Need help - urgent!

Discussion in 'Trojan Defence Suite' started by 996TT, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    Today I ran a "routine" check with TDS-3 and I had a pretty bad surprise when it showed me the following:

    12:14:19 [Mutex Memory Scan] Started...
    12:14:24 [Mutex Memory Scan] Trojan mutex(es) found:
    12:14:24 [Mutex Memory Scan] ... mutex found for TrojanDownloader.Win32.Adi
    12:14:24 [Trace Scan] Started...
    12:14:27 [Trace Scan] Finished.

    Then, it showed in the lower window the following:

    Positive identification (embedded in file): 5SW.Hn.Win32.DelFiMythoC-KþòÑ·»
    File: c:\programme\gemeinsame dateien\symantec shared\ccsetmgr.exe
    Positive identification (embedded in file): 5SW.Hn.Win32.DelFiMythoC-KþòÑ·»
    File: c:\programme\gemeinsame dateien\symantec shared\ccevtmgr.exe
    Positive identification (embedded in file): 5SW.Hn.Win32.DelFiMythoC-KþòÑ·»
    File: c:\programme\gemeinsame dateien\symantec shared\ccproxy.exe
    Positive identification (embedded in file): 5SW.Hn.Win32.DelFiMythoC-KþòÑ·»
    File: c:\programme\gemeinsame dateien\symantec shared\ccapp.exe
    Positive identification (embedded in file): 5SW.Hn.Win32.DelFiMythoC-KþòÑ·»
    File: c:\programme\norton internet security professional\norton antivirus\opscan.exe
    File Trace: Default trojan filename: Worm.Capside please submit
    File:
    File Trace: Default trojan filename: Worm.Capside please submit
    File:

    Surprised by the findings, I did a complete TDS-3 scanning check on my hdd c: and what a surprise, TDS-3 tells me in the lower window that ALL .exe files are infected. I have dozens of different programs installed, not to speak about the Windows .exe files. I highly doubt that ALL .exe files on my hdd c: are infected.

    I also have Norton Internet Security 2004 Pro, NOD32 and Trojanhunter 3.9 running in the background. But I never had problems.

    So now I need HELP: are really ALL .exe files infected or is it just a problem with TDS-3 I'm not aware of? I don't want to format my hdd and re-install everything again, I hate to do this because I have a lot of work to do.

    The other programs like NIS/NAV 2004, NOD32 and TH3.9 aren't detecting any viruses or trojans and, funny, even their .exe files seem to be infected according to TDS-3.

    What should I do, PLEASE, I need help. o_O
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi 996TT, this is a case of User v Admin. You probably installed as an Admin but then logged on as a normal user; this would account for the errors.
    If you run TDS3 from a normal user account you must "run as" an administrator.

    HTH Pilli
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Please post back if this solved the problem, or we might have to look even deeper into it
     
  4. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    I'm afraid things are not that simple:
    I installed the program as an Admin and I also run it as an Admin (I have only one single account on my Win XP Pro laptop).
    However I tried as you said and I right-clicked on the TDS-3 icon and selected "run as...".
    Then I selected Administrator and entered the password.
    After TDS-3 started, it found no more trojan mutexes in memory.
    But still in all .exe files. :(

    Should I uninstall TDS-3 and install it again? Maybe this helps?

    Right now I'm really starting to get desperate because I have to use the laptop for important work but I'm afraid to write mails, enter passwords and other sensitive data as long as the TDS-3 issue isn't cleared. :'(

    Any further ideas what I could do? o_O Thanks.
     
  5. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    edit.. see jooske's post below

    Cheers, TAS
     
    Last edited: Jul 9, 2004
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    see jooske's post below...

    ;)

    TAS
     
    Last edited: Jul 9, 2004
  7. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://support.centralcommand.com/cgi-bin/command.cfg/php/enduser/std_adp.php?p_faqid=531

    If you have the capside worm, here is a description. It is possible it has other payloads.

    Please try not to reboot yet, so it would not be a good idea to uninstall and re-install TDS as that requires a reboot.

    Is there anything unknown in the TDS Process list or windows task manager?
    I would look for a windows\capside.exe for instance.

    Do you have HijackThis?
    Wait a moment, did you have any other scanner running or with resident protection during your TDS scan?
    If so, which scanner was that, and could you please completely close that, including its resident protection, and try a new TDS scan?

    Please post back soon, as i look also deeper into it.

    BTW: i don't know if your laptop is at the moment connected to anything else but the internet for this communication, make sure it is not connected to any shares or network outside that! (to avoid infections if there are)
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Before reinstalling i have one more option (i really try to avoid the reboot)
    Which radius update site is your first one in your update.cfg?
    I had a little problem updating today and grabbed it manually from the Turvamies site from the update mirrors, which i know is OK.
    http://radius.turvamies.com/radius.td3
    So you might like to rename the current radius.td3 with an extra extension like *.old and get manually that Turvamies update, see if that solves it; your file might be corrupt, mayyyyyybe.

    These are the easy things to try first and look for results before a re-install.
     
    Last edited: Jul 10, 2004
  9. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Just see Tassie's postings edited again;
    You said a reboot in many cases solves a lot, agree completely with that, certainly as a win98SE user!
    And you said IF you decide to uninstall TDS, first uninstall its exec protection, save away the keyfile, and i would add any other personal datafiles like scripts you might have included in the meantime, your configuration file, any other files you edited like the Full System Scan .txt, CRC scans.txt etc.
    and then uninstall TDS, reboot, install TDS again (fresh download)
    copy back the files including keyfile, reboot
    and see if this helped.

    If all this does not help we go to the HijackThis steps, but first want to know the results from the former options.

    Thanks to Tassie for jumping in and reminding of the other options, had not seen you posting during my long monologues :)
     
    Last edited: Jul 10, 2004
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Other option: the Norton is on the loose!
    I see you have that shared somehow.
    So close that Norton completely with all resident protection till you know what's wrong.

    Were all the exe files infected or showing NTFS ADS streams?

    Maybe you can post a part of the scandump to have an impression?

    Hope you did not have NIS/NAV and NOD32 and TH all with their resident protections up together at the same time; that could lead to fights, and I would really advise to have one with that last and others scanning on demand. The TDS Exec Protection you should leave on all the time; it is no problem with any other scanners running a scan.

    If any of the former parts helped --looks like it was scanning some of the other databases!-- you can start your most preferred protection again and see if TDS accepts that again, before you might think of adding a next.
    And certainly if that scan was nice and clean you can reboot if you like, see if it is all still nice and smooth.
    Then you can decide which other scanner you might like to fire up beside it, but really not all 4 or 5 at a time actively.
     
    Last edited: Jul 10, 2004
  11. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    Now I think we're getting somewhere: I manually copied the radius update file to the TDS-3 install folder and restarted the scan. It still shows "mutex found for Trojandownloader.win32.adi" in the Memory Mutex Scan but the .exe files alarm disappeared as if there never has been anything.

    I have to say that I'm impressed with the many answers, thanks a lot!!! :)

    Yes, I have NIS/NAV 2004, NOD32 and TH3.9 real-time scanning active and never had problems with it. Sometimes NAV showed a malicious file and sometimes NOD32, it always worked without problems.
    Today I uploaded (through LiveUpdate) a Symantec ReDirector file and after a reboot a Internet Security Signature File, maybe this is how the problems started, I really don't know. :(

    I tried to de-activate NIS/NAV 2004, NOD32 and TH3.9 but TDS-3 still shows the memory mutex thing. :(

    There is no Capside virus on my computer but I also did a scan with Spy Sweeper and there seems to have been a Chinese trojan trace in the registry but no files. Strange.
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Congratulations thus far, you saved yourself lots of work with reinstalling etc.
    Now you might like to reboot and see if all is still the same.

    A next time when scanning with TDS, please close other scanners so TDS has free access everywhere.
    I'm trying to find info about that mutex thing, hope somebody knows more about that one or Gavin himself as he added the detection for it.

    Maybe using the DiamondCS APM from their free tools on the products page, does show up that mutex file if you look a little with that from Explorer .exe in the upper window for instance as it might either be a process which is properly hidden or no longer there.
    Make sure all your files are showing in folder options, including known extensions and system files, everything, no hidden files allowed.

    Honestly said i thought of those symantec filenames as if Chinese or Russian or such, so............. ... your NIS and NAV are running properly again?

    Somewhere above in my book (:D) here for you i mentioned the HiJackThis too.
    In thread 15913 you can see how to get the file to create a log with it to see if you see anything suspicious, and if you would not have SpybotS&D and Ad-Aware yet there are download links to those two too in that same posting.
    Since you like to solve problems, you might like to look in the DiamondCS AutoStartViewer too, with all options checked so it shows in the log everything starting or what even could think to be starting.
    That one you might either like to post or for privacy reasons send to support@diamondcs.com.au with mentioning this thread so the tech guys can tell you if there is anything wrong and if so where and what it is.

    In between of all this don't forget to add a lovely cup of coffee or something fresh to your to drink list but don't smudge the keyboard!
    You deserved it with all this hard working!
     
  13. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    I tried EVERYTHING you told me...and even more.
    Finally I uninstalled TDS-3 and re-installed it again.
    When I started it immediately after a fresh install (and a reboot of course after the install) without a Database update, it didn't show the memory mutex found in the Mutex Memory Scan.
    After I applied the Database update, TDS-3 again showed me mutex found for Trojandownloader.Win32.Adi. :(

    All other programs, NIS/NAV 2004, NOD32, TH3.9, Spysweeper 3.0, Ad-aware 6, Spybot S&D 1.3, Spywareblaster 3.2, HiJackThis 1.97.7, etc. work just fine, no problems reported. :(
    I also tried to stop all memory resident stuff, including some of the above but also AnyDVD 3.8.2.3 which might also be responsible for a problem.
    Nothing changed, TDS-3 still reports the memory mutex thing.

    I'm getting more and more nervous: do I have a trojan hidden somewhere or is it just a problem with TDS-3? As long as I don't have a final answer, I can't work with my laptop. :'(
    I'm gonna mail this thread to Diamond Support, thanks for the hint and thanks again for your help, I really appreciated that. :)

    I also uploaded the asviewer.txt file but I don't see anything suspicious.
     


  14. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you sure you clicked all 3 options for the ASViewer log? Seems so short!

    There was no need for TDS re-install, but ok, trying it could not harm either.
    From when was your former TDS update not showing the mutex and now in the last it does?
    There must have been added new mutex code to be detected between those two, as i suppose you kept all the other programs as they were and with their last updates during this last test.
    That TDS does see it as the only one doesn't mean TDS is wrong; it's just a very sensitive program with its own ways of detecting things which others keep unseen. Probably Gavin added that mutex detection code for the last update, if i understand your test results.
    It could be symantec added something to their last databases TDS picks up with the last radius update, --let's think of Symantec because of your first alerts-- although it could be an update from any of your other scanners too!
    You might ever have been infected with something cleansed out by any of your scanners and now TDS picks up the last code parts.


    Tassie in the meantime had a good advice to have also a good cleansing of your registry. As Tassie mentioned a person who posted over 400 files about symantec issues in DSLR forum.

    You have SpybotS&D too eh? If you set that to look for everything there is, does that show up such registry keys or anything with that mutex name?


    There is no live trojan on your system, as TDS and other scanners would have found it.
    So in fact i would advise to do your important and urgent work, look at the system's behavior; not sure if you need to email it all now or that you could prepare it and set it ready for sending out till you have confirmation what to do with the mutex?
    When you're ready go look further in the mutex problem. In the meantime keep TDS and whatever protection you like to have activated on.
     
  15. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    HI 996TT....

    I think it would be safe to continue your work like Jooske says, and do whatever you need to do with it.

    It seems unlikely that there is a trojan with all the other scans you have done. Sounds like a remnant left over in memory.

    Jooske and I thought it *could* have been a corrupt Mutex.exe dl, but I just unloaded and reloaded mine and no errors.

    If you have a registry cleaner, run that also, clean a lot of old/useless junk out.

    Couple good ones to get are RegCleaner here:

    RegCleaner

    or RegSupreme [try the trial version of this one, it's not free] Also it's similar to above. It was jv16 power tools but bought out by Macecraft

    RegSupreme

    or

    RegSupreme Info Here

    Cheers, TAS

    PS: Have you gone back the site and get a *new* download of radius file... just to make sure?
     
  16. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    In addition to what Jooske & TD suggested, can you please ensure that your current radius file displays the same quantities in the console window as follows:

    09:12:36 [Init] • Systems Initialised [35725 references - 13968 primaries/9984 traces/11773 variants/other]
    09:12:36 [Init] Radius Systems loaded. <Databases updated 09-07-2004>


    Cheers. Pilli
     
  17. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    http://www.diamondcs.com.au/index.php?page=apm
    Can somebody confirm if with the APM it is possible to look at individual mutexes and if there close them one by one, and if it would give an overview of the possible process responsible for it, if any?
    If so this could be a great help as a last check.
     
  18. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    I bought the mentioned RegSupreme Pro but I'm afraid it gets stuck when it has to remove over 1700 bad or invalid entries. :(
    When I remove single entries (even a couple of dozens), it works fine. But as soon as I choose MARK ALL and I want to fix them, the program gets stuck in this, it doesn't move on for hours. No, it doesn't freeze, it just doesn't continue the fixing operation. :(

    Maybe I should have tried it for a longer period of time before buying. :(

    I removed some suspicious entries (especially from temp files) but nothing changed, TDS-3 still shows the mutex memory thing. :(

    Yes, I have the newest radius file from 10/07/04.

    I mailed this thread to DiamondCS support and I just wait to see what they have to say. I also think that there is no threat left on my laptop (I really scanned my computer with all possible scanners) but you never know, maybe it is something new...I hope not. :doubt:

    THANKS AGAIN to everybody who tried to help! :D
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    The newest from 10-7-2004, does tell you like Pilli asked
    [35725 references - 13968 primaries/9984 traces/11773 variants/other]
    as there were little issues yesterday with the update?

    Surely i hope you can solve the registry entry cleaning and your system still runs ok after that!
    It might be loading a copy of the full registry into its own memory and place it back after cleansing it? Certainly when the file has grown it can take a while.


    I don't think something new on your system, but detection for it newly added, like you said 2 days ago update didn't see it and the last does.

    Hope your work will be ok too!


    Did you make sure your hidden files are all showing and did you give the APM a try (free tool) for detection?
     
  20. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    APM didn't help much.

    But something is interesting:
    my radius file (database updated 10-07-2004) shows the following:
    [33571 references - 11814 primaries/9984 traces/ 11773 variants/other]

    I'll try again a manual update and see what happens. :(
     
  21. TheQuest

    TheQuest Registered Member

    Joined:
    Jun 9, 2003
    Posts:
    2,301
    Location:
    Kent. UK by the sea
    Hi, 996TT

    Try a reload or reboot that might fix it, if not download it manually and save to TDS Directory. [where you installed TDS.]

    Take Care,
    TheQuest :cool:
     
  22. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    I saved the file manually from the first source and I got the same result.
    Then I copied a file from the pc-techie.info source and now it shows the correct references and primaries figures but...I still have that damn mutex memory trojandownloader thing. :(
     
  23. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Right that you have now the right update, and still showing the mutex detection, so it was not in the latest database only.
    OK, get the APM tool from the DiamondCS products page and see if you can find it with that. It has the option to find and close all mutexes, so with that it should be possible to locate it and deal with it.


    In the meantime nav100 told me to have been cleansed out with the HJT log at hand and several tools, see the whole horror story here
    https://www.wilderssecurity.com/showthread.php?t=40679
    in which i recommend first only look and read, you have most probably other things and lots of things not and other filenames, but the read is interesting and to see what could be done too, most of all the last few postings.


    Knowing you a little now, i think it's an unnecessary question to ask if you did cleanse out the caches and TIF files in the meantime too, empty recyclebins, etc? Spares lots of time for all scanners and it could have been a file was hidden or deleted there.
    I hope most of your APM results at the moment.
     
    Last edited: Jul 11, 2004
  24. 996TT

    996TT Registered Member

    Joined:
    Jul 9, 2004
    Posts:
    8
    Seems I started something...wow. ;)

    I downloaded the "good" and "valid" database radius file to my TDS-3 installation and all the trojan warnings, including the mutex thing, disappeared.
    What I find very strange: I had two different database files with the same size and both seemed to be valid. But both had different CRC32 and MD5 values. One caused the weird problems and the other one didn't.

    I can't help it but...did somebody do it on purpose to create a lot of problems for TDS-3 users and of course for DiamondCS, or was it just a file error problem?
    No matter what it was: doesn't TDS-3 have some kind of internal "verification" programming to check if the update radius files are valid or not? If not, this could be a way how to "infiltrate" TDS-3 and render it useless.
    I'm no tech/programmer and I might talk BS but I'm curious... ;)
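The question raised in the post above, whether an update file should be verified before it is loaded, is worth a worked illustration. The Python below is an added example: it is not part of the thread and not DiamondCS's code, and the "update file", the manifest and the hash values are constructed here (the real radius.td3 format is not known to this page). It shows why two files of equal size can still differ, verifies a download against a publisher-side manifest using SHA-256 rather than CRC32 or MD5 (neither of which resists deliberate tampering), and, as a second check, parses the `[Init]` reference-count console lines quoted earlier in the thread so that a freshly loaded database can be compared against the counts a known-good load reports.

```python
"""Validate a downloaded signature database before loading it.

Added example: not DiamondCS code and not the real radius.td3 format.
The update bytes, the manifest and the digests are constructed here.
"""
import hashlib
import hmac
import re
import zlib

# Two constructed copies of "the same" update, identical in length. A single
# flipped bit deep inside a file leaves its size unchanged, which is why size
# alone is no integrity check.
GOOD_UPDATE = b"RADIUS-DB\x00" + bytes(range(256)) * 4
_corrupt = bytearray(GOOD_UPDATE)
_corrupt[700] ^= 0x01
BAD_UPDATE = bytes(_corrupt)

# What a publisher would ship out of band beside the file. Derived from
# GOOD_UPDATE only because we are constructing the example.
MANIFEST = {
    "size": len(GOOD_UPDATE),
    "sha256": hashlib.sha256(GOOD_UPDATE).hexdigest(),
}


def digests(data: bytes) -> tuple:
    """CRC32, MD5 and SHA-256 of a blob, as hex. CRC32 and MD5 are listed
    only because the thread mentions them; neither resists deliberate
    tampering, so verify_update() decides on SHA-256 alone."""
    return (
        f"{zlib.crc32(data) & 0xFFFFFFFF:08x}",
        hashlib.md5(data).hexdigest(),
        hashlib.sha256(data).hexdigest(),
    )


def verify_update(data: bytes, manifest: dict) -> tuple:
    """Return (ok, reason). Cheap size check first, then the hash, compared
    in constant time. A failing file must never be copied into place."""
    if len(data) != manifest["size"]:
        return False, "size mismatch"
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, manifest["sha256"]):
        return False, "sha256 mismatch"
    return True, "ok"


# Second, weaker check from the thread: after loading, the console prints
# how many references the database contains. Comparing that line with the
# counts a known-good load reports catches a truncated or corrupt database
# even without a manifest.
INIT_RE = re.compile(
    r"\[(\d+) references - (\d+) primaries/(\d+) traces/\s*(\d+) variants/other\]"
)

# Both lines are quoted from the thread: Pilli's good load and 996TT's bad one.
EXPECTED_INIT = (
    "09:12:36 [Init] • Systems Initialised "
    "[35725 references - 13968 primaries/9984 traces/11773 variants/other]"
)
OBSERVED_INIT = "[33571 references - 11814 primaries/9984 traces/ 11773 variants/other]"


def parse_init_counts(line: str) -> dict:
    """Extract the four counters from a TDS-3 [Init] console line."""
    m = INIT_RE.search(line)
    if m is None:
        raise ValueError("no reference counts found in line")
    keys = ("references", "primaries", "traces", "variants")
    return dict(zip(keys, (int(g) for g in m.groups())))


def counts_match(observed: str, expected: str) -> bool:
    """True when every counter in the observed load equals the expected one."""
    return parse_init_counts(observed) == parse_init_counts(expected)


if __name__ == "__main__":
    for name, blob in (("good copy", GOOD_UPDATE), ("bad copy", BAD_UPDATE)):
        ok, why = verify_update(blob, MANIFEST)
        print(f"{name}: {len(blob)} bytes, crc32/md5/sha256={digests(blob)} -> {why}")
    print("counts match:", counts_match(OBSERVED_INIT, EXPECTED_INIT))
```

The size check is only a fast reject; the decision rests on the hash comparison, done with `hmac.compare_digest` so that a byte-wise early exit does not leak how much of the hash matched. In a real updater the manifest would itself need to be authenticated (a vendor signature over it), otherwise an attacker who can replace the database can replace the manifest too; that part is out of scope for this illustration.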
     
  25. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    You might like to read Wayne's explanation on the case.
    (in the sticky thread about the 12-07-2004 update).
    Should not happen again!
     