
Thread: Nsis

  1. #1
    Junior Member
    Join Date
    Nov 2006
    Posts
    3

    Default Nsis

    With the latest Definition updates S&D wrongly flags the NullSoft Install System by the creators of WinAmp as Spyware.

    Company:
    Product: NSIS Media Extension
    Threat: Adware


    Description
    NSIS Media Extension installs in a hidden process on the computer and creates a lot of pop ups when the user is surving the internet.
    The NSIS by Winamp is a harmless installation program which allows you to create installers; it does nothing else.

    The following are the NSIS reg entries I have:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
    "MakeNSISWCompressor"=""
    "MakeNSISWPlacement"=hex:2c,00,00,00,00,00,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,d0,02,00,00,24,01,00,00,f7,04,00,00,e2,02,00,\
    00
    @="C:\\Program Files\\NSIS"
    "VersionMajor"=dword:00000002
    "VersionMinor"=dword:0000000a
    "VersionRevision"=dword:00000000
    "VersionBuild"=dword:00000000

    [HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\MRU]
    "0"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\Copy of OW Patch.nsi"
    "1"="C:\\delphi\\Original War\\OW\\Finals\\1.07\\NSIS\\OW Patch.nsi"
    "2"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Patch.nsi"
    "3"="C:\\delphi\\Original War\\OW\\Finals\\1.06\\NSIS\\OW Full.nsi"
    "4"="C:\\delphi\\Original War\\OW\\Finals\\NSIS_Installation\\OW Full.nsi"

    [HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Symbols]
    Last edited by Stucuk; 2006-11-16 at 20:10.

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Please see:

    Is this the same detection?
    Last edited by md usa spybot fan; 2006-11-16 at 21:00.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Your thread has been moved from the Spybot-S&D forum to the False Positives forum so it doesn't get overlooked.

    If the reference that I posted above is not related to the detection that you received, perhaps it would also be helpful if you included the actual Spybot-S&D detections that you receive during the scan, the Spybot-S&D version and the update level in addition to the detailed information that you did provide. To do that:
    • Run another scan.
    • When the scan completes, right click on the results list, select "Copy results to clipboard".
    • Then paste (Ctrl+V) those results to a new post in this thread.

    Thanks
    Last edited by md usa spybot fan; 2006-11-16 at 21:33.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  4. #4
    Junior Member
    Join Date
    Nov 2006
    Posts
    3

    Default

    It's the same.
    Last edited by Stucuk; 2006-11-16 at 23:11.

  5. #5
    Spybot Advisor Team [Retired] md usa spybot fan's Avatar
    Join Date
    Oct 2005
    Posts
    5,859

    Default

    Check your scan again after tomorrow’s updates and see if the false positive has been resolved. If not, please post again.

    Thanks for actively participating in the effort.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  6. #6
    Junior Member
    Join Date
    Nov 2006
    Posts
    3

    Default

    17-11-06 Update has fixed it.

  7. #7
    Junior Member
    Join Date
    Nov 2006
    Posts
    4

    Default

    I just received the identified NSIS Media Extension entry only after applying the Nov. 17th update to Spybot:

    HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media

    I've run several "Search and Destroy" tests during the past few weeks with all previous updates, none of which produced this entry.

    I ran the CHECK.BAT per the instructions in this thread and the logit.txt file was empty.

    Here's the Spybot results report:

    _______________________

    NSIS Media Extension: Settings (Registry key, nothing done)
    HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media

    --------------------
    --- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

    2005-05-31 blindman.exe (1.0.0.1)
    2005-05-31 SpybotSD.exe (1.4.0.3)
    2005-05-31 TeaTimer.exe (1.4.0.2)
    2005-08-15 unins000.exe (51.41.0.0)
    2005-05-31 Update.exe (1.4.0.0)
    2006-02-06 advcheck.dll (1.0.2.0)
    2005-05-31 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2005-05-31 SDHelper.dll (1.4.0.0)
    2006-02-20 Tools.dll (2.0.0.2)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2006-11-17 Includes\Cookies.sbi (*)
    2006-10-13 Includes\Dialer.sbi (*)
    2006-11-17 Includes\DialerC.sbi (*)
    2006-11-03 Includes\Hijackers.sbi (*)
    2006-11-17 Includes\HijackersC.sbi (*)
    2006-10-27 Includes\Keyloggers.sbi (*)
    2006-11-17 Includes\KeyloggersC.sbi (*)
    2006-10-13 Includes\Malware.sbi (*)
    2006-11-17 Includes\MalwareC.sbi (*)
    2006-10-20 Includes\PUPS.sbi (*)
    2006-11-17 Includes\PUPSC.sbi (*)
    2006-11-17 Includes\Revision.sbi (*)
    2006-10-13 Includes\Security.sbi (*)
    2006-11-17 Includes\SecurityC.sbi (*)
    2006-10-13 Includes\Spybots.sbi (*)
    2006-11-17 Includes\SpybotsC.sbi (*)
    2005-02-17 Includes\Tracks.uti
    2006-11-17 Includes\Trojans.sbi (*)
    2006-11-17 Includes\TrojansC.sbi (*)
    _______________________

    Is this NSIS Media Extension entry still to be considered a false positive?

    Thanks in advance!

    -- Victjar

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    "Is this NSIS Media Extension entry still to be considered a false positive?"

    If check.bat results were empty and you are not seeing NSIS popups, then yes, it is probably a false positive.

    Could we see the contents of the NSIS registry key, please?
    Copy the contents of the code box below into a new notepad document (not wordpad).
    Click file> save as...> call it nsis.bat > file types *all files*> and save it to desktop.
    Code:
    regedit /e /a NSIS.txt "HKEY_LOCAL_MACHINE\SOFTWARE\NSIS"
    start NSIS.txt
    Run nsis.bat and post back with the text that will open.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9
    Junior Member
    Join Date
    Nov 2006
    Posts
    4

    Default

    Thanks for your reply, Lonnie.

    Here's the nsis.bat output:

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]

    [HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
    "Stub"="ns65.dll"
    "InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
    "Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"
    "AffId"="1074"

  10. #10
    Security Expert-Emeritus
    Join Date
    Oct 2005
    Posts
    5,025

    Default

    Victjar
    Let SpyBot fix that item.

    It is definitely a leftover malware item.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
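
Added example, not part of any post in this thread and not Spybot's own detection logic: a small parser for `regedit /e` exports that separates the NSIS installer key from post #1 from the `Media` subkey in post #9. The `MEDIA_VALUES` heuristic and the function names are assumptions drawn only from the two exports shown above.

```python
import re

# Exports abridged from posts #1 and #9 of this thread.
DEV_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]
@="C:\\Program Files\\NSIS"
"VersionMajor"=dword:00000002
"VersionMinor"=dword:0000000a
'''

ADWARE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS]

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"Stub"="ns65.dll"
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
"Clsid"="{5BACC17E-BDF7-405B-BC68-ECB506395118}"
"AffId"="1074"
'''

ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\NSIS"
# Assumption: value names seen in post #9, not Spybot's real signature.
MEDIA_VALUES = {"Stub", "Clsid", "AffId"}

def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} from a .reg export."""
    keys, current = {}, None
    # Join hex continuation lines, which end in a backslash.
    text = re.sub(r"\\\r?\n\s*", "", text)
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current["@" if name == "@" else name.strip('"')] = data
    return keys

def triage(text):
    """Summarise what an export of the NSIS key contains."""
    keys = parse_reg(text)
    media = keys.get(ROOT + "\\Media", {})
    return {
        "installer_present": "VersionMajor" in keys.get(ROOT, {}),
        "media_leftover": MEDIA_VALUES <= media.keys(),
        "stub": media.get("Stub", "").strip('"') or None,
    }
```

A result with `installer_present` true and `media_leftover` false matches the developer machine in post #1; the reverse matches the export in post #9 that post #10 says to let Spybot fix.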
