Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Obscene ad posts on many web pages

Many times over the past two months, when I go to a web page, I get an ad on the webpage (sometimes more than one on a page) on the top, side or bottom for a ***** enlargement drug. I have never solicited such a product or been involved with this ad in any way. It is rather disturbing because there are various ads for this one product, Vimax, that appear quite frequently on webpages that I go to - every page from Yahoo to Barney.com. The ads have explicit pictures on it as well. The ads are not pop-ups - rather they are directly on these webpages. I have tried using various browsers to see if that would make a difference - internet explorer, safari, firefox - the problem exists on them all. I don't understand it and I can't explain it. I am hoping someone can advise me how to address this so I do not see these ads again. I have not been able to allow my kids on the computer for this very reason also. I am a computer novice - so I would need quite a bit of guidance. Please help me if you can. Thank you. **********@ ********.com

<Edited by Moderator>

Mac OS X (10.4.11)

Posted on Nov 28, 2008 2:03 PM

Reply
37 replies

Nov 28, 2008 2:38 PM in response to ensmithtown

You have very little control over which ads get served to you. The ad companies try to target ads, so they think you're interested in such products.

About the only option you have to (try and) get rid of them is to reset your browser - this deletes all cookies, preferences, history, etc.

You can do this by either creating a new user account on the system (which I'd actually recommend anyway - use separate accounts for your kids), or by using Safari's 'Reset Safari' menu option.

Nov 28, 2008 2:54 PM in response to ensmithtown

I wonder if you may be subject to the below. It redirects you to websites other than the ones you intended to visit (P.S. the Discussions Hosts will remove your email address in your original post to prevent bots searching the web for email addresses to send you spam and add to your troubles):

DNSChanger Trojan

From MacWorld, January 10, 2008:

SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:


[ http://www.securemac.com >



The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. Called DNSChanger Trojan and also known as OSX.RSPlug. A Trojan Horse the software attacks users attempting to play a fake video file.


Upon attempting to play the video, the victim receives the following message:


“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”
Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.


SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.


There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac. A white paper has recently been published on the subject by SubRosaSoft, available [here| http://www.macforensicslab.com/ProductsAndServices/index.php?main page=document_general_info&cPath=11&productsid=174]


Message was edited by: Limnos

Nov 29, 2008 1:13 PM in response to ensmithtown

I'm getting these ads too. It wouldn't be a big deal but they're really annoying and sometimes graphic. To re-iterate what the original poster said these ads are placed within the sites I visit regularly, so this isn't some kind of program that redirects a search or anything. I have used DNSRemover, Macscan, Intego, etc... to no avail. I have reset Safari ( my browser of choice) and deleted all my cookies. The ads also show up in firefox. Does anyone have further suggestions on what I can do to get rid of these stupid ads? Thanks!

edit: this problem is also being discussed here http://discussions.apple.com/thread.jspa?messageID=8286821&#8286821

Message was edited by: Whit555

Nov 29, 2008 1:54 PM in response to Scott T.

For completeness, I should also add that some ads are "Flash" ads and those are different. If it is a "Flash" ad, you might also need to remove the flash player from your system. There are usually 2 files for this. If you open your main hard drive, then go to "Library" then go to "Internet Plug-ins". Delete anything with the word "Flash" in it.

Unfortunately this will also cause some problems with legitimate sites, but you have to weigh the trade-offs.

Nov 29, 2008 1:55 PM in response to Scott T.

I don't think most people know this, but Firefox has built-in ad blocking technology.

Really? Since which version? I am running 2.0.0.18 and the only thing I see in control+click is an Adblock feature which is part of Adblock Plus. I distinctly remember installing AdBlock Plus as an added plugin on Firefox; it was not part of Firefox. I know popup blocking was built-in.

Nov 29, 2008 3:32 PM in response to Whit555

Ah, but is it even on your computer? I don't know how Adblock works but I suspect it just tells Firefox to not download anything from such-and-such address. It is there on the website (if you are truly looking at the site that the header purports to be, which I question earlier) but the only way to stop that is not to visit that web site. Although we still haven't determined if these are really the web sites they claim to be, part of the arrangement is websites will put have features and if you want to browse them without those features then the onus is up to us to find a way to do so. I find animated GIFS and flash animations to be an invasion of my computer resources, but just start to look at the Discussions pages now!

Incidentally, I use Hotmail and lots of other sites and have not seen anything "explicit" (admittedly in the eye of the beholder) which is what still causes me to question if you are really seeing these sites that are normally pretty restrained in what they show.

Are these things still on the sites? Sites have been known to be hijacked before. Some webpages do not make their own ads, they just get what is served to them from ad agencies and if that central server is hacked then they get what is supplied.

Nov 29, 2008 5:34 PM in response to Limnos

Before reading this I suggest reading the discussion on a thread which is similar to this one where this problem was discussed a month ago. I also posted this comment there and it is the same one Whit555 linked to above. It can be found here: ( http://discussions.apple.com/thread.jspa?messageID=8286821&#8286821)

I'm in the same boat as Whit555. These ads started popping up this morning. Since then I've deleted all cookies in both Firefox and Safari (I have the latest versions of both browsers Firefox 3.0.4 and Safari 3.2.1). I downloaded MacScan and VirusBarrier, but neither of them have detected anything. Similarly the DNSChanger Removal Tool did me no good. I did the terminal work suggested in the cited macworld article ( http://www.macworld.com/article/60823/2007/10/trojanhorse.html) and it looks like I'm clean of a root cron job "no crontab for root" and my DNS servers match my GUI. (Of note the article about the new variant of the RSPlug trojan ( http://www.tuaw.com/2008/11/18/new-variant-of-rsplug-trojan-making-the-rounds/) was published on 11/18, the day the makers of VirusBarrier sent them an alert about the trojan horse. I only downloaded the trial version of VirusBarrier. It's definitions were installed on the 7/15 and I cannot update them without purchasing the application. So it is definitely possible (if not likely) that the full version of VirusBarrier has a solution for this... it would be nice if they would update the trial version)

As everyone has deduced this is very clearly not an issue with the websites themselves and is some sort of malware on my computer. The New York Times, MLB.com, macworld.com, and countless other respectable sites were not simultaneously compromised. On top of that I have visited these sites simultaneously with a friends computer and my own and on his computer they are completely clean. I hope everyone can take this as a definitive test that this is a problem of malware and my compromised computer -- not compromised websites. (Although, curiously I did see the ads on nytimes.com this morning but can't seem to get them again). And for clarity's sake I will mention that the ads are always replacing the spaces on websites where normal ads would sit and I have yet to see one in a pop-up window and they certainly aren't spawning pop-up windows of their own.

Also, the ads show up in every browser you try, including obscure ones (did anyone else know that RealPlayer has a web browser?). Perhaps of note, Firefox has slowed to an absolute crawl. While Safari runs fairly normal, Firefox will take 5 minutes to load a page (probably a Javascript battle going on?) and by the time it actually loads the Vimax ads do not appear -- the normal ones do. (Note: this is not due to ad-blocking which I will discuss below. When the ads are blocked a blank spot appears where the Vimax ad would be. In my super slow running Firefox after the 5 minute load, the real ads appear. Yet I believe the slow load times are directly owing to the malware as Safari runs at approximately normal speed). Safari is my primary browser, so I can't give a very accurate account if Firefox was actually showing the ads or has been running slow the whole day, but it certainly has been running extremely slow for the past few hours and I think, but I'm not sure, that it was showing the ads as well earlier in the day.

Like Whit555 I'm curious how this ended up on my computer. I just noticed it this morning, but I haven't really downloaded anything in the past few days. I do recall updating VLC media player, but I'm sure I was prompted to download an update from within the application itself. And I certainly haven't downloaded p*rn.

I'm not very interested in blocking these ads -- I'm interested in removing the malware from my computer. A month ago a strategy for blocking these ads was mentioned here: ( http://aalaap.blogspot.com/2008/10/block-annoying-vimax-ads.html) where you add a fake DNS entry for the host of the images: "127.0.0.1 b1.adv.net". I think it is important to note that this seems to be a new version of the malware as the host of the images seems to change depending upon when you open a website and which website. I have gotten images from hosts "b2.adv.net", "b4.adv.net", "b12.adv.net", "b13.adv.net" and "b18.adv.net" and that is just in the last 10 minutes since I've been checking. (Also perhaps of note, the ads on any one page can be sent from different host servers -- so b2 and b13 could both be displaying on mlb.com).

If someone is only interested in blocking these adds they can incrementally just add a new fake DNS entry for every single host they encounter. (You can find this by right clicking on the image and select "Copy Image Address". For example one of my adds yielded this: http://b18.adv.net/wim/300x250/300x250_10.gif. Obviously the host you input to block this ad is "b18.adv.net"). One could probably live with the malware by just blocking everything from b1 to b20. But like I said I want this off of my computer.

I am slightly concerned that this could be more harmful than just offensive ads. A minute ago when I was testing the fake DNS stuff with my horribly slow Firefox Max OS X force quit. The screen slowly dimmed and then it froze and said I needed to manually restart by holding the power button. No matter what, it seems clear that this problem existed a month ago and the solutions to fix that version of the malware exist with MacScan or the DNSChanger Removal Tool. However, considering that these ads are now served up by variable hosts and it doesn't seem as if that was documented before and considering that no plugin.settings or cron job exists (see linked macworld article), it seems as if this is a new and different version of the malware.

Like Whit555 I would appreciate any help resolving this issue. I've tried to document it as accurate as possible. Hopefully this will help.

Nov 30, 2008 9:35 AM in response to Whit555

Some DNS have been hijacked at the DNS. In other words they are the ones directing you to a false web site. Try putting these DNS addresses into your Preferences>Network>TCP/IP>DNS Servers:

208.67.222.222
208.67.220.220

This is OpenDNS which I believe has been patched against this vulnerability. not all ISP DNS have this patch.

Obscene ad posts on many web pages

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.