dcmutex.exe

Discussion in 'Trojan Defence Suite' started by WilliamP, Feb 25, 2004.

Thread Status:
Not open for further replies.
  1. WilliamP

    WilliamP Registered Member

    I have Abtrusion Protector and it says it won't let C:program files TDS3\dcmutex.exe load. I have gone into Program file TDS3 and can't find that exe. I have to find it to tell AP to allow it. Please help.
     
  2. Jooske

    Jooske Registered Member

    Hi WilliamP, are you sure it is blocking the dcmutex.EXE and not DLL?
    The DLL is in the TDS-3 directory. Now i see it's renewed after each startup scan i wonder if there is an exe somewhere too. Hmm.....
     
  3. FanJ

    FanJ Guest

    Hi,

    1.
    Are you sure it is dcmutex.exe and not dcsmutex.exe ?

    2.
    OK, let's assume it is a typo, then indeed the same question as Jooske asked:
    Are you sure it is dcsmutex.exe and not dcsmutex.dll ?

    3.
    I have the file dcsmutex.dll on my system (in the TDS-3 dir), but not a file dcsmutex.exe

    4.
    Hi Jooske, I don't understand what you mean with this:
    "Now i see it's renewed after each startup scan...".
    How do you see that?
    I myself have the file dcsmutex.dll listed in my crcfiles.txt.
    So I will be alerted in case it is changed.
    The only times (as far as I know) when I see such an alert, is when I run the CRC-test after installing a new radius-file that also has an update for dcsmutex.dll.
    Dcsmutex.dll is not updated with every new radius-file.
    DiamondCS updates dcsmutex.dll only when necessary.
    (The same goes for advscan.dll).
     
  4. Jooske

    Jooske Registered Member

    Hi Jan,
    i looked in my TDS directory and saw the file had yesterday's date, so i assume it is saved like that after each scan?
    I don't think CRC would say there is a change if it is only redated after use, but ...... who knows?
     
  5. Peter2150

    Peter2150 Global Moderator

    Hi William

    First it is dcmutex.dll. Solution is simple.

    1. Right click on the AP icon in your icon tray.
    2. Choose settings.
    3. Then click on files
    4. Leave it on applications and scroll down until you
    find dcmutex.dll. It will be colored Red.
    5. Click on allow and it will turn green
    6. Click on Ok and close.

    This does happen on occasion when you update TDS. When I installed TDS I assigned it a package TDS3 in AP. When I update TDS, I switch AP to the install mode, and give it permission to install in the TDS folder.
    Then I update, and exit install mode.

    This should solve your problem.

    Pete
     
  6. FanJ

    FanJ Guest

    Hi Peter2150,

    Just for my understanding:
    Is it indeed dcmutex.dll (without the character s),
    or is it dcsmutex.dll (with the character s)?

    Thanks !
     
  7. WilliamP

    WilliamP Registered Member

    Hi folks. According to the box that pops up it is dcsmutex.exe that it stops. I did have System Safety Monitor and it had problems with it also. I have to find it in order to allow it to load. Always something.
     
  8. FanJ

    FanJ Guest

    Hi Jooske,

    The last days there was an update for dcsmutex.dll.
    (If you have had dcsmutex.dll listed in your crcfiles.txt for some time, then look at your TDS-3 logs.)
    The CRC-test of TDS-3 will only give an alert in case the CRC32 checksum has been changed.
    I will try to look more closely at its date.
     
  9. WilliamP

    WilliamP Registered Member

    FanJ, I don't know how to check the TDS3 log. I have found the DCSMUTEX.dll in the TDS files but AP says (exe). Maybe AP doesn't know what it is talking about.
     
  10. Peter2150

    Peter2150 Global Moderator

    First for FanJ. It is indeed DCSMUTEX.DLL. On occasion when TDS is updated, the new version does have to be allowed. It is part of TDS.

    For WilliamP

    First, any file, once you try and run it, can be allowed in the manner I described.

    Secondly, I don't have a clue what DCSMUTEX.EXE could be. I don't have one in AP, and I just did a search of my hard drive, and I have no such file on my system. I have every DCS product offered installed on my system. This is a puzzle.

    Pete
     
  11. FanJ

    FanJ Guest

    If it is indeed dcsmutex.exe then the explanation could be this (a little bit guessing now, but I think that that is what is happening):

    That dcsmutex.exe file could maybe be a temporary file created and deleted by TDS-3.
    When you let TDS-3 download and install a new radius-file, then TDS-3 checks if it contains an update for dcsmutex.dll (same for advscan.dll).
    If there is an update for dcsmutex.dll in the new radius-file, then TDS-3 unpacks it and the old dcsmutex.dll will be overwritten with the new dcsmutex.dll.
    Maybe during that process there is a temporary file dcsmutex.exe; I don't know.

    PS:
    Now you might ask yourself: what is happening with dcsmutex.dll when you download a new radius-file manually and copy it into your TDS-3 directory?
    Will I then also get a new dcsmutex.dll file in case there was an update for it?
    The answer is: yes.
    According to Gavin (thanks to both Gavin and Pilli for explaining this to me):
    You download radius.td3, the next time you reload/run TDS (or use the commandline "initradius") the new database will be loaded. Everything is unpacked and loaded - if there is an updated ADVScan.dll or dcsmutex.dll it's unpacked and overwrites the old file too.
     
  12. FanJ

    FanJ Guest

    Just for the record:
    I really don't know if such a temporary file dcsmutex.exe ever, even temporarily, exists.
    Wayne, Gavin or Jason has to jump in here (please ! ;) ).
    William, are you absolutely sure that AP tells it?
    Do you maybe have or please make a screenshot showing it?
     
  13. FanJ

    FanJ Guest

    William,

    The logs are in the sub-directory Logs of your TDS-3 directory.
    You have to enable the console activity.
    See my screenshot.
     


  14. Peter2150

    Peter2150 Global Moderator

    Okay guys. Just did a little test.

    1. I denied dcsmutex.dll privileges in AP.
    2. Fired up TDS. It was fine.
    3. Started testing.
    4. When I hit the Mutex Memory Scan. Bingo

    I did indeed get exactly the message WilliamP was describing. AP does indeed block DCSMUTEX.EXE.

    Also TDS reports a mutex trojan.

    5. Going back and allowing DCSMUTEX.DLL in AP and all runs fine.

    I suspect that as part of the mutex scan, this file is created temporarily as part of the scan, and then is deleted. Jason can clarify.

    If I got the screen shot uploaded correctly, you can see 3 mutex scans, the first two with the dll blocked by AP and the 3rd with it running normally.

    Pete

    Okay. I blew the upload.

    BOTTOM LINE.

    WilliamP Allow DCSMUTEX.DLL in the manner I described above and your problem with AP will be solved.
     
  15. FanJ

    FanJ Guest

    For Jooske:

    I shut down, restarted, shut down, restarted TDS-3:
    I see no change in date/time of dcsmutex.dll, looking at it via my PowerDesk Pro which is an alternative for Windows Explorer.
     
  16. WilliamP

    WilliamP Registered Member

    I love the help I get on this forum. I did what Pete said and it worked. When I opened TDS3 the AP window didn't pop out. All's well that ends well. Thank you all for the help.
     
  17. FanJ

    FanJ Guest

    Hi Peter,

    Oops sorry, I'm still confused by what you're saying :rolleyes:

    One time you are talking about dcsmutex.exe and another time about dcsmutex.dll

    What IS it exactly ?

    That's a pity ;)

    I'm glad it's working for you and William !
    Thanks !!!

    BTW:
    For what it's worth:
    I fired up TaskInfo2003 while letting it always stay on top.
    Then I started TDS-3.
    I really see no dcsmutex.exe in TaskInfo2003....
     
  18. WilliamP

    WilliamP Registered Member

    FanJ, all I know is that AP would pop up a window saying it prevented dcsmutex.exe from loading. When dcsmutex.dll was allowed then everything loaded fine. Now the question I have is why, something must change with that file for AP to disallow it.
     
  19. Peter2150

    Peter2150 Global Moderator

     
  20. FanJ

    FanJ Guest

    OK William and Peter,

    Here comes the proof that you both were right !!!!!!!
    And that deserves a big karma cookie for you both ;)

    I now fired up my WinTasks Pro.
    I configured it to make a log.
    Then I fired up TDS-3.
    Then I started my screen-capture program SnagIt 6 to make a screenshot.
    See now my screenshot of the log of WinTasks Pro :)
     


  21. FanJ

    FanJ Guest

    So, what you see there is that indeed during the startup of TDS-3 on my W98 SE box while doing its initial scans (I myself don't run the Process Memory Scan automatically at TDS-3 startup), during a very short period there is indeed a process running called dcsmutex.exe.

    You guys were definitely right :) (or WinTasks Pro is fooling me...).
     
  22. WilliamP

    WilliamP Registered Member

    I am happy that I can now deal with the situation. But I would like to know what changes, that makes AP dislike the file. Or at least it doesn't recognize it.
     
  23. Peter2150

    Peter2150 Global Moderator

    For AP to let any file run it must be in AP's database. Apparently in this case if the DLL file is allowed then the exe that is spawned can run, but if the DLL is not allowed then the spawned exe can't run either. This is good.

    Just make sure when you update TDS, that you give TDS temporary install privileges. If you forget then you just need to go in as I related and give the updated file privileges.

    This may be a bit off topic but should answer WilliamP's question.

    A simple way to test this and see it work, is if you have winzip (if not get an evaluation version at http://www.winzip.com) and zip up something and make a self extracting exe file and name it test.exe. Try and run it and AP will block it. Then allow it in AP and it will run. Now do the same thing zipping something else, make a self extracting exe, and name the new file test.exe.
    It will not run, because its thumbprint is now different and AP will pick that up and block the new file. You will have to allow the new one to get it to run.
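
The two checks discussed in posts 8 and 23 above (an alert only when the checksum changes, and a new test.exe with the same name being blocked), as an added Python example that is not part of the thread and is not AP's or TDS-3's code. The `Allowlist` class, its result strings and the file contents are hypothetical, and SHA-256 stands in for whatever thumbprint AP actually computes.

```python
import hashlib
import os
import tempfile
import zlib
from pathlib import Path


def fingerprint(path):
    """Return (CRC32, SHA-256) of the file's bytes; timestamps are not an input."""
    data = Path(path).read_bytes()
    return f"{zlib.crc32(data):08x}", hashlib.sha256(data).hexdigest()


class Allowlist:
    """Hypothetical hash-based execution allowlist, keyed by path."""

    def __init__(self):
        self._known = {}  # path -> SHA-256 recorded when the file was allowed

    def allow(self, path):
        self._known[str(path)] = fingerprint(path)[1]

    def check(self, path):
        recorded = self._known.get(str(path))
        if recorded is None:
            return "blocked: unknown file"
        if recorded != fingerprint(path)[1]:
            return "blocked: content changed"
        return "allowed"


def demo():
    """Walk through the test.exe experiment with constructed file contents."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        exe = Path(tmp) / "test.exe"
        exe.write_bytes(b"constructed archive A")
        acl = Allowlist()
        results.append(acl.check(exe))      # never seen before
        acl.allow(exe)
        results.append(acl.check(exe))      # same bytes as when allowed
        os.utime(exe, (0, 0))               # re-date only, bytes untouched
        results.append(acl.check(exe))
        exe.write_bytes(b"constructed archive B")  # new content, same name
        results.append(acl.check(exe))
    return results


if __name__ == "__main__":
    print(demo())
```

Re-dating the file leaves the verdict at "allowed" because neither digest reads the timestamp; only the rewritten bytes flip it to "blocked: content changed".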
     
  24. WilliamP

    WilliamP Registered Member

    I had tried SSM and it would key on the same dcsmutex and say that it was not the same file that had been allowed and you had to reallow it. Something changes the file.
     
  25. Vietnam Vet

    Vietnam Vet Registered Member

    Hi FanJ,

    I use Goback on this computer and after reading this thread, went back and looked at the logs it creates and comparing with the TDS-3 log, what happens on my system is this:

    10:05:58 [Mutex Memory Scan] Started...
    10:05:59 Dcsmutex.exe created (info from Goback log)
    seconds later: Dcsmutex.tmp created
    10:06:00 [Mutex Memory Scan] Finished (no trojan mutexes found).
    10:06:00 Dcsmutex.tmp deleted (info from Goback log)
    10:06:00 Dcsmutex.exe deleted

    WinTasks Pro is not fooling you!
     