MidoriSocks - two suspicious files in windows directory

As my protection software notified me that a program mswtl32.exe wants to
have access to the internet, I found the following two files in my
c:\winnt:

             111.616 MSWTL32.exe
             111.616 msxmidi.exe

In properties/version there is the following information:

internal name          MidoriSocks
original file name     MidoriSocks.EXE
product name           MidoriSocks Application
product version        1,0,0,1
language               English (USA)

Furthermore the file mswtl32.exe is started automatically by the
registry entry:

...HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSWTL32

Since I found no clear description of these components on the internet, I
would appreciate any comment regarding the malignity of these exes.
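The two observations in this post (an executable started from the HKCU Run key, and a file whose on-disk name MSWTL32.exe differs from the OriginalFilename MidoriSocks.EXE embedded in its version resource) can be checked for every autostart entry at once. The following PowerShell is an added example written for this thread, not code from the poster or from any tool mentioned here; it assumes Windows PowerShell 5.1 or later and read access to the HKCU and HKLM hives. The flag names (name-mismatch, in-windows-dir, no-company, file-missing) are this example's own.

```powershell
# Added example; not code from the thread. Enumerates the common Run/RunOnce
# autostart keys, resolves each command to its executable, and compares the
# on-disk file name with the OriginalFilename/InternalName in the file's
# version resource, the mismatch the original poster spotted by hand.
# Assumes Windows PowerShell 5.1 or later and read access to both hives.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ExecutableFromCommand {
    # Reduce a Run-value command line to the executable path it launches.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    $exe = $null
    if ($cmd.StartsWith('"')) {                       # "C:\path with spaces\x.exe" /arg
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $exe = $cmd.Substring(1, $end - 1) }
    }
    if (-not $exe) {
        $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', 'IgnoreCase')   # C:\x.exe /arg
        $exe = if ($m.Success) { $m.Groups[1].Value } else { ($cmd -split '\s+')[0] }
    }
    # A bare file name (no directory) is looked up where the loader would find it.
    if (-not [System.IO.Path]::IsPathRooted($exe) -and -not (Test-Path -LiteralPath $exe)) {
        foreach ($dir in @($env:SystemRoot, "$env:SystemRoot\System32")) {
            $cand = Join-Path $dir $exe
            if (Test-Path -LiteralPath $cand) { $exe = $cand; break }
        }
    }
    return $exe
}

function Get-AutostartReport {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
            $exe   = Get-ExecutableFromCommand ([string]$prop.Value)
            $file  = Get-Item -LiteralPath $exe -ErrorAction SilentlyContinue
            $flags = @()
            $orig = $null; $internal = $null; $product = $null; $hash = $null
            if ($null -eq $file) {
                $flags += 'file-missing'
            } else {
                $vi       = $file.VersionInfo
                $orig     = $vi.OriginalFilename
                $internal = $vi.InternalName
                $product  = $vi.ProductName
                $hash     = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                # Name on disk differs from the name embedded at build time
                # (MSWTL32.exe versus MidoriSocks.EXE in the thread).
                if ($orig -and ($orig -ne $file.Name)) { $flags += 'name-mismatch' }
                # Third-party binaries dropped straight into %SystemRoot% are unusual.
                if ($file.DirectoryName -eq $env:SystemRoot) { $flags += 'in-windows-dir' }
                if (-not $vi.CompanyName) { $flags += 'no-company' }
            }
            [pscustomobject]@{
                Key              = $key
                ValueName        = $prop.Name
                Path             = $exe
                OriginalFilename = $orig
                InternalName     = $internal
                ProductName      = $product
                SHA256           = $hash
                Flags            = ($flags -join ',')
            }
        }
    }
}

# Flagged entries first. The SHA256 column can be searched on VirusTotal
# without uploading the file itself.
Get-AutostartReport | Sort-Object { $_.Flags.Length } -Descending | Format-Table -AutoSize
```

The flags are triage hints, not verdicts: some legitimate installers rename their executables, so a name-mismatch alone is not proof of anything, but an unsigned file in the Windows directory whose version resource names a different product is exactly the combination worth submitting for scanning.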


Re: MidoriSocks - two suspicious files in windows directory


| As my protection software notified me that a program mswtl32.exe wants to
| have access to the internet, I found the following two files in my
| c:\winnt:
|
|              111.616 MSWTL32.exe
|              111.616 msxmidi.exe
|
| In properties/version there is the following information:
|
| internal name          MidoriSocks
| original file name     MidoriSocks.EXE
| product name           MidoriSocks Application
| product version        1,0,0,1
| language               English (USA)
|
| Furthermore the file mswtl32.exe is started automatically by the
| registry entry:
|
| ...HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSWTL32
|
| Since I found no clear description of these components on the internet, I
| would appreciate any comment regarding the malignity of these exes.


Please submit samples to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: MidoriSocks - two suspicious files in windows directory

Thank you Dave, I uploaded the file to Virus Total and got the
following positive results:

Complete scanning result of "MSWTL32.exe", received in VirusTotal at
09.26.2006, 10:47:32 (CET).
Antivirus    Version    Update    Result
AntiVir    7.2.0.18    09.26.2006    TR/Proxy.Agent.KX
AVG    386    09.25.2006    Proxy.FWY
Ewido    4.0    09.26.2006    Proxy.Agent.kx
Fortinet    2.82.0.0    09.26.2006    suspicious
Kaspersky    4.0.2.24    09.26.2006    Trojan-Proxy.Win32.Agent.kx
McAfee    4859    09.25.2006    Proxy-Agent.a
Norman    5.90.23    09.25.2006    W32/Agent.AGXB
Sophos    4.10.0    09.26.2006    Mal/Behav-044
TheHacker    6.0.1.081    09.26.2006    Trojan/Proxy.Agent.kx
UNA    1.83    09.25.2006    TrojanProxy.Win32.Agent.8623
VBA32    3.11.1    09.25.2006    suspected of Trojan.Agent.69
VirusBuster    4.3.7:9    09.25.2006    Trojan.PR.Agent.PRR

It seems Agent.KX has infected my PC.
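The poster reads the family name off the table by eye. The PowerShell below is an added example, not code from the thread or from VirusTotal, that parses a plain-text result table of this 2006-era layout into objects and summarises the engine consensus. The table in the script is reconstructed from the post above; the final "no virus found" row is a constructed clean entry (the wording of a clean result is assumed) so the script shows how such rows are separated from detections. The stop-word list and the function names are this example's own.

```powershell
# Added example; not code from the thread. Parses a plain-text VirusTotal result
# table into objects and summarises how many engines flagged the file and which
# family token they agree on. Rows are reconstructed from the post; the last row
# is a constructed clean entry whose "no virus found" wording is an assumption.

$reportText = @'
Antivirus    Version    Update    Result
AntiVir    7.2.0.18    09.26.2006    TR/Proxy.Agent.KX
AVG    386    09.25.2006    Proxy.FWY
Ewido    4.0    09.26.2006    Proxy.Agent.kx
Fortinet    2.82.0.0    09.26.2006    suspicious
Kaspersky    4.0.2.24    09.26.2006    Trojan-Proxy.Win32.Agent.kx
McAfee    4859    09.25.2006    Proxy-Agent.a
Norman    5.90.23    09.25.2006    W32/Agent.AGXB
Sophos    4.10.0    09.26.2006    Mal/Behav-044
TheHacker    6.0.1.081    09.26.2006    Trojan/Proxy.Agent.kx
UNA    1.83    09.25.2006    TrojanProxy.Win32.Agent.8623
VBA32    3.11.1    09.25.2006    suspected of Trojan.Agent.69
VirusBuster    4.3.7:9    09.25.2006    Trojan.PR.Agent.PRR
ExampleAV    1.0    09.26.2006    no virus found
'@

function ConvertFrom-VirusTotalText {
    param([string]$Text)
    foreach ($line in ($Text -split "`r?`n")) {
        # Engine, version and update date are single tokens separated by runs of
        # whitespace; the result column is free text and may itself contain spaces.
        $m = [regex]::Match($line, '^(\S+)\s{2,}(\S+)\s{2,}(\d{2}\.\d{2}\.\d{4})\s{2,}(.+?)\s*$')
        if (-not $m.Success) { continue }          # skips the header and blank lines
        $result = $m.Groups[4].Value
        [pscustomobject]@{
            Engine   = $m.Groups[1].Value
            Version  = $m.Groups[2].Value
            Updated  = [datetime]::ParseExact($m.Groups[3].Value, 'MM.dd.yyyy', $null)
            Result   = $result
            Detected = ($result -notmatch '^(no virus found|clean|-)$')
        }
    }
}

function Get-DetectionSummary {
    param([object[]]$Rows)
    $hits = @($Rows | Where-Object Detected)
    # Class and platform words every vendor prepends; they say nothing about the family.
    $stop = @('trojan','trojanproxy','proxy','win32','w32','tr','mal','pr',
              'suspicious','suspected','of','behav')
    $tokens = foreach ($r in $hits) {
        ($r.Result -split '[./:\-\s]+') |
            Where-Object { $_ -and ($stop -notcontains $_.ToLower()) } |
            ForEach-Object { $_.ToLower() }
    }
    $family = $tokens | Group-Object | Sort-Object Count -Descending | Select-Object -First 1
    $familyName  = $null
    $familyCount = 0
    if ($family) { $familyName = $family.Name; $familyCount = $family.Count }
    [pscustomobject]@{
        Engines         = $Rows.Count
        Detections      = $hits.Count
        DetectionRatio  = '{0}/{1}' -f $hits.Count, $Rows.Count
        LikelyFamily    = $familyName
        AgreeingEngines = $familyCount
        FlaggedBy       = (@($hits | ForEach-Object Engine) -join ', ')
    }
}

$rows = @(ConvertFrom-VirusTotalText $reportText)
$rows | Format-Table Engine, Updated, Result, Detected -AutoSize
Get-DetectionSummary $rows
```

On the rows above the summary reports 12 detections out of 13 engines, with "agent" as the most frequent family token (nine engines) once the generic class words are removed, which is the same conclusion the poster reached by reading the table. Engines that return only "suspicious" or a behavioural name such as Mal/Behav-044 still count as detections but contribute nothing to the family vote.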


Re: MidoriSocks - two suspicious files in windows directory


|
| Thank you Dave, I uploaded the file to Virus Total and got the
| following positive results:
|
| Complete scanning result of "MSWTL32.exe", received in VirusTotal at
| 09.26.2006, 10:47:32 (CET).
| Antivirus Version Update Result
| AntiVir 7.2.0.18 09.26.2006 TR/Proxy.Agent.KX
| AVG 386 09.25.2006 Proxy.FWY
| Ewido 4.0 09.26.2006 Proxy.Agent.kx
| Fortinet 2.82.0.0 09.26.2006 suspicious
| Kaspersky 4.0.2.24 09.26.2006 Trojan-Proxy.Win32.Agent.kx
| McAfee 4859 09.25.2006 Proxy-Agent.a
| Norman 5.90.23 09.25.2006 W32/Agent.AGXB
| Sophos 4.10.0 09.26.2006 Mal/Behav-044
| TheHacker 6.0.1.081 09.26.2006 Trojan/Proxy.Agent.kx
| UNA 1.83 09.25.2006 TrojanProxy.Win32.Agent.8623
| VBA32 3.11.1 09.25.2006 suspected of Trojan.Agent.69
| VirusBuster 4.3.7:9 09.25.2006 Trojan.PR.Agent.PRR
|
| It seems Agent.KX has infected my PC.

You can start with the McAfee or Sophos module in the tool below.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS }
This will bring up the initial menu of choices and should be executed in Normal
Mode. This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you
can download the files and perform a scan in Normal Mode. Once you have downloaded
the files needed for each scanner you want to use, you should reboot the PC into
Safe Mode [F8 key during boot] and re-run the menu again and choose which scanner
you want to run in Safe Mode.  It is suggested to run the scanners in both Safe Mode
and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help file.  http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * *   Please report back your results  * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


