Before reading this I suggest reading the discussion on a thread which is similar to this one where this problem was discussed a month ago. I also posted this comment there and it is the same one Whit555 linked to above. It can be found here: (http://discussions.apple.com/thread.jspa?messageID=8286821)
I'm in the same boat as Whit555. These ads started popping up this morning. Since then I've deleted all cookies in both Firefox and Safari (I have the latest versions of both browsers, Firefox 3.0.4 and Safari 3.2.1). I downloaded MacScan and VirusBarrier, but neither of them has detected anything. Similarly the DNSChanger Removal Tool did me no good. I did the terminal work suggested in the cited Macworld article (http://www.macworld.com/article/60823/2007/10/trojanhorse.html) and it looks like I'm clean of a root cron job ("no crontab for root") and my DNS servers match my GUI. (Of note, the article about the new variant of the RSPlug trojan (http://www.tuaw.com/2008/11/18/new-variant-of-rsplug-trojan-making-the-rounds/) was published on 11/18, the day the makers of VirusBarrier sent them an alert about the trojan horse. I only downloaded the trial version of VirusBarrier. Its definitions were installed on 7/15 and I cannot update them without purchasing the application. So it is definitely possible (if not likely) that the full version of VirusBarrier has a solution for this... it would be nice if they would update the trial version.)
As everyone has deduced, this is very clearly not an issue with the websites themselves and is some sort of malware on my computer. The New York Times, MLB.com, macworld.com, and countless other respectable sites were not simultaneously compromised. On top of that I have visited these sites simultaneously with a friend's computer and my own, and on his computer they are completely clean. I hope everyone can take this as a definitive test that this is a problem of malware and my compromised computer -- not compromised websites. (Although, curiously, I did see the ads on nytimes.com this morning but can't seem to get them again.) And for clarity's sake I will mention that the ads are always replacing the spaces on websites where normal ads would sit, and I have yet to see one in a pop-up window and they certainly aren't spawning pop-up windows of their own.
Also, the ads show up in every browser you try, including obscure ones (did anyone else know that RealPlayer has a web browser?). Perhaps of note, Firefox has slowed to an absolute crawl. While Safari runs fairly normally, Firefox will take 5 minutes to load a page (probably a JavaScript battle going on?) and by the time it actually loads the Vimax ads do not appear -- the normal ones do. (Note: this is not due to ad-blocking, which I will discuss below. When the ads are blocked a blank spot appears where the Vimax ad would be. In my super slow running Firefox, after the 5 minute load, the real ads appear. Yet I believe the slow load times are directly owing to the malware, as Safari runs at approximately normal speed.) Safari is my primary browser, so I can't give a very accurate account if Firefox was actually showing the ads or has been running slow the whole day, but it certainly has been running extremely slow for the past few hours and I think, but I'm not sure, that it was showing the ads as well earlier in the day.
Like Whit555 I'm curious how this ended up on my computer. I just noticed it this morning, but I haven't really downloaded anything in the past few days. I do recall updating VLC media player, but I'm sure I was prompted to download an update from within the application itself. And I certainly haven't downloaded p*rn.
I'm not very interested in blocking these ads -- I'm interested in removing the malware from my computer. A month ago a strategy for blocking these ads was mentioned here: (http://aalaap.blogspot.com/2008/10/block-annoying-vimax-ads.html) where you add a fake DNS entry for the host of the images: "127.0.0.1 b1.adv.net". I think it is important to note that this seems to be a new version of the malware as the host of the images seems to change depending upon when you open a website and which website. I have gotten images from hosts "b2.adv.net", "b4.adv.net", "b12.adv.net", "b13.adv.net" and "b18.adv.net" and that is just in the last 10 minutes since I've been checking. (Also perhaps of note, the ads on any one page can be sent from different host servers -- so b2 and b13 could both be displaying on mlb.com).
If someone is only interested in blocking these ads they can incrementally just add a new fake DNS entry for every single host they encounter. (You can find this by right clicking on the image and selecting "Copy Image Address". For example one of my ads yielded this: http://b18.adv.net/wim/300x250/300x250_10.gif. Obviously the host you input to block this ad is "b18.adv.net"). One could probably live with the malware by just blocking everything from b1 to b20. But like I said I want this off of my computer.
I am slightly concerned that this could be more harmful than just offensive ads. A minute ago when I was testing the fake DNS stuff with my horribly slow Firefox, Mac OS X force quit. The screen slowly dimmed and then it froze and said I needed to manually restart by holding the power button. No matter what, it seems clear that this problem existed a month ago and the solutions to fix that version of the malware exist with MacScan or the DNSChanger Removal Tool. However, considering that these ads are now served up by variable hosts and it doesn't seem as if that was documented before, and considering that no plugin.settings or cron job exists (see linked Macworld article), it seems as if this is a new and different version of the malware.
Like Whit555 I would appreciate any help resolving this issue. I've tried to document it as accurately as possible. Hopefully this will help.
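The incremental blocking approach described in the post above, as an added example that is not part of the original post: it extracts the host from each copied image address and prints hosts-file entries only for hosts under the ad domain that are not blocked yet. The function names, the temporary hosts file and all sample URLs except the b18.adv.net one quoted in the post are assumptions made for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: build hosts-file block entries from copied image addresses.

# Print the lowercase host of a URL (scheme, userinfo, port and path removed).
url_host() {
  printf '%s\n' "$1" |
    sed -E 's|^[a-zA-Z][a-zA-Z0-9+.-]*://||; s|[/?#].*$||; s|^[^@]*@||; s|:[0-9]+$||' |
    tr '[:upper:]' '[:lower:]'
}

# Succeed if HOST is already mapped to a loopback/null address in HOSTS_FILE.
is_blocked() {  # usage: is_blocked HOST HOSTS_FILE
  awk -v h="$1" '
    { sub(/#.*/, "") }                         # ignore comments
    $1 == "127.0.0.1" || $1 == "0.0.0.0" {
      for (i = 2; i <= NF; i++) if (tolower($i) == h) found = 1
    }
    END { exit !found }' "$2"
}

# Read URLs on stdin; print one "127.0.0.1 host" line for each host under
# DOMAIN that HOSTS_FILE does not block yet. Other hosts are never emitted,
# so a pasted address from a legitimate site cannot end up blocked.
new_block_entries() {  # usage: new_block_entries HOSTS_FILE DOMAIN < urls
  local hosts_file="$1" domain="$2" url host
  while IFS= read -r url; do
    host=$(url_host "$url")
    case "$host" in
      *."$domain") is_blocked "$host" "$hosts_file" || printf '127.0.0.1 %s\n' "$host" ;;
    esac
  done | LC_ALL=C sort -u
}

# Constructed sample input: the first URL is the one quoted in the post, the
# rest are made up for the demonstration.
sample_urls() {
  cat <<'EOF'
http://b18.adv.net/wim/300x250/300x250_10.gif
http://B2.adv.net/wim/728x90/728x90_01.gif
http://b18.adv.net/wim/160x600/160x600_03.gif
http://b1.adv.net/wim/300x250/300x250_02.gif
http://www.example.com/ads/banner.gif
EOF
}

demo() {
  local tmp; tmp=$(mktemp)
  printf '127.0.0.1 localhost\n127.0.0.1 b1.adv.net  # added last month\n' > "$tmp"
  sample_urls | new_block_entries "$tmp" adv.net   # review, then append to /etc/hosts
  rm -f "$tmp"
}
demo
```

The output is meant to be reviewed before it is appended to /etc/hosts; blocking the image hosts hides the ads but leaves whatever is rewriting them in place.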