Maciek Lazowski

Q: Unwanted ads in Safari (nothing seems to work)

I have unwanted ads in Safari; some of them lead to the MacKeeper site. I'm also unable to log in to my Tidal account. I've cleared Safari history and cache, ran Malwarebytes and Avast, checked how to get rid of common malware, and none of it worked. I don't seem to have any suspicious extensions or software installed, and yet the ads keep showing. Please help.

I'm using an iMac (2013) with OS X Yosemite 10.10.5 and Safari 9.1.1.

iMac (21.5-inch, Late 2013), OS X Yosemite (10.10.5)

Posted on May 18, 2016 11:42 AM

  • by Maciek Lazowski,

    May 20, 2016 12:11 PM in response to thomas_r.

    thomas_r. wrote:

     

    That is a bit of a puzzler, but nonetheless, the test is definitive - if the problem is happening in recovery mode, it's happening in a completely separate, clean system and a completely separate, clean copy of Safari, and that means it's not being caused by anything installed on your computer.

     

    I've upgraded my router firmware and changed its password, restarted the network, once again cleared Safari, and the problem still remains.

  • by Maciek Lazowski,

    May 20, 2016 12:13 PM in response to Linc Davis

    Linc Davis wrote:

     

    From the menu bar, please select

              ▹ System Preferences... ▹ Network ▹ Advanced... ▹ DNS

    Under DNS Servers you should have one or more numerical addresses, such as “192.168.1.1” or “10.0.0.1”. What are those addresses?

    46.17.101.199 and 8.8.8.8

  • by Linc Davis, Solved answer

    May 20, 2016 12:50 PM in response to Maciek Lazowski

    Step 1

    Please back up all data.

    Unlock the Network preference pane, if necessary, by clicking the lock icon in the lower left corner and entering your password.

    Click Advanced and select the TCP/IP tab in the sheet that drops down. Near the top, you'll most likely see this:

               Configure IPv4: Using DHCP

    If that's not what you see, stop here and ask for instructions.

    Otherwise, select the DNS tab and delete all the DNS Servers from the list on the left by selecting them and clicking the minus-sign button below. Click OK, then Apply. If the server addresses are grayed out and can't be deleted, go to Step 2.

    Select the DNS tab again. The server list should have been automatically repopulated with at least one address, and you should have normal Internet access. If so, you can close the preference pane.

    If the server list is empty, go back to the TCP/IP tab and click

                Renew DHCP Lease

    Check the DNS server list again. If it's still empty, click the plus-sign button and enter this:

                8.8.8.8

    That's Google DNS, which I don't recommend for more than temporary use. Click OK, then Apply, and ask for instructions.

    Step 2

    Your router has been hacked to direct DNS queries to a malicious server.

    Follow the manufacturer's instructions to reset the router to the default state. Usually that involves inserting the end of a straightened paper clip or a similar tool into a pinhole somewhere in the back of the device, and pressing a switch inside for about 15 seconds. The pinhole may be marked "RESET."

    Repeat the initial setup process. Make sure the router does not allow remote setup from the Internet (WAN port), if it has that feature—most do. The DNS servers should be set automatically by your ISP. If you still have trouble with those servers selected, contact your ISP.

    Check the router manufacturer's website for a firmware update.

    If you have a wireless network, it must be secured with WPA 2 encryption. The passwords for the network and the router must each be a string of at least 10 random upper- and lower-case letters and digits, and they should be different. Any password that you can remember is weak.
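
The DNS check discussed in this thread can also be run from Terminal. The script below is an added example, not part of any poster's reply: it reads `scutil --dns` output and labels each IPv4 resolver, assuming that a DHCP-configured home network normally hands out a private router address and that the allowlist (an assumption, edit it to suit) holds only resolvers you set on purpose. The sample input is constructed from the two addresses reported above.

```shell
#!/bin/sh
# Added example: audit the resolvers a Mac is using for DHCP-pushed DNS hijacking.
# On the Mac itself:  scutil --dns | audit_dns

# Assumption: public resolvers you configured deliberately. 8.8.8.8 is Google DNS.
ALLOWLIST="8.8.8.8"

# Pull IPv4 nameserver addresses out of `scutil --dns` output (IPv6 entries are skipped).
extract_nameservers() {
    sed -nE 's/^[[:space:]]*nameserver\[[0-9]+\][[:space:]]*:[[:space:]]*(([0-9]{1,3}\.){3}[0-9]{1,3})[[:space:]]*$/\1/p' | sort -u
}

# local       = private or loopback address (typically the router itself)
# allowlisted = public resolver named in ALLOWLIST
# unexpected  = public address nobody on this network chose; investigate
classify_resolver() {
    case "$1" in
        10.*|192.168.*|127.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*)
            echo local; return ;;
    esac
    for trusted in $ALLOWLIST; do
        if [ "$1" = "$trusted" ]; then echo allowlisted; return; fi
    done
    echo unexpected
}

# Read scutil-style text on stdin, print "<address> <label>" per resolver.
audit_dns() {
    extract_nameservers | while read -r ip; do
        echo "$ip $(classify_resolver "$ip")"
    done
}

# Constructed sample in the format scutil --dns prints.
SAMPLE='DNS configuration

resolver #1
  nameserver[0] : 46.17.101.199
  nameserver[1] : 8.8.8.8
  if_index : 4 (en0)
  flags    : Request A records'

printf '%s\n' "$SAMPLE" | audit_dns
```

Any `unexpected` line on a Mac set to "Using DHCP" means the address came from the router or from a manual entry, so trace it before trusting it.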

  • by Maciek Lazowski,

    May 20, 2016 1:01 PM in response to thomas_r.

    thomas_r. wrote:

     

    That is a bit of a puzzler, but nonetheless, the test is definitive - if the problem is happening in recovery mode, it's happening in a completely separate, clean system and a completely separate, clean copy of Safari, and that means it's not being caused by anything installed on your computer.

     

    One possibility is that, in this particular case, it's only designed to affect Safari on Mac OS X, although that would be a bit weird. Another possibility is that there are ad blockers or something similar installed on all those other systems/browsers that are blocking the ads in those cases.

    OK now the ads are showing up on Safari on my iPhone.

  • by Linc Davis,

    May 20, 2016 2:35 PM in response to Maciek Lazowski

    That's because your router has been hacked.

  • by thomas_r.,

    May 21, 2016 4:39 AM in response to Maciek Lazowski

    Maciek Lazowski wrote:

     

    OK now the ads are showing up on Safari on my iPhone.

     

    Yup, that's the final proof that your network hardware has been hacked. Your iPhone was probably using cached good DNS data, and thus was still working temporarily.

     

    Note that the procedure for cleaning up your hardware will depend on which specific hardware was hacked (which may or may not be the wireless router, depending on your setup), as well as what that hardware is. Changing the password and restarting the device isn't sufficient. Upgrading the firmware usually is, but all network hardware varies, so there are no guarantees. If that does fix it, you may still need to reset the router's settings to remove the remaining traces of the hack.

     

    As mentioned in that link that I sent you, the best way to deal with the problem is to first determine conclusively which device is at fault (if you have separate network devices, rather than one single comprehensive one), then contact the manufacturer of the device for further instructions.

  • by Maciek Lazowski,

    May 22, 2016 10:58 AM in response to Linc Davis

    OK, you guys were right. It was the router's fault. I've reset it and reconfigured my Wi-Fi network and the ads went away!

     

    thomas_r. and Linc Davis thank you both so much for your help! This problem was driving me nuts for days. Thanks again, you guys are awesome.

  • by Linc Davis,

    May 22, 2016 11:16 AM in response to Maciek Lazowski

    Please remember that if you don't fix the vulnerability in the router, the same thing will probably happen again. No default or weak passwords, no insecure network, and no configuration from the Internet side.
