Trojan Mutex(es) found:

Discussion in 'Trojan Defence Suite' started by Grizzly Bear, Nov 12, 2004.

Thread Status:
Not open for further replies.
  1. Grizzly Bear

    Grizzly Bear Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    3
    I have recently started using TDS 3. I have not had any problems before today but just now when I started it up, in the DOS box it says "Trojan Mutex(es) found"!!! I have looked in the log file and it says no more! No information on what is going on or anything! No information about what Trojan it is or how to deal with it or even if it has been automatically dealt with!

    Please help somebody!

    I have Win XP, sp2, Zone Alarm Pro, TDS 3, Process Guard, Wormguard.
     
  2. Grizzly Bear

    Grizzly Bear Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    3
    It has taken over an hour of panicking but I think I may have found my own answer and solution! Various Scans, nothing, checking various log files, nothing! Thank goodness really!
    I finally came round to check Wormguard and it refused to start, something about the wrong handle or something? Anyway, I then thought of checking Process Guard and right there under "Security" there was "dcsmutex.exe deny once"! as well as "wguard.exe deny once"! And of course dcsmutex is TDS's own scan for mutexes! I am guessing, and hope I am guessing right, that the block on the scan was what produced the report "Trojan Mutex(es) found:_______________". I thought it was strange that there was nothing actually reported, no file or path!

    Am I right in thinking that there will be a file name there if something really infects me?

    Please just quickly confirm or deny my suspicions!

    Grizzly Bear GRRRRRRR!
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there, waiting for a ProcessGuard knowledgeable person, but I can tell if there were mutexes found, you would have seen names mentioned.
    In the TDS scan you see normally:
    [Mutex Memory Scan] Started...
    [Mutex Memory Scan] Finished (no trojan mutexes found).
    Guess you should allow those two files to run since they're known own files.
     
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Grizzly Bear, Yes, ProcessGuard should have the "always permit" flag set for DCSmutex.exe but DCSmutex changes probably once a week when you update the radius file. If you then run a scan you should get a PG execution protection pop up to allow for the newly changed DCSmutex.exe.
    By having the deny flag TDS3 would almost certainly mis-report a problem :)
    There is no need to put WGuard.exe in the protection list as it is not a process as such, just a hook, but will require the permit always on Wguard.exe in the security list.

    HTH Pilli
     
  5. Grizzly Bear

    Grizzly Bear Registered Member

    Joined:
    Nov 12, 2004
    Posts:
    3
    Thanks for your info. I didn't think I had changed it! Glad I wasn't wrong! Could the auto-update feature in TDS 3 not re-register it with Process Guard automatically? Presumably the auto update feature has security controls and checks? It's a bit frustrating for a bear to have to reconfigure this every WEEK!

    Presumably this only happens because I have ticked the "block new and changed applications" setting in Process Guard? But I don't want to change that as I have my young bearlings to think about! GRRRR GRRRR GRRRR
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Unfortunately if you require the depth of protection which ProcessGuard affords this is the only way I know of, i.e. when TDS3 updates you need to disable Block new or changed programs then give the necessary permission for DCSmutex.exe; this will almost certainly be the same for many other security products including your AV.
    A better policy would be to put your bearlings into a limited user group keeping the Admin privileges for papa or mama bear.

    Cheers. Pilli
    BTW the porridge was nice ;)
     