NSIS Media Popups

Discussion in 'Spyware' started by littlebits, Jul 7, 2006.

This thread is being watched by 52 users.
  1. littlebits

    littlebits Member Established Member

    As a computer programmer, I never get malware installed on my computer and when I do, I usually can get rid of it. But this one has got me.

    About a week ago, I started getting popups when running Firefox.

    The popups are launch with explorer.exe, not with IE and they randomly launch while using IE, Firefox and Maxthon browsers. They don't launch while using Opera however.

    The popups are blank probably because they are either blocked by my host file or another one of my security programs (NOD32, SpySweeper, Spybot, SpywareBlaster, Sygate Pro).

    The dialog box on the header displays "Advertisment - NSIS Media"

    Malware Info:

    Location- C:\Program Files\Common Files\NSIS
    Files in the folder- uninst.exe, ns24.dll

    Actions that I have tried:

    1.Ran the "uninst.exe" in the above folder, it says NSIS Media Extention is uninstalled and computer must reboot. I reboot, then the problem is still there but now there is another file in the same folder "ns48.dll".

    Each time I run the "uninst.exe" another file appears in that same
    folder. (ns68.dll, example ns+two random numbers+dll).

    2. Turn Off System Restore and Deleted the above folder in safe mode and emptied the Recycle Bin. Used the Registry Editor and manually deleted all keys, subkeys and values for NSIS. The folder and files still come back after reboot.

    3. Scanned my computer with NOD32, SpySweeper, Ad-Aware, Spybot, TrojanHunter, BitDefender online, McAfee online, TrendMicro HouseCall online, Symantec online, McAfee Stinger. Nothing was found except for the "uninst.exe" by TrojanHunter it said it was "Adware.PurityScan.312" and removed it, but it still came back after reboot.

    4. Ran HijackThis and nothing was found.

    5. Check running programs with ProcessExplorer and that how I found out that it uses explorer.exe to launch, but still can't find the string. Nothing else shows up in the Task Manager.

    I know this has to be either a hiden trojan or hiden worm. I have no idea how it got installed or how it got passed by security programs.

    I have searched all of the web trying to find some info, but there is not much there that can help.

    Any help would be appreciated.

  2. DigitalJunkie

    DigitalJunkie Still learning.........!

    Since you know it has attached itself to explorer, did you try regedit to find any reg. keys for Explorer's browser feature that they could expolit?

    P.S. Of course, as you know that you should make a backup copy of all reg. keys before you make any changes!
  3. Dark Messenger

    Dark Messenger Naruto Fan Established Member

    stop running the uninstall in that folder....reason think of the uninstal.exe as trojan.exe and each time you run it..you reinstall or restart it. that's my suspicion.
    can u go into safe mode and unregister the dll?
    does it show up in msconfig?
    can u stop it from running automatically with msconfig...does it pop these screens up as soon as u open a browser..or is there a particuliar webpage or website that pops this nsis message up?

    without googling I have no idea what that nsis is...but i'd imagine it was something to do with a nullsoft installer software..other than that I can't think of anything else it could be associated with unless norton antivirus

    the two random numbers u mention are definitely calls to certain funtions within the dll. they can be as simple as calling an icon from the dll or calling the messagebox window u report seeing.

    there are two programs for examing the dll file...one is well known and works with most 32bit dll files the other only works on 16bit dll files. this is probably a 32 bit dll file.

    but yeah searching the registry for 'uninst.exe' or 'nsis' is good idea....anything that runs has to be launched from somewhere...usually it will be done in the registry and if u can find and delete the key that calls this file it won't associate itself with explorer anymore or run on its own.

    its a lot of hard work manually searching ur registry urself..make sure u have show all file extensions ticked even hidden and system files and keeping hitting 'f3' to cycle through searches in ur registry editor until u find all instances of it.

    startup monitor or startup cop should show u what registry key is calling this...i thought hijack this did too..if it does than it would be easy to delete this key...sometimes as u know there may be another program with an indiscreet name that is called to recreate the trojan..example:

    something calling uninstal.dat or someothername.cab to be recreated or renamed each time the system is booted.

    did u google 'nsis' and the uinstal.exe?

    Edit I see u done all or most of the above.

    Now just delete the uninstal.exe and dll file ur self..don't try double-clicking on the 'uninstal.exe' as that may be what's reinstalling the trojan...a troj disguised an an uninstaller for its self...clever.

    if u don't remember installing this..get rid of it..odds are u don't need it..if u do have problems with a particuliar program after removing it..u can always reinstall whatever application it is that needs it if one needs it but i bet u won't.
  4. littlebits

    littlebits Member Established Member

    Ok guys the good news, the objects in the NSIS folder have been deleted for good.
    I went into safe mode and deleted the dlls and the uninst.exe, then I simply Denied permissions on that folder set only to read. I can't delete the folder or the objects will come back.

    The bad news, for some unknown reasons, I'm still getting popups from NSIS Media.

    Yes something is still launching explorer.exe to display the blank popups. But so far no other computer problems.

    Rescanned my computer in Safe Mode with all of the scanners plus I installed SUPERAntiSpyware but it didn't find anything either.

    This must be something new because of the lack of info.

    Thanks for the help.:icon_prof
  5. littlebits

    littlebits Member Established Member

    Ok, I had to reinstall Windows to remove this malware. But I found out what caused it.

    I installed Foxie Browser Suit with Security Firewall. The Firewall was a worm.

    Do NOT install Foxie Browser Suit it's a fake program with a worm that uses the firewall.exe to download more malware.

    Here is my posts on Wilders Security Forum- http://www.wilderssecurity.com/showthread.php?t=138307

    Foxie's websites-getfoxie.com , spreadfoxie.com
    Don't install unless you want to reinstall Windows.

  6. That one's scary. Hope those guys you submitted it to figure it out.
  7. help arrived?

    i use to have the same problem with NSIS. i heard that you could find it in the Add/Remove Programs. so i tried it and to my suprise there it was. so i uninstalled it but while i was uninstalling it, "uninst.exe' made a hidden launch. i'm almost possitive that its a worm that launchs once it is uninstalled to reinstall it self. luckly i have Kaspersky Lab Anti-Virus that nailed the launch before it could continue. I stoped it and now i havent had any problems. haven't seen NSIS in a while. i first noticed that a week ago that soemthing kept making a hidden launch of "exploer.exe". kaspersky caught 90% of the time but a few slipped through. i was getting sick of it so i decided to do soemthing (i no i'm lazy). i checked out the forums that came up from google and most had no idea what to do. some said that someone could get rid of it by simply uninstalling it from add/remove programs. i think you can just make sure that uninst.exe cant launch itself. i sure thats y it keeps appearing on your computer even after you think u get rid of it.
  8. littlebits

    littlebits Member Established Member

    I sent out copies of this malware to Sunbelt's CounterSpy, Symantec (Norton), Nod32, Kaspersky, McAfee, AVG, Avast, BitDefender, Ewido's AntiSpyware, Microsoft's Windows Defender, SpyBot S&D and Lavasoft's Ad-Aware. I couldn't find a way to send it to Webroot SpySweeper or PC Tools Spyware Doctor.

    The only ones that replied are Symantec- said it was an unknown internet worm and said they are working on detection and removal. They reccommended that anyone infected with this to do a system recovery with your Windows disks. Because the damage is unknown at this time.

    Sunbelt's CounterSpy- Also said that it was an unknown malware program maybe a worm or a virus or trojan downloader. Still working on classification and detection.

    Ewido said they could find any problems but there are still working on it.

  9. Dark Messenger

    Dark Messenger Naruto Fan Established Member

    :icon_thum kudos, on the discovery and for following up on it, littlebits.
  10. infoseeker

    infoseeker Fear me!!! PLEASSSSEEE..

    so meaning you reinstalled your windows littlebits?

    i thinks its really late from my side:

    i got "almost" same problem, its something like
    spyware= "trustinbar.exe" and it has own folder in my C:\ drive
    my AVG first detected it, so put in vault
    then i run windows defender= still same result, so i click delete or something
    (AD-aware did not detected)

    not yet finished
    then i run SPYBOT S&D, same result, i immunized

    i thot its really finished, then few days after, my AVG detected it again

    so i run again same as above, same result as above

    so i did same as you, i look for its folder, then try to delete it, no luck
    then safe mode, same=no luck to delete it

    what i did is:
    (im getting a little knowledge in HJT, only for my pc scan)
    SAFE mode:
    i run CCLEANER, run window washer,
    AVG- deleted that "trustinbar.exe" and connected to it
    SPYBOT S&D- scan and fixed problem and immunized all

    i run HJT, checked all the file connected to that "trustinbar.exe" and fixed them

    then i looked that folder, then i try to delete that and VOILA it works:icon_thum

    so then, for to be sure i run again CCLEANER, run window washer

    (remember)im still in SAFE MODE, i Disable System-Restore>>>Reboot>>>Renable System-Store
    (the purpose for this is, so that some malware that are leaving remnants in C:\System Volume Information will be flush and surely will not comeback)

    then i looked that folder, then i try to delete that and VOILA it works:icon_thum

    so for the others getting "same" problem, maybe try to follow what i did regarding "disable system restore"

    :icon_sunn infoseeker :icon_sunn
  11. littlebits

    littlebits Member Established Member

    Infoseeker, you problem was much easier to solve since it is a known adware program.



    I'm glad you got rid of it without having to reinstall Windows. Hijack This would have got rid of it also.

    However the NSIS malware is an unknown worm or virus, the safe mode doesn't work with it because it changes your Windows system files and can't be detected even by Hijack This.

    Update: Symantec has identified part of the malware infection, It installs in your "Hard Drive\Program Files\Mozilla Firefox\chrome" the file is "NSIS.jar" (an exe in a java file). It bypasses your firewall and makes copies of itself in many different folders and enbeds itself into windows system files. Because no matter how you delete it, it will come back unless you know where all the files that are infected are located. One of the system files that is know to be infected is "svchost.exe" Microsoft Service Host Process. Once it infects this system file, it has complete access to connect to the internet and do its nasty work.

    It's possible that dsncaching.net is the malware's server where it gets its nasties. Adding dsncaching.net to your host file might block part of the infection.

    The overall damage is still unknown at this time, it could steal your passwords, private info and no telling what else.

    A system recovery was the best option for me.

  12. wattsja

    wattsja Member

    Problem Solved ??

    After much blood, sweat, tears, trial and error (i wasn't going to let it beat me because I DID NOT want to reload), I have figured out what was causing my NSIS media pop-ups.

    In my %win%\system32 directory, I had the following 2 files:

    Neither of these are Windows files and mine are dated 2001. I couldn't delete them, but I was able to MOVE them (accomplishes the same thing huh??) to a temp folder, then rename them. Once this was completed, I manually removed the NSIS stuff (folder and registry entries) ... rebooted and it was gone. I put the files back ... reboot .... it's back.

    Hope this will help some of you.

    Also, if you are one of the people who "uninstalled" it ... you had better check because the folder location (maybe) and the file names change!!
  13. mtaylor0617

    mtaylor0617 Member

    Ah, bless you wattsja, and your children, and your children's children .....

    I have been working on this problem for weeks (you can read my exercises in futility in the Winamp support forums on this subject,) yet no matter what I did, the NSIS folder was always returned on reboot, with a new dll file (NSxx) and the uninstall worm (let's call a spade a spade.)

    Having failed all other attempts, and with all suggestions failing, I elected to open the existing NS DLL in a text utility, and changing a few characters to hopefully corrupt the file. This stopped the popups, but I wanted this thing GONE. I was just going to wait for one of the anti-spyware folks to get on the stick with this problem and offer a fix or a removal tool or something, rather than risk having it insinuate itself further into my registry by my attempts to remove it.

    Your suggestion seems to have worked perfectly! I found those two files, with the same date stamp, and I 86'd them to a limbo file as you suggested. I had to use JVC to unload registry entries under the NSIS Media Extension heading, as it seems to find every media related piece of software on the drives, and then unload NSIS media references and keys with a registry tool, but I'm happy to say for the first time in a long time, that damn NSIS folder and the self-perpetuating DLL are gone! Thanks for figuring it out. God knows I couldn't.

    Problem now is, did it linger elsewhere? This is the rottenest piece of malware I've ever seen, and has defied all other attempts to purge it, even though the amount of infections seems rather small from Google searches. My fear is that something like this could be used for something far more malicious than simply getting a few blank pop-up windows past our blockers. Most of the people who have had this seem fairly savvy, so this got past our firewalls and virus protection and spyware blockers, and then when installed, couldn't be found, let alone removed. Let's hope someone nails this down definitively so a protection can be put in place, and we know where it came from. Thanks again.
  14. Sick Boy

    Sick Boy Member

    I've been following this thread, and others, with interest since I too have been plagued with this nasty little trojan for almost 2 weeks now.

    As mtaylor0617 points out, a great many people infected with this aren't novice users but are actually pretty computer savy. I've been using computers since the mid 70's and I've got this thing, but can't for the life of me figure out from where. I've seen Foxie bandied about as an almost certain carrier but I've never downloaded or installed it, so I'm stumped. I just built this system so there are only a small list of programs that I've gotten online: Firefox, Thunderbird, Open Office, AVG Free Edition, Zone Alarm, Adobe Acrobat Reader, Photobie, QuickTime Player, Frostwire, Painkiller demo 1, and the Prey demo. That's it. I'm not sure if I want to go into the registry and systen files to surgically remove this thing until I know what program was carrying it in the first place. I'm hoping that one othe antivirus or spyware companies will have an eureka moment soon and provide and explanation. I'll give it another week. For now I guess I'll put up with the Party Poker pop ups.
  15. littlebits

    littlebits Member Established Member

    The NSIS malware is related to the Nullsoft Scriptable Install System- http://nsis.sourceforge.net/Main_Page
    It is an open source project where anyone can create their own installers. Many popular programs are using this system to install their products. This means either there is a bug in the Nullsoft Scriptable Install System to allow other malware to install or some bad programmers are using this system to inject malware into their products. I have read all of the internet about this strange NSIS malware, some of the people that got infected didn't install anything but trusted programs but many of these trusted programs used the Nullsoft Scriptable Install System.

    Like myself, at the time I got infected with it there were only a few programs that I installed. Two of which used the Nullsoft installer, one was Foxie. I had Nod32 all modules enabled and Webroot SpySweeper running with all shields. Sygate Pro firewall on stealth mode. But I screw up by letting Foxie connect with its firewall.
    I also had SpywareBlaster updated to restrict bad products and Spybot's Immunize activated.

    It really is a mystery how that malware got passed all this protection.

  16. mtaylor0617

    mtaylor0617 Member

    I'm a Maxthon user, and have been for a number of years. I always have their excellent suite of ad and pop-up blockers enabled, as well as the ActiveX blocker.

    Just prior to this NSIS prob, I had a small problem in opening my IE browser. This had a small effect on the Maxthon, but I could easily work around it. In any event, we don't like our computers operating not up to snuff if we can help it, and I resolved to troubleshoot the IE glitch. Fearing that I might make things worse (not impossible!) I downloaded the Firefox browser for the first time, as it had an independent engine, and I didn't want to lose Internet access. I used it just long enough to configure it to some degree, and check it out while I had it on my drive. I am almost certain that this is when I first started getting those blank NSIS media popups. I think at the time, I just figured it was a "Firefox thing," (their blockers weren't as effective, for instance,) and didn't worry about it too much. It was when I went back to Maxthon and IE and got the popups that I first started going, "uh-oh!"

    I thought there was a general problem with known browser PU-blockers causing this, so while I was trying to deal with it from the browser end, I didn't realize for quite a few days that this NSIS crap had been installed on my drive. I have never had a piece of malware, a worm, or virus that has caused me any problem. I've had stuff turn up, sure, with scans, but never anything that had been doing any damage yet. This was my first real infection, and it was a doozy, not so much for what it did (hopefully the popups were the extent of its purpose) but because it seemed almost supernatural in its ability to remain on the drive. When you look at my scan from JVC registry cleaner when removing "NSIS Media Extension" from the startup menu via the registry (on the Winamp forum) you can see how many keys were involved. Mostly A/V media software, but even image software like Google's Picassa. None of these keys or entries even MENTIONS NSIS, and I rely on the JVC to tell me they had been compromised. Then, there's the basic NSIS media keys (titled as such) that need to be purged from the registry.

    I am wondering, from all that I've read so far, if a small amount of Firefox browser install files had this infection for a short period of time. I say small amount, as this thing doesn't appear to be running wild, at least yet, unless there are a lot of people out there who accept popups as part of everyday life on the web. In any event, one of the first things I did was uninstall Firefox and take every reference out of the registry. It didn't help at the time, but I still have the feeling that this is where it came from. I can understand, Sick Boy, how you may not want to attack system or registry files without having all information available, but moving and renaming those two files in the system folder really did solve the problem. Whether that would work without also wiping out the registry entries, I don't know, but if you want to do something as minimally as possible to try and stop the popups, that might be the way to go, (and delete the NSIS folder too.) I suspect that NS**.dll file HAS to be present for the whole package to work, which is why so much time was spent on designing this monster in such a way that you can't delete it, or even rename it. (Well, you CAN rename it, but then there is another NS**.dll sitting beside your renamed DLL on the next reboot. Grrrr.)

    Good luck anyway, and hope you can send this thing to Malware Hell before too long. Don't know if you're noticing this too, but in addition to the popups, I also had a much slower computer; a lot of disk activity, as if an intense process was running in the background all the time, although I couldn't find it even with real-time system process monitors. I think it was hooked into SVCHOST.EXE in some way, so it probably looked legit to me. As soon as I got rid of this, my machine went back to normal operating and boot-up speeds.
  17. TomC26

    TomC26 Member

    I've had this pesky malware on my system for a couple of days now.
    Of the software listed by Sick Boy I'm running Firefox, Thunderbird, Open Office, Adobe Acrobat Reader, and QuickTime Player.
    The most recent ones to be updated were Open Office (to 2.0.3) and Firefox Allow Right Click extension, both a couple of days before the NSIS Media popups started to appear.
    They show up whenever I use Firefox (my default browser) after a variable delay of several minutes. Yesterday they only showed up a few times, today it's more like every 10 minutes.
    Hope this helps someone to track it down.
  18. Definitely a bad one...

    and definitely from "Foxie" in my case. I've tried pretty much everything mentioned here. I also wrote a little VBScript to delete the NSIS folder on startup but the popups continue. I'm beginning to think the folder and the dll may have little to do with the real infection. On another forum someone mentioned that the folder seemes to be created on shutdown rather than on startup which may be the case. I've seen different registry entries, one refers to something called "flockstd" I believe. The thing certainly seems to have infected one or more system files and there doesn't seem to be any obvious place in the registry where it's getting called. I referred it to Mark at SysInternals, the guy who outed the Sony rootkit but with incredible bad timing, they just got bought by Microsoft so I doubt I'll be hearing from him. It's good to know that some of the AV companies are looking into it.

    Whoever wrote this damned thing knew what they were doing. That raises the question - if the purpose is to serve ads, why is it so easy to block the ad content itself when the rest of it is so sophisticated? It makes me worry that the real purpose is something more sinister - but then again, why call attention to it with the ad windows? As you can see this is driving me crazy. At this point, I think the best way to nail it down would be installing Foxie on a clean system with RegMon, FileMon and every other surveillance gizmo running and try to find out what it's doing when it gets its hooks into a system.
  19. Sick Boy

    Sick Boy Member

    I agree with you Nathan Detroit. I tend to think that the ad serving part of this little beast might be a cover for something else. This has all the hallmarks of something more malicious. Most adware tends to be sneaky, and hard to remove, but it doesn't usually propegate itself throughout your system when you try to uninstall it. That particular feature is more virus-like. Some people have had success getting rid of the popups using the supplied uninstaller, some haven't. The ones that still get popups are reporting that this thing is pretty invasive. I think that the ones that aren't getting popups anymore probably assume that they've fixed the problem and haven't gone in to check if this thing is still lurking. I just find it hard to believe that something that sneaky and persistent would actually disarm itself with its own uninstaller. I think that mtaylor0617 may have discovered how to break this thing, but it's hard to tell without knowing exactly what it's doing.

Share This Page