nethtsrv.exe

amisrv

The application nethtsrv.exe has been detected as a potentially unwanted program by 21 anti-malware scanners. It runs as a Windows service named “Network HTTP Support Service”, in its own separate process. It bundles adware offers using Amonetize, a Pay-Per-Install (PPI) monetization and distribution download manager. The software offerings provided are based on the PC's geo-location at the time of install.
Product:
amisrv

Version:
1.2.0.5

MD5:
e6c069576cfb51852c4b66fd098228c0

SHA-1:
65ac1a46f64cead18a5abdfd5628f634aa116c71

SHA-256:
a119f67434679fc882188040800284f57c7a103d75be9e3997f2cf334fce7acd

Scanner detections:
21 / 68

Status:
Potentially unwanted

Analysis date:
12/26/2024 12:08:25 PM UTC

| Scan engine | Detection | Engine version |
|---|---|---|
| Lavasoft Ad-Aware | Gen:Variant.Adware.Netfilter.2 | 451 |
| Agnitum Outpost | PUA.Amonetize.Gen.YU | 7.1.1 |
| AhnLab V3 Security | PUP/Win32.Amonetize | 2015.08.16 |
| Avira AntiVirus | ADWARE/Amonetize.Gen7 | 8.3.1.6 |
| Arcabit | Trojan.Adware.Netfilter.2 | 1.0.0.425 |
| avast! | Win32:Amonetize-HF [PUP] | 2014.9-151110 |
| AVG | BundleApp_r | 2016.0.2929 |
| Baidu Antivirus | Adware.Win32.Amonetize | 4.0.3.151110 |
| Bitdefender | Gen:Variant.Adware.Netfilter.2 | 1.0.20.1570 |
| Comodo Security | Application.Win32.Amonetize.DAX | 23013 |
| Emsisoft Anti-Malware | Gen:Variant.Adware.Netfilter | 8.15.11.10.02 |
| ESET NOD32 | Win32/Amonetize.AZ potentially unwanted (variant) | 9.12099 |
| F-Prot | W32/S-571d2047 | v6.4.7.1.166 |
| F-Secure | Gen:Variant.Adware.Netfilter | 11.2015-10-11_3 |
| G Data | Gen:Variant.Adware.Netfilter | 15.11.25 |
| Malwarebytes | PUP.Optional.Amonetize | v2015.11.10.02 |
| MicroWorld eScan | Gen:Variant.Adware.Netfilter.2 | 16.0.0.942 |
| Panda Antivirus | Trj/Genetic.gen | 15.11.10.02 |
| Reason Heuristics | PUP.Amonitize.Meta (M) | 15.11.10.14 |
| Sophos | Amonetize (PUA) | 4.98 |
| VIPRE Antivirus | Amonetize | 42904 |

File size:
342 KB (350,208 bytes)

Product version:
1.2.0.5

Copyright:
(c) 2012-2014, All rights reserved.

Original file name:
amisrv.exe

File type:
Executable application (Win32 EXE)

Language:
English (United Kingdom)

Common path:
C:\Windows\System32\nethtsrv.exe

File PE Metadata
Compilation timestamp:
8/2/2015 8:32:55 AM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows Console

Linker version:
10.0

CTPH (ssdeep):
6144:Q6wTVfQbHJXcoMScSNXgH8eFzgFN7Igf9SoqoOjvwkRk5xTMs6GV:Q6wpfQbHJXDMScGwH8eF2N7Igf9Soqov

Entry address:
0x20375

Entry point:
E8, 08, D6, 00, 00, E9, 95, FE, FF, FF, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 20, 28, 45, 00, 33, C5, 50, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B, 64, 24, 0C, 53, 56, 57, 89, 28, 8B, E8, A1, 20, 28, 45, 00, 33, C5, 50, 89, 65, F0, FF, 75, FC, C7, 45, FC, FF, FF, FF, FF, 8D, 45, F4, 64, A3, 00, 00, 00, 00, C3, 50, 64, FF, 35, 00, 00, 00, 00, 8D, 44, 24, 0C, 2B...

Code size:
272.5 KB (279,040 bytes)

Service
Display name:
Network HTTP Support Service

Service name:
NetHttpService

Description:
This service sends network activity notifications to user mode processes. If this service is disabled, any other services that explicitly depend on this service will fail to operate properly.

Type:
Win32OwnProcess


The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to s3-website-us-west-2.amazonaws.com  (54.231.176.175:80)
