May 4, 2014 10:38 AM in response to manuelf1996 by Gnomish8
Does this happen in both a different browser and another user, or just Safari? If it happens universally, it sounds like your hosts file or DNS settings have been hijacked.
Given that it SOUNDS like the popups happen no matter where you go on any browser, it sounds like your /etc/hosts file or your DNS settings have been edited by some malicious software. There are a couple of ways to browse to the hosts file: one is through Terminal, the other requires 3rd party apps (like TextWrangler).
Here's a thread that touches on how to access the hosts file:
Discussions Thread
See Barney-15E's responses.
Something else to add, as I've had a host file hijack before, make sure you browse the full file. In my instance, my hosts file looked just fine, but that's because the hijacked links were added after about a thousand line breaks. So scroll scroll scroll to make sure there's nothing "hiding" in there.
For DNS settings, follow this Apple article:
HT5343
If this isn't universal:
Check for startup/login items. Check for any Safari extensions. The more info you provide, the better we can help!
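A way to do the full-file check described above without scrolling, as an added example that is not part of the original thread: it prints every active hosts entry with its real line number and reports the longest run of blank lines. The helper names, the constructed sample file and the assumption that a stock hosts file only names localhost and broadcasthost are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). audit_hosts and make_sample are
# hypothetical helper names.

# Print every active entry with its real line number, mark entries whose
# hostnames are not the stock localhost/broadcasthost names, and report the
# longest run of blank lines (padding that pushes entries out of view).
audit_hosts() {
    awk '
        /^[[:space:]]*$/ { run++; if (run > longest) longest = run; next }
        { run = 0 }
        /^[[:space:]]*#/ { next }
        {
            flag = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^#/) break
                if ($i != "localhost" && $i != "broadcasthost") flag = "  <-- REVIEW"
            }
            printf "line %d: %s%s\n", NR, $0, flag
        }
        END { printf "longest blank run: %d\n", longest + 0 }
    ' "${1:-/etc/hosts}"
}

# Constructed sample: stock entries, 1000 blank lines, then one added entry.
make_sample() {
    {
        printf '##\n# Host Database\n##\n'
        printf '127.0.0.1\tlocalhost\n255.255.255.255\tbroadcasthost\n::1\tlocalhost\n'
        awk 'BEGIN { for (i = 0; i < 1000; i++) print "" }'
        printf '203.0.113.10\twww.example.com\n'
    } > "$1"
}

sample="${TMPDIR:-/tmp}/hosts.sample.$$"
make_sample "$sample"
audit_hosts "$sample"
rm -f "$sample"
```

Run `audit_hosts` with no argument to read /etc/hosts itself; the function only reads the file.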
-
May 4, 2014 10:57 AM in response to Gnomish8 by manuelf1996
I do not have another browser but I have deleted unnecessary extensions and I've tried turning off the extensions but the ads and pop up windows are still there. I have also tried resetting Safari but they still appear. I have also uninstalled utorrent and can't seem to find any trace of it in any files on my Mac.
-
May 4, 2014 11:29 AM in response to manuelf1996 by Allan Jones
I suspect you have this bit of malware that is commonly spread through torrents (get rid of torrents if you want a stable Mac).
http://www.thesafemac.com/arg-downlite/
We can verify if you run a diagnostic.
Please download and install this free utility:
http://www.etresoft.com/etrecheck
It is secure and written by one of our most valued members to allow users to show details of their computer's configuration in Apple Support Communities without revealing any sensitive personal data.
Run the program and click the "Copy report to clipboard" button when it displays the results. Then return here and paste the report into a response to your initial post. It can often show if any harmful files/programs are dragging down your performance. It usually picks up adware/malware.
-
May 4, 2014 12:13 PM in response to Allan Jones by manuelf1996
I really need help now Allan Jones. I followed the link: thesafemac.com and did what it said. I moved to the trash the vlaunch and the daemons etc. and restarted it. But before removing from trash I saw that Safari wasn't working. Sites like Apple, Hotmail and other websites are not working. So I moved the stuff I deleted back where they were and restarted the computer again. But it still doesn't work. Only Google searches work. What should I do?
-
May 4, 2014 12:33 PM in response to Allan Jones by manuelf1996
OK, I fixed the Safari problem; the HTTP proxy was turned on. Are you sure it's safe to follow the steps in the first link you provided (http://www.thesafemac.com/arg-downlite/)?
-
May 4, 2014 12:42 PM in response to Allan Jones by manuelf1996
Here is the information from etresoft.com
Hardware Information:
MacBook Pro (13-inch, Early 2011)
MacBook Pro - model: MacBookPro8,1
1 2.3 GHz Intel Core i5 CPU: 2 cores
4 GB RAM
Video Information:
Intel HD Graphics 3000 - VRAM: 384 MB
System Software:
OS X 10.9.2 (13C1021) - Uptime: 0 days 0:44:48
Disk Information:
Hitachi HTS545032B9A302 disk0 : (320.07 GB)
EFI (disk0s1) <not mounted>: 209.7 MB
Macintosh HD (disk0s2) / [Startup]: 319.21 GB (137.31 GB free)
Recovery HD (disk0s3) <not mounted>: 650 MB
MATSHITADVD-R UJ-8A8
USB Information:
Apple Computer, Inc. IR Receiver
Apple Inc. Apple Internal Keyboard / Trackpad
Apple Inc. BRCM2070 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Inc. FaceTime HD Camera (Built-in)
Thunderbolt Information:
Apple Inc. thunderbolt_bus
Gatekeeper:
Mac App Store and identified developers
Kernel Extensions:
[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMControl (3.0.13) Support
[not loaded] com.NovatelWireless.driver.NovatelWirelessUSBCDCECMData (3.0.13) Support
[not loaded] com.ZTE.driver.ZTEUSBCDCACMData (1.3.8) Support
[not loaded] com.ZTE.driver.ZTEUSBMassStorageFilter (1.3.8) Support
[not loaded] com.novamedia.driver.IceraUSB_MSD_Bypass (1.3.0) Support
[not loaded] com.novatelwireless.driver.3G (3.0.13) Support
[not loaded] com.novatelwireless.driver.3GData (3.0.13) Support
[not loaded] com.novatelwireless.driver.DisableAutoInstall (3.0.13) Support
[not loaded] com.option.driver.Option72 (2.15.0) Support
[not loaded] com.option.driver.OptionHS (3.26.0) Support
[not loaded] com.option.driver.OptionMSD (1.21.0) Support
[not loaded] com.option.driver.OptionQC (1.11.0) Support
[kext loaded] com.rim.driver.BlackBerryUSBDriverInt (0.0.67) Support
[not loaded] com.rim.driver.BlackBerryUSBDriverVSP (0.0.67) Support
[not loaded] com.roxio.TDIXController (1.7) Support
[not loaded] com.vodafone.driver (3.0.9) Support
[not loaded] com.vodafone.driver.Data (3.0.9) Support
[not loaded] com.wdc.driver.1394HP (1.0.9) Support
[not loaded] com.wdc.driver.USBHP (1.0.11) Support
[not loaded] com.zte.driver.cdc_ecm_qmi (1.0.1) Support
[not loaded] com.zte.driver.cdc_usb_bus (1.0.1) Support
[not loaded] de.novamedia.driver.NMSamsung (0.0.2) Support
[not loaded] de.novamedia.driver.NMSmartplugSCSIDevice (1.0.1) Support
[not loaded] de.novamedia.driver.NMUSBCDCACMControl (3.2.12) Support
[not loaded] de.novamedia.driver.NMUSBCDCACMData (3.2.12) Support
[not loaded] de.novamedia.oem.vodafone.vtp.huawei.cdc (0.0.2) Support
[not loaded] net.kromtech.kext.AVKauth (2.3.6 - SDK 10.8) Support
[not loaded] net.kromtech.kext.Firewall (2.3.6 - SDK 10.8) Support
Launch Daemons:
[loaded] com.adobe.fpsaud.plist Support
[loaded] com.genieoinnovation.macextension.client.plist Support
[loaded] com.microsoft.office.licensing.helper.plist Support
[loaded] com.oracle.java.Helper-Tool.plist Support
[loaded] com.oracle.java.JavaUpdateHelper.plist Support
[not loaded] com.teamviewer.teamviewer_service.plist Support
[not loaded] com.vsearch.daemon.plist Support
[running] com.vsearch.helper.plist Support
[running] com.zeobit.MacKeeper.AntiVirus.plist Support
[failed] org.glimmerblocker.proxy.plist Support
Launch Agents:
[running] com.epson.epw.agent.plist Support
[running] com.genieoinnovation.macextension.plist Support
[loaded] com.oracle.java.Java-Updater.plist Support
[not loaded] com.teamviewer.teamviewer.plist Support
[not loaded] com.teamviewer.teamviewer_desktop.plist Support
[running] com.vsearch.agent.plist Support
[running] de.novamedia.VodafoneDeviceObserver.plist Support
[loaded] org.glimmerblocker.updater.plist Support
User Launch Agents:
[loaded] com.divx.agent.postinstall.plist Support
[loaded] com.facebook.videochat.[redacted].plist Support
[loaded] com.google.keystone.agent.plist Support
[running] com.microsoft.LaunchAgent.SyncServicesAgent.plist Support
[running] com.spotify.webhelper.plist Support
[running] com.zeobit.MacKeeper.Helper.plist Support
User Login Items:
Spotify
Genieo
Internet Plug-ins:
FlashPlayer-10.6: Version: 13.0.0.206 - SDK 10.6 Support
QuickTime Plugin: Version: 7.7.3
Flash Player: Version: 13.0.0.206 - SDK 10.6 Support
OVSHelper: Version: 1.1 Support
DivXBrowserPlugin: Version: 2.2 Support
Default Browser: Version: 537 - SDK 10.9
SharePointBrowserPlugin: Version: 14.0.0 Support
Unity Web Player: Version: UnityPlayer version 3.4.1f5 - SDK 10.5 Support
Silverlight: Version: 4.0.60531.0 Support
JavaAppletPlugin: Version: Java 7 Update 55 Check version
Safari Extensions:
GoPhoto.it V9.0: Version: 1.222
AdBlock: Version: 2.6.30
DivX Plus Web Player HTML5 <video>: Version: 2.1.2.145
Audio Plug-ins:
BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9
AirPlay: Version: 2.0 - SDK 10.9
AppleAVBAudio: Version: 203.2 - SDK 10.9
iSightAudio: Version: 7.7.3 - SDK 10.9
iTunes Plug-ins:
Quartz Composer Visualizer: Version: 1.4 - SDK 10.9
User Internet Plug-ins:
Picasa: Version: 1.0 Support
3rd Party Preference Panes:
DivX Support
Flash Player Support
Java Support
Time Machine:
Skip System Files: NO
Auto backup: YES
Volumes being backed up:
Macintosh HD: Disk size: 297.29 GB Disk used: 169.41 GB
Destinations:
My Passport [Local] (Last used)
Total size: 0 B
Total number of backups: (null)
Size of backup disk: Too small
Backup size 0 B < (Disk used 169.41 GB X 3)
Time Machine details may not be accurate.
All volumes being backed up may not be listed.
Top Processes by CPU:
9% WindowServer
5% com.apple.WebKit.WebContent
4% Safari
2% hidd
1% PluginProcess
Top Processes by Memory:
319 MB com.apple.WebKit.WebContent
213 MB Safari
209 MB AntiVirus
143 MB com.apple.IconServicesAgent
102 MB Spotify
Virtual Memory Information:
195 MB Free RAM
1.65 GB Active RAM
1.25 GB Inactive RAM
928 MB Wired RAM
414 MB Page-ins
0 B Page-outs
-
May 4, 2014 12:46 PM in response to manuelf1996 by Linc Davis
You installed the "DownLite" trojan, perhaps under a different name. Remove it as follows.
Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
Back up all data.
Triple-click anywhere in the line below on this page to select it:
/Library/Application Support/VSearch
Right-click or control-click the line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
Repeat with each of these lines:
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
Restart and empty the Trash. Don't try to empty the Trash until you have restarted.
From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall any extensions you don't know you need, including any that have the word "Spigot" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
This trojan is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.
You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the DownLite developer has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. It must be said that this failure of oversight is inexcusable and has seriously compromised the value of Gatekeeper and the Developer ID program. You cannot rely on Gatekeeper alone to protect you from harmful software.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
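A read-only check for the items listed in the post above, as an added example that is not part of the original thread: it reports which of those paths still exist, so it can be run before the removal and again after the restart. The helper name `find_downlite_items` and its optional root-directory argument are assumptions of this example; the path list is copied from the post.

```shell
#!/bin/sh
# Added example (not from the thread). find_downlite_items is a hypothetical
# helper name; the path list is copied from the post above.

# Print each listed item that still exists under the given root (default /)
# and return 1 if any were found, 0 if none of them are present.
find_downlite_items() {
    root="${1:-}"
    found=0
    while IFS= read -r path; do
        # -L also catches a dangling symlink left at one of the paths.
        if [ -e "$root$path" ] || [ -L "$root$path" ]; then
            printf 'present: %s\n' "$path"
            found=1
        fi
    done <<'EOF'
/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
EOF
    return "$found"
}

find_downlite_items && echo "none of the listed items found"
```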
-
May 4, 2014 1:04 PM in response to Linc Davis by manuelf1996
Thank you very much, the ads seem to have disappeared and Safari is back to normal.
-
May 4, 2014 1:23 PM in response to manuelf1996 by andyBall_uk
You would do well to rid your computer of MacKeeper & Genieo, both of which show in the report; even if they don't cause you any noticeable problems.
-
May 5, 2014 4:57 AM in response to andyBall_uk by manuelf1996
How do I delete all the leftovers from Genieo? I have deleted the application but there are still leftovers in the library. Do you know all the paths?
-
May 5, 2014 1:20 PM in response to manuelf1996 by fvodopija
all I can say THANK YOU
I had the same problem
I followed your advice
and everything is clean and working
I was on the verge of a nervous breakdown
a big thank you !!!!!!!!!!!!!!!!!!!!!!!!!
-
May 18, 2014 6:06 AM in response to Linc Davis by Gerhard Hoogeslag
This solved my problem and saved my day...
Many thanks!
