart D2.

I ran a number of Google searches (dll name + diablo 2) to find out what the deal is, but the result leaves me more confused. I find search results containing people mentioning similar incidents: Half state that it is indeed a trojan and is in relation to game cracks, key generators, desktop hijacks, etc. The other half state that it's involved with CD copy protection and is normal. At this point, I get stuck with many choices from contacting MS support, Blizzard support, and/or posting on a forum. I'm just trying to find out whether this thing is indeed normal or not, and if it is not, how to get rid of it for good.

Now before you ask about what I mentioned earlier, I have not and never will touch any kind of hack and/or keygen in relation to D2 or not.
 

Inokis

Diabloii.Net Member
This is a copy protection mechanism employed by many other games. There was an update to Windows Defender that now identifies the file. I'd recommend just removing it at every instance that it comes up. I'm hesitant to recommend allowing the file as then any malware that incorporates the same technique would then be ignored.

Remove it when it comes up, don't quarantine it or dii may not run properly.

I've posted at the below link to get the best method on handling the instance as I don't want to give bad advice to anyone, for now just remove it per instance:
http://www.microsoft.com/athome/security/spyware/software/newsgroups/reader/default.mspx?dg=microsoft.private.security.spyware.general&lang=en&cr=US&r=33d293cc-19b6-404b-865b-565a73822c7f
 

kuafu

Diabloii.Net Member
Good to know that it's not just me seeing the error today. To merge threads, see mine for an easier solution than deleting the file every time.
 

Psyrus

Diabloii.Net Member
That's a relief. Thanks for the responses.

I tried quarantining the .dll instead of removing it yesterday, and it seems that it doesn't affect the game any. It just creates a new copy. Having to remove the thing after every instance of starting D2 up will be a bit monotonous though.

Edit: Never mind, I won't have to. I created a dummy folder/file instead.
 

Inokis

Diabloii.Net Member
You can safely ignore the file when it's generated by Diablo II.

What this does is it sends a marker to the program to temporarily ignore the file, so long as it only behaves in the manner when detected. If the file does something different, such as it would with malware etc, then any additional activities would be detected and you would be prompted again for action.

For example, if you ignore it and then try opening it with notepad, it will come up again since that is a new event not coded in the original detection.

So long as you currently are only getting this when dii runs, I advise ignoring it and any warnings later you should remove the file.
 

Inokis

Diabloii.Net Member
What's to get fixed?

Windows Defender, along with other spyware programs, detects this file due to the fact that it has been used to mask malware. Since the generation of the file isn't tied to the program that generated it, it's impossible to allow the file based on programs allowed to run on your system. That I believe is why it triggers the detection.

The software is doing what it's supposed to, there's nothing broken.
 