Trojan  Yes or No

Hello,All

Has anyone had this problem when i

updated TDS & i did a reboot i keep

geting this  Mutex Memory Scan

Trojan Mutex(es) Found:

When before the new update i would see

Mutex Memory Scan  no Trojan Mutex(es) Found:

Now when i go & do a Full system scan

i get no Alarms at all  so do have a problem

here or is it the update

oh this is happning on Both Win98 & WinXP

Thank You

 

Mutex infection could for instance be a Nimda infection, to name one of the many; that one you can test at the DCS web site
http://www.diamondcs.com.au/source/
at the bottom of that page.
It would not alarm easily if nothing is there.

Trying now the mutex test, just updated till 11903 refs...
It just says
"Trojan mutex(es) found: "
and stops there, so that means we are clean.
Looking in older logs, indeed there it said:
Mutex Memory Scan] Started...
[Mutex Memory Scan] Finished (no trojan mutexes found)."
which is less confusing.
With this, you don't seem infected at all, for in that case the name would have been displayed.
So don't worry, most of all as all further does function right and nothing came up with the Full System Scan.

 

Hello,Jooske

first i like to say thank you for

the help & reply & keep up the

good work

Thanks

 

You're welcome AAPlus
and you too! Keep in touch.
Does it further run ok on both your systems? XP is for many still a whole new experience i read in the fora (not using that myself).

 

Just noticed the text is now again
Finished (No trojan mutexes found)
Better feeling, doesn't it?

 

Hello,Jooske

Yes i now have  Finished (No trojan mutexes found)

but i have a new problem when i updated TDS

again now when i do a Full system Scan i get this

Alarm:    Positive identification <Adv>: Possible keylogger

File: x:\03\dcsmutex.dll

now i tryed to Delete this file but TDS

keeps puting it back do i hve a problem

oh this is on Both Win98 & WinXP

Thanks

 

Yeah, whole internet is talking about it.
Gavin posted they added lots of new keylogging detections to the references, so i think they put it on the highest detection. As you've seen it says Possible keylogger <adv> so the file has some code parts in it, which could have been used by a real keylogger too.
Be asured there is no problem with the file, as that is the thing testing the mutexes and i guess registry keys, looking at it's name, so it could be the two things, meaning this detection and the text change come very close together.
I have the file long time on the system and now we all after these new additions have the same alert, so imagine the hundreds of worried people emailing about it.
Posted in the private as well, nothing to worry about till there would be said Positive identification keylogger blabla version ...
I compare this with a generic or heuristic scanning which often gives alarms which need to be looked deeper at but in many cases are ok. With our remarks they'll be able to refine the database.

Not any need to delete it and you better don't as it has to do with the mutexes testing. It's a vital TDS element, so you can't delete it.
In other cases, if you would be worried, better copy such a thing to a safe place or zip it.
First scan the thing with your other av/at scannings as well. Others have discovered it already as a false positive so for sure this will be corrected first occasion possible.

 

Hey,Jooske

Once again thanks for the reply

& help keep up the hard work

i thank you

 

You're welcome,
enjoy the rest of this beautiful weekend!

Edited:
In the meantime reply from Wayne:
my answer is right for the keylogger kind of code.
In the new update the correction has been made, as you will notice with your next scan after you grabbed it.

 

To expand on that a little more, here's a copy-and-paste (with his permission of course) from Wayne:

"Yes this is a false positive -- we create dcsmutex.dll and TDS3, so there is no chance of that file or files like it ever being anything other than a false alarm. One of the mutexes that dcsmutex.dll was looking for had strings often found only in keyloggers which is why the alarm was triggered. Normally dcsmutex.dll is compressed so such strings don't exist in the file, but it somehow escaped compression on Friday! We apologise for any confusion, but the file has now been recompressed and an additional routine has been added here to ensure that such a thing cannot happen in future - if you update your database now, things should be back to normal, with no false alarm on dcsmutex.dll

We apologise for our absence over Saturday/Sunday, we spent the weekend upgrading our server and and hard drives here before Easter - we like to upgrade our hardware before crashes occur

Best regards,
Wayne


__________________
Wayne Langlois / DiamondCS
wayne@diamondcs.com.au"

Hope that clears it up for everyone (especially since it's straight from the source).

The update did indeed remove the false positive. Pete