TDS file or a Trojan??

I've had TDS3 for over a year and today for the first time a file called MSXMIDI.exe tried to access the net.

One copy of this is in C:/Windows another in TDS folders.
File creation date is today, 6,656 bytes

Googling only finds pest patrol site which lists this as a hijacker.

So, my question is whether this is a legit TDS file or something dropped into TDS folder to fool TDS

 

It is a hijacker not a Trojan, it is not a TDS file: http://www.pestpatrol.com/PestInfo/m/msxmidi.asp
It may pay you to post in the hijack forum here at wilders https://www.wilderssecurity.com/index.php?board=17

Sounds like you stopped it

Have you downloaded the latest radius file & done a full scan just in case there were other things attached?

Can you please submit a zipped copy to submit@diamondcs.com.au Gavin can then add it to his database.


HTH Pilli

 

That is what I found, but the file listed by pest patrol is much larger, this one on my PC is only 6.5 KB.

And why of all folders would it be present in TDS/xDynamic/TDS.Unpk folder.

I'll e-mail it to them and see what they say.

By the way, it tried to contact the Diamond CS site. So it looks like a legitimate file, but this is the very first time it tried to dial out in a year, that is what makes me suspicious.

 

That folder is where TDS unpacks files for checking, usually they are deleted after a scan unless they are corrupted in some way or the scan did not complete for some reason.

Are you sure it was that file that tried to get out or the TDS updater which is set for auto on Fridays and Mondays?

Please send it to Gavin - Thanks

 

Remember: the file in that folder is a copy of an original which has been somewhere else on your system if it is not removed in the meantime.
I see in the computercops forum the file not removed from a HJT log, so maybe the file can be legit as well, could be your file got infected itself (interesting option), so the submission to await Gavin's opinion is good, especially as you think it is calling out:
with Port Explorer up you can see which process exactly is the one calling out and look at packets or kill it.
You might like to zip it before handling it further, so the calling stops. Further you might like to have a look for yourself in the meantime at the file by going to www.kaspersky.com/remoteviruschk.html at the bottom submit the file and get in a few seconds there on line a first opinion.

 

Kaspersky on-line check says that file is infected with winshow trojan downloader ( I think it's adware, kaspersky doesn't specify, my Norton even though updated says nothing about the file, says it's clean ) :

Current object: msxmidi.exe

msxmidi.exe Packed: UPX
msxmidi.exe Infected: TrojanDownloader.Win32.WinShow.p

Actually it looks like I was wrong, firewall reported the destination IP to be the same as the one dialed by TDS3 that's why I thought it was dialing diamondcs.site, but it's not actually , it's just my ISP.

It looks like this file is not the actual winshow virus/adware, but tried to download it and got caught.

 

Gavin will definitely tell you more about the file, as now we all want to know! You did submit it, did you?
You did not find another original on your system somewhre else? Maybe deleted already (i hope) --
you last sentense: "tried to download it but got caught"
Do you mean you think the file was trying to download it or you yourself?
If the file was trying to call, it means it would be active on your system; one reason more to zip it and send it in to Gavin. And to do another scan to make sure you're really clean!

 

The original file was in the windows directory and my firewall alarmed me that it was trying to dial out.

I did a search to find the file ( by name given by firewall ) and search returned 2 files, exactly the same, one was in the windows folder which I assume is the original and the second one was in TDS/xDynamic/TDS.Unpk folder.

I did submit both ( renamed one to msxmidiWin ) just in case there was a difference between the two.


I think this file was downloaded somehow and then it tried to download the actual trojan which seems to be winshow.dll ( from what I found out researching winshow ). There is no winshow on my PC, I guess because firewall stopped msxmidi from downloading it. So it looks like I'm clean.

 

Right, now you tell about the second copy or better said the original elsewhere on your system the story fits exactly. The one in the TDS Unpk folder is the copy of the same, there for being unpacked and scanned and normally should have been deleted after that action or with the next scan. Now Gavin has his copies you can delete the one in the Unpk folder anyway, the other if you would think it could be part of a program which will stop functioning without the file on your system you can rename, for instance by adding an extention behind it, msxmidi.exe.tmp which can't run, or keep it zipped, or after Gavin's reaction delete it. Sounds like a good catch!

 

So with this to make sure also get Hijackthis and post in the HJT forum to see if everything is alright and if you really did not get the whole nasty on your system.
Or from the DCS sites the AutoStartViewer if the HJT is still unreacheable.