Nsis

2006-11-16, 21:08
With the latest Definition updates S&D wrongly flags the NullSoft Install System (http://nsis.sourceforge.net/Main_Page) by the creators of WinAmp as Spyware.

Product: NSIS Media Extension
Threat: Adware

NSIS Media Extension installs in a hidden process on the computer and creates a lot of pop ups when the user is surfing the internet.

The NSIS by winamp is a harmless installation program which allows you to create installers; it does nothing else.

The following are the NSIS reg entries I have:

Windows Registry Editor Version 5.00

@="C:\\Program Files\\NSIS"

"0"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\Copy of OW Patch.nsi"
"1"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\OW Patch.nsi"
"2"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Patch.nsi"
"3"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Full.nsi"
"4"="C:\\delphi\\Original War\\OW\\Finals\\NSIS_Installation\\OW Full.nsi"


md usa spybot fan
2006-11-16, 21:56
Please see:
NSIS Media Extension
Is this the same detection?

md usa spybot fan
2006-11-16, 22:32
Your thread has been moved from the Spybot-S&D (http://forums.spybot.info/forumdisplay.php?f=4) forum to the False Positives (http://forums.spybot.info/forumdisplay.php?f=16) forum so it doesn't get overlooked.

If the reference that I posted above is not related to the detection that you received, perhaps it would also be helpful if you also included the actual Spybot-S&D detections that you receive during the scan, the Spybot-S&D version and the update level in addition to the detailed information that you did provide. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.

2006-11-17, 00:08
It's the same.

md usa spybot fan
2006-11-17, 00:55
Check your scan again after tomorrow’s updates and see if the false positive has been resolved. If not, please post again.

Thanks for actively participating in the effort.

2006-11-17, 18:38
17-11-06 Update has fixed it.

2006-11-18, 11:07
I just received the identified NSIS Media Extension entry only after applying the Nov. 17th update to Spybot:


I've run several "Search and Destroy" tests during the past few weeks with all previous updates, none of which produced this entry.

I ran the CHECK.BAT per the instructions in this thread (http://forums.spybot.info/showthread.php?t=8859&highlight=nsis+media+extension) and the logit.txt file was empty.

Here's the Spybot results report:


NSIS Media Extension: Settings (Registry key, nothing done)

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (
2005-05-31 SpybotSD.exe (
2005-05-31 TeaTimer.exe (
2005-08-15 unins000.exe (
2005-05-31 Update.exe (
2006-02-06 advcheck.dll (
2005-05-31 aports.dll (
2005-05-31 borlndmm.dll (
2005-05-31 delphimm.dll (
2005-05-31 SDHelper.dll (
2006-02-20 Tools.dll (
2005-05-31 UnzDll.dll (
2005-05-31 ZipDll.dll (
2006-11-17 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-17 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-17 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-17 Includes\KeyloggersC.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-17 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-17 Includes\PUPSC.sbi (*)
2006-11-17 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-17 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-17 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-17 Includes\Trojans.sbi (*)
2006-11-17 Includes\TrojansC.sbi (*)

Is this NSIS Media Extension entry still to be considered a false positive?

Thanks in advance!

-- Victjar

2006-11-21, 02:27
"Is this NSIS Media Extension entry still to be considered a false positive?"

If check.bat results were empty and you are not seeing NSIS popups then yes, it is probably a false positive.

Could we see the contents of nsis registry key please?
Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it nsis.bat > file types *all files*> and save it to desktop.

start NSIS.txt

Run nsis.bat and post back with the text that will open.

2006-11-22, 02:47
Thanks for your reply, Lonnie.

Here's the nsis.bat output:



"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"

2006-11-22, 07:14
Let SpyBot fix that item.

It is definitely a leftover malware item.

2006-11-22, 14:10
Will do, Lonny. Thanks again for your help!

-- Victjar

2006-11-23, 20:18
Yes, this is a serious issue, it's in fact a trojan, according to spy sweeper. I'm currently running that on a client's system at the moment, waiting for it to finish so I can finally remove this pesky pos. This turns up on every reboot after removing via a spybot scan. It just regenerates. I manually remove the registry entry and the folder x:\program files\common files\NSIS and it just regenerates after a reboot. Not a fun issue to resolve. I prefer to use just spybot and adaware pro in tandem, as I have for years; it would suck to have to move to another product over one problem that can't be resolved.
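
Added example, not part of the thread and not any poster's or Spybot's own code: a small parser for the registry export text exchanged above that separates the first poster's NSIS entries (default value plus recent .nsi files) from the `InstDir` value pointing at the Common Files\NSIS folder that was later treated as a leftover. The section names are placeholders because the key paths did not survive on this page, and the function names `parse_reg` and `triage` are hypothetical.

```python
import re

# Constructed sample. The values are the ones posted in the thread; the key
# paths did not survive on the page, so PLACEHOLDER section names stand in.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[PLACEHOLDER\KeyA]
@="C:\\Program Files\\NSIS"

[PLACEHOLDER\KeyA\MRU]
"0"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\OW Patch.nsi"

[PLACEHOLDER\KeyB]
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
'''

# name="data" lines; inside the quotes a backslash escapes the next character.
VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg string escaping: \\ becomes \ and \" becomes "
    return re.sub(r'\\(.)', r'\1', s)

def parse_reg(text):
    """Return {key_path: {value_name: string_data}}; '@' is the default value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # only REG_SZ string values are handled here
                name = '@' if m.group('name') is None else unescape(m.group('name'))
                current[name] = unescape(m.group('data'))
    return keys

def triage(keys):
    # Heuristic taken from this thread only: the flagged entry was an InstDir
    # value pointing at the Common Files\NSIS folder.
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            norm = data.rstrip('\\').lower()
            if name.lower() == 'instdir' and norm.endswith('\\common files\\nsis'):
                findings.append((key, name, data))
    return findings
```

A match only says the export resembles the entry discussed in this thread; it does not explain why the entry reappeared after a reboot for the last poster.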