remove malware (benaughty.com)

Sorry, but no idea where to place this ticket. I have an iMac and use Google Chrome to browse the internet. Somewhere along the line I have picked up a piece of malware or virus that keeps popping up a new browser page for the website benaughty.com. I have used Sophos and iAnti Virus but nothing has removed it. Does anyone have any ideas?


Thanks

imac 7, Mac OS X (10.5.8)

Posted on May 16, 2012 1:13 PM


May 16, 2012 1:38 PM in response to David Crimmins

Uninstall Chrome add-ons and then uninstall Chrome.


Uninstall iAntivirus and Sophos, install the free ClamXav and run it when you need to.


You shouldn't have more than one anti-virus running.



If you're on 10.5 your machine might be infected with the Flashflake botnet which indeed runs advertising and may be blocking your Software Updates.


https://support.apple.com/kb/DL1534


After running this make sure you Software Update fully. Apple has issued a security update for 10.5




If you're on 10.6 or later, you might not be able to download the Security Updates to remove the malware, you will have to do it manually.


https://support.apple.com/downloads/



Harden your Mac against malware attacks



Once your machine is up and running on OS X, then download Chrome again, make sure pop-up windows are disabled and install Ad Block Plus or switch to Firefox which does.

May 16, 2012 7:17 PM in response to David Crimmins

David Crimmins wrote:


Sorry, but no idea where to place this ticket. I have an iMac and use Google Chrome to browse the internet. Somewhere along the line I have picked up a piece of malware or virus that keeps popping up a new browser page for the website benaughty.com. I have used Sophos and iAnti Virus but nothing has removed it. Does anyone have any ideas?

It could be the Flashback Trojan, but Sophos should have picked that up. iAntiVirus has apparently not been updated in three years, so I would not trust its results. This tool from F-Secure is the only one I recommend for removal by those that cannot run the Apple tool http://www.f-secure.com/weblog/archives/00002346.html.


Normally I'd say the DNSChanger malware as they used to go there, but those people are behind bars and the FBI is operating their servers until July, so I don't know how it could be that. Visit http://www.dcwg.org/ to check on that.

May 16, 2012 10:21 PM in response to David Crimmins

Back up your files off the machine and disconnect.


Then run whatever OS X install disk you have that matches the OS X version on the machine (and is for that machine) by holding c or option key while booting from it.


Archive and install (10.5) or Install OS X 10.6 and then reboot, Software Update again until clear, that hopefully will take care of it.


Apple issued a security update for 10.5 and 10.6, so by reinstalling OS X you should have a fresh OS X and then by updating it will remove any traces of the malware from your system hopefully.



There is always the Disk Utility Erase with Zero and install, that will wipe it out for sure.

May 16, 2012 10:54 PM in response to ds store

ds store wrote:

MadMacs0 wrote:


It could be the Flashback Trojan, but Sophos should have picked that up.

Not if he was pwned and it's blocking the definitions like malware does on PCs.

DNSChanger was known to block definition updates, but Flashback has not been observed to block definitions on a Mac yet. Older versions would not install if they saw Sophos (and several others), but apparently the latest only avoids VirusBarrier X6, Xcode and Little Snitch.

May 17, 2012 12:27 PM in response to David Crimmins

Thanks for all the great advice. I should have said that I got this on both an iMac and MacBook Air, one had Sophos and the other iAntivirus. I have removed Google Chrome, Sophos and iAntivirus and used ClamXav on one and ProtectMac on the other.


As I am using Safari now it hasn't appeared and while both anti-virus software did pick up things they don't appear to be the cause of the benaughty.com pop under. However I think I may re-install Chrome to see if it is dormant on my system, if it is then I will do the full reset as advised by ds store.


Will report back on progress, thanks again.

May 17, 2012 12:39 PM in response to David Crimmins

David Crimmins wrote:


both anti-virus software did pick up things they don't appear to be the cause of the benaughty.com pop under.


Likely not but iAntivirus hasn't been updated and Sophos should have caught it before it got onto your machine if it was working so since you can install it again.


I didn't know if it would have picked up the malware, but I knew ClamXav did, so with the anti-virus not causing any other behind the scenes issues...


A JavaScript popup-under window I don't think has been "fixed" yet, pop-ups have been.



I run the Firefox + NoScript + Ad Block Plus, so I don't see or have any popup/under issues or much of any annoyances. I often forget sometimes how nice it is and very fast.



That site has a very BAD reputation


https://www.mywot.com/en/scorecard/benaughty.com

May 17, 2012 2:52 PM in response to ds store

ds store wrote:


That site has a very BAD reputation


https://www.mywot.com/en/scorecard/benaughty.com

I noticed that and most of the sites claiming to remove it from a PC were equally bad, but I'm finding WOT less and less useful. I may have to start using a different service.


I also checked it out with Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=http://benaughty.com/ and found nothing for the last 90 days.

May 17, 2012 3:15 PM in response to MadMacs0

MadMacs0 wrote: I noticed that and most of the sites claiming to remove it from a PC were equally bad, but I'm finding WOT less and less useful. I may have to start using a different service.

Is there any Add-on like WOT to directly show ratings in searches? Google Safe Browsing Diagnostic is almost useless and so are McAfee and Norton.


There's MalwareURL, URLQuery and hpHosts Online. Don't have a lot of experience with them, but with these the URL in question has to be looked up manually.

May 17, 2012 3:45 PM in response to MadMacs0

MadMacs0 wrote:


I noticed that and most of the sites claiming to remove it from a PC were equally bad, but I'm finding WOT less and less useful. I may have to start using a different service.


I also checked it out with Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=http://benaughty.com/ and found nothing for the last 90 days.


MacKeeper isn't malware neither, but I sure like to be warned before I install it. 😁

May 17, 2012 7:34 PM in response to WZZZ

WZZZ wrote:


Is there any Add-on like WOT to directly show ratings in searches?

I haven't found one yet, but I'm actively looking.

Google Safe Browsing Diagnostic is almost useless and so are McAfee and Norton.

I activated it on one or two browsers that I don't use very much and it has alerted me a few times. It's also been pretty accurate about some of the sites where MacDefender and Flashback were hanging out back when we were trying to track down samples.

There's MalwareURL, URLQuery and hpHosts Online. Don't have a lot of experience with them, but with these the URL in question has to be looked up manually.

Yes, same with scumware.org.

May 23, 2012 5:39 AM in response to David Crimmins

I don't know that I would immediately think malware here. While malware is always possible, it's not the first thing you should think of with a Mac. What you describe would have to be something new.


I have seen a couple reports here lately of people having ads added to pages by their internet service provider. It's entirely possible that such an ad could produce such a pop-up or pop-under. I notice that your profile says you're using an iMac, but if you can figure out a way to test on a different network, that would be extremely helpful. If it doesn't happen on a different network, you'll need to investigate this sort of network-related issue.


It's also possible that a poisoned DNS server or hacked DNS settings in a wireless router could be causing the problem, perhaps by redirecting legit ad sites to one that is generating these pop-ups. Try switching your network settings to use the Google DNS or OpenDNS servers.

May 23, 2012 5:52 AM in response to David Crimmins

You don't need to go to the OpenDNS site to use OpenDNS. Simply open Network>Advanced>DNS in Sys Prefs and enter the following numbers for the interface you use, e.g. Airport or Ethernet,


208.67.222.222


208.67.220.220


Hit OK and then Apply. Make sure those numbers are entered above any others you may have there.


To check to see if it's working:


http://www.opendns.com/welcome/
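
A local check that the OpenDNS addresses are set and listed above any others, as the post advises (an added example, not part of the original thread). It assumes the one-address-per-line output of `networksetup -getdnsservers`; the service name "AirPort" and the sample input are constructed.

```shell
#!/bin/sh
# Added example: check that the OpenDNS resolvers from the post are listed first.
# Expected order, taken from the post above.
EXPECTED="208.67.222.222 208.67.220.220"

# audit_dns reads the output of `networksetup -getdnsservers <service>` on
# stdin (one address per line, or a sentence when none are set).
# Exit status: 0 = expected resolvers come first, 1 = wrong address or order,
# 2 = no manual resolvers (the router/DHCP-supplied ones are in use).
audit_dns() {
    awk -v expected="$EXPECTED" '
    BEGIN { n = split(expected, want, " ") }
    # Address lines contain only hex digits, dots and colons (IPv4 or IPv6).
    /^[0-9A-Fa-f:.]+$/ { got[++count] = $0 }
    END {
        if (count == 0) {
            print "NONE: no manual DNS servers set"
            exit 2
        }
        for (i = 1; i <= n; i++) {
            found = (i <= count) ? got[i] : "(empty)"
            if (found != want[i]) {
                printf "MISMATCH: entry %d is %s, expected %s\n", i, found, want[i]
                exit 1
            }
        }
        if (count > n)
            printf "OK: expected servers first, %d other(s) below\n", count - n
        else
            print "OK"
        exit 0
    }'
}

# Constructed sample: a router address left above the OpenDNS entries.
SAMPLE_WRONG_ORDER="192.168.1.1
208.67.222.222
208.67.220.220"
printf '%s\n' "$SAMPLE_WRONG_ORDER" | audit_dns || echo "exit status: $?"

# On the Mac itself (service name is an assumption; list the real ones with
# `networksetup -listallnetworkservices`):
#   networksetup -getdnsservers "AirPort" | audit_dns
```

A MISMATCH on entry 1 means another resolver, such as one handed out by the router, is still being asked first.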
