TDS file or a Trojan??


winetou
February 27th, 2004, 04:27 PM
I've had TDS3 for over a year and today for the first time a file called MSXMIDI.exe tried to access the net.

One copy of this is in C:/Windows, another in the TDS folders.
File creation date is today, 6,656 bytes.

Googling only finds the Pest Patrol site, which lists this as a hijacker.

So, my question is whether this is a legit TDS file or something dropped into the TDS folder to fool TDS.

Pilli
February 27th, 2004, 05:47 PM
It is a hijacker, not a Trojan, and it is not a TDS file: http://www.pestpatrol.com/PestInfo/m/msxmidi.asp
It may pay you to post in the hijack forum here at Wilders: http://www.wilderssecurity.com/index.php?board=17

Sounds like you stopped it :)

Have you downloaded the latest radius file & done a full scan just in case there were other things attached?

Can you please submit a zipped copy to submit@diamondcs.com.au? Gavin can then add it to his database.


HTH Pilli

winetou
February 27th, 2004, 06:04 PM
That is what I found, but the file listed by Pest Patrol is much larger; this one on my PC is only 6.5 KB.

And why, of all folders, would it be present in the TDS/xDynamic/TDS.Unpk folder?

I'll e-mail it to them and see what they say.

By the way, it tried to contact the Diamond CS site. So it looks like a legitimate file, but this is the very first time it has tried to dial out in a year; that is what makes me suspicious.

Pilli
February 27th, 2004, 06:08 PM
That folder is where TDS unpacks files for checking; usually they are deleted after a scan unless they are corrupted in some way or the scan did not complete for some reason.

Are you sure it was that file that tried to get out, and not the TDS updater, which is set to auto on Fridays and Mondays?

Please send it to Gavin - Thanks ;D

Jooske
February 28th, 2004, 03:04 AM
Remember: the file in that folder is a copy of an original which has been somewhere else on your system, if it was not removed in the meantime.
I see in the computercops forum that the file was not removed from a HJT log, so maybe the file can be legit as well; it could be your file got infected itself (interesting option), so submitting it and awaiting Gavin's opinion is good, especially as you think it is calling out:
with Port Explorer up you can see exactly which process is the one calling out, and look at the packets or kill it.
You might like to zip it before handling it further, so the calling stops. Further, you might like to have a look at the file yourself in the meantime by going to www.kaspersky.com/remoteviruschk.html; submit the file at the bottom and get a first opinion online there within a few seconds.

winetou
February 28th, 2004, 10:37 PM
The Kaspersky on-line check says that the file is infected with the winshow trojan downloader (I think it's adware; Kaspersky doesn't specify, and my Norton, even though updated, says nothing about the file and says it's clean):

Current object: msxmidi.exe

msxmidi.exe Packed: UPX
msxmidi.exe Infected: TrojanDownloader.Win32.WinShow.p

Actually, it looks like I was wrong: the firewall reported the destination IP to be the same as the one dialed by TDS3, which is why I thought it was dialing the diamondcs site, but it's not actually; it's just my ISP.

It looks like this file is not the actual winshow virus/adware, but it tried to download it and got caught.

Jooske
February 28th, 2004, 11:16 PM
Gavin will definitely tell you more about the file, as now we all want to know! You did submit it, didn't you?
You did not find another original on your system somewhere else? Maybe it was deleted already (I hope).
Your last sentence: "tried to download it but got caught"
Do you mean you think the file was trying to download it, or you yourself?
If the file was trying to call, it means it would be active on your system; one more reason to zip it and send it in to Gavin. And to do another scan to make sure you're really clean!

winetou
February 29th, 2004, 04:22 AM
The original file was in the Windows directory, and my firewall alerted me that it was trying to dial out.

I did a search to find the file (by the name given by the firewall), and the search returned 2 files, exactly the same: one was in the Windows folder, which I assume is the original, and the second one was in the TDS/xDynamic/TDS.Unpk folder.

I did submit both (renamed one to msxmidiWin) just in case there was a difference between the two.

I think this file was downloaded somehow and then it tried to download the actual trojan, which seems to be winshow.dll (from what I found out researching winshow). There is no winshow on my PC, I guess because the firewall stopped msxmidi from downloading it. So it looks like I'm clean.
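An added triage helper, not part of this thread and not TDS or DiamondCS code: it automates the steps done by hand above (search for every copy of the filename, confirm the copies are byte-identical with SHA-256 instead of by eye, look for the section names and header marker that UPX leaves in a packed PE, which is what the "Packed: UPX" line in the Kaspersky report refers to, and rename a copy to a non-executable .tmp extension, the trick suggested in this thread). The directory tree and file contents are constructed stand-ins built by the script itself, not real samples; the UPX check is a heuristic hint for triage, not proof of anything.

```python
import hashlib
import os
import tempfile

# Byte strings UPX leaves near the start of a packed PE (its section names and
# its "UPX!" header marker). A hit is a hint worth noting in triage, not proof.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def sha256_of(path):
    """Stream the file through SHA-256 so large files are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def looks_upx_packed(path, scan_limit=4096):
    """Heuristic: look for UPX section names / marker in the file header area."""
    with open(path, "rb") as f:
        head = f.read(scan_limit)
    return any(marker in head for marker in UPX_MARKERS)


def find_by_name(root, name):
    """Case-insensitive filename search below root, like a Windows 'Search' for the name."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower() == name.lower():
                hits.append(os.path.join(dirpath, fname))
    return sorted(hits)


def triage(root, name):
    """Locate every copy of `name`, say whether all copies are byte-identical, flag packing."""
    hits = find_by_name(root, name)
    digests = {sha256_of(p) for p in hits}
    return {
        "hits": hits,
        "sha256": sorted(digests),
        "identical": len(hits) > 1 and len(digests) == 1,
        "packed": {p: looks_upx_packed(p) for p in hits},
    }


def neutralise(path):
    """Rename to a non-executable extension (the .tmp trick) so it can't be launched by name."""
    new_path = path + ".tmp"
    os.rename(path, new_path)
    return new_path


def build_sample_tree():
    """Constructed stand-in for the thread's layout: a Windows copy and a TDS.Unpk copy
    of the same fake 'packed' blob, plus an unpacked bystander. Not real malware."""
    root = tempfile.mkdtemp(prefix="triage_")
    packed = (b"MZ" + b"\x00" * 62 + b"PE\x00\x00"
              + b"UPX0\x00\x00\x00\x00UPX1\x00\x00\x00\x00" + b"UPX!" + b"\x00" * 128)
    plain = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b".text\x00\x00\x00" + b"\x00" * 128
    for rel, data in (
        ("Windows/msxmidi.exe", packed),
        ("TDS/xDynamic/TDS.Unpk/msxmidi.exe", packed),
        ("Windows/bystander.exe", plain),
    ):
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    report = triage(root, "msxmidi.exe")
    for p in report["hits"]:
        print(p, "UPX markers present" if report["packed"][p] else "no UPX markers")
    print("all copies identical:", report["identical"])
```

Run it against a real root (for example a mounted image) by calling `triage(root, "msxmidi.exe")` instead of `build_sample_tree()`; hash the copies before renaming or zipping anything, so the digest you submit with the sample matches what was on disk.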

Jooske
February 29th, 2004, 05:06 AM
Right, now that you tell about the second copy, or better said the original elsewhere on your system, the story fits exactly. The one in the TDS Unpk folder is a copy of the same, there for being unpacked and scanned, and normally it should have been deleted after that action or with the next scan. Now that Gavin has his copies you can delete the one in the Unpk folder anyway; the other one, if you think it could be part of a program which will stop functioning without the file on your system, you can rename, for instance by adding an extension behind it, msxmidi.exe.tmp, which can't run, or keep it zipped, or delete it after Gavin's reaction. Sounds like a good catch!

dvk01
February 29th, 2004, 08:30 AM
The winshow downloader is a part of the CWS hijacker family.

The way it gets on the computer is via an infected applet on a malicious website.

The only cure is to make sure you are updated and patched against the exploit called a byte verifier exploit, either by installing the M$ virtual machine update from Windows Update or by uninstalling it completely and installing SUN Java, which is immune to the bug.

To be sure of being clean from it, as there are several hundred variants and winshow is only one of them, do this:

First download CWShredder from http://www.merijn.org/cwschronicles.html
then
Run CWShredder, check you have the current version, press "check for update" and let it update.
Close all browser windows, click on the cwshredder.exe, then click "FIX" (not "Scan only") and let it do its thing.
And make sure you follow the advice about the security updates listed at the bottom of the page, in order to prevent re-infection; otherwise you will be continually reinfected.
The patches are:
http://support.microsoft.com/default.aspx?kbid=828026
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-011.asp
*Note: The simplest way to make sure you have all the security patches is to go to Windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) and install all "Critical Updates & service Packs"

If Merijn.org is still down due to the DDoS attack on it, the alternative download sites for CWShredder are:
http://www.wilderssecurity.com/attachments/cwshredder1510.zip
http://www.thespykiller.co.uk
http://www.majorgeeks.com/downloads31.html

You might like to read more about it here:
http://www.wilderssecurity.com/showthread.php?t=14086

Jooske
February 29th, 2004, 10:50 AM
So, with this, to make sure, also get HijackThis and post in the HJT forum to see if everything is alright and if you really did not get the whole nasty on your system.
Or, from the DCS sites, the AutoStartViewer if the HJT is still unreachable.

dvk01
February 29th, 2004, 11:22 AM
Quoting Jooske:
"So, with this, to make sure, also get HijackThis and post in the HJT forum to see if everything is alright and if you really did not get the whole nasty on your system.
Or, from the DCS sites, the AutoStartViewer if the HJT is still unreachable."

For future info, HJT is always available from these forums, and if you are viewing them then they haven't been attacked:

http://www.wilderssecurity.com/showthread.php?t=12516

Unfortunately many of the CWS entries do not show in a HijackThis log, or in the Autostart Viewer in TDS either, especially in XP/2000/2003. The only known way of finding or fixing them all is CWShredder. TDS finds & cures some, Ad-aware/Spybot find & cure some, and most antiviruses cure some of them.

It is the most pernicious, devious, problematic ad-spawning trojan ever invented.