Nsis media



NoSpywarePlease
2006-10-20, 04:13
Hi LonnyRJones!

I have had this problem as described by the previous poster since early August (but I didn't realize until this week that all the NSIS advertisements I kept getting were not actually just valid site popups, but are actually an adware/spyware/trojan).

Because I have read on other forums that this thing duplicates itself upon every failed attempt to get rid of it, I have waited to do anything until I have found something I am confident will work on the first try.

If I follow the same instructions that you gave the previous member, will that work for me, or do I need to post a log file too so it can be made specific for my case (I hear there are many mutations of this thing)?

Thanks so much in advance!

LonnyRJones
2006-10-20, 04:27
Welcome to the forum

Do you have any idea where you picked it up? Most likely it came in with a supposedly free program.

Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.


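@echo off
Echo.
Echo searching please wait....
REM Search every .dll and .exe on the system drive for two marker strings.
REM findstr: /S = include subfolders, /M = print only names of matching files,
REM /C:"..." = literal search string, /L = literal match, /I = ignore case.
REM Matching file names are appended to logit.txt; errors are discarded.
(echo off
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /M /C:"mediastub.dll" %%i\*.exe
For %%i in (%systemdrive%) do findstr /S /L /I /M /C:"cydoor_shell_project" %%i\*.dll
For %%i in (%systemdrive%) do findstr /S /L /I /M /C:"cydoor_shell_project" %%i\*.exe
)>>logit.txt 2>nul
start notepad logit.txt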

Run check.bat and post back with the text that will (eventually) open
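
The same marker-string sweep as check.bat above, written in Python as an added example (not part of the original post or the helper's own tooling). It goes a step beyond the batch file: every marker is matched case-insensitively, and the UTF-16LE form of each marker is checked as well as the single-byte form. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Marker strings and extensions taken from check.bat on this page.
MARKERS = ("mediastub.dll", "cydoor_shell_project")
EXTENSIONS = (".dll", ".exe")

def file_hits(path, markers=MARKERS, chunk_size=1 << 20):
    """Return sorted (marker, encoding) pairs found in one file."""
    needles = {(m, enc): m.lower().encode(enc)
               for m in markers for enc in ("ascii", "utf-16-le")}
    overlap = max(len(p) for p in needles.values()) - 1
    hits, tail = set(), b""
    with open(path, "rb") as fh:
        while chunk := fh.read(chunk_size):
            window = (tail + chunk).lower()  # folds ASCII letters only
            hits.update(key for key, pat in needles.items() if pat in window)
            tail = window[-overlap:]  # keep a tail so matches spanning chunks are seen
    return sorted(hits)

def scan_tree(root, markers=MARKERS, extensions=EXTENSIONS):
    """Walk root and report (path, marker, encoding) for every match."""
    report = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(folder, name)
            try:
                report += [(path, m, enc) for m, enc in file_hits(path, markers)]
            except OSError:
                continue  # locked or unreadable file: skip, as check.bat does with 2>nul
    return report

def demo():
    """Scan constructed sample files written to a temporary directory."""
    samples = {
        "a.dll": b"MZ\x00\x01MediaStub.DLL\x00",                      # ASCII, mixed case
        "b.exe": b"MZ" + "cydoor_shell_project".encode("utf-16-le"),  # wide string
        "c.dll": b"MZ nothing of interest",                           # clean file
        "d.txt": b"mediastub.dll",                                    # extension not scanned
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [(os.path.basename(p), m, e) for p, m, e in scan_tree(root)]

if __name__ == "__main__":
    print(demo())
```

Point `scan_tree` at a drive root to get the same kind of file list that check.bat writes to logit.txt, with the matched marker and encoding alongside each path.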

tashi
2006-10-26, 08:15
This topic is closed due to lack of a response.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original topic starter.

NoSpywarePlease
2006-10-26, 23:03
Welcome to the forum

Do you have any idea where you picked it up? Most likely it came in with a supposedly free program.

Run check.bat and post back with the text that will (eventually) open

Hi LonnyRJones,

Sorry for not getting back to you sooner...I didn't realize this forum doesn't send out reply-to-thread notices by default.

Attached is the logit.txt file. Looks like it found two files.

I can't say for sure what caused it, but I do often download utilities from download.com, so that's my best guess. From looking at other forums, openwares is a suspected company, and that sounds awfully familiar...I may have downloaded one of them off download.com. I can't say for sure which program that was, though. From doing a search for that company in download.com today, the only thing I have installed is the XviD codec. That may be what it came with. From checking the date stamps on that codec's install files and the .dll in my C:/Program Files/Common/NSIS folder, it looks like I installed that codec 4 days before the NSIS .dll appeared (at least, that's what the date stamps indicate). Do you recommend uninstalling that codec?

I really look forward to getting rid of this :) !

Thanks in advance!

LonnyRJones
2006-10-27, 06:50
Go attach this file at thespykiller please
C:\WINDOWS\system32\coltea.dll
http://www.thespykiller.co.uk/forum/index.php?board=1.0

I suggest any programs from openware be uninstalled

MisterW
2006-10-27, 11:51
Hi NoSpywarePlease and Lonny,

I checked the app you downloaded and it seems as if your NSIS came from there. When you install it, it asks you to accept the privacy of NSIS... :devilpoin:

NoSpywarePlease, could you tell me which version of Firefox you are using? Did you use the app in a special way? Did you download any additional software from openwares? Every detail could be important ;)

Thank you,
Markus :bigthumb:

NoSpywarePlease
2006-10-27, 16:01
Go attach this file at thespykiller please
C:\WINDOWS\system32\coltea.dll
http://www.thespykiller.co.uk/forum/index.php?board=1.0

I suggest any programs from openware be uninstalled
Lonny, I uploaded the file over at http://www.thespykiller.co.uk/forum/index.php?topic=2900.0 .


I checked the app you downloaded and it seems as if your NSIS came from there. When you install it, it asks you to accept the privacy of NSIS... :devilpoin:

Whoops! Bummer, now I know...sneaky folks (that's an appropriate devil emoticon)!


NoSpywarePlease, could you tell me which version of Firefox you are using? Did you use the app in a special way? Did you download any additional software from openwares? Every detail could be important ;)

Actually, I have never installed Firefox or any other browser at all other than IE6 via windows updates. From reading other forums, NSIS seems closely tied to Firefox, but I can assure you that my case is not.



The three codecs I have downloaded similar to XviD are
* DivX
* XviD
* 3ivX

I downloaded 3ivX from a non-download.com source (and this was just in the last week). My ns24.dll in my C:\Program Files\Common Files\NSIS folder is dated 8/2/2006, which I believe is about the time this started. So I doubt 3ivX is related.

I downloaded DivX from either the divx website or from download.com, but in either case the publisher was DivX, not openwares. I just went to download.com and checked, and the listing I would have downloaded was made by DivX.

I am 95% confident that XviD was the only program made by openwares that I downloaded.

Hope this info helps solve this. From reading other posts, it sounds like this spyware is so nasty, that it just gets worse if you don't nail it on the first attempt to uninstall it. Should I uninstall the XviD codec now, or wait to hear how to remove NSIS before uninstalling XviD?

I can hardly wait to get rid of this...I look forward to hearing from you :bigthumb:!

LonnyRJones
2006-10-27, 16:24
Yes, uninstall any programs you got from download.com that came from openwares.org.


Download Pocket Killbox to the desktop (version 2.0.0.648)
http://www.downloads.subratam.org/KillBox.exe
If you already have Killbox, ensure it is the latest version.
Start Killbox, place a tick next to [x]Delete on reboot, then press the ALL Files button.
Copy this whole list into the Windows clipboard, all the bolded below.

C:\Program Files\Common Files\NSIS\ns24.dll
C:\WINDOWS\system32\coltea.dll

Back in Killbox go > file > paste from clipboard,
Click the red highlighted X button and say yes to the prompt to restart the pc.
Once windows has restarted
C:\Program Files\Common Files\NSIS < delete folder

NoSpywarePlease
2006-10-28, 09:18
Hi Lonny,

I did as you said (first uninstalled the XviD codec, then ran KillBox, then deleted the NSIS folder), and it appears the problem has gone so far (I have rebooted several times and the folder has not reappeared).

However, I would have thought that there were registry entries associated with this program, so I did a registry search for NSIS. I ran across at least 5 entries that specifically had references to that C:/Program Files/Common Files/NSIS folder. Are these entries harmless now, or do I need to do something to remove them?

BTW: I will post back in a few days just to confirm that I have not gotten anymore NSIS popups.

A big ThankYou from me! :bigthumb:
David Schwegler

LonnyRJones
2006-10-28, 10:26
Its registry entries are harmless now, but you should update and check for problems with SpyBot/fix them. It will get a few and will get more, I believe, when the next update is out, thanks to MisterW and the others on the detections team.

If this file is present it can be safely deleted
c:\windows\system32\msidext.dll

NoSpywarePlease
2006-10-28, 20:32
Its registry entries are harmless now, but you should update and check for problems with SpyBot/fix them. It will get a few and will get more, I believe, when the next update is out, thanks to MisterW and the others on the detections team.

Okay, that's good news! I will run S&D right away. Great work guys! :bigthumb:


If this file is present it can be safely deleted
c:\windows\system32\msidext.dll


I have a msident.dll, but not that one you mentioned. I assume that isn't what you mean.

By the way, KillBox put those .dll's it removed into a C:\!KillBox folder. Can those files and that folder be safely deleted now?

Thanks again!

LonnyRJones
2006-10-28, 20:48
Only delete msidext.dll if present, not similar files.
Yes, you should delete the C:\!killbox folder, and Killbox too if there are children around.

Surf safe

NoSpywarePlease
2006-11-02, 00:59
It's been 3 days and not one problem...all traces are still gone. Looks like you guys nailed it! :yahoo:

You guys are the best! :bow: :flowers: :bighug: :2thumb:

Thanks again.

LonnyRJones
2006-11-02, 09:41
Great

I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here. They should start a new topic.

If you should need to post another log for the same PC let one of us know via a PM (personal message).