Additional info.
Hi, just wanted to report that I am still NSIS free using the above described method. Also, I think that i got infected by downloading some dvd-ripper Openwares from Download.com. Its the only thing I can think of. Also, there is no reason to switch to Opera if you follow the above method, or to reboot your computer. If you donwload the latest FireFox FROM the actual Mozilla website, you will be fine.
Also, I recommend doing the things that were mentioned above regarding the registry. Run "regedit" from the "run" feature on the start bar, then got to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows \Cur rentVersion\Explorer\ShellExecuteHooks" If there is a key there titled "default" it is fine, but bware of anything else, especially long strings of letter/number combos (as OJdrinker indicated above) I deleted the other two that showed up in mine. Also, Use the "find" feature under the "edit" menu. Type in "NSIS" in the finder field and click search. It should show a few other instances of NSIS Media extension under the "Uninstaller" tab. Those keys are directed to files that hould have been deleted using my method above, so they are theoretically harmless, but I would remove them from the registry altogether.
Finally, I noticed there were still some keys related to some of the suspicious programs i had deleted previously, so I removed those keys as well, to be safe.
I think that is it. For those who are thinking "His explanations seemed to be aimed towards complte idiots", that is because they are, in a way. There are a lot of people with no or relatively no experience with this stuff suffering from the NSIS bug. They are probably trying trials or paying some "Geek Squad" to fix this problem, when they could actually do it on their own. So forgive my wordy explanations.
Corianton
Apologies for my previous post saying it had gone, it came back but not untill i had shut down a couple of times? weird, but anyway a free trial of trojan hunter identified it and removed it and thats it totally gone now.
Thanks for all the info on this thread, its been most usefull.
A note to LITTLEBITS ! you listed three possible sources of infection from your installation date logs, and the only one I have in common is jet audio which i installed a couple of weeks back because itunes 7 was such a disaster! i think i got it from download.com cnet since thats where I go for most things i am unsure of.....
anyway thanks again
:icon_salu
1. Open folder C:\Program Files\Common Files\NSIS
2. Cut all files from that folder to "Desktop"
3. Make two files in the folder by "right click > new> text document
4. rename both files to:
-- ns10.dll --
and
-- uninst.exe --
make sure you have option to see your files extensions to aboid double extension names.
>in "Folder Options" > "View" > "Hide extensions for known file types" must be UNchecked.
5. now you have two files in folder with exectly the same name that was before, which was installed
without your permission by NSIS media, so make these files READ ONLY,
by right click on file > Properties > Check box "Read only" make checked.
6 Make folder "NSIS" = Read Only (step 5)
7. If you can not delete files from your desktop you moved earlier in step (2) then rename them to
anything without extension.
8. Restart the computer and delete these files from Desktop permanently.
Remember do not delete NSIS folder or you will have it back again, no ad-blocking software nore Utility will fix it for you. "Windows Live OneCare" actually will prevent from installing it, so I recomend it.
:icon_salu
I send spy sweeper an e-mail re: NSIS . They sent me a program "nsisremove.exe" via e-mail attachment. I ran the program and no pop-ups for 4 days now. The NSIS folder in common files is gone and has not returned after many re-boots. I think they got it. My computer is running alot better too. FYI
Does anyone have a working removal tool? A standalone removal tool would be a plus.
ive been using opera since my last post but yesterday I though I'd give firefox another go because I miss site advisor and within 10 minutes of me installing the latest firefox (not the beta) and site advisor I got this damned media worm again. 10 minutes!!! All I had done is vist a kids famous toy site with my son and it came back. not sure if its something do with my zone alarm firewall or my dell laptop but there is something seriously up here. I spent about 3 hours battling with it deleting the common programs folder,deleting firefox chrome,purging my registry and scannning with trojan hunter but I got rid of it (trojan hunter doesnt do it on its own) I can't even remember in which order I done these things in. does anyone know (apart from spy sweeper and trojan hunter) if any major anti spyware players have come up with an easy solution because I have spyware doctor and norton and they have'nt helped at all. Thanks guys
When I put NSIS media into google I had been expecting to find a simple solution to the problem that had plagued my PC for a few weeks. It was only then that I realised other people were equally as fuct off with the thing as me. After several hours reading the past three month of this forum I think I've managed to kill the trojan and I can't even put into words how satisfying it is to have finally removed it for good (fingers crossed).
I went to re-install firefox and my Mcafee warned me that several Mozilla downloads - from the mozilla homepage itself featured adware. If I download from Mozilla I'm worried that I'll be plagued by it again. Is there anywhere I can download an old version of it before this damn Trojan was developed or anywhere I can download a guaranteed clean version. Think I probably picked up NSIS in the first place from downloads.com so don't really want to venture there again.
Any recos for good download sites would be much appreciated.
Thanks for the advice in helping to get this thing cracked in the first place. Weird thing is that NSIS only really plaued me when I was surfing hi volume sites yahoo, ebay etc. I'd assumed it was something generated by viewing certain common pages because it would be very common when viewing some sites and then would never appear when viewing smaller scale more obscure web pages. Has anyone else found this?
Smouty
I haven't been following this thred closely since I got rid of NSIS but I see that many/most of the dlls that end up being the culprits always begin with 'W,' including this webhits.dll. In my case, it was wmudrv.dll. If you use Process Explorer, be very suspicious of any w something .dll, especially if it is 6 or 7 characters. At first, I thought the pattern was wm something but webhits kills that - the leading 'w' still looks possible though.
Well, it's a nice thought, but not quite true. Mine was coltea.dll in my c:\windows\system32 folder.Originally Posted by Nathan Detroit
Whatever naming convention they used, it sure is tricky.
This method works for me so far...
Thanks abruzil33 for your help, it seems to have worked with my system : xp sp2.
I'd also remove the nsis folder in C:\Program Files\Mozilla Firefox\chrome
This folder seems to be generated to open pop up windows.
I'd also emptied the trash.
Until now (oct 29th c.e.t.), no pop up windows, the remained files in the NSIS have not been modified.
[QUOTE=Seiji]Hello!
........."But, I just did a system restore and downloaded the newest version from getfoxie.com Looks like I'm going to have to do another, but I feel this still doesn't solve the problem if someone else uses the same technique (looks like I have no choice).".........
I'm hopping in here, even though this is an older thread because I just started reading it myself - I just got infected with it, myself, and am reading about 20 different forums about this bugger. In case someone else, at a later date, is playing catch-up, I wanted to warn you- be careful of system restore as a solution. This nasty file lurks for awhile, before it activates, and if you read the date on the file, you'll think a system resore before that date is a safe one. I've tried 5 different adware scans to identify and isolate this, and only one of them found it in (4 different) system restore points. Be careful which one you use. I think it comes from a multitude of places. I don't have most of the ones mentioned, but I DID download an Xvid codec.
I sure hope someone has solved it by the end of this thread, because this thing is frightening. Some forums are suggesting that there's more going on than just annoying pop-ups- sure hope that's not the case. Good luck, everybody....
oops. this was supposed to go after Seiji's post from back in July. maybe I'll see if I can put it back there, too.
I still haven't seen an always working version of a fix. Is there any good ways to remove this thing?
Well yes there is a working fix, if you have your Windows disks, backup all of your important files to CD and do a System Recovery.
Try some of the solutions in the thread, some work for different infections.
It really sucks, because you will have to reinstall everything again. Starting with all those Windows Updates.
In my case that was the best option, it was actually faster to do that then to look for another way to remove it. I spent more time trying to find a solution for removing the NSIS Trojan, then the time it took me to backup my files and do a System Recovery.
Thanks.:icon_salu
I'd rather have a removal tool or something like that because I get the feeling I will get it again sometime and it's too timeconsuming to reinstall everytime.
Posting Permissions
Reply With Quote
Bookmarks