NSIS Media Popups

Discussion in 'malware problems & news' started by littlebits, Jul 7, 2006.

Thread Status:
Not open for further replies.
  1. warrenweiss

    warrenweiss Registered Member

    Joined:
    Jul 27, 2006
    Posts:
    1
    Has the malware component always been part of Foxie, or has the Foxie software been hijacked by someone? Because, other than infecting your machine and compromising security, it seems to be a thoughtfully-encoded program...and a great idea, too. Namely, adding some of the better features of Firefox to Internet Exploder.

    Even before I installed the software I noticed that their website had been defaced:

    Knowledge Base: hxxp://www.foxiekb.com/
    Report a Bug: hxxp://www.foxiekb.com/index.php?action=artikel&cat=4&id=1&artlang=en

    But, I assumed that it was only that, a defacement of their website, and not a "warning label" for a campaign of installing spyware.

    I installed the Foxie suite on a WinXP box and soon noticed the NSIS media popups. Both the Foxie suite and "NSIS Media somethingsomething" appeared in the Add/Remove Programs list. I uninstalled both of them, but now I wonder if it would have been sufficient to just uninstall the NSIS media piece and leave Foxie intact.
     
    Last edited by a moderator: Aug 25, 2006
  2. Tom in Victoria

    Tom in Victoria Registered Member

    Joined:
    Aug 11, 2006
    Posts:
    1
    I don't have Firefox or Mozilla but I get the NSIS Media thing.
    SpySweeper detects it and quarantines it but it comes back every time.
    I see where some people here are at their wits' end, having tried all kinds of things to remove it and it still comes back.
    Is it GOOGLE putting this on our machines?
     
  3. rdw46

    rdw46 Registered Member

    Joined:
    Aug 17, 2006
    Posts:
    1
    I went to Control Panel, Add and Remove, and it fixed my problem with NSIS Media. But when I updated Ad-Aware it came back. This time McAfee found it and deleted it, and it pointed the problem to Ad-Aware.
     
  4. PaulBB

    PaulBB Registered Member

    Joined:
    Jan 2, 2006
    Posts:
    722
    Finally I figured out how to get rid of the NSIS MEDIA junk. I intentionally installed the NSIS MEDIA junk through an eMule rip-off from Openwares to find a real solution.

    - Surprise, the NSIS MEDIA EXTENSION is a brand new product from WhenU. :D

    http://img520.imageshack.us/img520/7725/nsismediaextensionye6.th.gif

    Step 1. If you have Firefox installed click on Tools --> Extensions --> uninstall WhenU and close Firefox.

    Step 2. If you have CCleaner installed click on "Tools" and uninstall the NSIS MEDIA junk; if not, go to the Add/Remove panel and uninstall it from there.
    Step 3. Restart Windows and that's all, no more popups. ;)

    http://img209.imageshack.us/img209/5608/ccleanernf9.th.gif

    Before I uninstalled all this crap I also made a backup of the folder with the NSIS MEDIA EXTENSION junk; if anyone from an antivirus/antispyware company is interested I can upload it somewhere for analysis.
     
  5. Sam-the-Sly

    Sam-the-Sly Guest

    Ok, so here's how it is:

    My problem: getting pop-ups in IE labelled Advertisement- NSIS Media Extensions (or something like that :) )

    The cause:
    They appeared after installing Foxie Security Suite

    Files Presumably Responsible:
    C:\Program Files\Common Files\NSIS\ns**.dll
    C:\Program Files\Common Files\NSIS\uninst.exe

    What happens:
    When the user clicks on uninst.exe, the program removes all of it, but then when the user clicks on the prompt to restart, it sets for those deleted files to be restored on shutdown (or startup in some varieties).

    My solution:
    I found that if I crashed my computer (e.g. pulling out the power cable, lol) at the restart prompt when uninstalling it, when I booted up it was gone. I then did a search (start\search) for any file on my computer containing "nsis". I deleted any found. I then did a registry search (start\run\"regedit", then click on Edit, Find) for the same, and cleared anything found.



    DO NOT INSTALL FOXIE AT ALL COSTS!
    If you think that when you install foxie, you give it all security privileges to scan and monitor your computer, and then discover it is malware, think of what it could do... I'm quite sure that firewall.exe is more than it appears to be, and that displaying pop-ups isn't all it does... Will reverse engineer a.s.a.p, in the meantime, hope that helps!
    (it helped me)
     
  6. Dark Soul

    Dark Soul Registered Member

    Joined:
    Aug 22, 2006
    Posts:
    1
    Location:
    Hell Inc.
    I'm like y'all. One day this week, all of a sudden, this dang pop-up started from nowhere. It was making me mad too, because I'm real careful what I do and where I go, but it was driving me nuts. I knew it was adware because Kaspersky AV Pro and Ewido Spyware Pro run on Auto Protect, so I ran every spyware and malware scan; the only thing they found was cookies, lmao, because I have a web site full of appz & warez, and it still kept popping up. I have a program called AdsBeGone, the only pop-up blocker that stopped it, so I did a Google search, found this forum, tried the Add/Remove and it's gone, even after several reboots. So try the uninstall; as I found, it's going to reboot, there's no stopping that, and run Search afterwards to see if it shows back up. I use MicroSuc IE 6, not Mozilla.
    C:\Program Files\Common Files\NSIS


     
    Last edited: Aug 22, 2006
  7. Guro

    Guro Registered Member

    Joined:
    Aug 23, 2006
    Posts:
    2
    Hi folks, I'm a newbie here but figured I may add to the NSIS stuff. I had to do a system reformat on a computer I own and was very watchful of everything loaded on it. Well, needless to say, I got hit by the NSIS bug also, but I didn't seem to have as tough a go at it as most of you, it seems. I tried a few programs and it came back clean, but I installed SpyCatcher Express, a free program I saved to disc a while back. I would run SpyCatcher on anything installed and monitor what it thought might be spyware, as sometimes it's wrong. But in this case I was lucky: it found a file that suddenly appeared, wmidext.dll. I quarantined it. About the same time as this file was found by SpyCatcher I had downloaded Netscape; Netscape will be caught by SpyCatcher also, as nssetdefaultbrowser. I allowed running of the nsset, however the quarantined wmidext.dll appears to be the means by which the dreaded pop-up takes place. No problems in software etc.; Netscape and Internet Explorer work fine and no pop-up yet.... oh what shall tomorrow bring?!... kinda makes ya sick to think of it huh?
     
    Last edited: Aug 23, 2006
  8. Guro

    Guro Registered Member

    Joined:
    Aug 23, 2006
    Posts:
    2


    Update: I found nothing amiss in my system and programs; everything runs right, so I went back into SpyCatcher and removed the wmidext.dll, then uninstalled the NSIS under the Control Panel Add/Remove Programs. It hasn't come back after many, many reboots; it's all good. By the way, the computer was a Dell Dimension 2400 running Windows XP SP2.
     
  9. dah145

    dah145 Registered Member

    Joined:
    Jul 3, 2006
    Posts:
    262
    Location:
    n/a
  10. slybu

    slybu Registered Member

    Joined:
    Sep 18, 2006
    Posts:
    1
    NSIS media installed itself when i clicked on a "Firefox Update" pop-up in firefox.
    It looked like the usual popup from firefox when a new update is available...
     
  11. pzsd

    pzsd Registered Member

    Joined:
    Sep 27, 2006
    Posts:
    1
    NSIS media – Advertisement can be removed now – OS: Windows Xp Pro SP2
    =========================================================

    I have tried all methods mentioned in all forums; I have tried over 12 of the most popular antispyware and antivirus programs. But no success. I succeeded in the following way.
    Really it is shameful that not even a single antispyware or antivirus program was able to uproot this Trojan, though many claim that their antispyware or antivirus removes the NSIS media Trojan, but this is absolutely not true. Many people say, run Trojan Hunter. I ran it with the latest updates but no success. I have tried all, I say all.
    ----------------------------------------

    There might be different approaches, but I approached it in the following way successfully:

    First of all note that:

    The NSIS Trojan can come through Firefox extensions, but this is not the only source of the NSIS problem; mostly it may come from freeware and in particular from files downloaded from crack sites, torrents and P2P programs.

    Follow the following steps:

    1- Uninstall Firefox completely and also delete Firefox and its profile folder, which is located at C:\Documents and Settings\username\Application Data. You can save the profile but without the files in the Extensions and chrome folders. This step No. 1 is only necessary if you think that the NSIS problem is coming from Firefox. To check this, go to the chrome and extensions folders of Mozilla Firefox and frequently check for a file named NSIS.*, NSIS.jar or any file whose name starts with NSIS. If you find that file then you MUST implement step No. 1, and vice versa.
    2- There is a big chance that NSIS came through a bad piece of software. So think about the program you installed after which this problem started. Before uninstalling that suspected program, for the time being, cancel its autostart, and only run autostart programs that you 100% trust. Otherwise, after complete cleaning of the NSIS Trojan, any bad autostart program will reinstall NSIS again and you will be caught in a closed loop. That is what happened with me.
    3- My computer was infected with NSIS media by the NSIS.jar file of a Firefox extension. But after removing Firefox 1.506 I installed Firefox 2.0, which is very, very secure and accepts only trusted extensions. So at the end of this troubleshooting you can install Firefox 2.0; do not install other old versions. Here you can use your Firefox profile again (if you like) that was saved in step No. 1. The second NSIS media Trojan infection was coming from Roboform 6.7.8 which was obtained from a torrent. Most probably its Roboform.dll was infected (deliberately by some devil).
    4- I succeeded in cleaning the NSIS Trojan more than 20 times, but whenever I restarted the PC, the NSIS folder was again there in the Common Files folder. But when I stopped the autostart of Roboform, NSIS did not return. Note that the genuine Roboform software is very clean and does not have any infection. So do not be afraid of genuine software, but of cracked and torrent-loaded software.
    5- Now download the software "Smarty Uninstaller", latest version, and run it. Locate the program "NSIS Media Extension" in it, but do not do anything now.
    6- Now go to the NSIS folder in C:\Program Files\Common Files and delete it; I prefer to clean it with 3-pass secure deletion by Track Eraser Pro or any shredder.
    7- Now quickly go to the already-opened Smarty Uninstaller, right click on it and in the context menu click "Delete Registry entries". This will clean the NSIS-related registry entries. Before doing this step, be sure that the NSIS folder is not written again in the Common Files folder; if so, delete it again. However, Smarty Uninstaller will not delete one registry entry (I do not know why). Go to the following registry folder and manually delete the line that has NSIS in its name. Be careful! Do not delete the following reg folder but only and only the NSIS entry in it, if you find it: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks.
    8- Disable all suspected autostarts.
    9- Now use JVC Tools' registry cleaner and clean the registry. At the end of cleaning, select all, and clean. This is a safe program so do not be afraid. This step is for extra precaution and is optional.
    10- Now watch for some time whether the NSIS folder is coming back again or not. If it comes again then it means there is already software loaded in memory, mostly by autostart. In this case, disable all suspected autostart programs, restart the computer and revise all the steps given above. Now finally, run CCleaner (a freeware) with the secure deletion option. After that right click on the Recycle Bin and empty it with the CCleaner context menu command. Do not restart but shut down your PC now. And now you can start it again. Good luck.
    11- This MUST solve your problem finally. You can contact me for any further help at canjoapk@yahoo.com. It will be my pleasure to help you. We humans at the apex are kids of one father and mother. We must help each other but SINCERELY.

    Regards

    Canjopak

    Some very useful programs which are always helpful to solve problems (this is just a recommendation):

    Registry Workshop
    JVC tools 2006
    Smarty Uninstaller 2006
    Your Uninstaller 2006
    IP-Tools
    TCP Optimizer – free
    MySpeed PC - free
    Advanced Process Termination ver 2.1 – free, from DiamondCS – strongest killer in the market. But their new version, though beautiful, is very bad. Just use ver 2.1.

    Port Explorer – of DiamondCS
    Process viewer – Free (of DiamondCS)
    CCleaner - free
    Track Eraser Pro
    Regrun (only for expert users) – a great program
    Process Explorer and Autoruns from Sysinternals
    Extended Task manager

    =============================================
     
  12. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    BoClean nails it.
     
  13. simone

    simone Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    4
    Dear Canjopak,
    I have this pleasant nsis problem on my explorer, not on firefox.
    The only Nsis file I have is the folder in the common files folder.
    I did this:
    1. boot in safe mode
    2. open Smarty Uninstaller
    3. shred the nsis folder (by the way, DO NOT use HandyBits stuff, they contain spyware!)
    4. erase the reg keys found by Smarty Uninstaller
    5. erase by hand the reg key in the ShellExecuteHooks folder
    6. reboot in safe mode
    It was still there!
    How can it self-reinstall if I reboot in safe mode? It must be hiding in some basic Windows features...
    You were suggesting to disable all suspect autostarts, but when in safe mode, you actually disable all non-basic autostarts, right?
    Also, somebody suggested using BoClean, but since this is not freeware, I first checked their list of malware, and nsis is not there...
    Please help!
    Simone
     
  14. littlebits

    littlebits Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    262
    There is not a single program that will remove the NSIS malware in all cases.
    Some people have removed it with TrojanHunter, SpySweeper, BoClean and several different manual methods. The NSIS malware has many different variables.

    You can try a-squared's HijackFree. It's freeware, but you have to check everything manually. It's like HijackThis but has advanced options.


    If all else fails, you may have to do a system recovery with your Windows disks.


    Thanks.:)
     
  15. simone

    simone Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    4
    I got rid of it! The bastard was hiding in java52e.dll in the system32 folder.
    I managed to erase that file once in safe mode, then I shredded the nsis folder and erased the reg keys related to it. Since then I rebooted twice and it is still gone!
    Of course, maybe java won't work anymore, but you know, "ubi major, minor cessat."
    Simone
     
  16. argaunotes

    argaunotes Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    3
    Location:
    FRANCE
    We are facing the same trouble in France !

    One remaining file in System32 folder : jav52e.dll

    Good hunting everybody ;-)
     
  17. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I found this in a SilentRunners log:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    ...

    "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}" = "JavaExtExt Extension"
    -> {HKLM...CLSID} = "JavaExt Class"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\java52e.dll" [null data]

    Assuming this is the evildoer, can one of the former victims do a registry search for this CLSID:
    {B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}

    One way to get this in a nice text file:
    • Download the Registry Search Tool.
    • Unzip the contents of RegSrch.zip to a convenient location.
    • Double-click on RegSrch.vbs.
    • If you have an anti-virus installed it might prompt you about a running script. Please ignore this warning and allow the script to run.
    • In the "Enter search string (case insensitive) and click OK..." box paste this string:
      • {B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}
    • Click "OK" to search the registry for that string.
    • Wait for a few minutes while it completes the search.
    • Click "OK" to open the results in WordPad.
    • Copy and paste the entire results into your next post.

    Thanks in advance for any results that may help us help future victims.

    Regards,

    Pieter
     
  18. argaunotes

    argaunotes Registered Member

    Joined:
    Oct 12, 2006
    Posts:
    3
    Location:
    FRANCE
    Hi,

    http://symatec.security.com found :

    C:\Program Files\INSTAFINK\instafink.dll infected with Adware.InstaFinder
    C:\Windows\System32\cd_clint.dll infected with Adware.Cydoor

    Results:

    INSTAFINK folder removed; %System32%cd_clint.dll removed; INSTAFINK removed from Registry; %System32%jav52e.dll removed

    May that help !

    Last minute: regcleaner found one more NSIS in the registry and got it down and ... I got rid of that bastard (how long o_O) ;-)

    :thumb: from France
     
    Last edited: Oct 12, 2006
  19. Irma

    Irma Registered Member

    Joined:
    Oct 13, 2006
    Posts:
    3
    Re: NSIS Media Pop-ups

    My computer has been infected with NSIS since the end of July, began with large Pop-ups, ran every scan possible, all came out clean except Webroot SpySweeper, which quarantined all the files (1 item and 5 traces), but after every scan it found the same files, their support did everything imaginable to help me, even sending me a "NSIS remover" utility, with instructions, which only helped for the time being, whether it was in Safe Mode or regular. The devil multiplies with every removal. I did all the things suggested in the forums, and now give up.
    Webroot rates NSIS as a highly dangerous (phone home) Trojan, which is supposed to look for banking and credit card numbers and passwords. I actually did not have any problems in this area as of yet, and wonder how dangerous this is, or is it simply advertising? If so, I just have to live with it.

    Just in case, before I connect to the INTERNET, I run Registry First Aid, which shows the registry keys, and after "deleting" it (it comes back), I run Spysweeper x2, the second time it comes out clean, and I am alright until the next time of rebooting.

    DID ANYONE HAVE PROBLEMS WITH THEIR CREDIT CARDS?

    BTW, I did download the FireFox file, but did not install it, so NSIS must be a separate download I suppose?
     
  20. nadirah

    nadirah Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    3,647
    HIPS programs are a good way of stopping this sort of malware from infecting a system in the first place. And always download software only from trusted sources.
     
    Last edited: Oct 14, 2006
  21. simone

    simone Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    4
    Hello Pieter,
    this is the result I got from the research you suggested.
    As I mentioned in my previous post, I got rid of the problem shredding the java52e.dll, however maybe something interesting survived in this log...

    Simone

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}" 14/10/2006 18.16.17

    ; NOTE: This file will be deleted when you close WordPad.
    ; You must manually save this file to a new location if you want to refer to it again later.
    ; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Java.JavaExt\CLSID]
    @="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Java.JavaExt.1\CLSID]
    @="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers\JavaExt]
    @="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\PowerPoint]
    @="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"="JavaExtExt Extension"

    [HKEY_USERS\S-1-5-21-2544160391-2464859461-354211306-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
    "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4} {000214E8-0000-0000-C000-000000000046} 0x401"=hex:01,\



     
  22. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thank you Simone,

    Based on what you found the following method should work to get rid of this variant.

    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    Then copy the part in the CODE box below into notepad and save it as NSISjava.bfu
    Set Filetype to "all files"
    Code:
    OptionUnloadShell
    ProcessKill \iexplore.exe|1
    DllUnregister \java52e.dll|1
    
    RegDeleteKey HKCR\CLSID\{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}
    RegDeleteKey HKCR\Java.JavaExt
    RegDeleteKey HKCR\Java.JavaExt.1
    RegDeleteKey HKCR\txtfile\ShellEx\ContextMenuHandlers\JavaExt
    RegDeleteKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\PowerPoint
    RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved|{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}
    
    FileDelete %SYSDIR%\java52e.dll

    Save it in the same folder you made earlier (c:\BFU).

    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select NSISjava.bfu
    • Press Execute and let it do its job. Don't be scared because your taskbar and desktop will disappear for a short while.
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.

    Any feedback or additional information appreciated.

    Regards,

    Pieter
     
    Last edited: Oct 15, 2006
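    The step from Simone's RegSrch results to the BFU script Pieter wrote from them is mechanical, and it is the part a responder repeats for every new variant. The following is an added example, not from this thread or from the BFU or RegSrch authors: it parses the REGEDIT4 text RegSrch produces, labels which hits are Explorer load points rather than mere COM leftovers, and emits the matching BFU lines using the RegDeleteKey/RegDelValue command forms seen in Pieter's script. The sample input is constructed from Simone's post; the persistence descriptions are general Windows shell-extension behaviour.

```python
# Added example (not from the thread): turn the REGEDIT4 output that RegSrch.vbs
# produced above into BFU-style cleanup lines and label why each hit matters.
import re

CLSID = "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

# Constructed sample: the CLSID hits Simone posted, minus the HKEY_USERS cache line.
SAMPLE = r"""REGEDIT4
; RegSrch.vbs (c) Bill James
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Java.JavaExt\CLSID]
@="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\txtfile\ShellEx\ContextMenuHandlers\JavaExt]
@="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\PowerPoint]
@="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"="JavaExtExt Extension"
"""

# Hive prefixes as BFU writes them; HKLM\SOFTWARE\Classes is the same data as HKCR.
HIVES = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes", "HKCR"),
    (r"HKEY_LOCAL_MACHINE", "HKLM"),
    (r"HKEY_USERS", "HKU"),
]

# Locations where a CLSID hit means Explorer loads the DLL by itself (persistence).
PERSISTENCE = {
    "ShellExecuteHooks": "loaded by Explorer on every ShellExecute call",
    "ShellIconOverlayIdentifiers": "loaded by Explorer to draw icon overlays",
    "ContextMenuHandlers": "loaded by Explorer when a context menu opens",
    r"Shell Extensions\Approved": "whitelists the CLSID so Explorer may load it",
}

def parse_regedit4(text):
    """Yield (key, value_name, data); value_name is '@' for the default value."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key:
            name = m.group(1)
            yield key, (name if name == "@" else name[1:-1]), m.group(2)

def abbreviate(key):
    # Rewrite a full hive path to the short form BFU scripts use.
    for long, short in HIVES:
        if key.upper().startswith(long.upper()):
            return short + key[len(long):]
    return key

def classify(key):
    # Explain what a hit under this key does for the malware.
    for marker, reason in PERSISTENCE.items():
        if marker.lower() in key.lower():
            return reason
    return "COM registration / trace only"

def bfu_lines(text, clsid=CLSID):
    """A default value holding the CLSID means the key exists only for it
    (RegDeleteKey); the CLSID as a value name under a shared key means only
    that value is ours (RegDelValue key|name)."""
    out = []
    for key, name, data in parse_regedit4(text):
        short = abbreviate(key)
        if name == clsid:
            out.append(f"RegDelValue {short}|{clsid}")
        elif clsid in data:
            # A ProgID such as Java.JavaExt stores the class under its CLSID
            # subkey; the ProgID key itself is the artefact, so drop the parent.
            if short.upper().endswith(r"\CLSID"):
                short = short[: -len(r"\CLSID")]
            out.append(f"RegDeleteKey {short}")
    return out
```

Run `bfu_lines(SAMPLE)` to see that the four hits map onto the same four RegDeleteKey/RegDelValue lines Pieter wrote by hand; `classify()` flags the two Explorer load points among them.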
  23. simone

    simone Registered Member

    Joined:
    Sep 30, 2006
    Posts:
    4
    Hello Pieter,
    I followed your suggestions, and here is the report from bfu:

    BFU v1.00.9
    Windows XP SP2 (WinNT 5.01.2600 SP2)
    Script started at 14.03.07, on 15/10/2006

    Option Unload Explorer: Yes
    Failed: DllUnregister \java52e.dll|1 (file not found)
    Script completed.

    Of course it didn't find the dll file because I had already shredded it (let me also remind you that I was able to do that only running in safe mode).
    On the other hand, this is the new report from the registry search tool, after rebooting:

    REGEDIT4
    ; RegSrch.vbs © Bill James

    ; Registry search results for string "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}" 15/10/2006 14.29.49

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\PowerPoint]
    @="{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4}"

    [HKEY_USERS\S-1-5-21-2544160391-2464859461-354211306-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached]
    "{B9CE503D-03F8-4161-A8A6-C912ADFCF2D4} {000214E8-0000-0000-C000-000000000046} 0x401"=hex:01,\

    Simone


     
    Last edited by a moderator: Oct 15, 2006
  24. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Thank you for testing Simone. :)

    The script missed one that I wanted to delete.
    I'll have to look into that.
    Probably did something wrong with the RegDelValueIfContainsText command.

    Regards,

    Pieter
     
  25. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    I edited the script. If the default value for that key is corrupted anyway, we might as well nuke the entire key. :)
     