
How to clear computer of tracking999 trojan.

1501 Views 18 Replies Latest reply: Jan 5, 2013 8:57 AM by Vero-D
p.lonj
Nov 25, 2012 11:48 PM

I'm using OS 10.6.8 and recently started having issues with tracking999 while using Firefox.  Any advice as to how to get this removed (all solutions I've found don't seem to help with Mac OSX users).

Mac OSX, Mac OS X (10.6.8)
  • Klaus1 Level 8 (43,415 points)
    Nov 26, 2012 3:24 PM (in response to p.lonj)

    Try installing the Ghostery extension for Firefox.

  • hotmetal_UK
    Nov 30, 2012 8:02 AM (in response to Klaus1)

    I have the same issue since this morning.

     

    It is some kind of DNS redirect I think. I have changed my DNS prefs in Network Settings to OpenDNS, but this did not help.

     

    I used Time Machine to go back a couple of days in case it was something I inadvertently downloaded recently. Also no help.

     

    I have installed Ghostery on all my browsers in all user accounts. Still getting redirects. This seems to be a recent phenomenon for most people according to my Google searches. I hope someone can shed some light on this soon.

  • thomas_r. Level 7 (26,960 points)
    Nov 30, 2012 9:37 AM (in response to p.lonj)

    Can you be more specific about what issues you are seeing and how "tracking999" is related? Are you having pop-up windows, or being redirected from one page to a tracking999.com page? Does this happen on all sites or only certain specific sites? Does it happen on all networks, or only on one particular network?

  • hotmetal_UK Level 1 (10 points)
    Nov 30, 2012 10:01 AM (in response to thomas_r.)

    Hi Thomas.

    In my case, this just started happening as of this morning. My girlfriend was trying to watch an episode of Homeland on the internet and I'm guessing that she may have clicked on a bad link instead of the legitimate TV company link.

     

    Since then, regardless of which browser I use and what website I visit, after a brief second or two, the page I had intended to visit is replaced by "the document has been moved, redirecting…" (or similar) and then it takes me to a completely unknown website such as "allwaysearch" or "tracking999", but not limited to these. It's not a popup or popunder, it literally stops you from visiting the page you want and takes you somewhere bad. I also have WOT (Weboftrust) installed and this is showing 'red' even at the Google search results page, so I think it has already lined up redirects?

     

    I have read that this tracking999 is related to something called Luxemil (which I have no knowledge of) but basically it seems to have hijacked my browsers and continually redirects to dubious sites. This may be 'black hat' pay-per-click or even sites that will install more malware, so I am concerned.

     

    I am in the process of restoring the entire system (10.6.8 on my Mac Pro) from a TM backup of a couple of days ago.

     

    If (and I don't advise it!) you were to visit the tracking999 site, it says something like "Test. This is to test traffic to check the quality of something for  the benefit of our advertisers".

     

    According to Google Safe Browsing diagnostic page:

    Has this site acted as an intermediary resulting in further distribution of malware?

    Over the past 90 days, tracking999.com appeared to function as an intermediary for the infection of 40 site(s) including (edited out obviously!)

    Most of the Google references to this problem relate to PCs and encourage you to download all sorts of 'malware removal tools' but I would think that these too are unlikely to be trustworthy.

  • thomas_r. Level 7 (26,960 points)
    Nov 30, 2012 10:12 AM (in response to hotmetal_UK)

    Did your girlfriend install any "video plug-ins" to play the video? I'm unaware of any current Mac malware that uses that trick, but that trick has been used in the past by the RSPlug (aka DNSChanger) trojan. That trojan is extinct at this point, though, so that's not the problem.

     

    However, it is possible that she may have installed some junk software that added an internet plug-in that is doing this. Copy the following command and paste it into the Terminal (found in /Applications/Utilities):

     

    ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins

     

    Paste the output of that command into a new message here.

     

    Also, just out of curiosity, what does your hosts file look like? The following Terminal command will tell you:

     

    more /etc/hosts
  • hotmetal_UK Level 1 (10 points)
    Nov 30, 2012 10:25 AM (in response to thomas_r.)

    My MacPro is half an hour away from a total restore from Time Machine being finished, so I can't try those suggestions just yet. I will do when it restarts, but hopefully that will have reset everything anyway.

     

    I don't think she did install anything because she hit a page that said "You need Adobe Flash, click here to install" and she asked me if she should. Of course I said "NOO!" and closed that page down but maybe it was too late. She did watch the video but swears she didn't install anything. Can webpages install malware without you clicking 'install'? I mean just by visiting a page or watching a video? I think we were logged in as me (i.e. Admin privileges). I'm a bit jumpy because my Mac Pro is what I use for my business and internet banking.

  • thomas_r. Level 7 (26,960 points)
    Nov 30, 2012 10:30 AM (in response to hotmetal_UK)

    Can webpages install malware without you clicking 'install'? I mean just by visiting a page or watching a video?

     

    Nope, not if you have the machine properly updated. There have been a few things that could install without user interaction through older versions of Java, which contained vulnerabilities, but if you have Java disabled in your web browser or have installed all OS updates, that can't happen.

  • hotmetal_UK Level 1 (10 points)
    Nov 30, 2012 12:00 PM (in response to thomas_r.)

    D'oh! It seems that Java was enabled. I have now restored my entire system, a bit of a PITA because I had to reload a bunch of photos into iPhoto, reconfigure Mail etc. But it seems as if the problem has gone.

     

    I have now disabled Java and reinstalled Ghostery in my browsers.

     

    I think there's no point at the moment posting up what's in my Terminal because I already restored the system.

    Hopefully that's the end of the issue. My 'fix' was a sledgehammer to crack a nut (if indeed it fixed it, which time will tell).

     

    Many thanks for your help Thomas. Hope this helps the original poster and others too. I guess it might have been more informative if I could have captured the Terminal info before I started my restore, but I was getting pretty bothered about my security and wanted it shut down as soon as poss.

  • thomas_r. Level 7 (26,960 points)
    Dec 3, 2012 3:53 AM (in response to p.lonj)

    The plug-ins that I don't have on my system are:

     

    drwxr-xr-x   3 root     wheel   102 Jan 30  2011 AdobePDFViewer.plugin
    drwxr-xr-x   3 root     wheel   102 May  2  2012 AdobePDFViewerNPAPI.plugin
    drwxrwxr-x   3 root     admin   102 Nov 25  2010 DFusionWebPlugin.plugin
    drwxrwxr-x   3 root     admin   102 Nov 25  2010 DFusionWebPluginS64.plugin
    drwxr-xr-x   3 root     admin   102 May  2  2012 GarminGpsControl.plugin
    drwxr-xr-x@  5 macbook  admin   170 Jan 20  2010 Google Earth Web Plug-in.plugin
    -rwxrwxr-x@  1 root     admin  4752 Feb  7  2006 NP-PPC-Dir-Shockwave
    lrwxr-xr-x   1 macbook  admin    68 Feb 18  2010 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin
    drwxrwxr-x@  3 root     admin   102 Aug 25  2010 SharePointBrowserPlugin.plugin
    drwxrwxr-x   3 root     admin   102 Aug 25  2010 SharePointWebKitPlugin.webplugin
    drwxrwxr-x   3 root     admin   102 Nov 20  2011 Silverlight.plugin
    drwxrwxr-x   3 root     admin   102 Jul 28  2010 TVUPlugin.webplugin
    drwxr-xr-x   3 root     admin   102 Jan 28  2010 VeetleBroadcast-0.9.16
    drwxr-xr-x   3 root     admin   102 Jan 25  2010 VeetleTVCore-0.9.16
    drwxr-xr-x   3 root     admin   102 Jan 28  2010 VeetleTVPlayer-0.9.16

     

    These are all in the Internet Plug-Ins folder in the Library folder at the root level of your hard drive. If you're not sure where to find that, choose Go -> Go To Folder in the Finder and enter the following path:

     

    /Library/Internet Plug-Ins

     

    You can quit your web browsers, move suspicious plug-ins to the desktop, then re-open your browser and test. If the problem goes away, the issue is caused by one of the things you removed. Test until you figure out which plug-in is the culprit.

     

    Also, note that if you are not having exactly the same problem (redirects in all browsers), and it's happening only in one browser, try looking for browser-specific extensions. In Safari, for example, you should look in the Extensions pane of Safari's preferences.

  • bazamba
    Dec 6, 2012 2:34 AM (in response to p.lonj)

    Hi,

    I have had the same problem for 3 days in Firefox.

    here from my terminal:

    Andy-MacBook-Pro:~ andy$ ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins
    total 0
    drwx------+  2 andy  staff    68 19 Okt 20:05 .
    drwx------@ 45 andy  staff  1530  3 Nov 22:50 ..
    total 16
    drwxr-xr-x  18 root  wheel   612 10 Nov 17:49 .
    drwxr-xr-x+ 70 root  wheel  2380 20 Okt 22:20 ..
    drwxrwxrwx   2 andy  admin    68 20 Okt 00:24 Disabled Plug-Ins
    drwxrwxr-x   3 root  admin   102 27 Jul 01:54 DivXBrowserPlugin.plugin
    drwxrwxr-x   3 root  wheel   102 10 Nov 17:49 Flash Player.plugin
    drwxrwxr-x   3 root  admin   102 19 Okt 23:47 Flip4Mac WMV Plugin.plugin
    drwxrwxr-x   3 root  admin   102 19 Okt 23:41 Flip4Mac WMV Plugin.webplugin
    drwxrwxr-x   5 root  admin   170 19 Okt 22:56 Google Earth Web Plug-in.plugin
    drwxr-xr-x   3 root  wheel   102  2 Nov 14:10 JavaAppletPlugin.plugin
    drwxr-xr-x   3 andy  staff   102 20 Okt 00:07 Mozillaplug.plugin
    drwxr-xr-x   3 root  admin   102 19 Okt 23:32 OVSHelper.plugin
    drwxr-xr-x   3 root  wheel   102 21 Jun 06:50 Quartz Composer.webplugin
    drwxr-xr-x   3 root  wheel   102 21 Jun 06:18 QuickTime Plugin.plugin
    lrwxr-xr-x   1 root  wheel    68 20 Okt 00:22 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin
    drwxrwxr-x   4 root  admin   136 19 Okt 23:37 SpeedDownload Browser Plugin.plugin
    -rw-rw-r--   1 root  admin   856 29 Okt 09:32 flashplayer.xpt
    drwxrwxr-x   3 root  admin   102 20 Okt 00:05 iPhotoPhotocast.plugin
    -rw-r--r--   1 root  wheel  2394 22 Jul 10:23 nsIQTScriptablePlugin.xpt

    For Windows I can find lots of removal tips/tools, but for Mac I find nothing!?

  • thomas_r. Level 7 (26,960 points)
    Dec 6, 2012 4:10 AM (in response to bazamba)

    here from my terminal:

     

    Rather than keep telling folks what's unusual, here's a list of the items that should normally be found in the /Library/Internet Plug-Ins folder:

     

    drwxr-xr-x  12 root    wheel   408 Nov  7 16:45 .
    drwxr-xr-x+ 65 root    wheel  2210 Dec  2 13:33 ..
    lrwxr-xr-x   1 root    wheel    79 Oct 11 13:16 JavaAppletPlugin.plugin -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin
    drwxr-xr-x   3 root    wheel   102 Jun 20 18:50 Quartz Composer.webplugin
    drwxr-xr-x   3 root    wheel   102 Sep  5 20:38 QuickTime Plugin.plugin
    drwxrwxr-x   3 root    admin   102 Nov 17  2009 iPhotoPhotocast.plugin
    -rw-r--r--   1 root    wheel  2394 Oct 11 13:19 nsIQTScriptablePlugin.xpt

     

    The ~/Library/Internet Plug-Ins folder should be empty by default, so anything in there can be removed.

     

    Of course, some items are quite normal to see. For example, the Flash Player.plugin and flashplayer.xpt files are normal if you have Adobe Flash installed.

     

    bazamba, in your case, I don't see anything terribly suspicious other than SpeedDownload. That software is crap, and you should uninstall it, but I wouldn't expect it to be causing this particular problem. Did you check Firefox's add-ons? Choose Tools -> Add-ons and check both Plugins and Extensions in the window that opens.
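
Added example (not part of any post in this thread, and not Apple's or the posters' code): a shell script that performs the comparison thomas_r. describes above, checking a plug-in folder against his list of normal entries and marking everything else for review. The function names `in_list` and `audit_dir` and the OK/FLASH/REVIEW labels are assumptions made for this example.

```bash
#!/bin/bash
# Added example, not from the thread. Baseline names are copied from thomas_r.'s
# list of what /Library/Internet Plug-Ins normally contains.
BASELINE='JavaAppletPlugin.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt'
# Names the same post calls normal when Adobe Flash is installed.
FLASH_OK='Flash Player.plugin
flashplayer.xpt'

# in_list NAME LIST: succeed if NAME equals one whole line of LIST.
in_list() {
  printf '%s\n' "$2" | grep -Fxq -- "$1"
}

# audit_dir DIR BASELINE_LIST OPTIONAL_LIST (hypothetical helper)
# Prints "STATUS: name" for every entry in DIR; symlinks also show their target.
audit_dir() {
  dir=$1
  if [ ! -d "$dir" ]; then
    echo "SKIP: $dir (folder not present)"
    return 0
  fi
  for path in "$dir"/* "$dir"/.[!.]*; do
    # Unmatched globs stay literal; -L keeps dangling symlinks in the report.
    [ -e "$path" ] || [ -L "$path" ] || continue
    name=${path##*/}
    [ "$name" = ".DS_Store" ] && continue   # Finder metadata, not a plug-in
    if in_list "$name" "$2"; then status=OK
    elif in_list "$name" "$3"; then status=FLASH
    else status=REVIEW
    fi
    if [ -L "$path" ]; then
      echo "$status: $name -> $(readlink "$path")"
    else
      echo "$status: $name"
    fi
  done
}

# System-wide folder: compare against the baseline from the thread.
audit_dir "/Library/Internet Plug-Ins" "$BASELINE" "$FLASH_OK"
# Per-user folder: the thread says it is empty by default, so list everything.
audit_dir "$HOME/Library/Internet Plug-Ins" "" ""
```

REVIEW means only that an entry is not on the baseline list; legitimate third-party plug-ins appear under it too, and those are the candidates for the move-to-desktop test described earlier in the thread.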

  • bazamba Level 1 (0 points)
    Dec 6, 2012 11:57 AM (in response to p.lonj)

    Hey, thank you, that helps. I removed this stupid Speed Download, and the problem is gone.

    I don't know how this plugin came onto my Mac.

     

    Lol, and I searched for hours for removal tools for nothing.

     

    Big thank you.

  • Vero-D
    Jan 4, 2013 7:43 AM (in response to p.lonj)

    Hi!

     

    I have been having this problem for a while. It was gone for a while after I reset Firefox, but now it's back and even when I do a reset the problem keeps going. This is a shared computer and even when I tell them not to install anything, I'm sure they do.

     

    This is what I have on Terminal:

     

    Last login: Sun Mar 15 07:35:30 on console
    Lauras-MacBook:~ Laura$ ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins
    total 24
    drwx------+  8 Laura  staff   272 Jan  4 09:33 .
    drwx------+ 52 Laura  staff  1768 Nov  6 09:40 ..
    -rw-------@  1 Laura  staff  6148 Jan  4 09:33 .DS_Store
    drwxr-xr-x@  3 Laura  staff   102 Aug  4  2010 BrowserPlus_2.9.8.plugin
    drwxrwxr-x   3 Laura  admin   102 Mar 31  2010 ClickToFlash.webplugin
    lrwxr-xr-x   1 Laura  staff    96 Jul 11 16:45 FacebookVideoCalling.bundle -> /Users/Laura/Library/Application Support/Facebook/video/1.2.0.158/FacebookVideoCalling.webplugin
    drwxr-xr-x@  3 Laura  admin   102 Oct 14  2009 Move-Media-Player.plugin
    drwxr-xr-x   3 Laura  staff   102 Aug 12  2010 Picasa.plugin
    total 80
    drwxrwxr-x  31 root   admin   1054 Dec 22 10:11 .
    drwxrwxr-t+ 60 root   admin   2040 Dec 24  2011 ..
    -rw-rw-r--@  1 Laura  admin  15364 Oct 30 21:32 .DS_Store
    drwxr-xr-x   3 root   wheel    102 Oct 25  2010 AdobePDFViewer.plugin
    drwxr-xr-x   3 root   wheel    102 Apr 12  2012 AdobePDFViewerNPAPI.plugin
    lrwxr-xr-x   1 Laura  admin     92 Mar  5  2012 AmazonMP3DownloaderPlugin.plugin -> /Applications/Amazon MP3 Downloader.app/Contents/Resources//AmazonMP3DownloaderPlugin.plugin
    lrwxr-xr-x   1 root   admin     91 Aug  4 13:15 AmazonMP3DownloaderPlugin1017265.plugin -> /Applications/Amazon MP3 Downloader.app/Contents/Resources/AmazonMP3DownloaderPlugin.plugin
    drwxrwxr-x   3 root   admin    102 Sep 20  2011 CouponPrinter-FireFox_v2.plugin
    drwxrwxr-x   3 root   admin    102 Sep 20  2011 CouponPrinter-Safari.webplugin
    drwxrwxr-x   3 root   admin    102 Jan 30  2012 DirectorShockwave.plugin
    drwxrwxr-x   4 root   admin    136 Oct 30 21:35 Disabled Plug-Ins
    drwxrwxr-x   3 root   admin    102 Dec 10 18:51 DivXBrowserPlugin.plugin
    drwxrwxr-x   3 root   admin    102 Nov 13 21:36 Flash Player.plugin
    drwxrwxr-x   3 root   admin    102 Jun 30  2011 Flip4Mac WMV Plugin.plugin
    lrwxr-xr-x   1 root   admin     77 Jul  7  2011 JavaPluginCocoa.bundle -> /System/Library/Frameworks/JavaVM.framework/Versions/A/JavaPluginCocoa.bundle
    drwxr-xr-x   3 root   admin    102 Jan 17  2012 OVSHelper.plugin
    drwxrwxr-x   3 root   wheel    102 Feb 14  2012 PDF Browser Plugin.plugin
    drwxr-xr-x@  3 root   admin    102 Mar 30  2010 PandoWebInst.plugin
    drwxrwxr-x   3 root   admin    102 Sep 24  2007 Quartz Composer.webplugin
    drwxrwxr-x   3 root   admin    102 Nov  5 12:18 QuickTime Plugin.plugin
    drwxrwxr-x   3 root   admin    102 Jun 14  2008 QuickTime Plugin.webplugin
    lrwxr-xr-x   1 Laura  admin     68 Apr  8  2009 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin
    drwxrwxr-x   3 root   admin    102 Apr 11  2012 Silverlight.plugin
    drwxr-xr-x   3 root   admin    102 Jan 28  2010 VeetleBroadcast-0.9.16
    drwxr-xr-x   3 root   admin    102 Jan 25  2010 VeetleTVCore-0.9.16
    drwxr-xr-x   3 root   admin    102 Jan 28  2010 VeetleTVPlayer-0.9.16
    drwxrwxr-x   3 root   admin    102 Dec 12  2007 VerifiedDownloadPlugin.plugin
    drwxr-xr-x@  4 Laura  admin    136 Nov 28  2007 Yahoo! Installer 3.plugin
    -rw-rw-r--   1 root   admin    856 Oct 30 12:50 flashplayer.xpt
    drwxrwxr-x   3 root   admin    102 Jul 14  2008 iPhotoPhotocast.plugin
    -rw-rw-r--   1 root   admin   2394 Jun 25  2011 nsIQTScriptablePlugin.xpt
    Lauras-MacBook:~ Laura$

     

    Can anybody help me? Tell me what should I do to solve this? Thanks.
