Nsis



Stucuk
2006-11-16, 21:08
With the latest Definition updates S&D wrongly flags the NullSoft Install System (http://nsis.sourceforge.net/Main_Page) by the creators of WinAmp as Spyware.


Company:
Product: NSIS Media Extension
Threat: Adware


Description
NSIS Media Extension installs in a hidden process on the computer and creates a lot of pop-ups when the user is surfing the internet.

The NSIS by Winamp is a harmless installation program which allows you to create installers; it does nothing else.

The following are the NSIS reg entries I have:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
"MakeNSISWCompressor"=""
"MakeNSISWPlacement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,d0,02,00,00,24,01,00,00,f7,04,00,00,e2,02,00,\
00
@="C:\\Program Files\\NSIS"
"VersionMajor"=dword:00000002
"VersionMinor"=dword:0000000a
"VersionRevision"=dword:00000000
"VersionBuild"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\MRU]
"0"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\Copy of OW Patch.nsi"
"1"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\OW Patch.nsi"
"2"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Patch.nsi"
"3"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Full.nsi"
"4"="C:\\delphi\\Original War\\OW\\Finals\\NSIS_Installation\\OW Full.nsi"

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Symbols]

md usa spybot fan
2006-11-16, 21:56
Please see:
NSIS Media Extension
http://forums.spybot.info/showthread.php?t=8877
Is this the same detection?

md usa spybot fan
2006-11-16, 22:32
Your thread has been moved from the Spybot-S&D (http://forums.spybot.info/forumdisplay.php?f=4) forum to the False Positives (http://forums.spybot.info/forumdisplay.php?f=16) forum so it doesn't get overlooked.

If the reference that I posted above is not related to the detection that you received, perhaps it would also be helpful if you included the actual Spybot-S&D detections that you receive during the scan, the Spybot-S&D version and the update level, in addition to the detailed information that you did provide. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.
Thanks

Stucuk
2006-11-17, 00:08
It's the same.

md usa spybot fan
2006-11-17, 00:55
Check your scan again after tomorrow’s updates and see if the false positive has been resolved. If not, please post again.

Thanks for actively participating in the effort.

Stucuk
2006-11-17, 18:38
17-11-06 Update has fixed it.

Victjar
2006-11-18, 11:07
I just received the identified NSIS Media Extension entry only after applying the Nov. 17th update to Spybot:

HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media

I've run several "Search and Destroy" tests during the past few weeks with all previous updates, none of which produced this entry.

I ran the CHECK.BAT per the instructions in this thread (http://forums.spybot.info/showthread.php?t=8859&highlight=nsis+media+extension) and the logit.txt file was empty.

Here's the Spybot results report:

_______________________

NSIS Media Extension: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media

--------------------
--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-08-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-11-17 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-11-17 Includes\DialerC.sbi (*)
2006-11-03 Includes\Hijackers.sbi (*)
2006-11-17 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-11-17 Includes\KeyloggersC.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-11-17 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-11-17 Includes\PUPSC.sbi (*)
2006-11-17 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-11-17 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-11-17 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-11-17 Includes\Trojans.sbi (*)
2006-11-17 Includes\TrojansC.sbi (*)
_______________________

Is this NSIS Media Extension entry still to be considered a false positive?

Thanks in advance!

-- Victjar

LonnyRJones
2006-11-21, 02:27
"Is this NSIS Media Extension entry still to be considered a false positive?"

If check.bat results were empty and you are not seeing NSIS popups then yes, it is probably a false positive.

Could we see the contents of the NSIS registry key, please?
Copy the contents of the code box below into a new notepad document (not wordpad).
Click file> save as...> call it nsis.bat > file types *all files*> and save it to desktop.


regedit /e /a NSIS.txt "HKEY_LOCAL_MACHINE\SOFTWARE\NSIS"
start NSIS.txt

Run nsis.bat and post back with the text that will open.

Victjar
2006-11-22, 02:47
Thanks for your reply, Lonnie.

Here's the nsis.bat output:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Stub"="ns65.dll"
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
"Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"
"AffId"="1074"
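
Added example (not code from this thread, from Spybot or from the NSIS project): a small Python triage script that parses the text file produced by the nsis.bat export above (it accepts both the REGEDIT4 header seen here and the "Windows Registry Editor Version 5.00" header of the first post) and separates the legitimate NSIS development-kit values from the NSIS\Media subkey. The two sample exports are constructed from the ones posted in this thread, trimmed; the value names used as markers (VersionMajor, MakeNSISW*, Stub, InstDir, Clsid, AffId) come from those posts, and the verdict labels and the decision to treat any NSIS\Media subkey as suspect are this example's own assumptions.

```python
import re
from typing import Dict, List, Tuple, Union

Value = Union[str, int, bytes]
RegTree = Dict[str, Dict[str, Value]]

# Constructed sample 1: trimmed from the first post (a developer's NSIS install).
LEGIT_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
"MakeNSISWCompressor"=""
"MakeNSISWPlacement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
  ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,d0,02,00,00,24,01,00,00,f7,04,00,00,e2,02,00,\
  00
@="C:\\Program Files\\NSIS"
"VersionMajor"=dword:00000002
"VersionMinor"=dword:0000000a

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\MRU]
"0"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\OW Patch.nsi"

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Symbols]
'''

# Constructed sample 2: the nsis.bat output posted above (REGEDIT4 format).
SUSPECT_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Stub"="ns65.dll"
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
"Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"
"AffId"="1074"
'''


def _parse_value(raw: str) -> Value:
    """Decode one value as regedit writes it: quoted string, dword:, or hex(...)."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])   # undo \\ and \" escaping
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):                        # "hex:" or "hex(n):"
        return bytes.fromhex(raw.split(':', 1)[1].replace(',', ''))
    return raw                                       # unknown type: keep verbatim


def parse_reg_export(text: str) -> RegTree:
    """Parse a regedit /e export into {key path: {value name: value}}."""
    tree: RegTree = {}
    current = None
    pending = ''                                     # hex data split over lines
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ''
        if not line or line.startswith((';', 'REGEDIT4', 'Windows Registry Editor')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        if line.endswith('\\'):                      # continuation marker
            pending = line[:-1]
            continue
        if current is None:
            raise ValueError(f'value outside any key: {line!r}')
        name, _, value = line.partition('=')
        name = '(Default)' if name == '@' else name.strip('"')
        tree[current][name] = _parse_value(value)
    return tree


NSIS_ROOT = r'HKEY_LOCAL_MACHINE\SOFTWARE\NSIS'
MEDIA_KEY = NSIS_ROOT + r'\Media'
# Values the NSIS development kit writes to its root key (first post).
DEVKIT_VALUES = {'VersionMajor', 'VersionMinor', 'MakeNSISWCompressor', 'MakeNSISWPlacement'}
# Values seen under the Media subkey in the affected machine's export (post above).
MEDIA_VALUES = {'Stub', 'InstDir', 'Clsid', 'AffId'}


def triage_nsis(tree: RegTree) -> Tuple[str, List[str]]:
    """Return (verdict, notes) for the NSIS key. Verdict labels are this example's own."""
    notes: List[str] = []
    media = tree.get(MEDIA_KEY)
    if media is not None:
        hits = sorted(MEDIA_VALUES & media.keys())
        notes.append(f'{MEDIA_KEY} present with values {hits}')
        if 'InstDir' in media:
            notes.append(f'inspect folder {media["InstDir"]} for {media.get("Stub", "?")}')
        return 'suspect: NSIS Media Extension leftover', notes
    root = tree.get(NSIS_ROOT, {})
    if DEVKIT_VALUES & root.keys():
        ver = f'{root.get("VersionMajor", "?")}.{root.get("VersionMinor", "?")}'
        notes.append(f'NSIS development kit {ver} installed at {root.get("(Default)", "?")}')
        return 'benign: NSIS installer toolkit', notes
    return 'unknown: NSIS key present without known markers', notes


if __name__ == '__main__':
    for label, export in (('first post', LEGIT_EXPORT), ('nsis.bat output', SUSPECT_EXPORT)):
        verdict, notes = triage_nsis(parse_reg_export(export))
        print(f'{label}: {verdict}')
        for n in notes:
            print('  -', n)
```

Run it against a real export by reading NSIS.txt into `parse_reg_export` instead of the constructed samples; the parser keeps the exported paths and CLSID intact so they can be compared against the posts in this thread, and the benign root-key values are reported rather than flagged.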

LonnyRJones
2006-11-22, 07:14
Victjar
Let SpyBot fix that item.

It is definitely a leftover malware item.

Victjar
2006-11-22, 14:10
Will do, Lonny. Thanks again for your help!

-- Victjar

sinner
2006-11-23, 20:18
Yes, this is a serious issue; it's in fact a trojan, according to Spy Sweeper. I'm currently running that on a client's system at the moment, waiting for it to finish so I can finally remove this pesky pos. This turns up on every reboot after removing via a Spybot scan. It just regenerates. I manually remove the registry entry and the folder x:\program files\common files\NSIS and it just regenerates after a reboot. Not a fun issue to resolve. I prefer to use just Spybot and Ad-Aware Pro in tandem, as I have for years; it would suck to have to move to another product over one problem that can't be resolved.