
Thursday, December 1, 2016

Malware removal: liveadexchange, nonestops.org, smartnewtab, cpmofferconvert

Keywords: liveadexchange.com removal, get.easyvpn.biz removal, smartnewtab.com removal, cpmofferconvert.com removal, trk.servedbytrackingdesk.com removal, nonestops.org removal

Problem

The web browser is randomly (on almost every mouse click) redirected to a different site. When infected with this mal(ad)ware, advertising banners are injected with advertisement hyperlinks, browser popups appear recommending fake updates, and AdBlocker (Plus) or other add-ons do not work.


Took me a while (~an hour) but finally nailed it.



Quick steps (if in a hurry, and tired of looking around!)

  1. Start --> Run --> Regedit (admin mode)
  2. File menu --> Edit --> Find
  3. Find what: nonestops.org
  4. Look at (checkbox): Data
  5. Click on the Find Next button (or F3)
  6. Delete whatever you find; I found 4/5 locations.

Once done, under Internet Options (Control Panel) --> Connections tab, remove all proxy/settings.

Interesting detail

  1. It's hidden in hex, so you wouldn't really (usually) look at that.
  2. Keys to look at:
  • DefaultConnectionSettings
  • SavedLegacySettings
  • Folder: ManualProxies
  • AutoConfigProxy
  • AutoConfigUrl
  • Value: 0http://nonestops.org/wpad.dat?531a434ffc29bf57af85d92d405c3e1f18644609 (Did you notice that the URL starts with a zero?)
  3. Popular redirects:
  • a. liveadexchange.com
  • b. http://get.easyvpn. biz/jdmnXmaN8QM%2Bkr1eeMy/JnzjvCMv8eo%3D
  • c. http://www.smartnewtab. com/watch?key=0cdb16b7667982280fbb05007a35eb39
  • d. http://cpmofferconvert. com/out?zoneId=968177&htatb=1
  • e. http://trk.servedbytrackingdesk. com/579722c14a90a4640e4b6e7d/go?t=01580d5b47e8088f01000001&u=http%3A%2F%2Fcopybinary.com%2F%3Fclickid%3D01580d5b47e8088f01000001
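
An added example (not from the original post): a Python parser that decodes the hex blob stored in DefaultConnectionSettings or SavedLegacySettings, so the proxy and auto-config URL hidden in it become readable. The byte layout and flag bits are an assumption based on the commonly observed format, not a documented specification; `build_sample`, `proxy_findings` and the sample URL are constructed for illustration.

```python
import struct

# Layout assumed here (commonly observed, not an official Microsoft spec):
# three little-endian DWORDs (version, change counter, flags), then three
# length-prefixed ASCII strings: proxy server, bypass list, auto-config URL.
FLAG_NAMES = {0x01: "direct", 0x02: "manual_proxy",
              0x04: "autoconfig_url", 0x08: "auto_detect"}


def parse_connection_settings(blob: bytes) -> dict:
    """Decode a DefaultConnectionSettings / SavedLegacySettings blob."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    result = {"version": version, "counter": counter,
              "flags": [n for bit, n in FLAG_NAMES.items() if flags & bit]}
    offset = 12
    for name in ("proxy_server", "bypass_list", "autoconfig_url"):
        if offset + 4 > len(blob):
            raise ValueError(f"blob truncated before {name} length")
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if length > len(blob) - offset:
            raise ValueError(f"{name} length {length} overruns the blob")
        result[name] = blob[offset:offset + length].decode("ascii", "replace")
        offset += length
    return result


def proxy_findings(settings: dict) -> list:
    """List every proxy-related setting a reviewer should confirm is wanted."""
    findings = []
    if settings["proxy_server"]:
        findings.append(f"manual proxy: {settings['proxy_server']}")
    if settings["autoconfig_url"]:
        findings.append(f"PAC script: {settings['autoconfig_url']}")
    return findings


def build_sample(pac_url: str) -> bytes:
    """Constructed test blob: PAC flag set, no manual proxy, no bypass list."""
    url = pac_url.encode("ascii")
    return (struct.pack("<III", 0x46, 7, 0x01 | 0x04) + struct.pack("<I", 0)
            + struct.pack("<I", 0) + struct.pack("<I", len(url)) + url
            + b"\x00" * 32)


if __name__ == "__main__":
    sample = build_sample("http://wpad-hijack.example/wpad.dat?id=constructed")
    for line in proxy_findings(parse_connection_settings(sample)):
        print(line)
```

Feed it the raw bytes of the binary value (for example, from an exported .reg file); any PAC script or manual proxy it reports that you did not configure yourself is worth removing.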

Have a happy day!
