-
All replies
-
Helpful answers
-
Dec 2, 2014 2:41 PM in response to Wiscchick5by Linc Davis,★HelpfulYou may have installed one of the common types of ad-injection malware. Follow the instructions on this Apple Support page to remove it.
Back up all data before making any changes.
One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, ask for further instructions.
Make sure you don't repeat the mistake that led you to install the malware. It may have come from an Internet cesspit such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
Malware is also found on websites that traffic in pirated content such as video. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates
if it's not already checked.
-
Dec 2, 2014 2:55 PM in response to Wiscchick5by Kappy,★HelpfulHelpful Links Regarding Malware Problems
If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide, AdwareMedic, or Remove unwanted adware that displays pop-up ads and graphics on your Mac - Apple Support.
Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.
The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.
Fix Some Browser Pop-ups That Take Over Safari.
Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.
Quit Safari
Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.
Relaunch Safari
If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.
This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.
An excellent link to read is Tom Reed's Mac Malware Guide.
Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
See these Apple articles:
Mac OS X Snow Leopard and malware detection
OS X Lion- Protect your Mac from malware
OS X Mountain Lion- Protect your Mac from malware
OS X Mavericks- Protect your Mac from malware
If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)
-
Dec 2, 2014 4:45 PM in response to Wiscchick5by thomas_r.,The Cinema Plus adware is, unfortunately, not covered by Apple's adware removal page. For instructions on removing Cinema Plus, see my Adware Removal Guide.
(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)
-
Dec 2, 2014 6:13 PM in response to Linc Davisby Linc Davis,Removing unknown Safari, Chrome, and Firefox extensions should resolve the problem. If not, ask for further instructions.
-
Dec 2, 2014 6:35 PM in response to Linc Davisby thomas_r.,Linc Davis wrote:
Removing unknown Safari, Chrome, and Firefox extensions should resolve the problem. If not, ask for further instructions.
Actually, that's not adequate for Cinema Plus, some variants of which install a number of LaunchAgent files.
-
Dec 2, 2014 7:04 PM in response to thomas_r.by Linc Davis,Then the further instructions will resolve the problem.
-
Dec 2, 2014 7:06 PM in response to Linc Davisby thomas_r.,Linc Davis wrote:
Then the further instructions will resolve the problem.
...or the instructions I already gave will resolve the problem now.
-
Dec 2, 2014 7:16 PM in response to thomas_r.by Linc Davis,Perhaps, if the questioner chooses to repeat the same behavior that caused the problem in the first place: running an unknown application with unknown effects.
-
Dec 2, 2014 7:37 PM in response to Linc Davisby Kappy,Or listen to an unknown person provide unknown information that may have unknown effects.
-
Apr 22, 2015 10:12 AM in response to Wiscchick5by raspberryaddiction,easy enough to uninstall the filthy app somehow put on your system called cinema pro. I just wonder where the heck I
downloaded it from. Disguised as an extension?
-
May 1, 2015 9:18 PM in response to Wiscchick5by OrcJorc,Download Adware Medic (donation ware). It works, worth a donation
-
Jun 5, 2015 8:14 AM in response to Linc Davisby triggersnappy,tried a bunch of virus protection downloads but this totally worked. Can cancel my Genius Bar appmt now - thanks for your advise!
-
Jun 5, 2015 9:36 AM in response to Wiscchick5by Linc Davis,For others who may find this discussion, here are updated instructions for removing the "CinemaPlus" ad-injection malware. This procedure may leave a few small files behind, but it will permanently deactivate the malware (as long as you never reinstall it.)
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
Back up all data before proceeding.
Step 1
From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall any extensions you don't know you need, including one called "Cinema-Plus." If in doubt, uninstall all extensions. Do the equivalent in the Chrome browser, if you use it.
Step 2
Triple-click anywhere in the line below on this page to select it:
~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/144ee21a-8997-41ab-96a6-b13f40648ffd@1ab45825-655a-4789-a375-a283ea7ca5c5.comRight-click or control-click the line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.
If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder may open with an item selected. It will have a long name ending in ".com". Move it to the Trash.
Step 3
Reveal this folder in the same way:
~/Library/LaunchAgents
There may be files in the folder with a name beginning in either of the following ways:
cinemas-+-plus
cinema-plus
Move them to the Trash too.
Step 4
Open this folder in the same way as above:
~/Applications
This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name beginning like this:
Cinema-Plus
and move it to the Trash, if present.
Step 5
Log out or restart the computer and empty the Trash.
This malware is sometimes distributed with another kind of ad-injection malware called "SearchProtect" or "Trovi." If applicable, follow the instructions on this Apple Support page to remove it.
-