#51
Thanks to everyone, especially 'Pieter', for contributing to a solution in removing this nasty. Question, if I may.
Pieter, is there anything else that needs to be done, i.e. deletion of files, folders, etc., before or after running your script? Thanks.
__________________
Your Antivirus Wears Army Boots
#52
Hi tobacco,
Hard to tell until we have tried it on a live infection. I do not know in which processes the dll gets injected. If it is only explorer and iexplore then the script should work without any special preparations. (Of course it's always advisable to close as many programs as possible.)
Regards, Pieter
__________________
Regards, Pieter
It's nice to be important, but it's more important to be nice.
Remove & Prevent spyware
It's human to make mistakes. It's even more so to blame the computer for it.
#53
It loads under explorer, and any exe it wants to.
We need samples and more info on what it is that installs this thing. The programs mentioned here and elsewhere don't anymore, or it could be it won't on virtual machines.
#54
This is my result:

REGEDIT4

; RegSrch.vbs © Bill James

; Registry search results for string "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}" 19-10-2006 21:52:56

[HKEY_USERS\S-1-5-21-1004336348-1960408961-839522115-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
"{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4} {000214E8-0000-0000-C000-000000000046} 0x401"=hex:01,\

jan
#55
I finally found the apparent source of NSIS.
It comes from Nullsoft, in my case with the Winamp player. It is a plug-in of sorts. After I uninstalled Winamp, rebooted, all my scans and searches came out negative. It still did not come back. If anyone is interested, here is the URL for the NSIS download and description of it:
http://nsis.sourceforge.net/EclipseN...in_for_Eclipse
http://nsis.sourceforge.net/Support
plus
http://nsis.sourceforge.net/Main_Page

"Spyware Terminator
Nullsoft, Inc.
Software Developer
Detail Info: Nullsoft, Inc. develops one of the most popular media players - Winamp and plug-ins for it. Its other products include SHOUTcast - media streaming and directory system, NTV - global streaming television, NSIS - installer system for Windows, JNetLib - asynchronous C++ network abstraction library, NetMon - network latency monitor for Windows and other open source software.
URL: http://www.nullsoft.com
Phone: 703-265-0094

Maybe this can shed some light on this.
#56
Don't confuse Nullsoft Scriptable Install System
http://nsis.sourceforge.net/Support
with NSIS media Extension, which causes adware popups.
#57
Hi,
All I know is that after uninstalling Winamp player and cleaning the registry of the leftover keys, all my scans came out negative, no more traces and keys and files found, and most important of all, NO MORE POP UPS! Since then, I restarted my pc at least 10 times, and just in case did the scans, and I am still negative, and my computer is running just fine.
#58
For what it's worth - I tried something completely different to trick this one since no 2 people seem to be having the same luck in getting this thing.....
1. First I went to Program Files\Common Files\NSIS Media, then I deleted the 2 files in the directory.
2. Then I went to START -> RUN -> Regedit <ENTER>, then I searched for NSIS and deleted the registry key.
3. Then I went back to Program Files\Common Files, made the NSIS Media directory (now empty) Hidden and Read Only.
4. Then I went into the directory and created a ns00.dll empty (0 kb) file and an unist.exe empty (0 kb) file.
5. Then I replicated the ns00.dll file 100 times and renamed them in sequence until I had ns00.dll through ns100.dll completed.
6. Then I made all files in the directory Hidden and Read Only.
7. Rebooted the computer and went back to check Regedit and the Program Files\Common Files directories to make sure nothing changed.
8. That's it (took about 30 mins to complete since creating blank DLL and EXE files proved tricky). (Those not sure can create a blank text file by the correct name, go to Command Prompt mode (CMD), use CD PROGRA~1 then CD COMMON~1 then CD NSIS, then RENAME *.txt *.dll, then DIR to make sure they look right.)
It seems to work for me anyhow....
#59
Quote:
This worked for me!!! I got it from a CNET download "Classic Arcade Pack" from Openwares.org... I removed that first, then I removed the NSIS and crashed the system at the click OK prompt... Seems to have done the trick.
thx
Sammy
#60
Has anyone tried stopzilla......... http://www.stopzilla.com/
I haven't tried the registered version, so it full functioning to the removal, but it seems this program can detect nsis media as a malware............
I was infected and did these for removal...
1. uninstall nsis media from add and remove
2. delete the nsis registry key using registry editor
3. scan using trojan hunter.. did find trojan.. (my mcafee antivirus running in the background keeps telling that there are viruses in folder /localsetting/temp... but it is not there.. I don't know about this)
4. delete the chrome folder..........and install the firefox again...
... now my firefox runs normally....
Last edited by ninja9 : November 27th, 2006 at 11:20 AM.
#61
SpyBot Search & Destroy fixes it as of two weeks ago.
Updates 2006-11-10 - Safer Networking Forums: http://forums.spybot.info/showthread.php?t=8850
#62
Nice info LonnyRJ. Spybot cleared it, or I hope that it's removed now coz the results of scanning are "negative" on this junk. That's why I posted a reply here, I just want to be sure it is totally removed from pc. Is there someone who used spybot a few days or weeks ago? I would like to hear whether it comes back (that junk) after some time. I read here that this software was made for spying credit card codes in online shopping. Is it safe now to use cards for online shopping? Thanks Lonny once again, and thanks in advance if someone answers.
#63
A bit OT:
Been watching here; always interesting to me that SB seems to perform poorly on "magazine tests", yet all the peeps who have some expertise regard it as a great tool. There is a message there. (As an aside, I recently registered at one magazine 'Webuser' forum who had given very positive reviews about PrevX and Spysweeper. I actually recently dumped SS but am licensed PX member. I wrote posts scathingly critical of both utilities and lo and behold both posts were pulled without notice or explanation.)
__________________
Don't confuse me with someone who actually knows what they are talking about.
Linux Registered user 469135
Please, support Medecins Sans Frontieres
#64
Novi
Nsis is relatively harmless, only does popups as far as I know. It seems to be on a timer, so if it's not completely gone (should be) it will come back in a week or two. From what I've seen it only gets installed with supposedly free software that IS mentioned (this software is brought to you by NSIS media, or similar notice), you'd have to agree to have it installed. As littlebits mentions earlier in this thread.
Longbourd
SpyBot S&D, Ad-Aware, avg antispyware, prevx, Spysweeper, windows defender: all good programs, unfortunately we need more than one.
#65
Thank you Lonny for your answer. I thought that it's much more dangerous by the reviews I read here, but if you say that it's harmless I'll take your opinion then. Mmm, week or two you said (b4 popups again start to show up) if it's not completely removed from system. So, since yesterday no popups again, one day without that scum is success for me. Just in case, I removed firefox 1.508, codecs and filters for video-audio streaming and some games I downloaded like freeware in past days (all that seems to be potentially entries of Nsis on system). I hope that it's gone for ever, but if it shows up again I'll post a reply here, so that we could continue the fight against it.
#66
This NSIS seemed to be such a problem, with both Firefox & IE; IE I couldn't even open up. The big hammer on for Firefox to generate this, I think is wrong. Symantec had known about this since 3/21/05, where in another forum others think it's a newbie. Spybot located and removed it but obvious as to others it came back. I removed Ad-aware, and nullsoft (is associated with NSIS), also winamp.... removed it manually in regedit, through program files, ad remove programs... with the ns** file #'s changing on its return. Cleaned the registry with numerous cleaners, it still came back... even "crashed" the system by unplugging after a 'cleaning'. Still returned! Going to my computer\program files\common files\ I opened the folder NSIS to a ns** file and a uninst.exe... I clicked on uninst.exe, it opened to uninstall, I went for it... that's all it took to clean it out!!! Simple! I went through in regedit, there was a folder there, removed it, checked program file\common file... it's gone, also ad-remove, gone!!! Cleaned the registry, and Hallelujah!!! Cleaned!!! IE opened right up!!! I've seen where others had it easy removal also.... I didn't read all the postings in this forum. So may the nightmare not continue!
Steve
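
Added example, not written by any poster in this thread: a read-only PowerShell check for the leftovers that posts #54, #58 and #66 describe, useful for confirming a removal really held after a reboot. The folder name `NSIS Media` and the CLSID are copied from those posts; the script deletes nothing and inspects only the current user's registry hive.

```powershell
# Added example: read-only leftover check. Folder name and CLSID come from
# posts #54 and #58 in this thread; nothing is deleted or modified.
$clsid = '{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}'

# "Common Files" exists once on 32-bit Windows and twice on 64-bit Windows.
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
    Where-Object { $_ } | Select-Object -Unique

$findings = @()

foreach ($root in $roots) {
    $dir = Join-Path $root 'NSIS Media'
    if (-not (Test-Path -LiteralPath $dir)) { continue }

    # -Force also lists hidden/read-only files, e.g. the empty
    # placeholder files created in post #58.
    foreach ($f in Get-ChildItem -LiteralPath $dir -Force) {
        if ($f.PSIsContainer) { continue }
        $detail = if ($f.Length -eq 0) { 'empty placeholder (0 bytes)' }
                  else { "$($f.Length) bytes, modified $($f.LastWriteTime)" }
        $findings += [pscustomobject]@{
            Type = 'File'; Where = $f.FullName; Detail = $detail
        }
    }
}

# Post #54 found the CLSID as a value name under the per-user
# "Shell Extensions\Cached" key; HKCU: is that key for the current user only.
$cached = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached'
if (Test-Path -LiteralPath $cached) {
    foreach ($name in (Get-Item -LiteralPath $cached).GetValueNames()) {
        if ($name -like "*$clsid*") {
            $findings += [pscustomobject]@{
                Type = 'Registry value'; Where = $cached; Detail = $name
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No leftovers found in the checked locations.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Running it again after a few reboots covers the case several posters report, where the files return with different `ns**` numbers.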
#68
the NSIS Media Uninstaller by NSIS Media himself:
hxxp://nsismedia.net/uninstall/
__________________
http://removebloatware.org/