Archive: NSIS Media worm


NSIS Media worm
This worm comes from the NSIS compiler from Sourceforge. I do not have any other NSIS products, but within a week of downloading the compiler, the popups of "NSIS Media" start and don't go away until I uninstall the NSIS Compiler.

Is there some way to get the NSIS compiler without the sneaky adware?


Just installed NSIS and it didn't install any Spyware. Your system might have gotten infected by alternate means, but it doesn't appear that the NSIS is the source.

Also, for any issues with NSIS, please use the NSIS forum, as this is not related to Winamp in any way.


It isn't spyware, and it doesn't show up in scanners. I have a popup on my screen right now, and Kaspersky and Sophos don't recognize it. It takes about two weeks before it starts popups from installing the NSIS compiler. Just keep it installed and wait.


"NSIS Media" is not related to the Nullsoft Scriptable Install System. Just because they share a common name, doesn't mean they are the same thing. Nobody here has any control if a Spyware company chooses to use that name or not.

But the NSIS download from the official Sourceforge site is 100% spyware/adware free. If you got infected, it probably came from some other source.


NSIS Media comes with fake Firefox extensions as far as I can tell. A quick Google search (including the groups search) should tell you which files need to be purged.

Of course, as drewbar said, it has nothing at all to do with our NSIS. They just used the same name, probably as a disguise. NSIS is open-source and contains no malware of any kind. If you don't trust the compiled downloads, you can also build it yourself from source.


There is another thread in this forum on this "NSIS Media" beast where poor Winamp and (legit) NSIS get blamed for carrying this:

http://forums.winamp.com/showthread....85#post1979685

NEITHER of these apps infected me. If there is one consistent element of this difficult malware, it is that those who get it have had a hard time finding the common source where it originated.

I eventually managed to purge this from my system by deleting two suspicious DLLs from my system folder, but I have been following its evolution ever since. I see that some anti-viral software is now identifying this thing, but I have to say, NONE of the descriptions offered on these sites exactly matches what I had, or what I ended up with.

It appears to either mutate, or install variants for each infection so that everyone has their own "personal adventure" in getting rid of the damn thing.

If there is one apparent absolute, DO NOT use the enclosed installation file in the NSIS Media folder, as this will simply propagate the infection.