
Thursday, December 1, 2016

Malware removal: liveadexchange, nonestops.org, smartnewtab, cpmofferconvert

Keywords: liveadexchange.com removal, get.easyvpn.biz removal, smartnewtab.com removal, cpmofferconvert.com removal, trk.servedbytrackingdesk.com removal, nonestops.org removal

Problem

The web browser is randomly (on almost every mouse click) redirected to a different site. When infected with this mal(ad)ware, advertising banners are injected with advertisement hyperlinks, browser popups appear recommending fake updates, and AdBlocker (Plus) or other add-ons do not work.


Took me a while (~an hour) but finally nailed it.



Quick steps (if in a hurry, and tired of looking around!)

  1. Start-->run-->Regedit (admin mode) 
  2. File menu-->Edit-->Find 
  3. Find what: nonestops.org 
  4. Look at (checkbox): Data 
  5. Click on Find next button (or F3) 
  6. Delete whatever you find; I found 4/5 locations. 

Once done, under Internet Options (Control Panel)-->Connections tab, remove all proxy/settings.

Interesting detail

  1. It's hidden in hex, so you wouldn't really (usually) look at that. 
  2. Keys to look at: 
    • DefaultConnectionSettings 
    • SavedLegacySettings 
    • Folder: ManualProxies 
    • AutoConfigProxy 
    • AutoConfigUrl 
    • Value: 0http://nonestops.org/wpad.dat?531a434ffc29bf57af85d92d405c3e1f18644609 (Did you notice that the URL starts with a zero?) 
  3. Popular redirects: 
    • a. liveadexchange.com 
    • b. http://get.easyvpn. biz/jdmnXmaN8QM%2Bkr1eeMy/JnzjvCMv8eo%3D 
    • c. http://www.smartnewtab. com/watch?key=0cdb16b7667982280fbb05007a35eb39 
    • d. http://cpmofferconvert. com/out?zoneId=968177&htatb=1 
    • e. http://trk.servedbytrackingdesk. com/579722c14a90a4640e4b6e7d/go?t=01580d5b47e8088f01000001&u=http%3A%2F%2Fcopybinary.com%2F%3Fclickid%3D01580d5b47e8088f01000001
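
A way to see through the hex, as an added example that is not part of the original post: the Python sketch below pulls ASCII and UTF-16LE strings out of registry value data and reports every URL found under the value names listed above. The sample values, the `EXAMPLE` query string and the function names are constructed for illustration; on a live system the bytes would come from an exported hive or from `winreg`.

```python
import re

# Value names taken from the post; every sample value below is constructed.
WATCHED = {"DefaultConnectionSettings", "SavedLegacySettings",
           "ManualProxies", "AutoConfigProxy", "AutoConfigUrl"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def embedded_strings(data, min_len=6):
    """Return the printable runs inside a registry value (ASCII and UTF-16LE)."""
    if isinstance(data, str):  # REG_SZ data is already text
        return [data]
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return ([r.decode("ascii") for r in ascii_runs]
            + [r.decode("utf-16-le") for r in wide_runs])


def proxy_urls(values, indicators=()):
    """Map value name -> [(url, matches_indicator)] for URLs in watched values."""
    hits = {}
    for name, data in values.items():
        if name not in WATCHED:
            continue
        urls = [u for s in embedded_strings(data) for u in URL_RE.findall(s)]
        if urls:
            hits[name] = [(u, any(i in u.lower() for i in indicators))
                          for u in urls]
    return hits


PAC = "http://nonestops.org/wpad.dat?EXAMPLE"  # query string is a placeholder
HEADER = b"\x46\x00\x00\x00\x05\x00\x00\x00"   # arbitrary non-text bytes
SAMPLE = {
    "DefaultConnectionSettings": HEADER + PAC.encode("ascii") + b"\x00" * 8,
    "SavedLegacySettings": HEADER + PAC.encode("utf-16-le") + b"\x00" * 8,
    "AutoConfigUrl": "0" + PAC,          # leading zero, as the post observed
    "AutoConfigProxy": "wininet.dll",    # no URL, so not reported
    "ProxyEnable": b"\x01\x00\x00\x00",  # not a watched name, skipped
}

if __name__ == "__main__":
    for name, found in proxy_urls(SAMPLE, ("nonestops.org",)).items():
        for url, bad in found:
            print(f"{name}: {url}{'  <-- listed indicator' if bad else ''}")
```

Matching on the URL pattern rather than on the start of the value means the leading zero does not hide the entry from the check.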

Have a happy day!

3 comments:

  1. Needed to compose one little word yet thanks again for the suggestions that you are contributed here...
    Best Online Software Training Institute | Salesforce CRM Training

  2. Appreciation for really being thoughtful and also for deciding on certain marvelous guides most people really want to be aware of.

    Spark Training in Chennai
    Spark with Scala Training in Chennai


  3. 192.168.0.1 D-Link Login is a private IP address (sometimes it could be mistyping to 192.168.o.1 or 192.168.0.l ), familiar to every router-user, who is setting up LAN-network
