
Author Topic: SmartFTP Users: Adware As Of v.2.5.1004.7  (Read 16682 times)

Nighted

SmartFTP Users: Adware As Of v.2.5.1004.7
« on: March 03, 2007, 05:58 PM »
Downloaded this from Filehippo today. It tried to add a runonce to my registry concerning this file: NSIS.Library.RegTool.v2.{C480568F-0B79-433A-8399-52D704BACE84}.exe.

Searching shows that this is verified 100% adware. The company that produces this garbage is here: nsismedia.net

One detailed report here.

It was confusing at first as NSIS to me always means Nullsoft Install System, but my spidey sense told me something else entirely. ;)


I`m a firm believer in the philosophy of a ruling class, especially since I rule.
« Last Edit: March 03, 2007, 06:02 PM by Nighted »
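
An added example, not part of the original post: one way to check a registry export for a Run/RunOnce entry that launches a file named like the one reported above. The sample export, its value names and paths are constructed, and matching any version number and GUID is an assumption of this example.

```python
import re

# Filename shape reported in the post: NSIS.Library.RegTool.v2.{GUID}.exe.
# Accepting any version number and any GUID is an assumption of this example.
SUSPECT = re.compile(
    r"NSIS\.Library\.RegTool\.v\d+\."
    r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}\.exe",
    re.IGNORECASE,
)
# Autorun keys: ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce, any hive.
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?$", re.IGNORECASE)
# A string value in .reg syntax: "name"="data", with \\ and \" as escapes.
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export; key layout is standard, names and paths are made up.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Temp\\NSIS.Library.RegTool.v2.{C480568F-0B79-433A-8399-52D704BACE84}.exe\""

[HKEY_CURRENT_USER\Software\ExampleApp\RecentFiles]
"1"="C:\\Temp\\NSIS.Library.RegTool.v2.{C480568F-0B79-433A-8399-52D704BACE84}.exe"
'''


def unescape(value):
    """Undo .reg string escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", value)


def find_suspect_autoruns(reg_text):
    """Return (key, value_name, command) for autorun values naming the file."""
    hits, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: the current registry key
            continue
        m = VALUE_LINE.match(line)
        if m and key and AUTORUN_KEY.search(key):
            name, data = unescape(m.group(1)), unescape(m.group(2))
            if SUSPECT.search(data):
                hits.append((key, name, data))
    return hits
```

Only the RunOnce entry in the sample is returned; the same filename under a non-autorun key is ignored. Exports written by regedit are normally UTF-16, so decode the file before passing its text to `find_suspect_autoruns()`.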

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #1 on: March 03, 2007, 06:51 PM »
I just downloaded and installed SmartFTP from Filehippo. Kaspersky, S&D and I could not recognize NSIS, no file traces. Same version, file is called SFTPNSI.EXE, 3.337.00 bytes.

f0dder

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #2 on: March 03, 2007, 06:55 PM »
Might want to throw in md5 sums as well, for good measure.

Offtopic: nighted, what's the screenshot from? explorer with custom color scheme? looks nice :)
- carpe noctem

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #3 on: March 03, 2007, 07:03 PM »
Since you are infected http://kichik.net/20.../nsis-media-remover/ but other programs should be able to handle it by now. May be some useful info in comments.


Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #4 on: March 03, 2007, 07:11 PM »
f0dder, yeah it's a 3D Color Changer scheme. The script is attached.

Can't create a checksum, I deleted the file immediately after blocking the entry from entering my registry and taking the screenshot.
I`m a firm believer in the philosophy of a ruling class, especially since I rule.

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #5 on: March 03, 2007, 07:13 PM »
dk70, I'm not infected. I blocked the registry entry that was to be run on the next reboot and I deleted the file.
I`m a firm believer in the philosophy of a ruling class, especially since I rule.

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #6 on: March 03, 2007, 07:22 PM »
But if NSIS came from other source than SmartFTP? I don't know. If the regular security programs say you are clean and there are none of those traces I guess you are. NSB133.TMP is also not part of SmartFTP, or I don't have it at least, so who knows what damage has been done.

SmartFTP people can't be that dumb? Would be nice if Filehippo reported back to you and confirmed initial version was infected with adware installation.
« Last Edit: March 03, 2007, 07:27 PM by dk70 »

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #7 on: March 03, 2007, 08:08 PM »
dk70, I think you may be right...I'm going to have to look into this immediately.

I may have stupidly jumped to a conclusion here. I tried the installer sandboxed to see if the files would appear again but no luck. It's just that it coincided with the install of the new SmartFTP revision.  :-[

Here's the MD5 hash of the installer I downloaded in case anyone wants to compare: D2D9547FE2C0A4DD7866EEC6DB10AB1D
I`m a firm believer in the philosophy of a ruling class, especially since I rule.
« Last Edit: March 03, 2007, 08:14 PM by Nighted »

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #8 on: March 03, 2007, 08:25 PM »
Same as mine and same as the one FileHippo lists http://www.filehippo...nload_smartftp/tech/

SMARTFTP.KEY is your license file right? I don't have that either. You didn't use a key-thingy to make that file? Crap must come from somewhere so just asking. You can see from Google http://openwares.org./ has been and maybe still is a distribution center of this, any downloads from there?
« Last Edit: March 03, 2007, 08:30 PM by dk70 »

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #9 on: March 03, 2007, 09:09 PM »
I put the keyfile there to make it portable in conjunction with an autoit script.

Never downloaded anything from that site. However, I did upgrade Messenger Plus! last night and that may have something to do with it although I didn't select the ad sponsored option. 
I`m a firm believer in the philosophy of a ruling class, especially since I rule.
« Last Edit: March 03, 2007, 09:12 PM by Nighted »

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #10 on: March 03, 2007, 10:02 PM »
I think Messenger Plus has gotten so much attention for being a carrier of Adware they would not do such a thing. Many find it bad enough as it is.

Anyway, I checked Spybot&Destroy for NSIS. They added it October last year and have updated many times, last January. So I guess we can assume S&D will catch this. I guess same goes for similar tools. I would scan over and over. From the comments at the NSIS remover page disinfection appears to be hard so grab what you can and attack.

If not successful may be an idea to go through a Hijackthis routine - post it at some security forum like this http://forums.majorg...orumdisplay.php?f=35 , if not here. Could be necessary to seek geeks if removal is impossible unless following a specific order of actions.

What AV let this happen btw?

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #11 on: March 03, 2007, 11:26 PM »
h3h...no AV let this happen. My other machine died, second MSI motherboard dead in a year. (Will never buy anything from MSI again.) I'm on my backup Celeron 850 machine now and turned my virus scanner off last night so I could free up some resources for other things. So, my bad. :tellme:

I'll have it fixed up as good as new in a few hours.
I`m a firm believer in the philosophy of a ruling class, especially since I rule.

KenR

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #12 on: March 05, 2007, 08:36 AM »
Ok, I'm confused. According to SmartFTP's homepage, the most recent version of the software is SmartFTP 2.0 Build 1002. I see nothing about Beta or trial versions. So, how can there even be a version 2.5.x and where is it coming from?

Thanks, Ken

Kenneth P. Reeder, Ph.D.
Clinical Psychologist
Jacksonville, North Carolina  28546

dk70

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #13 on: March 05, 2007, 12:21 PM »
It is a beta, FileHippo has it. But also available at their site - http://www.smartftp.com/download/ at bottom.

I tend to agree with the SmartFTP guy replying on their forum Nighted. But sure is strange, installation process must have been corrupted in your case or did you cancel during and mistook leftovers for NSIS Media because names are similar? Too much security is problem ;)

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #14 on: March 05, 2007, 04:53 PM »
I have no clue what happened. I scanned every drive and found nothing, absolutely zilch. That with fully updated databases for both my virus scanner and malware apps.

My system couldn't be any cleaner. Now it seems most likely it loaded through IE, as IE has always been how I've become infected with malware in the past. I very rarely use it, and the moments my AV was disabled were probably enough to let something get by.

I`m a firm believer in the philosophy of a ruling class, especially since I rule.

KenR

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #15 on: April 04, 2007, 06:46 PM »
Ok, SmartFTP is now out of Beta. What is the verdict on this topic? Does it contain spyware or not?

Ken
Kenneth P. Reeder, Ph.D.
Clinical Psychologist
Jacksonville, North Carolina  28546

Nighted

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #16 on: April 05, 2007, 08:28 PM »
No Ken, it doesn't. It was just a fluke incident.
I`m a firm believer in the philosophy of a ruling class, especially since I rule.

KenR

Re: SmartFTP Users: Adware As Of v.2.5.1004.7
« Reply #17 on: April 05, 2007, 08:44 PM »
Great!!! Thanks very much for letting me know Nighted!

Ken
Kenneth P. Reeder, Ph.D.
Clinical Psychologist
Jacksonville, North Carolina  28546