Overclock.net › Forums › Software, Programming and Coding › Networking & Security › Wow. I have a whole new kind of Malware on my computer. "NSIS Media"
Wow. I have a whole new kind of Malware on my computer. "NSIS Media" - Page 2

post #11 of 18
Thread Starter 
Quote:
Originally Posted by uberjon
That's what they've got us for: pull an all-nighter once a month just to fix their PC.

Back on topic... have you tried booting in safe mode and scanning for spyware, etc.?
You underestimate me, padawan. This is a smart malware product. Basic troubleshooting isn't going to cut it here. I'm getting SOPHOS anti-spyware now. I'll let you all know if it works.
Murphy's Law
(13 items)
 
  
CPUMotherboardGraphicsRAM
Phenom X4 9850 BE Gigabyte GA-MA790GP-DS4H HIS Radeon HD 4850 512MB IceQ4 Edition 2x2GB OCZ Reaper DDR2 1066Mhz 
Hard DriveOptical DriveOSMonitor
2x1TB Seagates in RAID 1 Sony DRU-530A DVD-RW XP Pro SP3 Samsung 957MB 
KeyboardPowerCaseMouse
Saitek Eclipse Antec NeoPower Blue 650W Lian-Li PC-65B Logitech MX518 v2.0 
Mouse Pad
Custom Bansheepad 
  hide details  
Reply
post #12 of 18
Let us know if it does
    
CPUMotherboardGraphicsRAM
FX8320 Asus M5A78L-M/USB3 XFX AMD Radeon HD 7950 Graphics Card 3GB Corsair CMX8GX3M2A1333C9 XMS3 16GB (4x4GB) 
Hard DriveHard DriveCoolingOS
Samsung F3 1TB Hard Drive Crucial CT128M4SSD2 128GB SSD Coolermaster Hyper 212 EVO Windows 7 Professional  
MonitorMonitorPowerCase
Samsung SyncMaster BX2431 1080p PCBank PB2700 1440p IPS Be Quiet! Dark Power Pro 550W PSU  Xigmatek Giggas 
  hide details  
Reply
post #13 of 18
One thing can do it for sure: "HijackThis.exe". Download that and you can list all the DLLs and extensions that are started with Windows. All you have to do is mark off what looks to be obviously malware/adware etc., clean it, and it'll be disabled the next time your computer boots.

If you need help take a screen shot of what it lists and I or somebody here can most likely help.

http://www.majorgeeks.com/download3155.html
post #14 of 18
Thread Starter 
Quote:
Originally Posted by accskyman
One thing can do it for sure: "HijackThis.exe". Download that and you can list all the DLLs and extensions that are started with Windows. All you have to do is mark off what looks to be obviously malware/adware etc., clean it, and it'll be disabled the next time your computer boots.

If you need help take a screen shot of what it lists and I or somebody here can most likely help.

http://www.majorgeeks.com/download3155.html
Thanks for your help, but please read the link in the original thread! They discuss everything from what they scanned with to the exact .dll files they encountered. Once again, this is not basic troubleshooting!

I finally got through the pain of getting to Sophos' software (you have to fill out all kinds of crap to download)

Sophos found it! The very fact that it found it is a good sign, as most antivirus products (no others that I know of) don't even have a definition for it.

post #15 of 18
So...it actually worked?
post #16 of 18
To download it what do you select on http://www.sophos.com/support/updates/sbs/sss.html
post #17 of 18
Thread Starter 
Quote:
Originally Posted by Niko-Time
To download it what do you select on http://www.sophos.com/support/updates/sbs/sss.html
To answer your question... I'm not exactly sure. I signed up for three different ones and finally got an email that gave me a direct link instead of a stupid username/password that didn't work (dumb "verification"... 1 hour my butt....)
I *think* this is it... not sure..: http://www.sophos.com/products/small...nti-virus/eval

_____________________________________

Anyway...

Here's everything I've done, and I think it's worked. Keep in mind that, based on other people's experiences, this malware can vary WIDELY. A lot of the specific file names people mentioned didn't even exist on my computer. Some people can remove it with bocleaner etc.; some can't. It's a really evil one.

-Turned off system restore
-Scanned system with SOPHOS and deleted found files... it was only one and was found in C:\Program Files\Common Files\NSIS\ns35.dll <- that number will vary from 0 to 99 and the file will be 20kb.
-Deleted other file in the folder (the "uninstall" file)
-Searched registry for all NSIS keys and deleted all necessary keys (don't just delete them all... some keys will have words like "consist" in them)
-Logged out of that user and logged into another user to see if it was dead.
-NSIS had reinstalled keys and common files folder

-I then found a site that mentioned that it will make a file of a random number between 0 and 99. I made blank .dll files in notepad named ns0.dll, ns1.dll... ... ... ns99.dll then made the entire NSIS folder read only, hidden, and encrypted.
-logged out, logged back in.

-I found that one of the files was no longer 0kb... it was 20kb... it was being used by NSIS...

-Loaded hijackthis! and checked everything. Couldn't find anything suspicious... couldn't find anything I could single out in the running tasks in taskmanager....

I then read more junk online and saw that some people had actually found an entry in Add/Remove Programs. I checked and found nothing. So, I went to the folder where the uninstall file was (in the ...Common Files\NSIS folder).

I then double-clicked the uninstall icon, but cancelled when it asked if I was sure (because I figured actually using their uninstaller might be asking for more trouble). All of a sudden Windows created an Add/Remove entry. I used Add/Remove and BLAMMO... no more registry entries... no more Common Files folder.

Thanks windows XP... I don't know what the crap you did, but it seems to have worked.

In other words, I think I've finally vanquished this foul beast. Hope some of this helps you! I can really notice speed improvements

PWNED! (Those errors are not bad. They're just encrypted files)
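The post above describes three manual checks: look for an ns<0-99>.dll of about 20 KB in the Common Files\NSIS folder, search the registry for "NSIS" without also catching keys whose names merely contain the letters (the "consist" pitfall the poster mentions), and pre-create empty ns0.dll..ns99.dll decoys so a regenerated loader shows up as a decoy that is no longer 0 bytes. The script below is an added example that automates that triage; it is not the poster's tool or anything from the thread. It assumes a 2 KB tolerance around the 20 KB size (the post only says "20kb"), sets only the read-only attribute on the decoys (the post also set hidden and encrypted, which the standard library cannot do), and runs on a constructed temporary folder and constructed registry key names so it works offline; point `suspicious_dlls`, `plant_decoys` and `overwritten_decoys` at the real folder to use it. One caveat worth keeping in mind: NSIS is also the name of the legitimate Nullsoft Scriptable Install System, so a key or uninstaller named NSIS is not by itself proof of infection; the whole-token match narrows the search, it does not confirm anything.

```python
import os
import re
import tempfile
from pathlib import Path

# Naming pattern the post describes for the dropped loader: ns<0-99>.dll, about 20 KB.
NS_DLL_RE = re.compile(r"^ns(\d{1,2})\.dll$", re.IGNORECASE)
EXPECTED_SIZE = 20 * 1024
SIZE_TOLERANCE = 2 * 1024   # assumption: the post only says "20kb", so allow some slack

# "NSIS" as a standalone token. A plain substring search for "nsis" also matches
# "consist"/"Consistency" (c-o-N-S-I-S-t), which is exactly the trap the post warns about.
NSIS_TOKEN_RE = re.compile(r"(?<![A-Za-z0-9])nsis(?![A-Za-z0-9])", re.IGNORECASE)


def suspicious_dlls(folder):
    """Return [(name, size)] for ns<N>.dll files in `folder` whose size is near 20 KB."""
    hits = []
    for entry in os.scandir(folder):
        m = NS_DLL_RE.match(entry.name)
        if not m or not entry.is_file():
            continue
        size = entry.stat().st_size
        if abs(size - EXPECTED_SIZE) <= SIZE_TOLERANCE:
            hits.append((entry.name, size))
    return sorted(hits)


def filter_nsis_keys(key_paths):
    """Keep only registry key paths that contain NSIS as a whole token (not 'consist')."""
    return [k for k in key_paths if NSIS_TOKEN_RE.search(k)]


def plant_decoys(folder, read_only=True):
    """Pre-create empty ns0.dll..ns99.dll so the loader cannot drop a fresh file under a
    free name. Existing files are left alone. Returns the names created."""
    created = []
    for n in range(100):
        p = Path(folder) / f"ns{n}.dll"
        if p.exists():
            continue
        p.touch()
        if read_only:
            os.chmod(p, 0o444)   # on Windows this sets the read-only attribute
        created.append(p.name)
    return created


def overwritten_decoys(folder):
    """Decoys that are no longer 0 bytes: something wrote into them, the signal the post saw."""
    return sorted(e.name for e in os.scandir(folder)
                  if NS_DLL_RE.match(e.name) and e.is_file() and e.stat().st_size > 0)


def demo():
    """Run the triage on a constructed folder and constructed key names (not real data)."""
    sample_keys = [                                        # constructed, not from the page
        r"HKLM\SOFTWARE\NSIS",
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSIS Media",
        r"HKCU\Software\SomeApp\Consistency",              # must NOT be flagged
        r"HKLM\SOFTWARE\Vendor\consist_check",             # must NOT be flagged
    ]
    with tempfile.TemporaryDirectory() as d:
        Path(d, "ns35.dll").write_bytes(b"\x00" * EXPECTED_SIZE)   # stand-in for the found file
        Path(d, "uninstall.exe").write_bytes(b"MZ")                  # the "uninstall" file
        Path(d, "readme.txt").write_bytes(b"x")                      # unrelated, ignored
        result = {
            "dlls": suspicious_dlls(d),
            "keys": filter_nsis_keys(sample_keys),
            "created": len(plant_decoys(d)),
            "overwritten": overwritten_decoys(d),
        }
        # Give the read-only decoys their write bit back so the temp dir can be removed.
        for n in range(100):
            os.chmod(Path(d) / f"ns{n}.dll", 0o644)
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

`overwritten_decoys` is the check to run after logging out and back in, as the post did: any decoy that has grown from 0 bytes is the file the loader regenerated, and its name tells you which random number it picked this time.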
post #18 of 18
Quote:
Originally Posted by TheInformationator
To answer your question... I'm not exactly sure. I signed up for three different ones and finally got an email that gave me a direct link instead of a stupid username/password that didn't work (dumb "verification"... 1 hour my butt....)
I *think* this is it... not sure..: http://www.sophos.com/products/small...nti-virus/eval

_____________________________________

Anyway...

Here's everything I've done, and I think it's worked. Keep in mind that, based on other people's experiences, this malware can vary WIDELY. A lot of the specific file names people mentioned didn't even exist on my computer. Some people can remove it with bocleaner etc.; some can't. It's a really evil one.

-Turned off system restore
-Scanned system with SOPHOS and deleted found files... it was only one and was found in C:\Program Files\Common Files\NSIS\ns35.dll <- that number will vary from 0 to 99 and the file will be 20kb.
-Deleted other file in the folder (the "uninstall" file)
-Searched registry for all NSIS keys and deleted all necessary keys (don't just delete them all... some keys will have words like "consist" in them)
-Logged out of that user and logged into another user to see if it was dead.
-NSIS had reinstalled keys and common files folder

-I then found a site that mentioned that it will make a file of a random number between 0 and 99. I made blank .dll files in notepad named ns0.dll, ns1.dll... ... ... ns99.dll then made the entire NSIS folder read only, hidden, and encrypted.
-logged out, logged back in.

-I found that one of the files was no longer 0kb... it was 20kb... it was being used by NSIS...

-Loaded hijackthis! and checked everything. Couldn't find anything suspicious... couldn't find anything I could single out in the running tasks in taskmanager....

I then read more junk online and saw that some people had actually found an entry in Add/Remove Programs. I checked and found nothing. So, I went to the folder where the uninstall file was (in the ...Common Files\NSIS folder).

I then double-clicked the uninstall icon, but cancelled when it asked if I was sure (because I figured actually using their uninstaller might be asking for more trouble). All of a sudden Windows created an Add/Remove entry. I used Add/Remove and BLAMMO... no more registry entries... no more Common Files folder.

Thanks windows XP... I don't know what the crap you did, but it seems to have worked.

I've had SOPHOS scanning for a long time now and so far there are no signs of it. It should have shown up a LONG time ago because I'm all the way on my G: drive (it takes forever to scan my bazillion GB of HD space).

In other words, I think I've finally vanquished this foul beast. Hope some of this helps you! I can really notice speed improvements
CONGRATS!!!