
Thread: False Positive?

  1. #1
    Member
    Join Date
    Nov 2005
    Posts
    31

    False Positive?

    Hello,

    After the new definitions today (Nov 10th 2006) SpyBot detects in my PC "NSIS Media Extension" and points to the registry entry "HKEY_LOCAL_MACHINE\SOFTWARE\NSIS". In this key the default entry is "C:\Program Files\NSIS".

    I believe this is a false positive since this folder belongs to the open source program NSIS (Nullsoft Scriptable Install System).

    http://nsis.sourceforge.net/Main_Page

    I have no problems with pop-ups and no other program detects this, including SpyBot before today's update.

    The file "ns78.dll" is not in my system.

    Could you please advise?

    Thanks

    MfG

  2. #2
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Hi

    Could we see the results of running this batch please

    Copy the contents of the code box below into a new notepad document (not wordpad).
    Click file> save as...> call it check.bat > file types *all files*> and save it to desktop.
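    Code:

    @echo off
    Echo.
    Echo searching please wait....
    (
    rem list files under Common Files\NSIS that contain a literal asterisk
    findstr /L /I /M /C:"*" "%CommonProgramFiles%\NSIS\*.*"
    rem list system32 DLLs that contain the string cydoor_shell_project
    findstr /L /I /M /C:"cydoor_shell_project" %windir%\system32\*.dll
    rem report msidext.dll if it is present in system32
    if exist %windir%\system32\msidext.dll echo %windir%\system32\msidext.dll
    rem search Program Files recursively for nsis.jar
    dir /b /s "%programfiles%\nsis.jar"
    )>>logit.txt 2>nul
    rem results are appended to logit.txt and errors are discarded
    start notepad logit.txt

    Run check.bat and post back with the text that will open.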
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3
    Member
    Join Date
    Nov 2005
    Posts
    31

    Log as requested . . .

    Thanks for taking care . . .

    *********************
    Log file was empty after running check.bat 3 times.

    Thanks again.

  4. #4
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Thanks
    The detections team will comment in a day or two; in the meantime, post a SpyBot results report.
    Run SpyBot check for problems; when it's finished, right click and choose copy results (not full report) to clipboard and paste that back here please.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5
    Member
    Join Date
    Nov 2005
    Posts
    31

    SpyBot Report

    **********************************
    Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

    NSIS Media Extension: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\NSIS

    Common Dialogs: History (2 files) (Registry key, nothing done)
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

    7-Zip: Folder history (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\7-ZIP\FM\FolderHistory

    7-Zip: Last used folder (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\7-ZIP\FM\PanelPath0!=

    Ahead Nero Burning Rom: Save tracks directory (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Ahead\Nero - Burning Rom\SaveTrackOptions\Stdflist!=B=

    MS Media Player: Anonymous ID (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\MediaPlayer\Preferences\SendUserGUID!=B=0

    MS DirectDraw: Most recent application (Registry change, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name!=

    MS Office 11.0 (Word): Recent file list (Registry value, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Office\11.0\Word\Data\Settings

    MS Regedit: Recent open key (Registry change, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey!=

    Windows Explorer: User Assistant history IE (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

    Windows Explorer: User Assistant history files (1 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

    Windows Explorer: Last visited history (2 files) (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

    Windows Explorer: Recent file global history (Registry key, nothing done)
    HKEY_USERS\S-1-5-21-1454471165-492894223-1343024091-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

    Cookie: Cookie (1) (Cookie, nothing done)



    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-06-09 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-10-10 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-11-10 Includes\Cookies.sbi (*)
    2006-10-06 Includes\Dialer.sbi (*)
    2006-11-10 Includes\DialerC.sbi (*)
    2006-11-03 Includes\Hijackers.sbi (*)
    2006-11-10 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-11-10 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2006-10-06 Includes\Malware.sbi (*)
    2006-11-10 Includes\MalwareC.sbi (*)
    2004-08-11 Includes\plugin-ignore.ini
    2006-10-06 Includes\PUPS.sbi (*)
    2006-11-10 Includes\PUPSC.sbi (*)
    2003-11-12 Includes\QA Tests.sbi (*)
    2006-11-10 Includes\Revision.sbi (*)
    2006-10-06 Includes\Security.sbi (*)
    2006-11-10 Includes\SecurityC.sbi (*)
    2006-10-06 Includes\Spybots.sbi (*)
    2006-11-10 Includes\SpybotsC.sbi (*)
    2003-11-21 Includes\Temporary.sbi (*)
    2005-02-17 Includes\Tracks.uti (*)
    2006-11-03 Includes\Trojans.sbi (*)
    2006-11-10 Includes\TrojansC.sbi (*)
    **********************************
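
An added example, not part of the thread and not Spybot's own code: it parses the "copy results" text layout seen in post #5 and reports which products were flagged on registry evidence alone, as the NSIS entry was. The sample text is constructed, and "Example Product" is a hypothetical entry included for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the results above: a header line
# "Product: Item (Kind, action)", then an optional location line.
# "Example Product" is hypothetical (a file-backed entry for contrast).
SAMPLE = r"""
NSIS Media Extension: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS

Common Dialogs: History (2 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Cookie: Cookie (1) (Cookie, nothing done)

Example Product: Program file (File, nothing done)
C:\Example\example.dll
"""

# Kind and action sit in the last parenthesised group; the item may hold its own.
HEADER = re.compile(
    r"^(?P<product>[^:]+): (?P<item>.*) \((?P<kind>[^(),]+), (?P<action>[^()]+)\)$")

def parse_results(text):
    """Return one dict per flagged item, with the locations listed under it."""
    entries, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("---"):  # blank line or version footer
            current = None
            continue
        match = HEADER.match(line)
        if match:
            current = dict(match.groupdict(), locations=[])
            entries.append(current)
        elif current is not None:
            current["locations"].append(line)
    return entries

def evidence_kinds(entries):
    """Map each product name to the set of evidence kinds reported for it."""
    kinds = defaultdict(set)
    for entry in entries:
        kinds[entry["product"]].add(entry["kind"])
    return dict(kinds)

def registry_only(entries, product):
    """True when every entry for the product is registry evidence."""
    kinds = evidence_kinds(entries).get(product, set())
    return bool(kinds) and all(k.startswith("Registry") for k in kinds)
```

A registry-only hit is a prompt to look for the files the detection is named for, as the batch file in post #2 does; on its own it settles nothing either way.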

  6. #6
    Member
    Join Date
    Nov 2005
    Posts
    31

    FP or not?

    Hello,

    Please don't forget to verify this.

    Wouldn't it be enough to install NSIS (Nullsoft) in a previously checked (and clean) machine and then run SpyBot to see if it flags it?

    MfG

  7. #7
    Member
    Join Date
    Nov 2005
    Posts
    31

    So, it was a false positive . . .

    Although you never answered, I guess the response was given by Yodama in another similar post.

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
