# NSIS Removal Directions!!! I figured it out!



## ilcasastronza (Sep 20, 2006)

NSIS Removal Directions by Il Casa Stronza (**********).

Like many of you who have been flustered by the unbelievably difficult to remove NSIS Media, I have scoured the internet in search of a solution. No solution did I find. I am in Italy for a semester, don't have my restore disks (they're in the USA), and have no clear access to the internet. I clear my restore points weekly when I don't think there is a problem, so naturally, I don't have a restore point to go to. All in all I do not consider myself a newbie when it comes to computers, but by no means am I a professional. However, being in a country where I pay by the kilobyte of information sent, and not wanting to have my poor old laptop out of commission, I wanted the NSIS Media pain-in-the-butt off my computer ASAP.

With that said, I have found a solution. It may not work for everybody, but heck, it has been about 10 reboots since, I have used the internet a few times, and all in all it has been wonderful without it. So give it a try; the worst that can happen is you lose an already trojan/worm-infested computer. (That came out so negatively...) If this destroys your computer, I take no responsibility for it; I did the steps below, compiled by me, and have been fine. If it crashes... you've got other problems. 

Here goes. 

*Software needed.* There are only two tools that I downloaded, and no, it isn't HijackThis. The first is a program called *CCleaner*, which I'm sure many of you have used since you're reading this, so I will not bother to link it. The second, which is lesser known, is called *Lexunware RegScrubXP*. You can probably just Google it... I think I got mine a year ago on Majorgeeks or some site of the sort.
You will also make good use of your regular *Regedit* and *Windows Explorer*.

Step 1 - MS Config/Startup/System Restore

First of all, any time you see directions for a solution from Symantec or the like, you see "shut off your System Restore." In this case, I would agree, because goodness knows where else NSIS could end up on your system. 

From the Start menu, go to Run and use "msconfig." Copy your startup setup (I know I customized mine) from the Startup tab. Write it down on a slip of paper; it'll be easier that way. Then, under the General tab, use Diagnostic Startup. It may take a few seconds (mine I think took a bit longer, my computer is older) to kind of cycle. Once this finishes cycling, click OK and RESTART YOUR PC NOW. Once it restarts, the first thing you'll notice is that your computer boots up really fast! (OK, that's what I noticed.) 

***Reason for doing this step: this way when you shut down or boot up, you're not loading anything that NSIS can possibly use against you. You'll have a nice clean boot when you do the next few steps. For the System Restore part, I think that's explained above.

Step 2 - Internet Explorer/Network

If you have your network on at this point, disconnect it by either just pulling the plug or disabling the network adapter. 
Clear your IE temporary internet folders, cache, history, SSL state, etc. 

***Reason: If you are connected to the network, more than likely NSIS can just go get a new copy of everything from the internet. By clearing the cache, cookies, passwords, forms, and the SSL state, you lessen the risk of NSIS already knowing what to look for; a cookie can lead a program anywhere it wants. 

Step 3 - Mozilla Firefox Uninstall
In Windows Explorer (My Computer) go into your Program Files directory and into the Firefox sub-directory. If you normally use Firefox as your default browser, remember to back up your bookmarks, because we're going to uninstall Firefox. After it uninstalls, delete the Mozilla Firefox folder and all its contents. Do a Control+Alt+Delete, go into the Processes tab, and end the task Explorer.EXE. You read that right: end explorer.exe. Then re-run Explorer by (in the Task Manager menu) clicking on File, "New Task". You will get a dialogue box asking which file to open; just type in "explorer.exe". DO NOT RESTART YOUR PC. Then go into your c:\Documents and Settings\User\Application Data folder and delete the Mozilla Firefox folders and contents. Do the same thing in the c:\documents and settings\user\local settings\Application Data folder as well. Both must be deleted.

***Reason: If you have been reading any of the other solutions like I have, or have browsed through the Chrome folder of Firefox, you would have seen NSIS.JAR in there. If you opened the JAR file up, you would have seen a list of links and the like... Those links equal bad. Second, the majority of the problem seemed to have started with people and Firefox, so I think that maybe, just maybe, it would be prudent to get rid of it altogether. Third, with the deletion of the files in the Documents and Settings folders, you lessen the risk of having something else stored in there. 

(take two sips of espresso cause you're not done there)


Step 4 - NSIS Uninstall, sort of 
Go back into My Computer, go to your Program Files folder (c:\program files\) and go into the Common Files folder. In there you'll find the NSIS folder and in there an uninstall executable. Open the uninstall.exe file. Yes, I know that many have tried it and failed, but I'm doing something different with it. After you go through the usual jargon of "do you really want to uninstall," it'll ask you to restart your PC. Don't do it. DO NOT RESTART YOUR PC WHEN IT ASKS YOU TO; NSIS WILL JUST GO BACK AND REINSTALL ITSELF. Instead, hit CTRL+Alt+DEL and in the Processes tab, end the uninstall task (it'll be one of the only USER files listed). This will close out the uninstall (more like install) program and leave you barebones. Once this is done, do like you did with Firefox: end Explorer.exe and then re-run it again. Get back into the Common Files folder and delete the NSIS folder and everything inside it. You may have to uncheck the "Read Only" setting. 

***Reason: I've noticed in my time with this hellish trojan/malware/thing that if you uninstall the file or just plain delete it from the system, it'll come back on reboot. This way, you're stopping the application from running its own re-installation files. When it asks you to reboot, all it is doing is putting files in other places. It's like saying YES I want it to reinstall, just worded differently. Luckily, killing the app allows you to keep going at it. 

Step 5 - Temp Files
Go into the c:\documents & settings\user\local settings\temp folder and delete every file you can. I know I had one file that would not let me delete it, but I got all the others (on some I had to delete them one at a time and change their read-only settings). Just get whatever you can. 

***Reason: When you do the uninstall of NSIS and Mozilla, they create files in the temp folder that do not always get deleted. In NSIS Media's case, they are deliberately put there so that when you reboot, they load up. So by deleting them, you're almost there in getting this thing completely out of your system. 

Step 6, part A - CCleaner
Run CCleaner. It's an awesome tool. There are 3 tools in here that you should use, and make sure that all boxes are checked. The first is the Windows Cleaner. Run that one first. Then do the Applications one. Lastly, select Issues. Make sure all boxes are checked, and run that too. When it asks you to "Fix" everything, more often than not it will delete it. Just select Fix All. Once you are done, close the program.

Step 6, part B - RegScrubXP
Open up the program. It is probably in your Start menu. RegScrubXP is similar to CCleaner in that it will scan your registry and find problems that it thinks are there. It will also automatically determine how to fix them. At the top, there are a number of buttons. Click on the one that says RegScrubXP Finds Problems. It will take about a minute or two to cycle through the registry. You'll see the number of registry problems racking up like chips on the side of your favorite blackjack dealer. When the process is completed, look at the bottom of the screen and click on "Select All Problems" and then "Fix Selected". It may take a minute or so, depending on the number of problems and your processor. 

Step 6, part C/D - You can do steps A and B again. I did it twice, I think. It just sort of goes back and forth fixing problems they find, not always the same ones. 

***Reason: NSIS and Mozilla have things in the registry, in case you haven't noticed. They bury themselves deep, and have their own file settings that get changed when they are installed/uninstalled. The registry cleaners clean these deep caverns of doggy doo and either delete the registry key or do something of that nature. In CCleaner's case, with the first two tools in that program, it runs through and cleans out any gunk left behind, like cache files, that not only slow your computer down but can have some malicious little pieces of code stuck in them. RegScrub and CCleaner can be used not only in this situation, but can be part of your, hopefully, regular maintenance routine. Since about one month ago when I found it, it has been.

Step 7 - Regedit
Here is where you want to back up your registry. Make sure "My Computer" is highlighted, click on File, Export, and save it somewhere as a copy... "registrybackup.reg" or something. It might take a second or two. Then do a search for NSIS by either using the shortcut (CTRL+F) or by going up to Edit, Find. Make sure it's looking at keys, values, and data. The few places I know of specifically are in "Software" in both Current User and Local Machine. There is also one inside the Windows Explorer shells as well... If you find more, delete those. Pay attention to what you're deleting. I know software like Nero may have information in ISOs and the like, which sometimes get gobbled up in the search, so don't go delete-happy. The easiest way to get to the next hit in the search is to use your F3 button. Be patient. If you screw up, you always have the backup.

***Reason: CCleaner and RegScrubXP don't always get what you want, necessarily. So you have to go in manually to do so. If you are unsure of what exactly is going on in there, hopefully you can borrow a buddy's computer and send me an email, or maybe ask an administrator to help you with this. 

Step 8 - CCleaner/RegScrubXP revisited
Run these again, just to be on the safe side; once apiece should be good enough.

Step 9 - Windows Explorer
Do a computer search for NSIS on your PC. If you see any instances of it, delete them. Please be careful not to delete something you shouldn't... Send it to your Recycle Bin rather than outright deleting the file if you are not sure.

Step 10 - Restart

Exactly as it says. Restart. Keep the same boot settings as were set in the beginning. When you get back into Windows, check to see if the NSIS folder is back in the Common Files folder. It should be gone. We hope. 

Assuming everything has gone according to plan, you can put your startup settings back in order, from Diagnostic to Normal or Selective, whichever you do normally. After I did this, I did a system defrag, system error check, virus scan, and adware-type scan (whichever is your favorite: Spyroot, Ad-Aware, Microsoft's tool, or a combination of all of them). I'm just about to do a system backup here in a few minutes onto DVDs. I really don't want to have to go through this whole ordeal ever again.

You can all repost these directions to other places if they work for you. There should be no one who has to go through it like I'm sure we all have. I like to think of these directions like open source: they should be shared, share and share alike; when someone has a modification, post it somewhere. Please though, give me some feedback if it works and if you are going to post it. Also, please show my name/email address somewhere on the page. I think I deserve that much. 

For those of you who this doesn't work for, I'm truly sorry, and hopefully you can find a way, too, to do something to counter this malicious junk. Post it with mine, that's fine (it rhymes...hehe). People should be aware of how to remove it. 

OK?

Il Casa Stronza
*******
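
Step 7 and Step 9 above amount to a registry search followed by hand deletion, and the RegSearch options file later in this thread automates the search part. The Python below is an added example (it is not part of ilcasastronza's post and not one of the tools named in it) that does the same thing offline: it reads a Regedit export of the kind Step 7 tells you to make, searches key paths, value names and data for the product name and the CLSID listed further down in the thread, and drafts a second .reg file that deletes the hits using Regedit's own syntax ("[-Key]" deletes a key with its subkeys, '"Name"=-' deletes one value). Only keys whose path matches are proposed for whole-key deletion; a matching value name inside a shared key such as ShellExecuteHooks gets value-level deletion, and a data-only match is left for manual review, which is the "don't go delete-happy" caveat in code. The sample export is constructed from the key paths and values quoted in this thread; the Nero key and the placeholder hook GUID are made-up benign neighbours, not real captures.

```python
"""Search a Regedit 5.00 export for a pattern and draft a removal .reg file.
Added example, not from the original post or any tool it names."""
import re

# The product name plus the CLSID the thread found under SOFTWARE\NSIS\Media.
NSIS_PATTERN = r'NSIS|F28439F2-4996-41B8-8BD0-22789780DE81'

# Constructed export: key paths and values quoted in the thread, plus a
# placeholder hook GUID and a Nero key as benign neighbours (not real captures).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media]
"AFFid"="1299"
"Clsid"="{F28439F2-4996-41B8-8BD0-22789780DE81}"
"InstDir"="C:\\Program Files\\Common Files\\NSIS\\"
"Stub"="ns58.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{11111111-2222-3333-4444-555555555555}"="Placeholder for a legitimate hook"
"{F28439F2-4996-41B8-8BD0-22789780DE81}"="NSIS Media Extension"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia]
"DisplayName"="NSIS Media Extension"
"DisplayVersion"="5.6.1"
"UnInstallString"="C:\\Program Files\\Common Files\\NSIS\\uninst.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NSISMedia]
"Changed"=dword:00000000
"SlowInfoCache"=hex:4c,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00,\
  ff,ff,ff,ff

[HKEY_CURRENT_USER\Software\Nero\ImageRecorder]
"RecentImage"="D:\\Downloads\\nsis-setup.iso"
'''

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
VAL_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _unquote(s):
    """Strip the quotes of a .reg string and undo its backslash escapes."""
    return s[1:-1].replace('\\"', '"').replace('\\\\', '\\')


def parse_reg(text):
    """Return {key_path: {value_name: data}}; dword/hex data is kept raw.
    Hex data is wrapped with trailing backslashes, so those lines are joined."""
    text = re.sub(r'\\\r?\n\s*', '', text)
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group('key')
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            name = '' if m.group('name') == '@' else _unquote(m.group('name'))
            data = m.group('data')
            if data.startswith('"') and data.endswith('"'):
                data = _unquote(data)
            keys[current][name] = data
    return keys


def search_reg(keys, pattern):
    """Regedit-style search over keys, value names and data (case-insensitive).
    Key-path hits can go wholesale; value-name hits only by value; data-only
    hits are returned for a human to look at."""
    rx = re.compile(pattern, re.IGNORECASE)
    remove_keys, remove_values, review = [], [], []
    for key, values in keys.items():
        if rx.search(key):
            remove_keys.append(key)
            continue
        for name, data in values.items():
            if rx.search(name):
                remove_values.append((key, name))
            elif rx.search(data):
                review.append((key, name, data))
    return remove_keys, remove_values, review


def removal_reg(remove_keys, remove_values):
    """Draft a .reg that deletes the hits: [-Key] drops a key and its subkeys,
    "Name"=- (or @=- for the default value) drops one value."""
    lines = ['Windows Registry Editor Version 5.00', '']
    for key in remove_keys:
        lines += [f'[-{key}]', '']
    by_key = {}
    for key, name in remove_values:
        by_key.setdefault(key, []).append(name)
    for key, names in by_key.items():
        lines.append(f'[{key}]')
        lines += ['@=-' if n == '' else f'"{n}"=-' for n in names]
        lines.append('')
    return '\n'.join(lines)


if __name__ == '__main__':
    hits = search_reg(parse_reg(SAMPLE_EXPORT), NSIS_PATTERN)
    print(removal_reg(hits[0], hits[1]))
    for key, name, data in hits[2]:
        print(f'REVIEW (data only): [{key}] "{name}"={data!r}')
```

Regedit writes 5.00 exports as UTF-16 with a byte-order mark, so read a real one with open(path, encoding='utf-16'). Read the drafted file before importing it; importing is itself a change to the live registry, so take the backup export first, exactly as Step 7 says.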


----------



## sUBs (May 5, 2005)

Thread moved from the HJT Log Help forum. *It should not be posted there*

I'm busy now but I shall have some comments later. 

Regards,
sUBs


----------



## ilcasastronza (Sep 20, 2006)

*Sorry*

Thought that since it was relative to all the other threads in there that it should be posted in Hijack This... My apologies. 
Hopefully they're... good comments?

~Il Casa Stronza


----------



## ilcasastronza (Sep 20, 2006)

*Oops*

A few things,

I tried installing the new Firefox last night from mozilla.com. As soon as I did that, NSIS returned. Could it be something with the new version of Firefox? Because no sooner did I install it, after I made a triple sweep of my PC, than it returned. There was nothing inside of the user agreement for it, so I don't know. Maybe I didn't get rid of NSIS after all, or it was waiting for a re-installation of Firefox as its primary source... I think I may start using the Opera browser, Mozilla itself (sans Firefox), or try that bare-bones Firefox fit for a thumb/USB drive. 

Second, when I posted those directions the other day, I forgot to include clearing the Prefetch. Can't remember when I did it.


----------



## sUBs (May 5, 2005)

ilcasastronza, 

Do you have any of the NSIS infected files? If so, please submit them to this webpage: http://www.bleepingcomputer.com/submit-malware.php?channel=4

It's not really a Firefox issue but rather the way Java is configured on Firefox.
What version of Java do you have installed? The latest is (JRE) 5.0 Update 8 - http://java.sun.com/javase/downloads/index.jsp


----------



## ilcasastronza (Sep 20, 2006)

I have sent the file to Bleeping Computer. It is labeled "NSIS Infected.zip". It is, however, without the files from Firefox, because I had already uninstalled it prior to your file request. 

As for Java, I had it set not to accept Java, Activex, and set the javascript to be only for inside a page (didn't allow resizing, opening new window, etc).

****
Just a thought, has anyone tried to disassemble the uninstall file or any of the DLLs? If it's a Java program, if that in a way is what you're implying above, I'll see if I can take a crack at it, or at least see if a friend of mine who has a master's in CS can take a snag...


----------



## Meztiso (Jul 25, 2006)

*Wondering...*

I am wondering why Registry Cleaners are being used instead of specific manual registry key deletion. Is it because you don't know exactly which registry keys need to be removed ?

I've quit using registry cleaners because they don't seem to solve any problems and I have had several problems caused by them, so the idea of using one to "fix" a software problem seems a little "iffy" to me.


----------



## ilcasastronza (Sep 20, 2006)

*Good Question, glad to answer it*

The reason for using registry cleaners instead of just going into Regedit and doing it manually was just something I was doing in the rush to get rid of NSIS completely and utterly. I did go back and look through the registry (I'll put a list of the few that I found below as an example) and delete the registry keys, or at least the ones I could find. Using RegScrubXP or CCleaner also helped in removing some miscellaneous keys that maybe I could miss. Registries are big things, remember. For instance, CCleaner removes many of the keys, data, and values that are left over from uninstalling a file. In the directions above, I use the NSIS uninstaller against itself by doing a CTRL+ALT+DEL to get into the process list and ending the uninstall task so that I can delete the temp files. Once this happens, NSIS reloads itself into the registry, which is why so many of us have been having problems with it. I could go on about that... but that seems to be enough...

As for not using a registry cleaner, heck, that's up to you. I just find it easier when I'm doing a regular checkup to get rid of some of the clutter that comes with being a person who installs and uninstalls beta software regularly. That, and it really speeds up your computer. But if manually going in and deleting keys works, so be it, then go at it. 

I haven't had a problem using RegScrubXP as of yet, and I've been using it for a while. I even put it on my dad's machine (he's a programmer at a company in the States) and he uses it regularly as well; he says when you boot your machine back up, you can actually see the difference in speed at times. CCleaner I haven't been using for long, but others seem to have taken a shine to it, and it does an extra trick that I didn't have software for before. 

As for those keys, here are a few that I logged from my uninstall of NSIS.

My Computer\Hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{F28439F2-4996-41B8-8BD0-22789780DE81}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia

HKEY_LOCAL_MACHINE\SOFTWARE\NSIS

Does that answer it?


----------



## Meztiso (Jul 25, 2006)

*Another Registry Question...*

In another thread, I mention that we seem to "make up" theories about what is happening with the O/S "behind the scenes" when we do things like delete malware by rote instruction and/or trial & error.

I have one such "half-baked" theory I would like to check, as it seems you know quite a bit about the Registry in general.

My theory is that the Registry Keys are "cross-linked", and that a particular program may have many spread through-out the registry. Some are critical, and by removing those you prevent whatever software from running. But then there may be others that are left behind, with "links" to keys that are/were "critical" and are now missing.

The Registry "cleaners" identify those key "networks" that have missing and critical pieces missing, and deletes them (since they are non-functional anyways).

Is this a good, "half-baked" understanding of what is happening ?


----------



## ilcasastronza (Sep 20, 2006)

I agree with you, we really do make up theories on what is happening with the OS registry, especially with MS Windows, no matter what version, because nothing ever seems clear, especially with the bad memory management and data management that Microsoft seems to push. 

However, in these "half-baked" theories, most of mine at least come from trial and error. When I was a kid (realize that I'm 22 and have had a computer since 1986), my dad would get completely p***ed when I would screw up the computer and destroy the registry, because that meant he or I would be sitting in front of the computer with a whole stack of Windows 3.11 floppy disks, reinstalling the system. Today, System Restore makes it a bit easier....

Back to the information at hand: in destroying the computer I have learned what works and what doesn't. While my method isn't perfect and is far from over, I see a few things happening. 

For instance, take a regular, non-malware program. I dunno... uh... Winamp, for example (no relation to the current NSIS problem). If I install Winamp, it puts registry keys into Current User and Local Machine, where you can explicitly see a Winamp folder. When you uninstall Winamp, you still have the folder in the registry in Local Machine. Not even just that, but it spreads out throughout the system. Even if you delete the Local Machine folder in the registry (which should not affect any other files/programs on your computer) you still have a bunch of keys that remain in the file system. Most aren't malicious; they just say that if you go back and install Winamp, it'll know that it's been on your computer before, even if all the files in your C:\program files\winamp\ folder have been deleted. 

Now, if you delete some keys with the program still running, you may or may not delete a key that is critical. There is a key for Google Toolbar, that I know of specifically, that if you delete this particular key, you just get rid of the number that you normally would see in the Google Toolbar in IE. So instead of showing ...99 Blocked, it would go back to 0 (zero) automatically when you go back into IE. However, if you were to delete a reference key (a key that "links" to another file), you may have problems. 

This is why I've been using cleaners. I mean, it won't get rid of a whole registry "folder" many times, but it can help clean up some of the clutter that other programs left behind. 

For the NSIS problem (I ended up getting NSIS back as soon as I installed Firefox again; I had to try it just one more time), I went back and tried to delete all of the NSIS registry keys. Now, NSIS had some keys that it installed ALL OVER the registry. What a hindrance. It installs some in a shell execute folder of Explorer, has a folder in Local Machine and Current User, and a bunch of other places. Actually, I found one key last night. Inside of it, it has this (sorry to jump from idea to idea... Attention Deficit stinks):

\??\C:\Program Files\Common Files\NSIS\uninst.exe

\??\C:\Program Files\Common Files\NSIS\

\??\C:\DOCUME~1\ANDREW~2\LOCALS~1\TEMPOR~1\Content.IE5\index.dat

\??\C:\DOCUME~1\ANDREW~2\Cookies\index.dat

\??\C:\DOCUME~1\ANDREW~2\LOCALS~1\History\History.IE5\index.dat

It was in a key that said something to the effect of "PendingFileRename", so it's taking files in those particular folders and playing with them. Convenient, no?

But back to the cleaners thing: they'll get rid of such junk, not all of it, but enough so we don't have to do all of the work, and it may make your computer more efficient in the process. 

If any of this is wrong by a more experienced computer user, please put me in my place.
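
The five "\??\" paths in the post above are entries of the PendingFileRenameOperations value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. It is a REG_MULTI_SZ that Session Manager processes early in the next boot, before the files can be held open again: the entries come in pairs, source then destination, and an empty destination means "delete". That is the standard way for an uninstaller to dispose of files that are in use (index.dat is held open by Explorer and IE), which is why the key only showed up while the uninstaller was running, and the same mechanism serves anything that wants a file replaced at boot. The Python below is an added example, not from the post: it builds the hex(7) line a Regedit export would contain for those paths, decodes it back, and pairs the entries. The "\??\" prefix is the NT object-namespace form of a drive path and is kept as-is; the rename pair at the end is constructed only to show the non-delete case.

```python
"""Encode and decode PendingFileRenameOperations as it appears in a Regedit 5.00
export: hex(7) is REG_MULTI_SZ, UTF-16LE, each string NUL-terminated, with one
extra NUL closing the list. Added example, not from the original thread."""
import re

# Paths quoted in the thread, each scheduled for deletion (empty destination).
THREAD_DELETES = [
    '\\??\\C:\\Program Files\\Common Files\\NSIS\\uninst.exe',
    '\\??\\C:\\Program Files\\Common Files\\NSIS\\',
    '\\??\\C:\\DOCUME~1\\ANDREW~2\\LOCALS~1\\TEMPOR~1\\Content.IE5\\index.dat',
    '\\??\\C:\\DOCUME~1\\ANDREW~2\\Cookies\\index.dat',
    '\\??\\C:\\DOCUME~1\\ANDREW~2\\LOCALS~1\\History\\History.IE5\\index.dat',
]
# Constructed rename pair (placeholder names), only to show the non-delete case.
CONSTRUCTED_RENAME = ('\\??\\C:\\WINDOWS\\Temp\\example.tmp',
                      '\\??\\C:\\WINDOWS\\example.dll')


def multi_sz_to_hex7(name, strings):
    """Render a REG_MULTI_SZ as the '"name"=hex(7):..' line of an export:
    comma-separated bytes, wrapped with trailing-backslash continuation lines."""
    raw = (''.join(s + '\0' for s in strings) + '\0').encode('utf-16-le')
    pairs = [f'{b:02x}' for b in raw]
    chunks = [','.join(pairs[i:i + 25]) for i in range(0, len(pairs), 25)]
    return f'"{name}"=hex(7):' + ',\\\n  '.join(chunks)


def hex7_to_multi_sz(line):
    """Inverse of the above for one value line, continuations included.
    Empty strings are kept: they are the 'delete' destinations."""
    _, sep, data = line.partition('=hex(7):')
    if not sep:
        raise ValueError('not a hex(7) value line')
    data = re.sub(r'\\\r?\n\s*', '', data).strip()
    text = bytes.fromhex(''.join(data.split(','))).decode('utf-16-le')
    # Every string ends in NUL and the list ends in one more, so the split
    # leaves two empty tails that are terminators, not entries.
    return text.split('\0')[:-2]


def pending_operations(strings):
    """Pair the entries the way Session Manager reads them: (source, destination,
    action); an empty destination deletes the source at boot."""
    if len(strings) % 2:
        raise ValueError('PendingFileRenameOperations needs an even entry count')
    return [(src, dst, 'delete' if dst == '' else 'rename')
            for src, dst in zip(strings[0::2], strings[1::2])]


def sample_value_line():
    """The value as an export would show it for the thread's five deletes plus
    the constructed rename."""
    strings = [s for path in THREAD_DELETES for s in (path, '')]
    strings += list(CONSTRUCTED_RENAME)
    return multi_sz_to_hex7('PendingFileRenameOperations', strings)


if __name__ == '__main__':
    line = sample_value_line()
    print(line)
    for src, dst, action in pending_operations(hex7_to_multi_sz(line)):
        print(f'{action:6} {src}' + (f' -> {dst}' if dst else ''))
```

When you meet this value on a live machine, decode it before deciding anything: a delete entry is usually an uninstaller cleaning up after itself, while a rename whose destination sits under System32 or Program Files is a file replacement that will happen at boot without any process to attribute it to.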


----------



## ilcasastronza (Sep 20, 2006)

*The battle is not over, NSIS is up 2-1*

While I thought I had this thing beat, I am however sadly mistaken. It worked for a few shutdowns, then came back as soon as I installed Firefox again. Now, even as I try to use the same procedure I used the last time, NSIS Media has won once again. For some reason, it's either embedding itself deeper or has somewhat evolved (scenes from a black-and-white Frankenstein movie pop into my head... IT'S ALIVE!). 

I submit once again to greater powers that be and ask once again, unfortunately, for help. HELP.

I guess no news yet from an actual spyware/antivirus company, eh?

Signed, 
a very disgraced, Il Casa Stronza


----------



## sUBs (May 5, 2005)

ilcasastronza, 

Have you got any more NSIS-infected files? The files you submitted the other day are for uninstall purposes. I couldn't simulate an infection on my test box. 

From what little I know of this infection, it comes bundled with one of your installed programs. Problem is, which one? Your efforts to disinfect are successful each time, but when you run the aforementioned program, it will reinstall NSIS again. I suggest that you get some registry monitoring software and set it to flag/alert when those NSIS reg entries get created. That way, you can track which program is responsible for reinstalling the infection. Fix the source and that will end your miseries.
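
The registry monitoring sUBs suggests is what Sysinternals Regmon did at the time and what Process Monitor does now: record every registry write together with the process that made it. The Python below is an added example (not sUBs' words and not a tool from this thread) that reads a Process Monitor CSV export (File > Save as CSV with the default columns; the column names and the "Disposition: REG_CREATED_NEW_KEY" detail text are what current versions emit and are assumed here), keeps only successful writes whose path or data match the NSIS pattern, and groups them by the writing process, which answers "which program is responsible". The log lines are constructed for illustration, and "bundle_setup.exe" is a placeholder name, not an identification of the actual source in this thread.

```python
"""Attribute matching registry writes to processes from a Process Monitor CSV.
Added example, not from the original thread; the log lines are constructed."""
import csv
import io
import re

NSIS_PATTERN = r'NSIS|F28439F2-4996-41B8-8BD0-22789780DE81'

# Constructed Process Monitor export (default columns). explorer.exe only reads;
# "bundle_setup.exe" is a placeholder for whichever bundled installer re-creates
# the keys; uninst.exe schedules the delete-on-reboot entry seen in the thread.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:03:11.1234567 PM","explorer.exe","1234","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks","SUCCESS","Desired Access: Read"
"9:03:12.0000000 PM","bundle_setup.exe","2048","RegCreateKey","HKLM\SOFTWARE\NSIS\Media","SUCCESS","Desired Access: All Access, Disposition: REG_CREATED_NEW_KEY"
"9:03:12.0100000 PM","bundle_setup.exe","2048","RegSetValue","HKLM\SOFTWARE\NSIS\Media\Stub","SUCCESS","Type: REG_SZ, Length: 18, Data: ns58.dll"
"9:03:12.0200000 PM","bundle_setup.exe","2048","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{F28439F2-4996-41B8-8BD0-22789780DE81}","SUCCESS","Type: REG_SZ, Length: 42, Data: NSIS Media Extension"
"9:03:15.0000000 PM","explorer.exe","1234","RegCreateKey","HKLM\SOFTWARE\NSIS\Media","SUCCESS","Desired Access: Read, Disposition: REG_OPENED_EXISTING_KEY"
"9:03:15.0100000 PM","explorer.exe","1234","RegQueryValue","HKLM\SOFTWARE\NSIS\Media\Stub","SUCCESS","Type: REG_SZ, Length: 18, Data: ns58.dll"
"9:04:00.0000000 PM","uninst.exe","3300","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations","SUCCESS","Type: REG_MULTI_SZ, Length: 132, Data: \??\C:\Program Files\Common Files\NSIS\uninst.exe, "
'''

WRITE_OPS = {'RegCreateKey', 'RegSetValue', 'RegDeleteKey', 'RegDeleteValue'}


def is_registry_write(row):
    """True for a successful operation that changed the registry. Process
    Monitor logs RegCreateKey for plain opens as well, so for that operation
    only the disposition in the Detail column tells a creation from an open."""
    if row['Operation'] not in WRITE_OPS or row['Result'] != 'SUCCESS':
        return False
    if row['Operation'] == 'RegCreateKey':
        return 'REG_CREATED_NEW_KEY' in row['Detail']
    return True


def registry_writers(csv_text, pattern):
    """Map each process name to the sorted registry paths it wrote that match
    the pattern in either the path or the data shown in Detail."""
    rx = re.compile(pattern, re.IGNORECASE)
    writers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_registry_write(row):
            continue
        if not (rx.search(row['Path']) or rx.search(row['Detail'])):
            continue
        writers.setdefault(row['Process Name'], set()).add(row['Path'])
    return {proc: sorted(paths) for proc, paths in writers.items()}


if __name__ == '__main__':
    for proc, paths in registry_writers(SAMPLE_PROCMON_CSV, NSIS_PATTERN).items():
        print(proc)
        for path in paths:
            print('   ', path)
```

In practice you would start Process Monitor with a filter such as "Path contains NSIS", reinstall the suspected programs one at a time, and look at which process shows up as a writer; the reader processes (Explorer opening the key to read it) are noise and this is why the RegCreateKey disposition check matters.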


----------



## ilcasastronza (Sep 20, 2006)

Yes, since it returned, I will try and re-submit them. Would you like a copy of the registry keys I have found as well? If I knew how to replicate the problem, I could find a solution. 

I don't know what programs I could have downloaded recently that could re-activate it. I could send a hijack this log, but from what I can see, nothing is coming out of the ordinary. The only programs I have installed since I first discovered it are Java, reinstalling firefox, cdex, and something from Nero. That's just about it really. I first noticed infection around the last week of August.

From those renamed keys that I posted above, the files refuse to be deleted, even in safe-mode. They don't have any read-only properties and I don't have a binary code viewer. Since they seem to be re-written by NSIS...


----------



## sUBs (May 5, 2005)

> From those renamed keys that I posted above, the files refuse to be deleted, even in safe-mode. They don't have any read-only properties and I don't have a binary code viewer.


Please list those keys


----------



## POADB (Jul 28, 2004)

ilcasastronza,

Could you do a search on your computer for these files and let us know if they exist:

*krnsvr32.dll*
*wmdmb32.dll*

If they are present, please provide their location. (i.e. - C:\Windows\System32)


----------



## ilcasastronza (Sep 20, 2006)

I will upload the keys and the files as soon as I get a chance, my internet access at my apartment in Italy is no better than dialup. In fact...I think dialup may be slightly better.

As for those files, krnsvr and wmdmb, no they are not present on my computer. Someone on another forum had posted that as well, tried it a while back to see if they were there too...nothing showed up either when I first had it.


----------



## POADB (Jul 28, 2004)

OK thanks, I just wanted to see if they were related.


----------



## ilcasastronza (Sep 20, 2006)

They could be, but from what I've read, there may be a few variants of it. The variant I think I have is hijacking normal index.dat files in my cookies and temp folders. 

Subs, is there a program you recommend to monitor my registry? I've never heard/seen one of those before. Sounds useful, nonetheless. Free and efficient would be best. 

Second for Subs, what files are you looking for exactly?


----------



## ilcasastronza (Sep 20, 2006)

OK, here is a list of registry keys that I've found. The files themselves will be bundled as soon as I get faster net access.

HKEY_LOCAL_MACHINE\SOFTWARE\NSIS
HKEY_LOCAL_MACHINE\SOFTWARE\NSIS\Media

In there, there are four values. They are (Name/Type/Data):

AFFid/Reg_SZ/1299
Clsid/Reg_SZ/{F28439F2-4996-41B8-8BD0-22789780DE81}
InstDir/Reg_SZ/C:\Program Files\Common Files\NSIS\
Stub/Reg_SZ/ns58.dll

Amazingly, it's not listed in my HKey_Current_User\Software\

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\NSISMedia

Changed/Reg_DWord/0x00000000 (0)
SlowInfoCache/Reg_Binary/*** here there is a whole bunch of binary ***

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

{F28439F2-4996-41B8-8BD0-22789780DE81}/Reg_SZ/NSIS Media Extension

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NSISMedia

DisplayIcon/Reg_SZ/C:\Program Files\Common Files\NSIS\uninst.exe,0
DisplayName/Reg_SZ/NSIS Media Extension
DisplayVersion/Reg_SZ/5.6.1
UnInstallString/Reg_SZ/C:\Program Files\Common Files\NSIS\uninst.exe

The pending rename key is not listed; it may have been there only when I was trying to uninstall the program....


----------



## ilcasastronza (Sep 20, 2006)

*No bundled files, but...*

I couldn't find any sort of files... If I could have found the trace outright, I think I may have been able to find the source. However, since NSIS seems to have hidden itself in a nice little way without being detected easily, nothing seemed to get rid of it. I tried making a copy of the index.dat that the "pending file rename" thing in the registry pointed to, but for some reason I couldn't copy it at all; it would say it's in use. 

However, I did break down the other day and downloaded the 30-day trial of Trojan Hunter. Many others seem to have found this little utility helpful; I am now one of them. While it didn't identify NSIS specifically (in fact it didn't even think the uninstaller was a problem), it did find a little file in my system32 directory; the pathname is as follows:

C:\WINDOWS\system32\avirpa.dll (Adware.Cydoor.100)

That Adware.Cydoor name came from the Trojan Hunter log file. As soon as it tried to quarantine it, my system mysteriously crashed... NSIS had been doing some serious crashing of my browser that day anyway, but I found it odd when I wasn't even connected to the web. I restarted, did another search, and this time it quarantined it. I deleted any temp folders and cache; this time those pesky index.dat files disappeared, and the file in my temp folder that would always start again at restart but wouldn't let me copy it either, something like D***.dat, wasn't there anymore. I set CCleaner to do a 7-pass delete on the contents of the NSIS folder in Common Files, and to do another one on the temp folders... I didn't delete the NSIS folder outright; it's still there, but with no contents. I did as one person suggested on another site and showed the other bit of hidden files on the Windows NTFS... nothing is listed. 

It's now been 4 days without a popup, both on my slow internet access at my apartment and at the library. 

Anyone find this same file?


----------



## Vikesrock8411 (Jun 11, 2005)

Do you know if this file is still in the Trojan Hunter quarantine?

If it's not too much trouble I know some people would be interested in seeing the results from a quick Registry Search.

*1.* Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name *options.txt* and save as file type: *all files* to your desktop. 



> RegSearch Options File
> 
> [Search]
> avirpa.dll
> ...


*2.* Download Registry Search to your desktop. 
Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
Open the new folder, and double click on *regsearch.exe*
Click "Import" in the lower left corner and browse to the *options.txt* file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
Please reply here with the entire contents of the Notepad file from RegSearch.


----------



## ilcasastronza (Sep 20, 2006)

*Regsearch for avirpa.dll*

I did a complete search, even went and used regular Regedit too along with the program RegSearch, but nothing was found. I've been using CCleaner and RegScrubXP daily to make sure that nothing has been coming back. So unfortunately for your "interested parties" who want to take a look at this DLL file and its trace-routes through the registry, it isn't there. Fortunately for me, however, it has now been about 4 days and not one sighting of any popups; the NSIS folder has not reappeared in either the Common Files or the registry, and, thank goodness, not a single popup or slowdown of my PC. 

If I can be so bold as to say: go check some of the other threads and ask some of them if they have seen this particular file. If the "avirpa.dll" file is the culprit, then maybe, just maybe, we have found a quick and easy solution to this NSIS Media problem. 

Thanks for the Regsearch tool, too. It seems like it might come in handy one of these days.


----------



## ilcasastronza (Sep 20, 2006)

Oh, just forgot to reply to your question about the quarantine. I deleted the quarantine like two days ago when I noticed that NSIS wasn't popping up nor was my computer crashing.


----------



## Vikesrock8411 (Jun 11, 2005)

Thanks for checking and glad to hear your problem is solved!


----------



## ilcasastronza (Sep 20, 2006)

*Just thought of something....*

When I have a bit more time tomorrow (I'm between studying for an exam...completely in italian...yikes!), I'll go through some of the old registry changes. I think I have it set for Ccleaner and Regscrub to save a copy of the registry changes. There could be something in there. 

I think finally, after long last, I can be worry free of having to format my PC when I get back to the US. 

Vikesrock: Have there been any other files that you know of which might have done the same thing as the avirpa.dll file? I did a search on Google and this is the first instance of it that there is, it seems... And reading through other forums I don't see anyone listing files like this...


----------



## ilcasastronza (Sep 20, 2006)

*Found avirpa.dll in registry backups*

As promised, I looked through the remaining registry backups made by RegScrubXP. I found the following entries in one of them. I hope this helps anyone looking for this:


[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\0\win32]
@="C:\\WINDOWS\\system32\\avirpa.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\0\win32]

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\0]

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\FLAGS]
@="0"

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\FLAGS]

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\HELPDIR]
@="C:\\WINDOWS\\system32\\"

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0\HELPDIR]

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0]
@="AuthenticationExtExt 1.0 Type Library"

[HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EAB5FCAA-361E-41EA-AEDA-6DDB8D9A5CDC}\1.0]


----------

