BOOTHWRKS

Q: My new macbook has a bug. The pop-up is xb11766.com. any suggestions?

I must have picked up a bug on my new macbook pro.

I have constant pop-ups. The main site is xb11766.com.

 

Any help getting rid of this?

MacBook Pro with Retina display, iOS 9.3.1

Posted on Apr 1, 2016 11:50 AM

Close

Q: My new macbook has a bug. The pop-up is xb11766.com. any suggestions?

  • All replies
  • Helpful answers

  • by lllaass,

    lllaass lllaass Apr 1, 2016 12:16 PM in response to BOOTHWRKS
    Level 10 (189,285 points)
    Desktops
    Apr 1, 2016 12:16 PM in response to BOOTHWRKS

    First try

    How to install (Really remove) adware

    Stop pop-up ads and adware in Safari

    Adware Removal Guide : Identification

    Next if necessary:                                       

    Malwarebytes Anti-Malware for Mac

  • by Linc Davis,

    Linc Davis Linc Davis Apr 1, 2016 3:33 PM in response to BOOTHWRKS
    Level 10 (207,995 points)
    Applications
    Apr 1, 2016 3:33 PM in response to BOOTHWRKS

    You may have installed ad-injection malware ("adware").

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    Back up all data first.

    Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.

    If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

    If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

    If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.

    This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

    Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

    If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

    Step 1

    Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

    If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

    Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

    Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

    Leave the folder open for now.

    Step 2

    Do as in Step 1 with this line:

    /Library/LaunchAgents

    The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

    Step 3

    Repeat with this line:

    /Library/LaunchDaemons

    This time the folder will be named "LaunchDaemons."

    Step 4

    Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

    Step 5

    If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

  • by ~Bee,

    ~Bee ~Bee Apr 1, 2016 4:12 PM in response to BOOTHWRKS
    Level 7 (31,792 points)
    Mac OS X
    Apr 1, 2016 4:12 PM in response to BOOTHWRKS

    I second IIIaass' recommendation.  It was developed by another long-time, respected helper here.  It's free & and it works like a charm.

    https://www.malwarebytes.org/antimalware/mac

  • by Grant Lenahan,

    Grant Lenahan Grant Lenahan Apr 1, 2016 4:16 PM in response to BOOTHWRKS
    Level 4 (1,468 points)
    Mac OS X
    Apr 1, 2016 4:16 PM in response to BOOTHWRKS

    I Dont mean to be unsympathetic, but you allowed it to install itself - through the sites you visited and -- this is important -

    by allowing a process to go ahead. You were likely tricked, but you need to look for tricks (let's not talk about predatory mortgages shall we?)

     

    Stay away from shady sites.

     

    Never say "yes" to something being installed without serious thought and reading.

     

    Then you wont have these things.

     

    Grant

  • by encrpriv,

    encrpriv encrpriv Jun 8, 2016 3:14 AM in response to BOOTHWRKS
    Level 1 (12 points)
    Mac OS X
    Jun 8, 2016 3:14 AM in response to BOOTHWRKS

    Same problem, trying to solve it but no luck yet. No support from Apple whatsoever on this.

     

    I keep trying to start a new thread because these are old but somebody keeps deleting it Is Apple trying to hide the fact that Macs get Malware too or what? I can keep reposting ALL day.

     

    I've got something that is causing problems in both Safari and FireFox (the only two browsers I have installed).  I cannot figure out how to fix it.  It is opening popups and other ads from xb11766.com and possibly others. It does through unknown methods and also I can see it that intercepts the websites I open and replaces the legitimate original links inside the with links to crap on xb11766.com, today57.com, and others.

     

    I am not sure but I don't think there is anything suspicious in either of my "Internet Plug-Ins" directories but my LaunchDaemons definitely looks suspicious.  What can I do about this?  I have already gone through updating everything, disabled and deleted plugins I don't recognize and there are no extensions in Safari.

     

    ~/Library/LaunchAgents

    Screen Shot 2016-06-08 at 16.43.24.png

    /Library/LaunchAgents

    Screen Shot 2016-06-08 at 16.43.53.png

    /Library/LaunchDaemons

    Screen Shot 2016-06-08 at 16.45.32.png

  • by dialabrain,

    dialabrain dialabrain Jun 8, 2016 3:29 AM in response to encrpriv
    Level 5 (6,310 points)
    Mac App Store
    Jun 8, 2016 3:29 AM in response to encrpriv

    encrpriv wrote:

     

    I keep trying to start a new thread because these are old but somebody keeps deleting it Is Apple trying to hide the fact that Macs get Malware too or what? I can keep reposting ALL day.

    FWIW, it's because you are posting duplicate posts of this one. Nothing to do with Apple.

  • by Esquared,

    Esquared Esquared Jun 8, 2016 3:39 AM in response to encrpriv
    Level 6 (8,422 points)
    Mac OS X
    Jun 8, 2016 3:39 AM in response to encrpriv

    ~/Library/LaunchAgents: delete everything related to ZipCloud (suspect cloud storage service)


    /Library/LaunchDaemons: delete everything from top to com.jangly.net-preferences.plist.


    Reboot afterwards and hope for the best.


  • by Linc Davis,

    Linc Davis Linc Davis Jun 8, 2016 6:52 AM in response to encrpriv
    Level 10 (207,995 points)
    Applications
    Jun 8, 2016 6:52 AM in response to encrpriv

    A

    You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Step 1

    The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    Step 2

    While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

    /Library/LaunchDaemons

    In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

    Step 3

    Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

              com.apple.something.plist

    where something is a random, meaningless string of letters, different in every case.

    Note that the name consists of four words separated by periods. Typical examples:

              com.apple.builins.plist

              com.apple.cereng.plist

              com.apple.nysgar.plist

    There may also be one or more items with a name of this form:

              com.something.plist

    Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

    These names consist of three words separated by periods. Typical examples:

              com.semifasciaUpd.plist

              com.ubuiling.plist

    Besides all the above, you have one file belonging to an older variant of VSearch. Its name has this form:

              com.something.net-preferences.plist

    Drag all such items to the Trash. You may be prompted for your administrator login password.

    Restart the computer and empty the Trash.

    If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

    If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

    Step 4

    Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari Preferences... General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    Step 5

    The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

    Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

    Step 6

    This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

    B

    "ZipCloud," sometimes named "JustCloud," is purportedly a cloud-storage client that either is, or is closely associated with, malware.

    To remove ZipCloud, please start by backing up all data (not with ZipCloud itself, of course.)

    This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    Quit the "ZipCloud" or "JustCloud" application, if it's running, and drag it from the Applications folder to the Trash. Don't try to empty yet.

    Triple-click anywhere in the line below on this page to select it:

    ~/Library/LaunchAgents

    Right-click or control-click the highlighted line and select

              Services Open

    from the contextual menu.* A folder named "LaunchAgents" should open.

    In the folder, there may be one or more files with a name beginning as follows:

               com.jdibackup.

    Move all such files to the Trash.

    Log out or restart the computer and empty the Trash.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

  • by edubbwitthevdub,

    edubbwitthevdub edubbwitthevdub Jun 28, 2016 4:02 PM in response to Linc Davis
    Level 1 (4 points)
    Mac OS X
    Jun 28, 2016 4:02 PM in response to Linc Davis

    Hi Linc, I'm having the same issue. Here are my screenshots:

     

    /Library/LaunchAgents

    Screen Shot 2016-06-28 at 3.59.21 PM.png

    ~/Library/LaunchAgents

    Screen Shot 2016-06-28 at 3.59.45 PM.png

    /Library/LaunchDaemons

    Screen Shot 2016-06-28 at 3.58.36 PM.png

     

    Any help would be great.

     

    Thanks!

  • by Linc Davis,

    Linc Davis Linc Davis Jun 28, 2016 4:26 PM in response to edubbwitthevdub
    Level 10 (207,995 points)
    Applications
    Jun 28, 2016 4:26 PM in response to edubbwitthevdub

    What exactly do you mean by the "same issue?" Is more than one browser affected? Any extensions? Did the problem start when you installed "Avast" or "Spotify?"