Adsterra Malware Cleanup: How to Remove Adware from Your Site

Adsterra is an ad-network, arguably popular for shady ads and questionable user-experience, to put it mildly. The internet is full of webmasters and users trying to troubleshoot Adsterra rogue JavaScript redirects to malicious URLs.

And for every result that you’d find on the net, there’s another clarification announcement from Adsterra how they have “Zero Tolerance For Scam and Malicious Advertising”. Essentially their stand basically is that they are merely a platform and are not a source of malware themselves. But that doesn’t absolve them of answerability.

Here are a few screenshots for you if you are facing js redirects by Adsterra malware:

What Does The JavaScript adware code injected by Adsterra look like:

The JavaScript adware injected by Adsterra looks like:

<script type="text/javascript">
    atOptions = {
        'key' : '56ee5ccd1d3112b4a581ca8408f53f17',
        'format' : 'iframe',
        'height' : 90,
        'width' : 728,
        'params' : {}
    document.write('<scr' + 'ipt type="text/javascript" src="http' + (location.protocol === 'https:' ? 's' : '') + '://"></scr' + 'ipt>');

In this specific case, the above piece of code injects an external JavaScript which does some real nefarious stuff. While the code is criminally cryptic, it’s easy to figure out that it triggers malicious actions based on the operating system, device type of the website visitor and redirects them to an endless chain of popups that would look pretty legit to an unsuspecting / frustrated website visitor. Chances are that one may end up clicking one of the buttons and end up downloading malware onto their devices. This may infect the device and potentially cause data loss and / or further malware spread. Here’s the cryptic code that we saw in this specific instance:


click the above thumbnail to view full code

A few other rogue domains where this script redirects: continuousformula dot com, protect-web dot xyz, fostereminent dot com, etc.

How to cleanup malicious JavaScripts injected by Adsterra

In case of WordPress, this adware code may have been injected in the database (by a plugin that you use for configuring and displaying ads) or the theme-template files (in case the developer hardcoded those ads).

  1. Install the free Malcure Malware Scanner plugin.
  2. Update Definitions and Scan your WordPress website for malware.
  3. Once the results are ready, they’d indicate whether the malware is present in the database or the theme / template files.
  4. Use phpMyAdmin to cleanup the database or a code editor over S/FTP to remove the code from your theme template files.

If you are using Adsterra, we’d strongly suggest you consider the long-term business model of your website and extend some thought to the website visitors.

See Also:

This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, he transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based-automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse-proxies, developing web-application-firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting-services she offers in the domain of web-security.