-
All replies
-
Helpful answers
-
-
Apr 1, 2016 3:33 PM in response to BOOTHWRKSby Linc Davis,You may have installed ad-injection malware ("adware").
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Back up all data first.
Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.
If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.
If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.
If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.
This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.
Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.
If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.
Step 1
Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.
If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.
Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.
Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.
Leave the folder open for now.
Step 2
Do as in Step 1 with this line:
/Library/LaunchAgents
The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.
Step 3
Repeat with this line:
/Library/LaunchDaemons
This time the folder will be named "LaunchDaemons."
Step 4
Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.
Step 5
If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
-
Apr 1, 2016 4:12 PM in response to BOOTHWRKSby ~Bee,I second IIIaass' recommendation. It was developed by another long-time, respected helper here. It's free & and it works like a charm.
-
Apr 1, 2016 4:16 PM in response to BOOTHWRKSby Grant Lenahan,I Dont mean to be unsympathetic, but you allowed it to install itself - through the sites you visited and -- this is important -
by allowing a process to go ahead. You were likely tricked, but you need to look for tricks (let's not talk about predatory mortgages shall we?)
Stay away from shady sites.
Never say "yes" to something being installed without serious thought and reading.
Then you wont have these things.
Grant
-
Jun 8, 2016 3:14 AM in response to BOOTHWRKSby encrpriv,Same problem, trying to solve it but no luck yet. No support from Apple whatsoever on this.
I keep trying to start a new thread because these are old but somebody keeps deleting it Is Apple trying to hide the fact that Macs get Malware too or what? I can keep reposting ALL day.
I've got something that is causing problems in both Safari and FireFox (the only two browsers I have installed). I cannot figure out how to fix it. It is opening popups and other ads from xb11766.com and possibly others. It does through unknown methods and also I can see it that intercepts the websites I open and replaces the legitimate original links inside the with links to crap on xb11766.com, today57.com, and others.
I am not sure but I don't think there is anything suspicious in either of my "Internet Plug-Ins" directories but my LaunchDaemons definitely looks suspicious. What can I do about this? I have already gone through updating everything, disabled and deleted plugins I don't recognize and there are no extensions in Safari.
~/Library/LaunchAgents
/Library/LaunchAgents
/Library/LaunchDaemons
-
Jun 8, 2016 3:29 AM in response to encrprivby dialabrain,encrpriv wrote:
I keep trying to start a new thread because these are old but somebody keeps deleting it Is Apple trying to hide the fact that Macs get Malware too or what? I can keep reposting ALL day.
FWIW, it's because you are posting duplicate posts of this one. Nothing to do with Apple.
-
Jun 8, 2016 3:39 AM in response to encrprivby Esquared,~/Library/LaunchAgents: delete everything related to ZipCloud (suspect cloud storage service)
/Library/LaunchDaemons: delete everything from top to com.jangly.net-preferences.plist.
Reboot afterwards and hope for the best.
-
Jun 8, 2016 6:52 AM in response to encrprivby Linc Davis,A
You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.
This malware has many variants. Anyone else finding this comment should not expect it to be applicable.
Back up all data before proceeding.
Step 1
The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.
Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.
Step 2
While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.
Step 3
Inside the LaunchDaemons folder, there may be one or more files with a name of this form:
com.apple.something.plist
where something is a random, meaningless string of letters, different in every case.
Note that the name consists of four words separated by periods. Typical examples:
com.apple.builins.plist
com.apple.cereng.plist
com.apple.nysgar.plist
There may also be one or more items with a name of this form:
com.something.plist
Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.
These names consist of three words separated by periods. Typical examples:
com.semifasciaUpd.plist
com.ubuiling.plist
Besides all the above, you have one file belonging to an older variant of VSearch. Its name has this form:
com.something.net-preferences.plist
Drag all such items to the Trash. You may be prompted for your administrator login password.
Restart the computer and empty the Trash.
If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.
If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.
Step 4
Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.
Step 5
The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.
Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.
Step 6
This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.
B
"ZipCloud," sometimes named "JustCloud," is purportedly a cloud-storage client that either is, or is closely associated with, malware.
To remove ZipCloud, please start by backing up all data (not with ZipCloud itself, of course.)
This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Quit the "ZipCloud" or "JustCloud" application, if it's running, and drag it from the Applications folder to the Trash. Don't try to empty yet.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents
Right-click or control-click the highlighted line and select
Services ▹ Open
from the contextual menu.* A folder named "LaunchAgents" should open.
In the folder, there may be one or more files with a name beginning as follows:
com.jdibackup.
Move all such files to the Trash.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
-
-
by Linc Davis,Jun 28, 2016 4:26 PM in response to edubbwitthevdub
Linc Davis
Jun 28, 2016 4:26 PM
in response to edubbwitthevdub
Level 10 (207,995 points)
ApplicationsWhat exactly do you mean by the "same issue?" Is more than one browser affected? Any extensions? Did the problem start when you installed "Avast" or "Spotify?"





