False Positive?
Tattenbach
2006-11-10, 20:36
Hello,
After the new definitions today (Nov 10th 2006), SpyBot detects "NSIS Media Extension" on my PC and points to the registry entry "HKEY_LOCAL_MACHINE\SOFTWARE\NSIS". In this key the default entry is "C:\Program Files\NSIS".
I believe this is a false positive, since this folder belongs to the open source program NSIS (Nullsoft Scriptable Install System).
http://nsis.sourceforge.net/Main_Page
I have no problems with pop-ups and no other program detects this, including SpyBot before today's update.
The file "ns78.dll" is not in my system.
Could you please advise?
Thanks
Kind regards
LonnyRJones
2006-11-10, 20:42
Hi
Could we see the results of running this batch please
Copy the contents of the code box below into a new notepad document (not wordpad).
Click File > Save As... > call it check.bat > file types *all files* > and save it to the desktop.
@echo off
Echo.
Echo searching please wait....
(
findstr /L /I /M /C:"*" "%CommonProgramFiles%\NSIS\*.*"
findstr /L /I /M /C:"cydoor_shell_project" %windir%\system32\*.dll
if exist %windir%\system32\msidext.dll echo %windir%\system32\msidext.dll
dir /b /s "%programfiles%\nsis.jar"
)>>logit.txt 2>nul
start notepad logit.txt
Run check.bat and post back with the text that will open.
Tattenbach
2006-11-10, 20:50
Thanks for taking care . . .
*********************
Log file was empty after running check.bat 3 times.
Thanks again.
LonnyRJones
2006-11-10, 20:53
Thanks
The detections team will comment in a day or two; in the meantime, post a SpyBot results report.
Run SpyBot's check for problems; when it's finished, right-click and choose copy results (not full report) to clipboard and paste that back here please.
Tattenbach
2006-11-10, 21:19
**********************************
Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
NSIS Media Extension: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS
Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU
7-Zip: Folder history (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\7-ZIP\FM\FolderHistory
7-Zip: Last used folder (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\7-ZIP\FM\PanelPath0!=
Ahead Nero Burning Rom: Save tracks directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Ahead\Nero - Burning Rom\SaveTrackOptions\Stdflist!=B=
MS Media Player: Anonymous ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0
MS DirectDraw: Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=
MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Office\11.0\Word\Data\Settings
MS Regedit: Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=
Windows Explorer: User Assistant history IE (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
Windows Explorer: User Assistant history files (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Windows Explorer: Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Cookie: Cookie (1) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-09 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-10-10 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-10 Includes\Cookies.sbi (*)
2006-10-06 Includes\Dialer.sbi (*)
2006-11-10 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-10 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-10 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-06 Includes\Malware.sbi (*)
2006-11-10 Includes\MalwareC.sbi (*)
2004-08-11 Includes\plugin-ignore.ini
2006-10-06 Includes\PUPS.sbi (*)
2006-11-10 Includes\PUPSC.sbi (*)
2003-11-12 Includes\QA Tests.sbi (*)
2006-11-10 Includes\Revision.sbi (*)
2006-10-06 Includes\Security.sbi (*)
2006-11-10 Includes\SecurityC.sbi (*)
2006-10-06 Includes\Spybots.sbi (*)
2006-11-10 Includes\SpybotsC.sbi (*)
2003-11-21 Includes\Temporary.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2006-11-03 Includes\Trojans.sbi (*)
2006-11-10 Includes\TrojansC.sbi (*)
**********************************
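Added example, not part of the original thread and not Spybot code: a small Python parser for the "copy results" text posted above, showing what kind of evidence each detection rests on, such as the single registry key behind "NSIS Media Extension". The header pattern is inferred only from the lines in this thread; the function names and the `<SID>` placeholder are assumptions.

```python
import re
from collections import defaultdict

# Header line shape seen in this thread:
#   "<product>: <item> (<evidence type>, <action>)"
HEADER = re.compile(r"^(?P<product>[^:]+): (?P<item>.*) "
                    r"\((?P<kind>[^,()]+), (?P<action>[^()]+)\)$")

def parse_results(text):
    """Return one dict per detection, with the location lines that follow it."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--- Spybot"):    # version/file listing follows
            break
        if not line or set(line) == {"*"}:   # blank lines and **** separators
            continue
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "locations": []})
        elif entries:                        # a path belonging to the last header
            entries[-1]["locations"].append(line)
    return entries

def evidence_by_product(entries):
    """Map product -> list of (evidence type, location) pairs."""
    out = defaultdict(list)
    for e in entries:
        for loc in e["locations"] or [None]:
            out[e["product"]].append((e["kind"], loc))
    return dict(out)

def key_only(evidence):
    """True when a product was flagged on the existence of registry keys alone."""
    return bool(evidence) and all(kind == "Registry key" for kind, _ in evidence)

# Constructed sample: lines taken from the report above, trimmed, SID replaced.
SAMPLE = r"""
**********************************
Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
NSIS Media Extension: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS
7-Zip: Folder history (Registry value, nothing done)
HKEY_USERS\<SID>\Software\7-ZIP\FM\FolderHistory
7-Zip: Last used folder (Registry change, nothing done)
HKEY_USERS\<SID>\Software\7-ZIP\FM\PanelPath0!=
Cookie: Cookie (1) (Cookie, nothing done)
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---
"""
```

A detection for which `key_only` returns True rests on no file or value evidence, so it needs corroboration (such as the file checks in check.bat) before it is treated as confirmed.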
Tattenbach
2006-11-11, 13:52
Hello,
Please don't forget to verify this.
Wouldn't it be enough to install NSIS (Nullsoft) in a previously checked (and clean) machine and then run SpyBot to see if it flags it?
Kind regards
Tattenbach
2006-11-13, 12:54
Although you never answered, I guess the response was given by Yodama in another similar post.
LonnyRJones
2006-11-13, 18:01
I'm glad you saw that
http://forums.spybot.info/showthread.php?t=8877