Trojan.NSIS.StartPage_6e0ad2cce6
Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6e0ad2cce681ad41e316a21d0e20ceba
SHA1: d4395ec750d2d6f960674b43e846d9b141c5293c
SHA256: 19e76276d71fb9675669367a6448ee2f29c2da2c1956abda834d2b1ceb989672
SSDeep: 1536:SCaIoX1oYOcbTMV88TXJLEu42EsCGu3SzRRTZ:SCaZ2Yrb0VTXJYWEsCGuizZ
Size: 75712 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2013-12-25 07:01:29
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
InstGameInfoHelperMSN.exe:1804
The Trojan injects its code into the following process(es):
%original file name%.exe:320
MSNGamesSetup.exe:1968
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\MSNGamesSetup.exe (349165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsisdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
The process InstGameInfoHelperMSN.exe:1804 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IW12486N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5E5RKQG2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAQJ40LQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9QQMZ5AR\desktop.ini (67 bytes)
The process MSNGamesSetup.exe:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\version.txt (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns5.tmp (0 bytes)
Registry activity
The process %original file name%.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED F8 64 8A FB 60 DC 00 EB CD 6B FD 7B BC 82 6A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process InstGameInfoHelperMSN.exe:1804 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 7A E8 99 0D 47 96 46 D4 F8 F8 E9 BF 8F D5 5D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process MSNGamesSetup.exe:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 4C BD C8 57 CA 08 4C BD 0D 5A C9 5A 77 CB 53"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
| MD5 | File path |
|---|---|
| 0025cd88501fa44e826bc9ed4bdef2fb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\InstGameInfoHelperMSN.exe |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\System.dll |
| acc2b699edfea5bf5aae45aba3a41e96 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj4.tmp\nsExec.dll |
| 2963e74c4e6fc1424a23465ca8c141be | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\MSNGamesSetup.exe |
| 960a5c48e25cf2bca332e74e11d825c9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\System.dll |
| a5a4cee2eb89d2687c05ef74299f0dba | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx2.tmp\nsisdl.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23146 | 23552 | 4.44842 | 8781c451557a4626018483faabe438d0 |
| .rdata | 28672 | 4558 | 4608 | 3.62903 | 640f709ec19b4ed0455a4c64e5934d5e |
| .data | 36864 | 108472 | 1024 | 3.37017 | c9a433d4fe67308d6a5942cfb667cbe7 |
| .ndata | 147456 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 180224 | 17000 | 17408 | 2.69684 | 654ac01907b168453e2702f516512acd |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 126
URLs
| URL | IP |
|---|---|
| hxxp://stamp-vpc-aws-iwin-com-1981998893.us-east-1.elb.amazonaws.com/msngames/MSNGamesSetup.exe | |
| hxxp://msn-iwin-com-121665791.us-east-1.elb.amazonaws.com/gm-config/3077169517353382007 | |
| hxxp://gm-msn.iwin.com/gm-config/3077169517353382007 | |
| hxxp://dl.iwin.com/msngames/MSNGamesSetup.exe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE iwin.com Games/Spyware User-Agent (iWin GameInfo Installer Helper)
Traffic
GET /msngames/MSNGamesSetup.exe HTTP/1.0
Host: dl.iwin.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Accept-Ranges: bytes
Cache-Control: max-age=14400
Content-Type: application/x-msdos-program
Date: Mon, 07 Mar 2016 19:43:41 GMT
Expires: Mon, 07 Mar 2016 23:43:41 GMT
Last-Modified: Tue, 16 Feb 2016 08:50:08 GMT
Server: Apache/2.2.22 (Ubuntu) mod_perl/2.0.5 Perl/v5.14.2
Content-Length: 3556392
Connection: Close
GET /gm-config/3077169517353382007 HTTP/1.1
User-Agent: iWin GameInfo Installer Helper
Host: gm-msn.iwin.com
HTTP/1.1 404 Not Found
Accept-Ranges: bytes
Age: 0
Content-Type: text/html;charset=utf-8
Date: Mon, 07 Mar 2016 19:44:00 GMT
Server: nginx/1.1.19
Via: 1.1 varnish
X-Varnish: 1071578413
Content-Length: 11316
Connection: keep-alive
The Trojan connects to the servers at the following location(s):
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
InstGameInfoHelperMSN.exe:1804
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\MSNGamesSetup.exe (349165 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp\nsisdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IW12486N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\5E5RKQG2\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\AAQJ40LQ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\9QQMZ5AR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns5.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\modern-header.bmp (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ftdownload.dat (512 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\InstGameInfoHelperMSN.exe (10092 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\version.txt (4 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.