Q: Crossrider Malware?

Adware.CrossRider Removal Guide - malwareremovalguides

Helpful Links Regarding Malware Problems

If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide and AdwareMedic.

Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.

The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.

Fix Some Browser Pop-ups That Take Over Safari.

Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.

Quit Safari

Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.

Relaunch Safari

If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.

This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.

An excellent link to read is Tom Reed's Mac Malware Guide.

Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.

See these Apple articles:

  Mac OS X Snow Leopard and malware detection

  OS X Lion- Protect your Mac from malware

  OS X Mountain Lion- Protect your Mac from malware

  OS X Mavericks- Protect your Mac from malware

  About file quarantine in OS X

If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)

From user Joe Bailey comes this equally useful advice:

The facts are:

1. There is no anti-malware software that can detect 100% of the malware out there.

2. There is no anti-malware that can detect everything targeting the Mac.

3. The very best way to prevent the most attacks is for you as the user to be aware that

     the most successful malware attacks rely on very sophisticated social engineering

     techniques preying on human avarice, ****, and fear.

4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on

    your computer is intended to entice you to install their malware thinking it is a

    protection against malware.

5. Some of the anti-malware products on the market are worse than the malware

    from which they purport to protect you.

6. Be cautious where you go on the internet.

7. Only download anything from sites you know are safe.

8. Avoid links you receive in email, always be suspicious even if you get something

    you think is from a friend, but you were not expecting.

9. If there is any question in your mind, then assume it is malware.

First follow the instructions on this page. If there's a Firefox extension you can't get rid of, see below.

Back up all data before proceeding.

Triple-click anywhere in the line below on this page to select it:

~/Library/Application Support/Mozilla

Right-click or control-click the line and select

          Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item selected. Quit the application if it's running. Move the selected item to the Trash. Relaunch the application and test.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

There is undoubtedly more installed than just those entries in that file. To help you understand what needs to be removed, it would be helpful if you could download my AdwareMedic app and take a system snapshot, then post the results here. (The app will allow you to give a donation, but there is no need to do so, especially for this purpose.)

If you are unwilling to download an unfamiliar app, there are a few other things you can do. First, post a list of all the browser extensions you have installed. For instructions on where to find these, see:

http://www.adwaremedic.com/kb/browserextensions.php

Next, please provide a list of the files in the following folders (choose Go -> Go to Folder in the Finder and paste in each path to open it in a Finder window):

~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons

That will at least give us some of the information that AdwareMedic would gather.

(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Yes, you must back up all data. If you don't already have a backup, that's a much higher priority than the original question.

Mac Basics: Time Machine backs up your Mac

Okay, here are some things I see:

First, you have the Spigot adware installed, probably due to downloading stuff from Download.com. AdwareMedic can remove it for you, or you can just remove the following extensions from Safari (in the Extensions pane of Safari's preferences): Amazon Shopping Assistant, Ebay Shopping Assistant, Searchme and Slick Savings.

You also have something called iTube Studio, which I'm not familiar with... but a Google search raises some red flags. It may be adware, and if so, could have been created by Crossrider.

However, I see no extensions installed in Firefox. You may have had some Crossrider-created browser extension installed in Firefox at some point and removed it.

There are a few other slightly suspicious things... something installed from coupons.com, something called TVShowsHelper by Victor Pimentel and the Torch web browser. (Torch is bad because it includes a torrent downloader, and as such is usually used for downloading things that you shouldn't be downloading, and thus may be a source for adware or malware.) None of those should be related to Crossrider, though.

That is definitely not normal! If you have extensions installed, which you do, they should show up in a list. Even if you don't have extensions installed, though, the list should still be there, but will be empty:

If your window is showing as your screenshot indicates, with the area where the list should be removed, then something is definitely wrong somewhere, but I'm not sure where that might be.

Start by removing all your Safari extensions. Quit Safari, then, in the Finder, choose Go to Folder from the Go menu and paste in the following path:

~/Library/Safari/Extensions/

Then click the Go button. Drag everything inside that folder out. Re-open Safari. Are the ads gone, and do your Extensions preferences display normally?

The "Adwaremedic" application does not correctly determine which Safari extensions are active, due to a programming error.

It does not attempt to determine which ones are ACTIVE, only which ones are installed. It is behaving exactly as intended.

thomas_r. wrote:

 

That is definitely not normal!

Actually, I have to correct myself here... I thought I saw that your extensions were turned on, but the switch is set to off. The appearance is normal in that case. Those extensions are installed, but they are currently disabled and thus not displayed in Safari. Turn the switch back to "on" to manage your extensions through Safari, or use the technique I described for removing them manually.