NSIS Media Popups

Discussion in 'malware problems & news' started by littlebits, Jul 7, 2006.

Thread Status:
Not open for further replies.
  1. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    NSIS Media Popups (Resolved: caused by Foxie Browser)

    As a computer programmer, I never get malware installed on my computer and when I do, I usually can get rid of it. But this one has got me.

    About a week ago, I started getting popups when running Firefox.

    The popups are launched with explorer.exe, not with IE, and they randomly launch while using IE, Firefox and Maxthon browsers. They don't launch while using Opera, however.

    The popups are blank, probably because they are either blocked by my hosts file or another one of my security programs (NOD32, SpySweeper, Spybot, SpywareBlaster, Sygate Pro).

    The dialog box header displays "Advertisment NSIS Media" (mis-spelled).

    Malware Info:

    Location- C:\Program Files\Common Files\NSIS
    Files in the folder- uninst.exe, ns24.dll

    Actions that I have tried:

    1. Ran the "uninst.exe" in the above folder; it says NSIS Media Extention is uninstalled and the computer must reboot. I rebooted, then the problem was still there, but now there was another file in the same folder, "ns48.dll".

    Each time I run the "uninst.exe" another file appears in that same folder (ns68.dll, for example: ns + two random numbers + dll).

    2. Turned off System Restore, deleted the above folder in Safe Mode and emptied the Recycle Bin. Used the Registry Editor and manually deleted all keys, subkeys and values for NSIS. The folder and files still come back after reboot.

    3. Scanned my computer with NOD32, SpySweeper, Ad-Aware, Spybot, TrojanHunter, BitDefender online, McAfee online, TrendMicro HouseCall online, Symantec online, McAfee Stinger. Nothing was found except for the "uninst.exe", which TrojanHunter flagged as "Adware.PurityScan.312" and removed, but it still came back after reboot.

    4. Ran HijackThis and nothing was found.

    5. Checked running programs with Process Explorer, and that is how I found out that it uses explorer.exe to launch, but I still can't find the string. Nothing else shows up in the Task Manager.


    I know this has to be either a hidden trojan or hidden worm. I have no idea how it got installed or how it got past my security programs.


    I have searched all of the web trying to find some info, but there is not much there that can help.


    Any help would be appreciated.


    Thanks.:D
     
    Last edited: Jul 12, 2006
  2. betauser2

    betauser2 Guest

    download and run http://www.superantispyware.com

    If you haven't run scanners in safe mode then do so (i.e. anti-spyware).

    If you have a restore program use it (i.e. System Restore on Win XP).

    Otherwise post a hijackThis log at a dedicated forum
     
  3. betauser2

    betauser2 Guest

    By googling I've found people removing it by Control Panel > Add/Remove Programs.
     
  4. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    I already ran all my scanners in safe mode and my HijackThis log has already been examined and has no malware.


    I'm starting to think my "win.ini" is affected; all other startup registry keys have been checked.

    I will try SuperAntiSpyware and see if it finds anything.

    It doesn't show up on the Add or Remove Programs list.


    Thanks for your help.:D
     
  5. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    708
    A few weeks ago I got the same NSIS Media crap; unfortunately I don't remember well what I did to get rid of it. Try to run a scan with X-Cleaner or Dr Web CureIT!.
     
  6. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262

    I sure wish you knew what you did to get rid of it; Xblock and DrWeb found nothing.

    SuperAntiSpyware just found a few spyware cookies.

    Thanks.:D
     
  7. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    708
    1. Click Start > Run > Type in: %appdata% - look for the NSIS Media folder and delete it.

    2. If NSIS Media doesn't show up on the Add or Remove Programs list, try to install CCleaner > click on Tools and look for the NSIS Media uninstaller.

    3. Enable System Restore and run again a full scan with Dr Web CureIT!
     
    Last edited: Jul 8, 2006
  8. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Welcome to the forum littlebits!

    I'm sure there is a definitive removal method for what you're experiencing. Being a programmer, I would gather you'd have no trouble tracking down the offender utilizing both "reg" from the cmdline (sees what regedit cannot) and SysInternals Regmon (excellent article if your OS matches). From there, and from what I understand some of the experts over on experts-exchange are saying about the matter, is to selectively use registry and/or file (PE allows this) permissions to remove access for these types of "stealth" problem files, i.e. denying all after a (registry) export so as to prevent them from further running. Then deleting, editing out unwanteds, and re-merging the corrected and updated key. Finally re-setting permissions after re-booting if all went accordingly.
    Lacking experience, please don't ask the particulars.

    That you're now suspecting the win.ini, I suppose it's possible some code-injection may be responsible, though I'm sorry to say no answers can come from me where this is concerned (thought that was your cup of tea :D). Perhaps a later reply will provide the solution you seek.

    Best of luck!


    GF
     
  9. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    As an afterthought .... Regmon allows boot-logging. If you can then determine which files in explorer are at fault and you have the Recovery Console based on OS, supply the required registry edits to "set allowallpaths = true" (RC must be installed; should be applicable as well on Win2K though I cannot verify). This would allow you to remove read-only file attributes, re-name, and delete items outside the %systemroot% directory, and outside Windows itself where most of these things run.

    GF
     
  10. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Ok, that folder and files come back after every reboot, even a Safe Mode reboot. I tried every way to find out what's causing it. I went into Safe Mode and deleted the exe and dll files within that folder. Then I set permissions on that folder to read only. Then I found all the registry keys for NSIS and deleted all subkeys and values. Then I denied permission on those keys to write any subkeys or values. Ok, after that I restarted and it took my computer forever to start up; one process of svchost.exe had to be killed because it was locking up my computer.

    Besides that, the NSIS folder was empty and the registry keys were blank.
    I thought that might stop the NSIS popups, but to my disappointment, they started coming back.

    What I know is that they are loaded with javascript and launch explorer.exe.
    Still blank popups, but I can't find what's causing them.

    I'm going to try Regmon's boot logging and see what I can find.


    I already tried CCleaner, RegVac and Registry First Aid and cleaned my registry. It did no good.



    Thanks everyone for your help.:D
     
  11. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Try the following:
    Boot using BartPE / Ultimate Boot CD for Windows, and delete the files, dlls etc.
    Look for any suspicious folder or folders that might be stealthed when normally booted - usually rootkits and such - and delete them. Then reboot normally and see what happens.
    Mrk

    P.S. Any idea how you got infected?
     
  12. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Well guys thanks for all the advice.:D
    Even after booting from my Windows disk, the malware still came back.
    This has to be an unknown virus, worm or trojan.
    I finally just did a system recovery with my Windows disks.
    I got to save all my documents (had to take ownership and move them to the new account) and I got to save some programs; I just had to reinstall all of those Windows Updates, 48 altogether including SP2. Had to reinstall Nod32, Sygate and SpySweeper. Now I'm still setting my computer back up the way I want it.

    I did find the source of the infection; it was in my Local Settings\Temp folder on my old user account. I encrypted it to a password-locked zipped folder in Safe Mode and moved it to My Documents. It was called "A~NSISu_.exe". I'm going to submit it to be examined.


    Anyone know some websites where I can submit this malware?


    Thanks.:)
     
    Last edited: Jul 10, 2006
  13. GlobalForce

    GlobalForce Regular Poster

    Joined:
    Jun 30, 2004
    Posts:
    3,581
    Location:
    Garden State, USA
    Sorry to hear it came down to a re-install, though there's nothing wrong with that. Personally, I'd have done the same, knowing it can get quite frustrating spending too much time trying to resolve what can be alleviated with a simple reload. The other thought I suspect works well is viewing the infected system from another computer. Good to hear you moved the problem right along littlebits, taking the most direct route considering the circumstance. ;) Many others would have preferred beating the proverbial dead horse!

    If you'd like to submit, here's the info for NOD and/or Ewido.


    GF
     
  14. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Ok, I submitted the file to Nod32 and Ewido. I gave them my email. Maybe they will contact me. I will let you all know. I would like to submit it to others as well.


    Thanks.:D
     
  15. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    My gf had the same NSIS pop-up crap and I uninstalled it in Add/Remove yesterday. Will be interesting to see if it returns. The strange part is that she hasn't installed anything and is running FF 1.5.0.4, NOD32, latest Java, latest ZA Pro, and they just pop up & ZA Pro does nothing! Not even an allow/block question.

    Before I found the uninstall option I scanned with Ad-aware, Counterspy & Spybot S&D, all newest definitions. They found nothing. Strange.
     
  16. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    When I first discovered the NSIS popups, I was using Firefox. The last thing that I remember installing was a Firefox extension from download.com. I believe it was the Greenshift Theme. I also noticed when I did a search for "NSIS" on my computer, I found "C:\Program Files\Mozilla Firefox\chrome\nsis.jar". It would also come back after every reboot after it was deleted. It could have been the source of the infection.

    Check this out- http://forums.tomcoyote.org/index.php?showtopic=65519


    Thanks.:D
     
  17. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    Edit: I saved the install logs from my computer before I did the recovery. I checked all programs with the dates and compared them to when I first discovered the infection. This took some time, but then I found only three programs that got installed or updated during that time.

    1. Maxthon Browser
    2. JetAudio
    3. Foxie Browser with security firewall.

    Then I did some searching on the web to trace the source.


    It all points towards Foxie Browser. One of the reviews on BetaNews says that the Firewall.exe has a worm.

    hxxp://fileforum.betanews.com/detail/Foxie/1125399370/1

    I found several other posts in other security forums indicating malware issues, which all had the Foxie Browser with this Firewall in their HijackThis logs.

    I just installed Foxie, didn't like it, uninstalled it and went back to Firefox. I never knew that it installed malware. In my log files I had several errors about this Firewall.exe, but I thought it was referring to Windows Firewall.

    Foxie's websites: getfoxie.com, spreadfoxie.com
    Don't install unless you want to reinstall Windows.


    It appeared to be a good website, and I thought it was a part of Mozilla Firefox, but it's not.

    Where I made the mistake was letting the firewall.exe connect to the internet through Sygate. I thought the firewall.exe was checking for updates; instead it was downloading malware.


    Everyone please spread the word about Foxie; it is not associated with Mozilla Firefox. Foxie is just an edited version of Firefox with added security plugins, and don't forget about this bogus firewall that installs malware, viruses, worms and trojans.


    Thanks.:D
     
    Last edited by a moderator: Jul 10, 2006
  18. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Lesson - don't use unknown programs until you read 10 reviews on at least 2-3 forums you trust. Limit your trust to very few apps.
    Mrk
     
  19. owziee

    owziee Registered Member

    Joined:
    Oct 3, 2003
    Posts:
    74
    This NSIS thing is so strange... Now my gf's comp has been infected again and she has only visited 3-4 sites!!! She hasn't installed anything and she has a highly secured system. NOD, ZA Pro, Linksys Wireless Router with firewall, Ad-Aware, Counterspy running & Spybot S&D... She only uses Firefox as well; I've forbidden her to even touch IE :)

    Nothing seems to detect and stop this annoying malware or whatever it is!
    I can't understand how it can bypass ZA either. Its exe doesn't even show up in ZA Program Control, so there is no way to block it from popping up & showing advertisements either :(

    I've always bragged about never getting any adware or other crap... Our systems have been completely clean for years. This one is unstoppable; it somehow gets installed by just browsing around normal websites. I'm running the NoScript FF extension, maybe that's why my system isn't infected yet.
     
    Last edited: Jul 10, 2006
  20. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    I'm sure if you analyzed your / her actions step by step, a perfectly sensible explanation could be found.
    Mrk
     
  21. Sawo

    Sawo Registered Member

    Joined:
    Jul 12, 2006
    Posts:
    1
    Location:
    Czech Republic
    I had the same problem. I just removed it with the "Easy Cleaner" tool (a few hours ago), and the problem seems to be solved. So try it...
     
  22. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Foxie is NOT related to Mozilla Firefox or Microsoft. It has been added to the rogue programs list on several malware websites and removed from download.com for having added malware. The website that hosts the files for download is dnscaching.net, a known malware website that hosts other edited, malware-infected applications such as media players, BitTorrent programs, P2P file sharing programs, game programs and many others.
    The latest version of Foxie comes with a so-called Security Firewall which really is an Internet worm that downloads malware. As the first sign of infection, you will get popups with the Firefox and IE browsers. They will display "Advertisment - NSIS Media", launching from Windows Explorer.
     
  23. wattsja

    wattsja Registered Member

    Joined:
    Jul 14, 2006
    Posts:
    7
    Problem Solved ?? (For me, yes ... hopefully for you as well)

    After much blood, sweat, tears, trial and error (I wasn't going to let it beat me because I DID NOT want to reload), I have figured out what was causing my NSIS Media pop-ups.

    In my %win%\system32 directory, I had the following 2 files:
    krnsvr32.dll
    wmdmb32.dll

    Neither of these are Windows files, and mine are dated 2001. I couldn't delete them, but I was able to MOVE them (accomplishes the same thing, huh??) to a temp folder, then rename them. Once this was completed, I manually removed the NSIS stuff (folder and registry entries) ... rebooted and it was gone. I put the files back ... reboot .... it's back.

    Hope this will help some of you.

    Also, if you are one of the people who "uninstalled" it ... you had better check, because the folder location (maybe) and the file names change!!
     
    Last edited: Jul 14, 2006
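    Two of the checks this thread arrives at by hand, post 17's comparison of program install dates against the day the popups began and post 23's search for non-Windows DLLs in System32, can be scripted. The PowerShell triage script below is an added example and is not code from any poster in this thread. The folder name (Common Files\NSIS), the two DLL names (krnsvr32.dll, wmdmb32.dll) and the idea of a date window are taken from the posts above; the $Since and $Until dates are placeholders to replace with the actual dates on the affected machine. It only reads and reports, so the evidence stays intact for submission to a vendor, as post 12 did.

```powershell
# Added triage example (not from the thread). Assumptions: the NSIS folder
# name and the two DLL names come from the posts; $Since/$Until are
# placeholder dates to replace with when the popups were first noticed.
$Since      = Get-Date '2006-06-30'   # placeholder: start of the window
$Until      = Get-Date '2006-07-07'   # placeholder: day popups were first seen
$NsisFolder = Join-Path $env:CommonProgramFiles 'NSIS'

# 1. Programs installed or updated inside the window (post 17's method).
#    InstallDate in the Uninstall keys is a yyyyMMdd string; not every
#    installer writes it, so entries without one are simply not matched here.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$recentInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -and $_.InstallDate -match '^\d{8}$' } |
  ForEach-Object {
    $d = [datetime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
    if ($d -ge $Since -and $d -le $Until) {
      [pscustomobject]@{ Name = $_.DisplayName; Installed = $d; Uninstall = $_.UninstallString }
    }
  }
"== Programs installed between $($Since.ToShortDateString()) and $($Until.ToShortDateString()) =="
$recentInstalls | Sort-Object Installed | Format-Table -AutoSize

# 2. DLLs in System32 without a valid Authenticode signature (post 23's
#    finding: krnsvr32.dll and wmdmb32.dll were not Windows files). Unsigned
#    does not mean malicious; this is a shortlist to review, not a verdict.
$sys32 = Join-Path $env:SystemRoot 'System32'
$unsignedDlls = Get-ChildItem -Path $sys32 -Filter '*.dll' -File -ErrorAction SilentlyContinue |
  ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    if ($sig.Status -ne 'Valid') {
      [pscustomobject]@{
        File      = $_.Name
        Modified  = $_.LastWriteTime
        SigStatus = $sig.Status
        Company   = $_.VersionInfo.CompanyName
      }
    }
  }
"== System32 DLLs without a valid signature =="
$unsignedDlls | Sort-Object Modified | Format-Table -AutoSize

# 3. Record (do not delete) the artefacts the thread names, with hashes, so
#    the evidence survives for submission to an AV vendor.
if (Test-Path $NsisFolder) {
  "== $NsisFolder =="
  Get-ChildItem $NsisFolder -Force |
    Select-Object Name, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
}
foreach ($f in 'krnsvr32.dll', 'wmdmb32.dll') {
  $p = Join-Path $sys32 $f
  if (Test-Path $p) {
    "Found $p (named in post 23); SHA256: $((Get-FileHash $p -Algorithm SHA256).Hash)"
  }
}
```

    Run it from an elevated PowerShell prompt so the HKLM hives and System32 are fully readable. The signature check is deliberately a filter rather than a verdict: third-party drivers and older components can be legitimately unsigned, so the output is meant to be compared against the install window from step 1 and the dates the thread mentions, the way post 23 reasoned about files "dated 2001" that no known program accounted for.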
  24. cestor

    cestor Registered Member

    Joined:
    Jul 17, 2006
    Posts:
    1
  25. leew79

    leew79 Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    1
    I also got infected with this. I downloaded a program called "poker office" from a BitTorrent site and have had the NSIS pop-ups and odd folders since.
    Did a search on Google for a fix, seeing as Spybot and stuff didn't notice it, and ended up here, and thanks to some of the methods above mine's all gone and ok.
    I never ran the uninstaller, just deleted the whole folder it was in and the nsis.jar file in the chrome folder, also deleted the two krnsvr32.dll and
    wmdmb32.dll files and all the traces of it I could find in the registry, ran CCleaner a couple of times too. 3 reboots and an hour later the files and folders are still not on my computer and not one pop-up, so fingers crossed, job done.
    Cheers for sharing all your finds.
     