Trojan Yes or No

Discussion in 'Trojan Defence Suite' started by AAPlus, Mar 21, 2002.

Thread Status:
Not open for further replies.
  1. AAPlus

    AAPlus Guest

    Hello, All

    Has anyone had this problem? When I updated TDS and did a reboot I keep getting this:

    Mutex Memory Scan
    Trojan Mutex(es) Found:

    Before the new update I would see:

    Mutex Memory Scan no Trojan Mutex(es) Found:

    Now when I go and do a Full System Scan I get no alarms at all, so do I have a problem here or is it the update?

    Oh, this is happening on both Win98 and WinXP.

    Thank you
     
  2. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    A mutex infection could for instance be a Nimda infection, to name one of the many; that one you can test at the DCS web site
    http://www.diamondcs.com.au/source/
    at the bottom of that page.
    It would not alarm easily if nothing is there.

    Trying the mutex test now, just updated to 11903 refs...
    It just says
    "Trojan mutex(es) found: "
    and stops there, so that means we are clean.
    Looking in older logs, indeed there it said:
    "[Mutex Memory Scan] Started...
    [Mutex Memory Scan] Finished (no trojan mutexes found)."
    which is less confusing.
    With this, you don't seem infected at all, for in that case the name would have been displayed.
    So don't worry, most of all as everything else functions right and nothing came up in the Full System Scan.
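    The "Mutex Memory Scan" discussed above works by asking the operating system whether named mutexes from a reference list currently exist; a trojan that wants to run only once creates such a mutex at start-up, so the test finds an active infection without reading the disk. The script below is an added illustration of that technique, not DiamondCS's code: the reference names are constructed placeholders (not real trojan indicators), the Windows probe uses the real kernel32 OpenMutexW call, and the report deliberately prints an explicit "no trojan mutexes found" line rather than the empty "Trojan mutex(es) found:" that confused the original poster.

```python
"""Added example: a minimal "mutex memory scan" of the kind the thread discusses.

This is the general technique, not DiamondCS's implementation. The reference
names below are constructed placeholders, NOT real malware indicators.
"""
import sys
from typing import Optional

# Constructed reference list (hypothetical mutex names -> hypothetical trojan names).
REFERENCE_MUTEXES = {
    "Global\\ExampleTrojanA_RunOnce": "ExampleTrojan.A",
    "ExampleKeylogger.B.instance": "ExampleKeylogger.B",
}

SYNCHRONIZE = 0x00100000      # minimal access right needed to open a mutex
ERROR_FILE_NOT_FOUND = 2      # GetLastError() value when no such mutex exists


def open_named_mutex(name: str) -> Optional[bool]:
    """True if a mutex called `name` exists in this session, False if it does not,
    None if the question cannot be answered (non-Windows host or an access error)."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    handle = k32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        k32.CloseHandle(handle)
        return True
    if ctypes.get_last_error() == ERROR_FILE_NOT_FOUND:
        return False
    return None  # e.g. access denied: the mutex may exist but we cannot tell


def mutex_scan(reference=REFERENCE_MUTEXES, probe=open_named_mutex):
    """Probe every reference name. Returns (found, unknown): `found` maps a
    detected mutex name to its trojan name, `unknown` lists names we could not test."""
    found, unknown = {}, []
    for name, trojan in reference.items():
        result = probe(name)
        if result is True:
            found[name] = trojan
        elif result is None:
            unknown.append(name)
    return found, unknown


def report(found, unknown) -> str:
    """Render the result the way the corrected TDS build does: say explicitly
    when nothing was found instead of printing an empty 'found:' line."""
    lines = ["[Mutex Memory Scan] Started..."]
    for name, trojan in found.items():
        lines.append(f"  Trojan mutex found: {name} ({trojan})")
    for name in unknown:
        lines.append(f"  Could not test: {name}")
    if found:
        lines.append(f"[Mutex Memory Scan] Finished ({len(found)} trojan mutex(es) found)")
    else:
        lines.append("[Mutex Memory Scan] Finished (no trojan mutexes found)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(*mutex_scan()))
```

    The probe is injectable so the matching and reporting logic can be exercised on any host; on a non-Windows machine every name is reported as untested rather than silently as clean, which is the distinction a scanner must preserve.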
     
  3. AAPlus

    AAPlus Guest

    Hello, Jooske

    First I'd like to say thank you for the help and reply, and keep up the good work.

    Thanks
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome, AAPlus,
    and you too! Keep in touch.
    Does it otherwise run OK on both your systems? XP is for many still a whole new experience, I read in the fora (not using that myself).
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just noticed the text is now again
    "Finished (No trojan mutexes found)"
    Better feeling, isn't it? :p
     
  6. AAPlus

    AAPlus Guest

    Hello, Jooske

    Yes, I now have "Finished (No trojan mutexes found)",

    but I have a new problem: when I updated TDS again, now when I do a Full System Scan I get this:

    Alarm:    Positive identification <Adv>: Possible keylogger

    File: x:\03\dcsmutex.dll

    Now I tried to delete this file but TDS keeps putting it back. Do I have a problem?

    Oh, this is on both Win98 and WinXP.

    Thanks
     
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Yeah, the whole internet is talking about it.
    Gavin posted that they added lots of new keylogging detections to the references, so I think they put it on the highest detection. As you've seen it says "Possible keylogger <Adv>", so the file has some code parts in it which could have been used by a real keylogger too.
    Be assured there is no problem with the file, as that is the thing testing the mutexes and, I guess, registry keys, looking at its name, so it could be the two things, meaning this detection and the text change come very close together.
    I have had the file on the system a long time, and now we all have the same alert after these new additions, so imagine the hundreds of worried people emailing about it.
    Posted in the private as well: nothing to worry about until it would say "Positive identification keylogger blabla version ...".
    I compare this with generic or heuristic scanning, which often gives alarms which need to be looked at more deeply but in many cases are OK. With our remarks they'll be able to refine the database.

    There is no need to delete it, and you'd better not, as it has to do with the mutex testing. It's a vital TDS element, so you can't delete it.
    In other cases, if you were worried, better copy such a thing to a safe place or zip it.
    First scan the thing with your other AV/AT scanners as well. Others have discovered it already as a false positive, so for sure this will be corrected at the first opportunity.
     
  8. AAPlus

    AAPlus Guest

    Hey, Jooske

    Once again thanks for the reply and help. Keep up the hard work.

    I thank you
     
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You're welcome,
    enjoy the rest of this beautiful weekend!

    Edited:
    In the meantime, a reply from Wayne:
    my answer is right for the keylogger kind of code.
    In the new update the correction has been made, as you will notice with your next scan after you grab it.
     
  10. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    To expand on that a little more, here's a copy-and-paste (with his permission of course) from Wayne:

    "Yes, this is a false positive -- we create dcsmutex.dll and TDS3, so there is no chance of that file or files like it ever being anything other than a false alarm. One of the mutexes that dcsmutex.dll was looking for had strings often found only in keyloggers, which is why the alarm was triggered. Normally dcsmutex.dll is compressed so such strings don't exist in the file, but it somehow escaped compression on Friday! We apologise for any confusion, but the file has now been recompressed and an additional routine has been added here to ensure that such a thing cannot happen in future - if you update your database now, things should be back to normal, with no false alarm on dcsmutex.dll

    We apologise for our absence over Saturday/Sunday; we spent the weekend upgrading our server and hard drives here before Easter - we like to upgrade our hardware before crashes occur

    Best regards,
    Wayne


    __________________
    Wayne Langlois / DiamondCS
    wayne@diamondcs.com.au"

    Hope that clears it up for everyone (especially since it's straight from the source).

    The update did indeed remove the false positive. Pete
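    Wayne's explanation is worth seeing in working form: a scanner component that carries, in plaintext, the very strings the scanner's keylogger heuristic looks for will trip that heuristic, and compressing (packing) the component hides the strings from a raw byte scan, which is why only the uncompressed Friday build alarmed. The script below is an added illustration of that mechanism, not DiamondCS code: the "suspicious strings", the fake DLL contents, the hit threshold, and the use of zlib as a stand-in packer are all constructed. The hash allowlist in scan_file is one plausible form of the "additional routine" Wayne mentions, assumed here; the thread does not say what DiamondCS actually added.

```python
"""Added example: how a scanner's own reference data can trip its heuristics,
and how compression hides the strings. Illustration only; all signature
strings, file contents and thresholds are made up for this example."""
import hashlib
import zlib

# Constructed heuristic: substrings a toy keylogger detector treats as suspicious.
# Two or more hits in the raw file bytes -> "Possible keylogger <Adv>".
KEYLOGGER_STRINGS = [b"SetWindowsHookEx", b"GetAsyncKeyState", b"keylog", b"klmutex"]
HIT_THRESHOLD = 2

# Constructed contents of a helper DLL whose job is to look for these mutex
# names (hypothetical names, not real indicators). The zero padding stands in
# for the empty section space a real PE image carries.
REFERENCE_BLOB = b"".join([
    b"MZ\x90\x00 toy PE header \x00",
    b"Global\\ExampleTrojanA_RunOnce\x00",
    b"klmutex_instance\x00",          # contains "klmutex"
    b"keylog_srv_mutex\x00",          # contains "keylog"
    b"\x00" * 256,
])


def pack(data: bytes) -> bytes:
    """Stand-in for the packer that normally compresses the DLL."""
    return b"PACK" + zlib.compress(data, 9)


def unpack(data: bytes) -> bytes:
    """Inverse of pack(); unpacked data is returned unchanged."""
    return zlib.decompress(data[4:]) if data.startswith(b"PACK") else data


def heuristic_scan(data: bytes):
    """Toy 'advanced' heuristic: count suspicious substrings in the raw bytes
    exactly as they sit on disk. Returns (verdict, hits)."""
    lowered = data.lower()
    hits = [s for s in KEYLOGGER_STRINGS if s.lower() in lowered]
    verdict = "Possible keylogger <Adv>" if len(hits) >= HIT_THRESHOLD else "clean"
    return verdict, hits


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan_file(data: bytes, known_good: set):
    """Scanner with an assumed vendor-side fix: components the vendor ships are
    recognised by hash before any heuristic runs, so their contents cannot
    produce an alarm however they were built. (Assumption for this example.)"""
    if sha256(data) in known_good:
        return "clean (vendor component)", []
    return heuristic_scan(data)


if __name__ == "__main__":
    packed = pack(REFERENCE_BLOB)
    print("compressed build   :", heuristic_scan(packed))          # strings hidden -> clean
    print("uncompressed build :", heuristic_scan(REFERENCE_BLOB))  # Friday's build -> alarm
    print("with hash allowlist:", scan_file(REFERENCE_BLOB, {sha256(REFERENCE_BLOB)}))
```

    The same property cuts both ways: packing hides strings from a naive scanner whether the file is a vendor's helper DLL or a real keylogger, which is why a string heuristic on raw bytes is only a weak signal and why a result like "Possible keylogger <Adv>" on a scanner's own component is worth checking against the vendor rather than acting on by deleting the file.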
     