As a computer programmer, I never get malware installed on my computer and when I do, I usually can get rid of it. But this one has got me.
About a week ago, I started getting popups when running Firefox.
The popups are launched with explorer.exe, not with IE, and they randomly launch while using the IE, Firefox and Maxthon browsers. They don't launch while using Opera, however.
The popups are blank probably because they are either blocked by my host file or another one of my security programs (NOD32, SpySweeper, Spybot, SpywareBlaster, Sygate Pro).
The dialog box header displays "Advertisment - NSIS Media", mis-spelled.
Malware Info:
Location- C:\Program Files\Common Files\NSIS
Files in the folder- uninst.exe, ns24.dll
Actions that I have tried:
1. Ran the "uninst.exe" in the above folder; it says NSIS Media Extention is uninstalled and the computer must reboot. I reboot, then the problem is still there, but now there is another file in the same folder, "ns48.dll".
Each time I run the "uninst.exe" another file appears in that same folder (ns68.dll, for example: ns + two random numbers + .dll).
2. Turned off System Restore and deleted the above folder in safe mode and emptied the Recycle Bin. Used the Registry Editor and manually deleted all keys, subkeys and values for NSIS. The folder and files still come back after reboot.
3. Scanned my computer with NOD32, SpySweeper, Ad-Aware, Spybot, TrojanHunter, BitDefender online, McAfee online, TrendMicro HouseCall online, Symantec online, McAfee Stinger. Nothing was found except for "uninst.exe" by TrojanHunter, which said it was "Adware.PurityScan.312" and removed it, but it still came back after reboot.
4. Ran HijackThis and nothing was found.
5. Checked running programs with Process Explorer, and that is how I found out that it uses explorer.exe to launch, but I still can't find the string. Nothing else shows up in the Task Manager.
I know this has to be either a hidden trojan or hidden worm. I have no idea how it got installed or how it got past the security programs.
I have searched all of the web trying to find some info, but there is not much there that can help.
Any help would be appreciated.
Thanks.
Since you know it has attached itself to explorer, did you try regedit to find any reg. keys for Explorer's browser feature that they could exploit?
P.S. Of course, as you know that you should make a backup copy of all reg. keys before you make any changes!
stop running the uninstall in that folder....reason: think of the uninst.exe as trojan.exe and each time you run it..you reinstall or restart it. that's my suspicion.
can you go into safe mode and unregister the dll?
does it show up in msconfig?
can you stop it from running automatically with msconfig...does it pop these screens up as soon as you open a browser..or is there a particular webpage or website that pops this nsis message up?
without googling I have no idea what that nsis is...but I'd imagine it was something to do with a nullsoft installer software..other than that I can't think of anything else it could be associated with unless norton antivirus
the two random numbers you mention are definitely calls to certain functions within the dll. they can be as simple as calling an icon from the dll or calling the messagebox window you report seeing.
there are two programs for examining the dll file...one is well known and works with most 32bit dll files, the other only works on 16bit dll files. this is probably a 32 bit dll file.
but yeah, searching the registry for 'uninst.exe' or 'nsis' is a good idea....anything that runs has to be launched from somewhere...usually it will be done in the registry and if you can find and delete the key that calls this file it won't associate itself with explorer anymore or run on its own.
it's a lot of hard work manually searching your registry yourself..make sure you have show all file extensions ticked, even hidden and system files, and keep hitting 'f3' to cycle through searches in your registry editor until you find all instances of it.
startup monitor or startup cop should show you what registry key is calling this...I thought hijack this did too..if it does then it would be easy to delete this key...sometimes as you know there may be another program with an indiscreet name that is called to recreate the trojan..example:
something calling uninstal.dat or someothername.cab to be recreated or renamed each time the system is booted.
did you google 'nsis' and the uninst.exe?
Edit: I see you've done all or most of the above.
Now just delete the uninst.exe and dll file yourself..don't try double-clicking on the 'uninst.exe' as that may be what's reinstalling the trojan...a trojan disguised as an uninstaller for itself...clever.
if you don't remember installing this..get rid of it..odds are you don't need it..if you do have problems with a particular program after removing it..you can always reinstall whatever application it is that needs it, if one needs it, but I bet you won't.
"They make a good read over a smoke and coffee,
while waiting for your life to download."
Ok guys, the good news: the objects in the NSIS folder have been deleted for good.
I went into safe mode and deleted the dlls and the uninst.exe, then I simply denied permissions on that folder, set only to read. I can't delete the folder or the objects will come back.
The bad news: for some unknown reason, I'm still getting popups from NSIS Media.
Yes, something is still launching explorer.exe to display the blank popups. But so far no other computer problems.
Rescanned my computer in Safe Mode with all of the scanners, plus I installed SUPERAntiSpyware, but it didn't find anything either.
This must be something new because of the lack of info.
Thanks for the help.
They seem to be trying to help a lot of people with something that comes up with NSIS all over it here:
http://forums.spywareinfo.com/index....ghlite=%2Bnsis
I linked to the search page there for NSIS.
Ok, I had to reinstall Windows to remove this malware. But I found out what caused it.
I installed Foxie Browser Suite with Security Firewall. The Firewall was a worm.
Do NOT install Foxie Browser Suite; it's a fake program with a worm that uses the firewall.exe to download more malware.
Here are my posts on Wilders Security Forum: http://www.wilderssecurity.com/showthread.php?t=138307
Foxie's websites: getfoxie.com, spreadfoxie.com
Don't install unless you want to reinstall Windows.
Thanks.
That one's scary. Hope those guys you submitted it to figure it out.
I used to have the same problem with NSIS. I heard that you could find it in Add/Remove Programs. So I tried it and to my surprise there it was. So I uninstalled it, but while I was uninstalling it, "uninst.exe" made a hidden launch. I'm almost positive that it's a worm that launches once it is uninstalled to reinstall itself. Luckily I have Kaspersky Lab Anti-Virus that nailed the launch before it could continue. I stopped it and now I haven't had any problems. Haven't seen NSIS in a while. I first noticed a week ago that something kept making a hidden launch of "explorer.exe". Kaspersky caught it 90% of the time but a few slipped through. I was getting sick of it so I decided to do something (I know I'm lazy). I checked out the forums that came up from Google and most had no idea what to do. Some said that someone could get rid of it by simply uninstalling it from Add/Remove Programs. I think you can just make sure that uninst.exe can't launch itself. I'm sure that's why it keeps appearing on your computer even after you think you've got rid of it.
I sent out copies of this malware to Sunbelt's CounterSpy, Symantec (Norton), Nod32, Kaspersky, McAfee, AVG, Avast, BitDefender, Ewido's AntiSpyware, Microsoft's Windows Defender, SpyBot S&D and Lavasoft's Ad-Aware. I couldn't find a way to send it to Webroot SpySweeper or PC Tools Spyware Doctor.
The only ones that replied are Symantec, who said it was an unknown internet worm and said they are working on detection and removal. They recommended that anyone infected with this do a system recovery with your Windows disks, because the damage is unknown at this time.
Sunbelt's CounterSpy also said that it was an unknown malware program, maybe a worm or a virus or trojan downloader. Still working on classification and detection.
Ewido said they couldn't find any problems but they are still working on it.
Thanks.
Kudos on the discovery and for following up on it, littlebits.
So meaning you reinstalled your Windows, littlebits?
I think it's really late from my side:
I got "almost" the same problem, it's something like
spyware= "trustinbar.exe" and it has its own folder in my C:\ drive
my AVG first detected it, so it put it in the vault
then I ran Windows Defender= still same result, so I clicked delete or something
(Ad-Aware did not detect it)
not yet finished
then I ran SPYBOT S&D, same result, I immunized
I thought it's really finished, then a few days after, my AVG detected it again
so I ran again same as above, same result as above
so I did same as you, I looked for its folder, then tried to delete it, no luck
then safe mode, same=no luck to delete it
what I did is:
(I'm getting a little knowledge in HJT, only for my pc scan)
SAFE mode:
I ran CCLEANER, ran Window Washer,
ran
AVG- deleted that "trustinbar.exe" and connected to it
SPYBOT S&D- scanned and fixed problem and immunized all
I ran HJT, checked all the files connected to that "trustinbar.exe" and fixed them
then I looked at that folder, then I tried to delete that and VOILA it works
so then, to be sure I ran again CCLEANER, ran Window Washer
(remember) I'm still in SAFE MODE, I Disable System Restore>>>Reboot>>>Re-enable System Restore
(the purpose for this is, so that some malware that are leaving remnants in C:\System Volume Information will be flushed and surely will not come back)
then I looked at that folder, then I tried to delete that and VOILA it works
so for the others getting "same" problem, maybe try to follow what I did regarding "disable system restore"
infoseeker
suck utorrent/bittorrent
Infoseeker, your problem was much easier to solve since it is a known adware program.
http://service.symantec.com.tw/avcen...rustinbar.html
http://www3.ca.com/securityadvisor/p...x?id=453098075
I'm glad you got rid of it without having to reinstall Windows. HijackThis would have got rid of it also.
However, the NSIS malware is an unknown worm or virus; safe mode doesn't work with it because it changes your Windows system files and it can't be detected even by HijackThis.
Update: Symantec has identified part of the malware infection. It installs in your "Hard Drive\Program Files\Mozilla Firefox\chrome"; the file is "NSIS.jar" (an exe in a java file). It bypasses your firewall, makes copies of itself in many different folders and embeds itself into Windows system files, so no matter how you delete it, it will come back unless you know where all the infected files are located. One of the system files that is known to be infected is "svchost.exe", the Microsoft Service Host Process. Once it infects this system file, it has complete access to connect to the internet and do its nasty work.
It's possible that dsncaching.net is the malware's server where it gets its nasties. Adding dsncaching.net to your hosts file might block part of the infection.
The overall damage is still unknown at this time; it could steal your passwords, private info and no telling what else.
A system recovery was the best option for me.
Thanks.
After much blood, sweat, tears, trial and error (I wasn't going to let it beat me because I DID NOT want to reload), I have figured out what was causing my NSIS media pop-ups.
In my %win%\system32 directory, I had the following 2 files:
krnsvr32.dll
wmdmb32.dll
Neither of these are Windows files and mine are dated 2001. I couldn't delete them, but I was able to MOVE them (accomplishes the same thing huh??) to a temp folder, then rename them. Once this was completed, I manually removed the NSIS stuff (folder and registry entries) ... rebooted and it was gone. I put the files back ... reboot .... it's back.
Hope this will help some of you.
Also, if you are one of the people who "uninstalled" it ... you had better check because the folder location (maybe) and the file names change!!
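The indicators collected across littlebits' update (NSIS.jar under the Firefox chrome folder, the dsncaching.net hosts entry) and wattsja's post (krnsvr32.dll and wmdmb32.dll in System32, plus the NSIS folder and its ns??.dll files) can be swept in one read-only pass. The following PowerShell is an added example, not code from the thread or from any poster; it assumes PowerShell 3 or later, only reports and never deletes, since several posters note that touching the files triggers a reinstall, and the hosts-file line it suggests is littlebits' advice, not a verified indicator.

```powershell
# Added example (not from the thread): read-only sweep for the indicators the posters reported.
$commonFiles = $env:CommonProgramFiles
$system32    = Join-Path $env:SystemRoot 'System32'
$nsisDir     = Join-Path $commonFiles 'NSIS'

# Fixed-path indicators named in the thread
$fixedPaths = @(
    $nsisDir,
    (Join-Path $env:ProgramFiles 'Mozilla Firefox\chrome\NSIS.jar'),
    (Join-Path $system32 'krnsvr32.dll'),
    (Join-Path $system32 'wmdmb32.dll')
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { "FOUND  $p" } else { "absent $p" }
}

# Inside the NSIS folder: uninst.exe and ns + two digits + .dll (ns24, ns48, ns68 in the thread).
# Hash and Authenticode status give you something concrete to submit to a vendor.
if (Test-Path -LiteralPath $nsisDir) {
    Get-ChildItem -LiteralPath $nsisDir -File -Force |
        Where-Object { $_.Name -match '^ns\d{2}\.dll$' -or $_.Name -ieq 'uninst.exe' } |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            "{0}  signature={1}  sha256={2}" -f $_.FullName, $sig.Status, $hash
        }
}

# Run keys, where the posters expected the launcher to be registered
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($null -eq $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $_.Value -match 'nsis|uninst\.exe|krnsvr32|wmdmb32' } |
        ForEach-Object { "RUN KEY  {0}\{1} = {2}" -f $k, $_.Name, $_.Value }
}

# hosts file: is dsncaching.net already sinkholed, as littlebits suggested?
$hostsFile = Join-Path $system32 'drivers\etc\hosts'
if (Select-String -LiteralPath $hostsFile -Pattern 'dsncaching\.net' -Quiet) {
    "hosts  dsncaching.net is already redirected"
} else {
    "hosts  dsncaching.net not present (127.0.0.1 dsncaching.net would follow that advice)"
}
```

Run it from an elevated prompt so System32 and the HKLM Run key are readable; a clean machine prints only "absent" lines and no RUN KEY or FOUND output.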
Ah, bless you wattsja, and your children, and your children's children .....
I have been working on this problem for weeks (you can read my exercises in futility in the Winamp support forums on this subject,) yet no matter what I did, the NSIS folder was always returned on reboot, with a new dll file (NSxx) and the uninstall worm (let's call a spade a spade.)
Having failed all other attempts, and with all suggestions failing, I elected to open the existing NS DLL in a text utility, and changing a few characters to hopefully corrupt the file. This stopped the popups, but I wanted this thing GONE. I was just going to wait for one of the anti-spyware folks to get on the stick with this problem and offer a fix or a removal tool or something, rather than risk having it insinuate itself further into my registry by my attempts to remove it.
Your suggestion seems to have worked perfectly! I found those two files, with the same date stamp, and I 86'd them to a limbo file as you suggested. I had to use JVC to unload registry entries under the NSIS Media Extension heading, as it seems to find every media related piece of software on the drives, and then unload NSIS media references and keys with a registry tool, but I'm happy to say for the first time in a long time, that damn NSIS folder and the self-perpetuating DLL are gone! Thanks for figuring it out. God knows I couldn't.
Problem now is, did it linger elsewhere? This is the rottenest piece of malware I've ever seen, and has defied all other attempts to purge it, even though the amount of infections seems rather small from Google searches. My fear is that something like this could be used for something far more malicious than simply getting a few blank pop-up windows past our blockers. Most of the people who have had this seem fairly savvy, so this got past our firewalls and virus protection and spyware blockers, and then when installed, couldn't be found, let alone removed. Let's hope someone nails this down definitively so a protection can be put in place, and we know where it came from. Thanks again.
I've been following this thread, and others, with interest since I too have been plagued with this nasty little trojan for almost 2 weeks now.
As mtaylor0617 points out, a great many people infected with this aren't novice users but are actually pretty computer savvy. I've been using computers since the mid 70's and I've got this thing, but can't for the life of me figure out from where. I've seen Foxie bandied about as an almost certain carrier but I've never downloaded or installed it, so I'm stumped. I just built this system so there is only a small list of programs that I've gotten online: Firefox, Thunderbird, Open Office, AVG Free Edition, Zone Alarm, Adobe Acrobat Reader, Photobie, QuickTime Player, Frostwire, Painkiller demo 1, and the Prey demo. That's it. I'm not sure if I want to go into the registry and system files to surgically remove this thing until I know what program was carrying it in the first place. I'm hoping that one of the antivirus or spyware companies will have a eureka moment soon and provide an explanation. I'll give it another week. For now I guess I'll put up with the Party Poker pop ups.