This discussion is archived
9842 Views 37 Replies Latest reply: Dec 22, 2008 3:07 PM by BDAqua
Currently Being ModeratedNov 28, 2008 2:38 PM (in response to ensmithtown)You have very little control over which ads get served to you. The ad companies try to target ads, so they think you're interested in such products.
About the only option you have to (try and) get rid of them is to reset your browser - this deletes all cookies, preferences, history, etc.
You can do this by either creating a new user account on the system (which I'd actually recommend anyway - use separate accounts for your kids), or by using Safari's 'Reset Safari' menu option.Mac OS X (10.5.4)
Currently Being ModeratedNov 28, 2008 2:54 PM (in response to ensmithtown)I wonder if you may be subject to the below. It redirects you to websites other than the ones you intended to visit (P.S. the Discussions Hosts will remove your email address in your original post to prevent bots searching the web for email addresses to send you spam and add to your troubles):
From MacWorld, January 10, 2008:
SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. Called DNSChanger Trojan and also known as OSX.RSPlug. A Trojan Horse the software attacks users attempting to play a fake video file.
Upon attempting to play the video, the victim receives the following message:
“Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”
Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.
SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.
There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac. A white paper has recently been published on the subject by SubRosaSoft, available [here|http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174]
Message was edited by: LimnosG4 Quicksilver dual 800 MHz 2x120 GBHDs 1.5GBRAM dual-boot 10.4.11 9.2.2, 2 G3 beiges, IIci
Currently Being ModeratedNov 28, 2008 2:50 PM (in response to ensmithtown)ensmithtown, welcome to Apple Discussions.
Try using the Firefox browser. It has a pop-up ad blocker (although I occasionally have a pop-up ad). Firefox is a better browser than Safari.
Firefox browser for OS 10.4 (freeware)
Cheers, Tom G4 AGP 400, G3 400 FW Pismo, OS X (10.4 + 10.3), OS 9.2.2, DSL, Zip, Canon LiDE30 Scanner, CD-RW, Canon i960 Printer, Belkin UPS
Currently Being ModeratedNov 28, 2008 2:56 PM (in response to Texas Mac Man)You can also get add-ons for Firefox. Adblock Plus is particularly effective and you can customize it to block specific ads in windows where they are displayed. A few find it over-aggressive so you have to choose.G4 Quicksilver dual 800 MHz 2x120 GBHDs 1.5GBRAM dual-boot 10.4.11 9.2.2, 2 G3 beiges, IIci
Currently Being ModeratedNov 28, 2008 4:06 PM (in response to ensmithtown)
there are various ads for this one product, Vimax, that appear quite frequently on webpages that I go to - every page from Yahoo to Barney.com. The ads have explicit pictures on it as well.
This really does sound like the DNSChanger Trojan that Limnos mentioned.iMac G5 1.8 GHz, Mac OS X (10.4.11)
Currently Being ModeratedNov 29, 2008 1:13 PM (in response to ensmithtown)I'm getting these ads too. It wouldn't be a big deal but they're really annoying and sometimes graphic. To re-iterate what the original poster said these ads are placed within the sites I visit regularly, so this isn't some kind of program that redirects a search or anything. I have used DNSRemover, Macscan, Intego, etc... to no avail. I have reset Safari ( my browser of choice) and deleted all my cookies. The ads also show up in firefox. Does anyone have further suggestions on what I can do to get rid of these stupid ads? Thanks!
edit: this problem is also being discussed here http://discussions.apple.com/thread.jspa?messageID=8286821�
Message was edited by: Whit555Macbook, Mac OS X (10.4.8)
Currently Being ModeratedNov 29, 2008 1:25 PM (in response to Whit555)
Does anyone have further suggestions
No, just the one I made before about using Adblock if you're using Firefox. You can block anything, including non-ads.G4 Quicksilver dual 800 MHz 2x120 GBHDs 1.5GBRAM dual-boot 10.4.11 9.2.2, 2 G3 beiges, IIci
Currently Being ModeratedNov 29, 2008 1:43 PM (in response to ensmithtown)Your best bet is Firefox.
I don't think most people know this, but Firefox has built-in ad blocking technology.
All you have to do is right click on any advertisement and chose to block it.
There are a relatively small number of ad companies out there, so after awhile you can block almost every ad there is.eMac 1.25GHz, 1GB RAM, Mac OS X (10.4.11)
Currently Being ModeratedNov 29, 2008 1:54 PM (in response to Scott T.)For completeness, I should also add that some ads are "Flash" ads and those are different. If it is a "Flash" ad, you might also need to remove the flash player from your system. There are usually 2 files for this. If you open your main hard drive, then go to "Library" then go to "Internet Plug-ins". Delete anything with the word "Flash" in it.
Unfortunately this will also cause some problems with legitimate sites, but you have to weigh the trade-offs.eMac 1.25GHz, 1GB RAM, Mac OS X (10.4.11)
Currently Being ModeratedNov 29, 2008 1:55 PM (in response to Scott T.)
I don't think most people know this, but Firefox has built-in ad blocking technology.
Really? Since which version? I am running 188.8.131.52 and the only thing I see in control+click is an Adblock feature which is part of Adblock Plus. I distinctly remember installing AdBlock Plus as an added plugin on Firefox; it was not part of Firefox. I know popup blocking was built-in.G4 Quicksilver dual 800 MHz 2x120 GBHDs 1.5GBRAM dual-boot 10.4.11 9.2.2, 2 G3 beiges, IIci
Currently Being ModeratedNov 29, 2008 3:32 PM (in response to Whit555)Ah, but is it even on your computer? I don't know how Adblock works but I suspect it just tells Firefox to not download anything from such-and-such address. It is there on the website (if you are truly looking at the site that the header purports to be, which I question earlier) but the only way to stop that is not to visit that web site. Although we still haven't determined if these are really the web sites they claim to be, part of the arrangement is websites will put have features and if you want to browse them without those features then the onus is up to us to find a way to do so. I find animated GIFS and flash animations to be an invasion of my computer resources, but just start to look at the Discussions pages now!
Incidentally, I use Hotmail and lots of other sites and have not seen anything "explicit" (admittedly in the eye of the beholder) which is what still causes me to question if you are really seeing these sites that are normally pretty restrained in what they show.
Are these things still on the sites? Sites have been known to be hijacked before. Some webpages do not make their own ads, they just get what is served to them from ad agencies and if that central server is hacked then they get what is supplied.G4 Quicksilver dual 800 MHz 2x120 GBHDs 1.5GBRAM dual-boot 10.4.11 9.2.2, 2 G3 beiges, IIci
Currently Being ModeratedNov 29, 2008 5:34 PM (in response to Limnos)Before reading this I suggest reading the discussion on a thread which is similar to this one where this problem was discussed a month ago. I also posted this comment there and it is the same one Whit555 linked to above. It can be found here: (http://discussions.apple.com/thread.jspa?messageID=8286821�)
I'm in the same boat as Whit555. These ads started popping up this morning. Since then I've deleted all cookies in both Firefox and Safari (I have the latest versions of both browsers Firefox 3.0.4 and Safari 3.2.1). I downloaded MacScan and VirusBarrier, but neither of them have detected anything. Similarly the DNSChanger Removal Tool did me no good. I did the terminal work suggested in the cited macworld article (http://www.macworld.com/article/60823/2007/10/trojanhorse.html) and it looks like I'm clean of a root cron job "no crontab for root" and my DNS servers match my GUI. (Of note the article about the new variant of the RSPlug trojan (http://www.tuaw.com/2008/11/18/new-variant-of-rsplug-trojan-making-the-rounds/) was published on 11/18, the day the makers of VirusBarrier sent them an alert about the trojan horse. I only downloaded the trial version of VirusBarrier. It's definitions were installed on the 7/15 and I cannot update them without purchasing the application. So it is definitely possible (if not likely) that the full version of VirusBarrier has a solution for this... it would be nice if they would update the trial version)
As everyone has deduced this is very clearly not an issue with the websites themselves and is some sort of malware on my computer. The New York Times, MLB.com, macworld.com, and countless other respectable sites were not simultaneously compromised. On top of that I have visited these sites simultaneously with a friends computer and my own and on his computer they are completely clean. I hope everyone can take this as a definitive test that this is a problem of malware and my compromised computer -- not compromised websites. (Although, curiously I did see the ads on nytimes.com this morning but can't seem to get them again). And for clarity's sake I will mention that the ads are always replacing the spaces on websites where normal ads would sit and I have yet to see one in a pop-up window and they certainly aren't spawning pop-up windows of their own.
Like Whit555 I'm curious how this ended up on my computer. I just noticed it this morning, but I haven't really downloaded anything in the past few days. I do recall updating VLC media player, but I'm sure I was prompted to download an update from within the application itself. And I certainly haven't downloaded p*rn.
I'm not very interested in blocking these ads -- I'm interested in removing the malware from my computer. A month ago a strategy for blocking these ads was mentioned here: (http://aalaap.blogspot.com/2008/10/block-annoying-vimax-ads.html) where you add a fake DNS entry for the host of the images: "127.0.0.1 b1.adv.net". I think it is important to note that this seems to be a new version of the malware as the host of the images seems to change depending upon when you open a website and which website. I have gotten images from hosts "b2.adv.net", "b4.adv.net", "b12.adv.net", "b13.adv.net" and "b18.adv.net" and that is just in the last 10 minutes since I've been checking. (Also perhaps of note, the ads on any one page can be sent from different host servers -- so b2 and b13 could both be displaying on mlb.com).
If someone is only interested in blocking these adds they can incrementally just add a new fake DNS entry for every single host they encounter. (You can find this by right clicking on the image and select "Copy Image Address". For example one of my adds yielded this: http://b18.adv.net/wim/300x250/300x250_10.gif. Obviously the host you input to block this ad is "b18.adv.net"). One could probably live with the malware by just blocking everything from b1 to b20. But like I said I want this off of my computer.
I am slightly concerned that this could be more harmful than just offensive ads. A minute ago when I was testing the fake DNS stuff with my horribly slow Firefox Max OS X force quit. The screen slowly dimmed and then it froze and said I needed to manually restart by holding the power button. No matter what, it seems clear that this problem existed a month ago and the solutions to fix that version of the malware exist with MacScan or the DNSChanger Removal Tool. However, considering that these ads are now served up by variable hosts and it doesn't seem as if that was documented before and considering that no plugin.settings or cron job exists (see linked macworld article), it seems as if this is a new and different version of the malware.
Like Whit555 I would appreciate any help resolving this issue. I've tried to document it as accurate as possible. Hopefully this will help.MacBook Pro Intel Core Duo, Mac OS X (10.5.5)