MidoriSocks - two suspicious files in Windows directory


hkuhlmann

As my protection software notified me that a program mswtl32.exe wants to
have access to the internet, I found the following two files in my
c:\winnt:

111.616 MSWTL32.exe
111.616 msxmidi.exe

In properties/version there is the following information:

internal name MidoriSocks
original file name MidoriSocks.EXE
product name MidoriSocks Application
product version 1,0,0,1
language English (USA)

Furthermore the file mswtl32.exe is started automatically by the
registry entry:

....HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSWTL32

Since I found no clear description of these components on the internet, I
would appreciate any comment regarding the malignity of these exe's.
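The poster's first useful finding is the autostart entry under the HKCU Run key. Triaging such entries is a common first step, so here is an added example (not code from anyone in this thread) that parses a `reg export` of that key and flags values whose executable sits directly in the Windows root directory, which is where the poster found the files and where legitimate autostarts are rare. The sample export text is constructed for the example; the MSWTL32 entry mirrors the one reported above, the other entry is invented, and the allow-list of Windows root names is an assumption.

```python
import re
import sys
from typing import Dict, List

# Constructed sample of a `reg export` of the Run key (not from the original
# post). The MSWTL32 value mirrors the poster's finding; the second is made up.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSWTL32"="C:\\WINNT\\MSWTL32.exe"
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Directories where a Run entry is unusual (assumption: most legitimate
# autostarts live under Program Files or system32, not the Windows root).
WINDOWS_ROOT_DIRS = {r"c:\winnt", r"c:\windows"}

_VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping: \\ -> \ and \" -> \"."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_run_key(reg_text: str) -> Dict[str, str]:
    """Return {value name: command line} for the Run key in a .reg export."""
    entries: Dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_run_key = line[1:-1].lower() == RUN_KEY.lower()
            continue
        if not in_run_key:
            continue
        m = _VALUE_LINE.match(line)
        if m:
            entries[m.group("name")] = _unescape(m.group("data"))
    return entries


def executable_path(command: str) -> str:
    """Extract the program path from a Run command line (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split()[0]


def flag_windows_root(entries: Dict[str, str]) -> List[str]:
    """Names of entries whose executable is directly in the Windows root."""
    flagged = []
    for name, command in entries.items():
        path = executable_path(command)
        directory = path.rsplit("\\", 1)[0].lower()
        if directory in WINDOWS_ROOT_DIRS:
            flagged.append(name)
    return flagged


def read_live_run_key() -> Dict[str, str]:
    """On Windows, read the real HKCU Run key; elsewhere return {}."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    entries: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name] = str(data)
            i += 1
    return entries


if __name__ == "__main__":
    entries = read_live_run_key() or parse_run_key(SAMPLE_REG_EXPORT)
    for name, cmd in entries.items():
        print(f"{name:20} {cmd}")
    print("entries starting from the Windows root:", flag_windows_root(entries))
```

On a Windows box the script enumerates the live key via `winreg`; anywhere else it falls back to the constructed export so the parsing and flagging logic can be exercised offline. A flagged name is only a prompt to look closer (file version info, hash, vendor scan), not a verdict.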
 

David H. Lipman

From: <[email protected]>

| As my protection software notified me that a program mswtl32.exe wants to
| have access to the internet, I found the following two files in my
| c:\winnt:
|
| 111.616 MSWTL32.exe
| 111.616 msxmidi.exe
|
| In properties/version there is the following information:
|
| internal name MidoriSocks
| original file name MidoriSocks.EXE
| product name MidoriSocks Application
| product version 1,0,0,1
| language English (USA)
|
| Furthermore the file mswtl32.exe is started automatically by the
| registry entry:
|
| ...HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MSWTL32
|
| Since I found no clear description of these components on the internet, I
| would appreciate any comment regarding the malignity of these exe's.


Please submit samples to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 

hkuhlmann

| Please submit samples to Virus Total --
| http://www.virustotal.com/flash/index_en.html
| The submission will then be tested against many different AV vendors' scanners.
| That will give you an idea what it is and who recognizes it. In addition, unless told
| otherwise, Virus Total will provide the sample to all participating vendors.
|
| You can also submit a suspect, one at a time, via the following email URL...
| mailto:[email protected]?subject=SCAN
|
| When you get the report, please post back the exact results.

Thank you Dave, I uploaded the file to Virus Total and got the
following positive results:

Complete scanning result of "MSWTL32.exe", received in VirusTotal at
09.26.2006, 10:47:32 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.26.2006 TR/Proxy.Agent.KX
AVG 386 09.25.2006 Proxy.FWY
Ewido 4.0 09.26.2006 Proxy.Agent.kx
Fortinet 2.82.0.0 09.26.2006 suspicious
Kaspersky 4.0.2.24 09.26.2006 Trojan-Proxy.Win32.Agent.kx
McAfee 4859 09.25.2006 Proxy-Agent.a
Norman 5.90.23 09.25.2006 W32/Agent.AGXB
Sophos 4.10.0 09.26.2006 Mal/Behav-044
TheHacker 6.0.1.081 09.26.2006 Trojan/Proxy.Agent.kx
UNA 1.83 09.25.2006 TrojanProxy.Win32.Agent.8623
VBA32 3.11.1 09.25.2006 suspected of Trojan.Agent.69
VirusBuster 4.3.7:9 09.25.2006 Trojan.PR.Agent.PRR

It seems Agent.KX has infected my PC.
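The report above is the evidence the thread's conclusion rests on, and reading consensus out of a dozen differently-named detections is easier with a small parser. The following is an added example, not code from either poster or from VirusTotal: it parses the pasted report into one record per vendor, then tokenizes the detection names so that family and variant words shared across vendors ("Agent", "Proxy", "kx") can be counted. The report text is embedded exactly as posted; the tokenization rule is an assumption of this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# The VirusTotal result block as pasted in the thread above (09.26.2006).
SAMPLE_REPORT = """Complete scanning result of "MSWTL32.exe", received in VirusTotal at
09.26.2006, 10:47:32 (CET).
Antivirus Version Update Result
AntiVir 7.2.0.18 09.26.2006 TR/Proxy.Agent.KX
AVG 386 09.25.2006 Proxy.FWY
Ewido 4.0 09.26.2006 Proxy.Agent.kx
Fortinet 2.82.0.0 09.26.2006 suspicious
Kaspersky 4.0.2.24 09.26.2006 Trojan-Proxy.Win32.Agent.kx
McAfee 4859 09.25.2006 Proxy-Agent.a
Norman 5.90.23 09.25.2006 W32/Agent.AGXB
Sophos 4.10.0 09.26.2006 Mal/Behav-044
TheHacker 6.0.1.081 09.26.2006 Trojan/Proxy.Agent.kx
UNA 1.83 09.25.2006 TrojanProxy.Win32.Agent.8623
VBA32 3.11.1 09.25.2006 suspected of Trojan.Agent.69
VirusBuster 4.3.7:9 09.25.2006 Trojan.PR.Agent.PRR
"""


@dataclass
class Detection:
    vendor: str
    version: str
    updated: str
    result: str


def parse_report(text: str) -> List[Detection]:
    """Turn the 'Antivirus Version Update Result' table into records.

    Each data line is 'vendor version update result', where only the result
    may contain spaces, so the line is split into at most four fields.
    """
    detections: List[Detection] = []
    in_table = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Antivirus "):
            in_table = True
            continue
        if not in_table or not line:
            continue
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            detections.append(Detection(*parts))
    return detections


def name_tokens(result: str) -> set:
    """Split a detection name into lowercase alphanumeric tokens.

    Assumption of this example: vendor naming differs in prefixes and
    separators ('TR/Proxy.Agent.KX', 'Trojan-Proxy.Win32.Agent.kx'), so the
    shared family and variant words survive as tokens.
    """
    return set(re.findall(r"[a-z0-9]+", result.lower()))


def token_consensus(detections: List[Detection]) -> Counter:
    """Count, per token, how many vendors used it (each vendor counts once)."""
    counter: Counter = Counter()
    for d in detections:
        counter.update(name_tokens(d.result))
    return counter


def summarize(detections: List[Detection], top: int = 5) -> str:
    """Human-readable summary: detection count and most shared name tokens."""
    consensus = token_consensus(detections)
    lines = [f"{len(detections)} vendors flagged the sample"]
    for token, n in consensus.most_common(top):
        lines.append(f"  {token:12} {n} vendors")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Run against the posted report, the token counts show "agent" named by 9 of the 12 engines and "proxy" by 6, which is the consensus the poster drew ("Agent.KX"); the variant suffix "kx" itself appears in only 4 names, a reminder that family-level agreement is usually firmer than variant-level agreement across vendors.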
 

David H. Lipman

From: <[email protected]>

|
| Thank you Dave, I uploaded the file to Virus Total and got the
| following positive results:
|
| Complete scanning result of "MSWTL32.exe", received in VirusTotal at
| 09.26.2006, 10:47:32 (CET).
| Antivirus Version Update Result
| AntiVir 7.2.0.18 09.26.2006 TR/Proxy.Agent.KX
| AVG 386 09.25.2006 Proxy.FWY
| Ewido 4.0 09.26.2006 Proxy.Agent.kx
| Fortinet 2.82.0.0 09.26.2006 suspicious
| Kaspersky 4.0.2.24 09.26.2006 Trojan-Proxy.Win32.Agent.kx
| McAfee 4859 09.25.2006 Proxy-Agent.a
| Norman 5.90.23 09.25.2006 W32/Agent.AGXB
| Sophos 4.10.0 09.26.2006 Mal/Behav-044
| TheHacker 6.0.1.081 09.26.2006 Trojan/Proxy.Agent.kx
| UNA 1.83 09.25.2006 TrojanProxy.Win32.Agent.8623
| VBA32 3.11.1 09.25.2006 suspected of Trojan.Agent.69
| VirusBuster 4.3.7:9 09.25.2006 Trojan.PR.Agent.PRR
|
| It seems Agent.KX has infected my PC.

You can start with the McAfee or Sophos module in the below tool.

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm

Additional Instructions:
http://pcdid.com/Multi_AV.htm


* * * Please report back your results * * *
 
