Trojan.NSIS.StartPage_7abdcabf9a

by malwarelabrobot on April 29th, 2017 in Malware Descriptions.

not-a-virus:Downloader.Win32.Agent.edeg (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 7abdcabf9ac276867325d795d8d9c47a
SHA1: c238d9cf613978f2086928ff1de436405921df67
SHA256: d8031d7580519206a57e39e99c983acfc7d54100c2812a58efd3e80462a82992
SSDeep: 1536:iCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRG:iCaZ2Yrb0VTXJYWEsCGuiY
Size: 75696 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-25 07:01:29
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

ns409A.tmp:1388
InstGameInfoHelperMSN.exe:2924

The Trojan injects its code into the following process(es):

MSNGamesSetup.exe:3400
%original file name%.exe:2180

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process ns409A.tmp:1388 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\InstGameInfoHelperMSN.exe (466 bytes)

The process MSNGamesSetup.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\nsExec.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\ftdownload.dat (512 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\modern-header.bmp (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\version.txt (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\ns409A.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\System.dll (23 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\ns409A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp (0 bytes)

The process InstGameInfoHelperMSN.exe:2924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\tn_feat.jpg (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\6899031132227113883[1].txt (808 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gm-config[1].xml (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\gametitle.txt (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tn_feat[1].jpg (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\tn_feat.bmp (22 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DF65BCD43C300A89FB.TMP (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\6899031132227113883[1].txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gm-config[1].xml (0 bytes)

The process %original file name%.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe (269559 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\nsisdl.dll (30 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\ftdownload.dat (512 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsw1A14.tmp (0 bytes)

Registry activity

The process InstGameInfoHelperMSN.exe:2924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\InstGameInfoHelperMSN_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
2963e74c4e6fc1424a23465ca8c141be c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe
960a5c48e25cf2bca332e74e11d825c9 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\System.dll
a5a4cee2eb89d2687c05ef74299f0dba c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\nsisdl.dll
0025cd88501fa44e826bc9ed4bdef2fb c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\InstGameInfoHelperMSN.exe
c17103ae9072a06da581dec998343fc1 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\System.dll
acc2b699edfea5bf5aae45aba3a41e96 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\nsExec.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23146 23552 4.44842 8781c451557a4626018483faabe438d0
.rdata 28672 4558 4608 3.62903 640f709ec19b4ed0455a4c64e5934d5e
.data 36864 108472 1024 3.37017 c9a433d4fe67308d6a5942cfb667cbe7
.ndata 147456 32768 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 180224 17000 17408 2.69684 654ac01907b168453e2702f516512acd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 354

URLs

URL IP
hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/msngames/MSNGamesSetup.exe
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/gm-config
hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/arcade/rawinfo/1734336651647603319/6899031132227113883
hxxp://cdn-vpc-aws-iwin-com-1060965153.us-east-1.elb.amazonaws.com/images/product/1734336651647603319/tn_feat.jpg
hxxp://gm-msn.iwin.com/arcade/rawinfo/1734336651647603319/6899031132227113883 52.70.238.198
hxxp://gm-msn.iwin.com/gm-config 52.70.238.198
hxxp://dl.iwin.com/msngames/MSNGamesSetup.exe 52.201.155.224
hxxp://img.iwin.com/images/product/1734336651647603319/tn_feat.jpg 34.192.37.181


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)
ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

GET /msngames/MSNGamesSetup.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Fri, 28 Apr 2017 08:55:00 GMT
Expires: Fri, 28 Apr 2017 12:55:00 GMT
Last-Modified: Tue, 16 Feb 2016 08:50:08 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 3556392
Connection: Close

<<< skipped >>>

GET /images/product/1734336651647603319/tn_feat.jpg HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: img.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Access-Control-Allow-Headers: X-Requested-With, Accept
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 86400
Age: 430841
Cache-Control: max-age=86400, s-maxage=2592000
Content-Type: image/jpeg
Date: Fri, 28 Apr 2017 08:55:10 GMT
ETag: "c8ff15145f5dc5108a784f2dac5d86e1"
Last-Modified: Thu, 01 May 2014 17:00:50 GMT
Server: AmazonS3
Via: 1.1 img.iwin.com
Via: 1.1 varnish
x-amz-id-2: JFTON3aaukZsu6ViSPoByoXSuty2S8VnwL0307JzKE9M275e0S6O11asJkGWuFWvt7nWFm4P2M=
x-amz-request-id: 7F0F9715F82D1242
X-Varnish: 352310139 349775567
Content-Length: 1645
Connection: keep-alive


GET /gm-config HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 402
Cache-Control: max-age=7200
Content-Type: application/xml;charset=utf-8
Date: Fri, 28 Apr 2017 08:55:09 GMT
Last-Modified: Sun, 17 Aug 292278994 07:12:55 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.4.6 (Ubuntu)
Vary: iWin-App
Via: 1.1 varnish
X-Varnish: 1097389207 1097386197
Content-Length: 5034
Connection: keep-alive
<?xml version="1.0" encoding="utf-8"?>
<gm-url-config xmlns="http://VVV.iwin.com/schemas/catalog" xmlns:xsi="hXXp://VVV.w3.org/2001/XMLSchema-instance">
<site-host>msnprod.oberon-media.com</site-host>
<gm-host>gm-msn.iwin.com</gm-host>
<url-signin>hXXps://gm-msn.iwin.com/Login.do</url-signin>
<url-about-icoins>hXXp://gm-msn.iwin.com/membership</url-about-icoins>
<url-my-account>hXXps://gm-msn.iwin.com/account/icoins</url-my-account>
<url-signout>hXXps://gm-msn.iwin.com/Logout.do</url-signout>
<url-search>hXXp://gm-msn.iwin.com/search?q=</url-search>
<url-part-rawInfo>/arcade/rawinfo/</url-part-rawInfo>
<url-update-arcade>hXXp://gm-msn.iwin.com/dgu?game=ARCD&amp;ver=</url-update-arcade>
<url-update-game>hXXp://gm-msn.iwin.com/dgu?game=</url-update-game>
<url-ws-services-slog>hXXp://ws-msn.iwin.com/services/slog?</url-ws-services-slog>
<url-ws-services-dlog>hXXp://ws-msn.iwin.com/services/dlog?act=</url-ws-services-dlog>
<url-ws-services-ulog>hXXp://ws-msn.iwin.com/services/ulog?lid=</url-ws-services-ulog>
<url-ws-icoins>hXXp://gm-msn.iwin.com/account/icoins-safe.xml;jsessionid=%s</url-ws-icoins>
<url-part-more-game>/calendar/games/new</url-part-more-game>
<url-part-top-game>hXXp://gm-msn.iwin.com/arcade/home</url-part-top-game>
<url-part-ad1>/arcade/panel/bottom</url-part-ad1>
<url-part-ad2>/arcade/panel/right<

<<< skipped >>>

GET /arcade/rawinfo/1734336651647603319/6899031132227113883 HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com


HTTP/1.1 200 OK
Accept-Ranges: bytes
Age: 0
Cache-Control: no-cache, private, max-age=0, s-max-age=0, must-revalidate
Content-Type: text/plain;charset=utf-8
Date: Fri, 28 Apr 2017 08:55:10 GMT
P3P: CP="NOI CURo ADMo DEVo TAIo OUR NOR IND COM NAV"
Server: nginx/1.4.6 (Ubuntu)
Vary: MSN-App
Via: 1.1 varnish
X-Varnish: 178954948
Content-Length: 808
Connection: keep-alive
gameid|1734336651647603319|skuid|6899031132227113883|title|Rise of Atlantis|tryLink|hXXp://download.iwincdn.com/gg/pf/iwin/1734336651647603319/acd_-1m_pogoiwin_gas0/iwin/RiseofAtlantisSetup.exe|desc|Find a way to bring the legendary continent of Atlantis back to the surface. In this extraordinary puzzle game with spectacular new features, handy bonuses and explosive power-ups, you set out on an adventurous quest around the ancient lands of Greece, Troy, Phoenicia, Babylon, Egypt, Carthage and Rome to gather the seven greatest powers of the patron god of the Atlanteans - Poseidon. With 77 captivating levels of fantastic game play, truly unique twists and the ability of continuous replay this game will keep you entertained for weeks!|activation_code||pid||email||price|999|trial_time|0|allaccess|true

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_2180:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
hu2.iu
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\nsisdl.dll
\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp
\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\nsisdl.dll
.%U~O<2y
.reloc
WSOCK32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
Execute: C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp
MSNGamesSetup.exe
MSNGAM~1.EXE
dm\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe
sers\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsw1A14.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0a2</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>

%original file name%.exe_2180_rwx_10004000_00001000:

callback%d

MSNGamesSetup.exe_3400:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
hu2.iu
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
s\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\tn_feat.bmp
r.bmp
.msn.com.
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\version.txt
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp
00C.tmp\ftdownload.dat
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\modern-header.bmp
=yt.gN!(
Z%S,4
A/%sW
ftdownload.dat
FTDOWN~1.DAT
sers\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe
%Program Files%\MSN Games
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp
MSNGamesSetup.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsr400B.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
MSN Games Manager powered by iWin is required to launch and play Rise of Atlantis and other games from games.msn.com.
436863518
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

MSNGamesSetup.exe_3400_rwx_10004000_00001000:

callback%d


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ns409A.tmp:1388
    InstGameInfoHelperMSN.exe:2924

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\InstGameInfoHelperMSN.exe (466 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\nsExec.dll (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\ftdownload.dat (512 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\modern-header.bmp (26 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\version.txt (4 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\ns409A.tmp (14 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\tn_feat.jpg (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\6899031132227113883[1].txt (808 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\gm-config[1].xml (5 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\gametitle.txt (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\tn_feat[1].jpg (1 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr400C.tmp\tn_feat.bmp (22 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\MSNGamesSetup.exe (269559 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\nsisdl.dll (30 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm1A25.tmp\ftdownload.dat (512 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
