Adware on Betternet chrome extension

Sometime when clicking to any urls on internet, chrome redirects to ads sites like http://eltrack.pro/azkzkyvodi or something like this. Also see pornographic ads on new tab

• Mac OS Sierra 10.12.5 (16F73)
• Chrome Version 59.0.3071.109 (Official Build) (64-bit)

TL;DR: Remove Betternet out of chrome

Steps to debug and figure out adware

Step 1. Hold ads site on tab, don’t close it because it’s hard to find logs later

Step 2. Open Chrome DevTools, go to console tab

Step 3. I saw chrome has some unknown logs from insertion.js:189, comes from extension with ID = gjknjjomckknofjidppipffbpoekiipm

Step 4. Goto chrome://extensions/ and find gjknjjomckknofjidppipffbpoekiipm, it’s betternet

Step 5. Figure out more, google search with term “betternet extension adware”, here is best write-up about this https://restoreprivacy.com/betternet-review/

Step 6. Expand source of http://eltrack.pro

• My browser is redirected/injected to a fucking FB campaign, Pixel ID = 1666009176948198

    <!-- Facebook Pixel Code -->
    <script>
    !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function()
    {n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)}
    ;if(!f._fbq)f._fbq=n;
    n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0;
    t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
    document,'script','https://connect.facebook.net/en_US/fbevents.js');
    fbq('init', '1666009176948198'); // Insert your pixel ID here.
    fbq('track', 'PageView');
    </script>
    <noscript><img height="1" width="1" style="display:none"
    src="https://www.facebook.com/tr?id=1666009176948198&ev=PageView&noscript=1"
    /></noscript>
    <!-- DO NOT MODIFY -->
    <!-- End Facebook Pixel Code -->
  

• This url tintuc-vn.com in source of ads site

    ❯❯ nslookup tintuc-vn.com
    Server:		8.8.8.8
    Address:	8.8.8.8#53
  
    Non-authoritative answer:
    Name:	tintuc-vn.com
    Address: 136.243.94.239
  

• whois this domain: https://whois.icann.org/en/lookup?name=tintuc-vn.com

• which ports are opened?

    ❯❯ sudo nmap 136.243.94.239
    Password:
  
    Starting Nmap 7.40 ( https://nmap.org ) at 2017-06-25 16:58 +07
    Nmap scan report for static.239.94.243.136.clients.your-server.de (136.243.94.239)
    Host is up (0.53s latency).
    Not shown: 987 closed ports
    PORT     STATE SERVICE
    21/tcp   open  ftp
    22/tcp   open  ssh
    25/tcp   open  smtp
    53/tcp   open  domain
    80/tcp   open  http
    106/tcp  open  pop3pw
    110/tcp  open  pop3
    143/tcp  open  imap
    443/tcp  open  https
    465/tcp  open  smtps
    993/tcp  open  imaps
    995/tcp  open  pop3s
    8443/tcp open  https-alt
  
    Nmap done: 1 IP address (1 host up) scanned in 60.24 seconds
  

What should I do?

• Remove this Betternet chrome extension
• Report to google