NSIS Media

[PaulFXH]

Hi
My machine runs very clean and I very rarely have any virus/spyware
problems of any type.
However, today I kept getting a pop-up appearing without any prompting
whatsoever.
The pop-up was called "Advertisment - NSIS Media" (the spelling error
is in the original).

Given that I always run WOC, SpywareGuard and Spyware Blaster in
addition to very regular on-demand scans with a range of products, I'm
surprised that this "thing" managed to get in !

I then ran SpyBot, Ad-Aware and Ewido (ALL in Safe Mode) and all
reported nothing found.
A Google search showed that others had encountered this malware and
suggested it was relatively easy to remove via Control Panel>Add/Remove
Programs, which I did.

Anybody know anything more about what this is and, particularly, how to
prevent it getting onto my computer in future?

TIA
Paul

Dell 4550 Desktop
WinXP SP2
2.53 GHz CPU
1.0 GB RAM
Int HD 80 GB
Ext HD 160 GB

 

[roman modic]

Hello!

Hi
My machine runs very clean and I very rarely have any virus/spyware
problems of any type.
However, today I kept getting a pop-up appearing without any prompting
whatsoever.
The pop-up was called "Advertisment - NSIS Media" (the spelling error
is in the original).

Given that I always run WOC, SpywareGuard and Spyware Blaster in
addition to very regular on-demand scans with a range of products, I'm
surprised that this "thing" managed to get in !

I then ran SpyBot, Ad-Aware and Ewido (ALL in Safe Mode) and all
reported nothing found.
A Google search showed that others had encountered this malware and
suggested it was relatively easy to remove via Control Panel>Add/Remove
Programs, which I did.

Anybody know anything more about what this is and, particularly, how to
prevent it getting onto my computer in future?

Unbelievable, I've also get infected with "NSIS Media" yesterday.
I've found new folder in "?:\program files\common files" with name
NSIS. There are two files: ns8.dll and uninst.exe.

BTW, properties of ns8.dll shows:
Company: NSIS Media Networks
File Version: 5.6.0.1 , 5.06.0001
Internal Name: mediastub
Original File name: mediastub.dll
Product Name: flockstd

I've found ns8.dll in registry in HKLM\Software and it reveals CSLID
{D0ABAB9C-4F67-46C8-8061-11489EDE03DF}
which appears in HKLM ... ShellExecuteHooks section:
http://windowsxp.mvps.org/Startup.htm

BTW, there is also {AEB6717E-7E19-11d0-97EE-00C04FD91972},
but this is normal (shell32.dll)
http://www.fiveanddime.net/shell-extensions-list.html
http://www.greatis.com/security/registrytracer.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Description: The ShellExecuteHooks registry key contains the list of COM objects that trap execute commands.
Each object has the GUID.
By default you must have the "shell32.dll".
If you don't see shell32.dll GUID "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" it is not fatal. Your computer will work

Go to "Add/Remove programs" and search for "NSIS Media Extension"
Remove!
http://answers.yahoo.com/question/?qid=20060607080850AAjvpti


Roman

 

[roman modic]

Hello!

addition to very regular on-demand scans with a range of products, I'm
surprised that this "thing" managed to get in !

Me too - do you use P2P software?

Anybody know anything more about what this is and, particularly, how to
prevent it getting onto my computer in future?

http://www.techspot.com/downloads/2811-regrun-security-suite-platinum.html

Roman

 

[PaulFXH]

roman modic escreveu:

Hello!

Hi
My machine runs very clean and I very rarely have any virus/spyware
problems of any type.
However, today I kept getting a pop-up appearing without any prompting
whatsoever.
The pop-up was called "Advertisment - NSIS Media" (the spelling error
is in the original).

Given that I always run WOC, SpywareGuard and Spyware Blaster in
addition to very regular on-demand scans with a range of products, I'm
surprised that this "thing" managed to get in !

I then ran SpyBot, Ad-Aware and Ewido (ALL in Safe Mode) and all
reported nothing found.
A Google search showed that others had encountered this malware and
suggested it was relatively easy to remove via Control Panel>Add/Remove
Programs, which I did.

Anybody know anything more about what this is and, particularly, how to
prevent it getting onto my computer in future?

Unbelievable, I've also get infected with "NSIS Media" yesterday.
I've found new folder in "?:\program files\common files" with name
NSIS. There are two files: ns8.dll and uninst.exe.

BTW, properties of ns8.dll shows:
Company: NSIS Media Networks
File Version: 5.6.0.1 , 5.06.0001
Internal Name: mediastub
Original File name: mediastub.dll
Product Name: flockstd

I've found ns8.dll in registry in HKLM\Software and it reveals CSLID
{D0ABAB9C-4F67-46C8-8061-11489EDE03DF}
which appears in HKLM ... ShellExecuteHooks section:
http://windowsxp.mvps.org/Startup.htm

BTW, there is also {AEB6717E-7E19-11d0-97EE-00C04FD91972},
but this is normal (shell32.dll)
http://www.fiveanddime.net/shell-extensions-list.html
http://www.greatis.com/security/registrytracer.htm

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellExecuteHooks
Description: The ShellExecuteHooks registry key contains the list of COM objects that trap execute commands.
Each object has the GUID.
By default you must have the "shell32.dll".
If you don't see shell32.dll GUID "{AEB6717E-7E19-11d0-97EE-00C04FD91972}" it is not fatal. Your computer will work

Go to "Add/Remove programs" and search for "NSIS Media Extension"
Remove!
http://answers.yahoo.com/question/?qid=20060607080850AAjvpti

Hi Roman,
Thanks for your comments.
I actually had already removed it via Add/Remove Programs after which I
had no more problems although there are still three instances of "NSIS"
in my registry.
One of these is associated with the uninstaller for a small freeware
program I downloaded the very day I got "infected". This was Flashpaste
Lite (which, incidentally, other than its possible association with
whatever this NSIS thing is, is a great program).
Despite these references to NSIS in the registry, I have had no pop-ups
whatsoever.
Indeed, I still don't know how "bad" this NSIS pop-up is. As you have
seen, quite a number of people have posted to various NGs about it, but
nobody has mentioned anything about how serious a threat it is, or not.
nevertheless, i it were a serious threat, I doubt very much if the
designer would have gone to the trouble of including an uninstaller.
Paul

 

[PaulFXH]

roman modic escreveu:

Hello!



Me too - do you use P2P software?

No, I don't although my son had used P2P for a short time about 3
months ago.
As I mentioned in my last post, there seems to be some association
between the NSIS ocurrence and the fact that I downloaded the freeware
Flashpaste Lite.

http://www.techspot.com/downloads/2811-regrun-security-suite-platinum.html

OK, but there is nothing I have seen in this site to indicate that this
product should be any better than any of a myriad of other products in
keeping nasties out of my computer.
Why do you specifically recommend this?
Thanks
Paul

 

[Guest]

NSIS (Nullsoft Scriptable Install System) Check out :-
http://nsis.sourceforge.net
for info. on what this is.

duisky

 

[PaulFXH]

duisky escreveu:

NSIS (Nullsoft Scriptable Install System) Check out :-
http://nsis.sourceforge.net
for info. on what this is.

duisky

Thanks for the reply, duisky.
I had actually stumbled across Nullsoft as a possible explanation which
I had mentioned in another thread on the same subject (see final post
here:
http://groups.google.com.br/group/a...51d63c93d6?q=paulfxh&rnum=11#33502d51d63c93d6)

It's interesting that they have a forum, so I'm going to see if they
can explain why I (and quite a few others) was getting this popup.
Nevertheless, it's reassuring that this seems to have been quite a
benign "infection".
Paul