Adware PUA

NSIS:Adware-NR [PUP] removal instructions

Malware Removal

NSIS:Adware-NR [PUP] is considered dangerous by many security experts. When this infection is active, you may notice unwanted processes in the Task Manager list. In this case, it is advised to scan your computer with GridinSoft Anti-Malware.

GridinSoft Anti-Malware

Removing PC viruses manually may take hours and may damage your PC in the process. We recommend using GridinSoft Anti-Malware for virus removal. It lets you run a complete scan and clean your PC during the trial period.
6-day free trial available.

What can the NSIS:Adware-NR [PUP] virus do?

  • SetUnhandledExceptionFilter detected (possible anti-debug)
  • Behavioural detection: Executable code extraction – unpacking
  • Attempts to connect to a dead IP:Port (1 unique times)
  • Yara rule detections observed from a process memory dump/dropped files/CAPE
  • Creates RWX memory
  • Anomalous file deletion behavior detected (10+)
  • Guard pages use detected – possible anti-debugging.
  • Dynamic (imported) function loading detected
  • A named pipe was used for inter-process communication
  • Starts servers listening on 127.0.0.1:0
  • Enumerates running processes
  • Reads data out of its own binary image
  • A process created a hidden window
  • Authenticode signature is invalid
  • Uses Windows utilities for basic functionality
  • Behavioural detection: Injection (inter-process)
  • A possible heap spray exploit has been detected
  • Steals private information from local Internet browsers
  • Detects Bochs through the presence of a registry key
  • Attempts to create or modify a Browser Helper Object
  • Attempts to modify proxy settings
  • Harvests cookies for information gathering

How to identify NSIS:Adware-NR [PUP]?

File Info:

name: 3F4B431CE044CC935B9E.mlw
path: /opt/CAPEv2/storage/binaries/2ce67f2780490980d5c098267ae623bf12bfd9fcc12bc71b3163a903e8ca0b46
crc32: 0B0914DB
md5: 3f4b431ce044cc935b9ec6c5c8ee97a7
sha1: c1b264fb283b4345cdad2556ffa81cd65cf32a85
sha256: 2ce67f2780490980d5c098267ae623bf12bfd9fcc12bc71b3163a903e8ca0b46
sha512: bb1ee2f5c4b6be0ff10a167e6f6a3c52b36b858af417d08bd0ed471249043945eece43c335ea14dd88ab964ae0c160cba6c23e69a06e89bbd44a2c5cebe03413
ssdeep: 12288:vsk9lAmjG4GQTq4OaQQTYJ8eP4/L5uO7D3f5BIq4kaBQTcJ8ePx/r5uO7zU26OBT:vsknrjG4GQm4OaHYJ8eP4D5uOHBB94kq
type: PE32 executable (GUI) Intel 80386, for MS Windows
tlsh: T16DE423158FA1412AC3CBB6F98725F380D277DB19B131174B0F6C2ADA8AF75909D8A3D1
sha3_384: 92c60efcfb6a5b419c3ececc9a38252f5ade650c6393b470d2d8d6352877047cf63b4878ddf247e9db303d841524b565
ep_bytes: 81ec8001000053555633db57895c2418
timestamp: 2009-12-05 22:50:52

Version Info:

CompanyName: Rich Media View
CompanyWebsite:
FileDescription:
FileVersion: 1.1
LegalCopyright:
ProductName: Rich Media View release 774
ProductVersion: 1.1
Translation: 0x0000 0x04e4

NSIS:Adware-NR [PUP] also known as:

Elastic: malicious (high confidence)
DrWeb: Trojan.Amonetize.8
MicroWorld-eScan: Dropped:Application.Bundler.EV
FireEye: Dropped:Application.Bundler.EV
CAT-QuickHeal: Adware.BetterSurf.B5
McAfee: Artemis!3F4B431CE044
Cylance: Unsafe
VIPRE: Adware.Bettersurf (fs)
Sangfor: Adware.Generic-JS.Save.d510efc3
CrowdStrike: win/grayware_confidence_100% (D)
Alibaba: AdWare:Win32/Amonetize.e5071bc1
K7GW: Riskware ( 0040eff71 )
K7AntiVirus: Riskware ( 0040eff71 )
VirIT: Adware.Win32.RichMedia.B
Cyren: W32/Medfos.AE.gen!Eldorado
Symantec: Adware.WebexpEnhanced
ESET-NOD32: multiple detections
TrendMicro-HouseCall: TROJ_SPNR.0BFL14
Avast: NSIS:Adware-NR [PUP]
ClamAV: Win.Adware.Bettersurf-12
Kaspersky: not-a-virus:AdWare.Win32.BetterSurf.b
BitDefender: Dropped:Application.Bundler.EV
NANO-Antivirus: Riskware.Win32.BetterSurf.cxsilt
SUPERAntiSpyware: PUP.MediaView/Variant
Tencent: Win32.Adware.Bettersurf.Lmbj
Ad-Aware: Dropped:Application.Bundler.EV
TACHYON: Trojan-Clicker/W32.BetterSurf.673740
Comodo: Malware@#14dydhgfx5wtq
Zillya: Tool.Bundler.Win32.32574
TrendMicro: TROJ_SPNR.0BFL14
McAfee-GW-Edition: BehavesLike.Win32.AdwareBSurf.jc
Emsisoft: Dropped:Application.Bundler.EV (B)
Paloalto: generic.ml
GData: Win32.Adware.Amonetize.M
Jiangmin: AdWare.Amonetize.arcr
Webroot: W32.Adware.Gen
Avira: ADWARE/Adware.Gen7
Antiy-AVL: Trojan/Generic.ASMalwNS.2956
Kingsoft: Win32.Troj.BetterSurf.b.(kcloud)
Microsoft: Trojan:Win32/Occamy.C
Cynet: Malicious (score: 100)
AhnLab-V3: Adware/Win32.BetterSurf.C233448
Acronis: suspicious
VBA32: Adware.Amonetize
ALYac: Dropped:Application.Bundler.EV
MAX: malware (ai score=100)
Malwarebytes: PUP.Optional.Amonetize
APEX: Malicious
Rising: Adware.BetterSurf/JS!1.C2D5 (CLASSIC:bWQ1OhFcI3BMooGIeAs0jYGPMZE)
Yandex: PUA.BetterSurf!gdPNe5Pets8
SentinelOne: Static AI – Malicious PE
eGambit: Generic.Malware
Fortinet: Riskware/Moat.DABEE755
AVG: NSIS:Adware-NR [PUP]
Cybereason: malicious.ce044c
Panda: Trj/OCJ.E

How to remove NSIS:Adware-NR [PUP]?

NSIS:Adware-NR [PUP] removal tool
  • Download and install GridinSoft Anti-Malware.
  • Open GridinSoft Anti-Malware and perform a “Standard scan”.
  • “Move to quarantine” all items.
  • Open the “Tools” tab – press “Reset Browser Settings”.
  • Select the proper browser and options – click “Reset”.
  • Restart your computer.

About the author

Paul Valéry

I'm a cyber security analyst and data science expert with 5+ years of experience with security software contractors.