NSIS.Library.RegTool
Dazed_and_Confused
July 18th, 2005, 04:46 PM
Has anyone ever seen this (NSIS.Library.RegTool) before? ??? Located in my Win32 subdirectory. One of my faithful security sentinels (DCS WormGuard (http://wormguard.diamondcs.com.au/)) spotted this one trying to execute today. Happened when restarting my PC just after installing FileAnt (http://www.fileant.com/) (which by the way is a nice appy). Not sure if the two are related or not, but the file had a date of Sept 2004, which makes me think it's not. Just thought I would check. Google (http://www.google.com/) was not much help. Thanks in advance! :)
boogie2
July 18th, 2005, 06:51 PM
; Fragment of the UpgradeDLL macro from NSIS Include\UpgradeDLL.nsh; the matching
; Push calls that the final Pops undo come earlier in the macro.
;Advance counter
; $R0 = number of DLLs queued so far in this install session, kept as a DWORD
StrCpy $R0 0
ReadRegDWORD $R0 HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "count"
IntOp $R0 $R0 + 1
WriteRegDWORD HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "count" "$R0"
;------------------------
;Setup RegTool
; $R3 = command already registered under RunOnce, if any. If $R3 names an existing
; file the two instructions after IfFileExists are skipped; otherwise RegTool.bin
; is extracted into $R2 and registered to run once (with /S) at the next logon.
ReadRegStr $R3 HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" "NSIS.Library.RegTool.v2"
IfFileExists $R3 +3
File /oname=$R2\NSIS.Library.RegTool.v2.exe "${NSISDIR}\Bin\RegTool.bin"
WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\RunOnce" \
"NSIS.Library.RegTool.v2" '"$R2\NSIS.Library.RegTool.v2.exe" /S'
;------------------------
;Add RegTool entry
; Queue DLL $R1 as entry number $R0 together with its registration mode; RegTool
; reads these entries at RunOnce time, after the reboot, when the old DLL is no
; longer in use and can be replaced and registered.
WriteRegStr HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "$R0.file" "$R1"
WriteRegStr HKLM "Software\NSIS.Library.RegTool.v2\UpgradeDLLSession" "$R0.mode" "${mode}"
; Restore the registers saved at the start of the macro
Pop $R3
Pop $R2
Pop $R1
Pop $R0
Dazed_and_Confused
July 18th, 2005, 09:49 PM
Very funny! Was that supposed to answer my question?
ronjor
July 18th, 2005, 09:51 PM
Hi Daisey.
NSIS is an installer program used by some programmers. As far as the entries, maybe we can get Rumpstah to fill us in.
http://nsis.sourceforge.net/
Dazed_and_Confused
July 18th, 2005, 09:54 PM
-{ Quote: "NSIS is an installer program used by some programmers..." }-
Hi Ron! So it's not malware, right?
ronjor
July 18th, 2005, 10:03 PM
Daisey,
I'll have to defer to Rumpstah on that question. He will be through here soon. :)
rumpstah
July 18th, 2005, 11:42 PM
Hi Dazed_and_Confused:
Yes, the file in question can be considered malware (installed by FileAnt). It is attempting to install the begin2search toolbar.
I hope this helps. ;)
FanJ
July 19th, 2005, 09:47 AM
Hi Daisey, Boogie2, Ron, Rumpstah,
I am a little bit puzzled about this.
First for your info:
I guess that the posting from Boogie2 was (maybe only part of?) that NSIS.Library.RegTool.
See for example :
http://cvs.sourceforge.net/viewcvs.py/nsis/NSIS/Include/UpgradeDLL.nsh?rev=1.5
As Ron posted, it is an installer program used by some programmers.
It could be that it is also used by some malware.
As I understood, a related file NSISDl.dll is used by some malware, but that doesn't have to mean that the file itself is malicious.
See for example discussion:
http://forums.winamp.com/showthread.php?threadid=209232
I have not tried that program FileAnt.
Rumpstah,
Are you sure about what you wrote about it:
"Yes, the file in question can be considered malware (installed by FileAnt). It is attempting to install the begin2search toolbar."
Sorry for asking; I do have great respect for you !
Daisey,
Have you perhaps set up WormGuard to log its warnings?
If so, is there perhaps a log entry describing why and about what WormGuard was giving a warning? Maybe you could copy that log entry?
Well, sorry for all the questions. I was just trying to understand it ;)
PS:
I saw a thread at the Gladiator forum about FileAnt:
http://gladiator-antivirus.com/forum/index.php?showtopic=16758
In case there is something wrong with it, we should let our friends at Gladiator know about it.
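To make the RunOnce mechanism in boogie2's snippet concrete, here is an added example (not part of this thread, of FileAnt or of NSIS) that reads a .reg export of HKLM\Software and lists what the NSIS RegTool RunOnce entry would do at the next logon. It assumes the export is in the "Windows Registry Editor Version 5.00" text format written by reg.exe or regedit, that the value layout follows the snippet ("count", "<n>.file", "<n>.mode"), and that the RunOnce value name equals the subkey name under HKLM\Software, as the snippet writes it. SAMPLE_REG, the DLL paths in it and the mode strings are constructed for this example, not captured from a FileAnt install.

```python
r"""Added example: list the DLL registrations an NSIS RegTool RunOnce entry has
queued, from a .reg export. Not code from the thread, FileAnt or NSIS.

Assumptions: "reg export HKLM\Software dump.reg" format (UTF-16 on disk);
value names "count", "<n>.file", "<n>.mode" as in boogie2's snippet; the
RunOnce value name equals the subkey under HKLM\Software. SAMPLE_REG is
constructed. The mode string is only reported, not interpreted.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"NSIS.Library.RegTool.v2"="\"C:\\WINDOWS\\system32\\NSIS.Library.RegTool.v2.exe\" /S"

[HKEY_LOCAL_MACHINE\Software\NSIS.Library.RegTool.v2\UpgradeDLLSession]
"count"=dword:00000002
"1.file"="C:\\WINDOWS\\system32\\example1.dll"
"1.mode"="D"
"2.file"="C:\\Program Files\\SomeApp\\example2.dll"
"2.mode"="D"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
STR_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')
RUNONCE = r'hkey_local_machine\software\microsoft\windows\currentversion\runonce'


def _unescape(s):
    # .reg text escapes backslash and double quote with a backslash
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor') or line.startswith(';'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()      # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = int(m.group(2), 16)
            continue
        m = STR_RE.match(line)
        if m:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def load_reg(path):
    """reg.exe writes UTF-16LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding='utf-16') as fh:
        return parse_reg(fh.read())


def regtool_exe_path(command):
    """Pull the executable out of a RunOnce command such as '"C:\\x\\y.exe" /S'."""
    m = re.match(r'^"([^"]+)"', command)
    return m.group(1) if m else command.split()[0]


def pending_regtool_work(keys):
    """For each NSIS RegTool RunOnce value, list the DLLs queued in its session key."""
    report = []
    for name, command in keys.get(RUNONCE, {}).items():
        if not name.lower().startswith('nsis.library.regtool'):
            continue
        session = 'hkey_local_machine\\software\\' + name.lower() + '\\upgradedllsession'
        values = keys.get(session, {})
        dlls = []
        for n in range(1, int(values.get('count', 0)) + 1):
            path = values.get(f'{n}.file')
            if path is None:          # count claims an entry that is not there: note the gap
                dlls.append((f'<missing entry {n}>', '?'))
                continue
            dlls.append((path, values.get(f'{n}.mode', '?')))
        report.append({'runonce_value': name, 'command': command, 'dlls': dlls})
    return report


if __name__ == '__main__':
    for item in pending_regtool_work(parse_reg(SAMPLE_REG)):
        print(f"{item['runonce_value']}: runs {regtool_exe_path(item['command'])}")
        for path, mode in item['dlls']:
            print(f"  mode {mode}: {path}")
```

On a real machine, export with `reg export HKLM\Software dump.reg` and call `load_reg('dump.reg')` instead of `parse_reg(SAMPLE_REG)`. The useful check is whether the executable named by `regtool_exe_path` is still on disk and whether the listed DLL paths are ones the installer you just ran should be touching; an entry pointing outside that program's own directory is the thing to look at.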
toadbee
July 19th, 2005, 10:25 AM
I have just now installed FileAnt - and NO such file was installed :o
rumpstah
July 19th, 2005, 02:21 PM
Hi FanJ:
I downloaded FileAnt and ran it. ;)
Then I took the file in question (which was installed to the Registry RunOnce key) and ran it.
FanJ
July 19th, 2005, 09:09 PM
Hi toadbee and rumpstah,
Thanks to both of you for looking at it and for your info !
Just to make sure we're all talking about the same FileAnt, here is the MD5 checksum of the install file:
MD5 - 301F431233ED933E5179C690549C6599
Due to problems with my own far too old machine, I can't make backups at the moment....
That was the reason that I was hesitating to test it myself; sorry for that!
Cheers, Jan.
rumpstah
July 20th, 2005, 04:44 AM
Hi FanJ:
Same here:
301F431233ED933E5179C690549C6599 *fileant.exe = rumpstah
301F431233ED933E5179C690549C6599 *FanJ
Additional MD5 from another malware install with the same NSIS file.
01434B348B145909F434B94151252F3A *NSIS.Library.RegTool.exe
From the one installed by FileAnt:
01434B348B145909F434B94151252F3A *NSIS.Library.RegTool.exe
It is not limited to FileAnt. ;)
Dazed_and_Confused
July 20th, 2005, 10:30 PM
-{ Quote: "...Have you perhaps WormGuard set up to log its warnings?
If so, is there perhaps a log entry describing why and about what WormGuard was giving a warning about? Maybe you could copy that log entry?
" }-
FanJ - Sorry it took me so long to get back to you. I don't think the forum email alerts are working very well. In any case, to answer your question above, this is an exact extract from the log (personal info removed ***). Between the two events below, I restarted my PC.
FILE: C:\Documents and Settings\My Documents\fileant.exe
CLASS: Application
PARAMS:
FOLDER:
FILE EXECUTION - 13:56:11 07/18/2005 by user ***** on computer *****
---
FILE: C:\WINDOWS\system32\NSIS.Library.RegTool.exe
PARAMS:
FOLDER:
FILE EXECUTION - 13:58:14 07/18/2005 by user ***** on computer *****
MULTIPLE EXTENSION EXECUTION 13:58:14 07/18/2005 by user ***** on computer *****
BLOCKED EXECUTION! 13:59:07 07/18/2005 by user ***** on computer ****
I have not noticed any other signs of infection. I've manually scanned my PC with all my defences, including TDS and RootkitRevealer - all negative.
Thanks everyone for their responses! :D
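The log excerpt above shows the pattern a practitioner would want to catch automatically: an installer run from a user directory, then a file with a multi-dot name executing out of system32 a couple of minutes later. The following is an added example, not part of this thread and not DiamondCS WormGuard code, that parses WormGuard-style log entries and correlates the two events. The record layout (FILE:/CLASS:/PARAMS:/FOLDER: header, one event line per alert, records separated by ---) is taken from the excerpt; SAMPLE_LOG is constructed, the user and host names are placeholders, and the ten-minute window and the "more than one dot in the file name" rule are this example's assumptions, not WormGuard's documented logic.

```python
r"""Added example: correlate a WormGuard-style execution log. Not code from
the thread or from WormGuard.

SAMPLE_LOG is constructed after the excerpt posted in the thread (placeholder
user and host). The 10-minute window and the multiple-extension rule are
assumptions of this example.
"""
import re
import ntpath
from datetime import datetime, timedelta

SAMPLE_LOG = r"""FILE: C:\Documents and Settings\alice\My Documents\fileant.exe
CLASS: Application
PARAMS:
FOLDER:
FILE EXECUTION - 13:56:11 07/18/2005 by user alice on computer HOST1
---
FILE: C:\WINDOWS\system32\NSIS.Library.RegTool.exe
PARAMS:
FOLDER:
FILE EXECUTION - 13:58:14 07/18/2005 by user alice on computer HOST1
MULTIPLE EXTENSION EXECUTION 13:58:14 07/18/2005 by user alice on computer HOST1
BLOCKED EXECUTION! 13:59:07 07/18/2005 by user alice on computer HOST1
---
FILE: C:\WINDOWS\system32\notepad.exe
PARAMS:
FOLDER:
FILE EXECUTION - 14:30:00 07/18/2005 by user alice on computer HOST1
"""

# "FILE EXECUTION - hh:mm:ss mm/dd/yyyy by user U on computer H"; the dash is optional
EVENT_RE = re.compile(
    r'^(?P<event>[A-Z][A-Z !]*?)\s*(?:-\s*)?'
    r'(?P<time>\d{2}:\d{2}:\d{2}) (?P<date>\d{2}/\d{2}/\d{4})'
    r' by user (?P<user>\S+) on computer (?P<host>\S+)$')

USER_DIRS = ('\\documents and settings\\', '\\users\\')
SYSTEM_DIRS = ('\\windows\\system32\\', '\\winnt\\system32\\')


def parse_wormguard_log(text):
    """Split the log into records: {'file': path, 'events': [(name, datetime), ...]}."""
    records = []
    for chunk in text.split('---'):
        rec = {'file': None, 'events': []}
        for line in chunk.splitlines():
            line = line.strip()
            if line.startswith('FILE:'):
                rec['file'] = line[len('FILE:'):].strip()
                continue
            m = EVENT_RE.match(line)
            if m:
                when = datetime.strptime(m['time'] + ' ' + m['date'], '%H:%M:%S %m/%d/%Y')
                rec['events'].append((m['event'].strip(), when))
        if rec['file'] and rec['events']:
            records.append(rec)
    return records


def multiple_extensions(path):
    """The 'multiple extension' heuristic: more than one dot in the file name."""
    return ntpath.basename(path).count('.') > 1


def first_execution(rec):
    times = [t for name, t in rec['events'] if name.startswith('FILE EXECUTION')]
    return min(times) if times else None


def correlate(records, window_seconds=600):
    """Flag a system32 file with a multi-dot name whose first execution follows an
    .exe run from a user-profile directory within window_seconds."""
    window = timedelta(seconds=window_seconds)
    findings = []
    for rec in records:
        path = rec['file'].lower()
        if not any(d in path for d in SYSTEM_DIRS) or not multiple_extensions(path):
            continue
        started = first_execution(rec)
        if started is None:
            continue
        candidates = []                        # installer-like runs shortly before
        for other in records:
            opath = other['file'].lower()
            ostart = first_execution(other)
            if other is rec or ostart is None or not opath.endswith('.exe'):
                continue
            if any(d in opath for d in USER_DIRS) and timedelta(0) <= started - ostart <= window:
                candidates.append((ostart, other['file']))
        if not candidates:
            continue
        ostart, installer = max(candidates)    # the most recent one
        findings.append({
            'installer': installer,
            'dropped': rec['file'],
            'seconds_after': int((started - ostart).total_seconds()),
            'blocked': any(n.startswith('BLOCKED') for n, _ in rec['events']),
        })
    return findings


if __name__ == '__main__':
    for f in correlate(parse_wormguard_log(SAMPLE_LOG)):
        print(f"{f['installer']} -> {f['dropped']} after {f['seconds_after']}s"
              f" (blocked={f['blocked']})")
```

The multi-dot rule is the same heuristic WormGuard tripped on, and it has the same weakness: it will flag any legitimately named file with dots in its name, so treat a hit as a lead to check (what wrote the file, what it does at RunOnce), not as a verdict. Because RunOnce entries fire at the next logon, the gap between the two events spans a reboot, which is why the window is minutes rather than seconds.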
FanJ
July 20th, 2005, 10:45 PM
Thanks all so far!
I call on everyone involved to come up with the most exact info to prove their statements that:
1.
NSIS.Library.RegTool might be malicious or not.
2.
FileAnt might be malicious or not.
This issue has to be solved once and for all !!!
Thanks,
Jan (retired global moderator of this board).
Dazed_and_Confused
July 21st, 2005, 07:06 AM
-{ Quote: "...Additional MD5 from another malware install with the same NSIS file.
01434B348B145909F434B94151252F3A *NSIS.Library.RegTool.exe
" }-
Hello Rumpstah! :)
I also appreciate your efforts. :-*
I'm not sure I understand everything you and FanJ are talking about, but I used Cryptosuite to calculate the MD5 for my NSIS.Library.RegTool.exe file, and it was exactly the same as yours above (whatever that means). :-\
MD5 - 01434B348B145909F434B94151252F3A
toadbee
July 21st, 2005, 08:22 AM
Hi again -
That is the same MD5 checksum I have for Fileant.
I did just download it again, installed it - And it creates no such file for me.
I emailed the author and pointed him to this thread for clarification.
Dazed_and_Confused
July 21st, 2005, 07:13 PM
-{ Quote: "That is the same MD5 checksum I have for Fileant.
" }-
Hello, Toadbee! :)
Thanks for all your help. Pardon what might be a stupid question, but how can the NSIS.Library.RegTool file have the same checksum as your Fileant file (I assume you mean Fileant.exe)? I thought that ONLY exactly identical files can have the same checksum. ???
rumpstah
July 21st, 2005, 09:32 PM
Hi Dazed_and_Confused:
Toadbee can not find the NSIS.Library.RegTool.exe.
Since we are unsure of his security configuration, it is probably running when he reboots (the file erases itself after running).
Toadbee can probably give us more insight if this is his procedure and his configuration.
FanJ
July 21st, 2005, 10:04 PM
Hi,
First I have to say sorry because I think that I sounded too unfriendly in my previous posting.
Well, to add to the confusion, this posting is going into another direction.
Don't hold your breath.....
I decided (although I cannot make backup images at the moment) to have a look at it myself.
System W98SE.
I ran file integrity checkers NIS File Check and ADinf32 Pro before installing FileAnt, with the purpose to do that after installing but before rebooting, and to do it after rebooting.
Things went another way....
Installed FileAnt (as usual, all running programs closed near the clock and in Ctrl-Alt-Del except Explorer and Systray).
Installation went OK.
Had a very quick look at FileAnt that had now an icon near the clock.
Closed FileAnt.
Did not reboot (was not even asked to do it).
Ran NIS File Check and ADinf32 Pro.
Rebooted.
Opened FileAnt.
As usual, I first wanted to have a look at About in FileAnt.
And now comes the "surprise"....
There was a little window that gave an option to "Remove Protection"...
Eh, remove protection, what does that mean.....?
Well, I clicked on it to remove that protection (whatever that meant).
WHAM BOClean immediately jumped up
-{ Quote: "
07/22/2005 02:23:38: C:\WINDOWS\ESELLE~1.DLL
Trojan horse was found in above file
ESELLERATE TROJAN STOPPED by BOCLEAN!
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.
" }-
PS:
- FileAnt uninstalled.
- lots of checking will be done.
- Kevin/Nancy will be informed.
Guys, I'm taking a pause (was already the purpose to do so) ;)
Cheers, Jan.
FileAnt
July 21st, 2005, 11:32 PM
The NSIS files are self contained in the install and update.exe.
They are not viral.
There are some viruses that use names from files in NSIS.
eSellerate is not a trojan, it helps me get a few dollars which keeps the web site and some components paid for. http://www.esellerate.net/
regards, will
FileAnt
July 21st, 2005, 11:39 PM
Just to add: the NSIS.Library.RegTool and the DL should be deleted when the setup finishes (maybe after a reboot sometimes).
I will check that they do this weekend and get FileAnt to clean them up if they do not.
thx toadbee for pointing me here ;o)
Dazed_and_Confused
July 23rd, 2005, 12:54 PM
-{ Quote: "
07/22/2005 02:23:38: C:\WINDOWS\ESELLE~1.DLL
Trojan horse was found in above file
ESELLERATE TROJAN STOPPED by BOCLEAN!
Active trojan horse was shut down. System now safe.
Trojan horse was removed, registry cleaned.
" }-
Wow. That was great work, FanJ. :) I have deleted the NSIS.LIBRARY.REGTOOL file from my Win32 directory, and the C:\WINDOWS\ESELLE~1.DLL file as well.
-{ Quote: "
eSellerate is not a trojan, it helps me get a few dollars which keeps the web site and some components paid for. http://www.esellerate.net/
" }-
Based on FileAnt's comments, I am going to hang onto the FileAnt app until I complete my evaluation, unless FanJ (or others) feel strongly that it's a security threat.
FileAnt - Hello. I appreciate you visiting to clear up the issue. Although I stopped using your app after this problem arose, I will jump right back into it because my first impressions of it were positive. Thanks again. :)
Copyright ©2002 - 2012, Wilders Security Forums