Mac OSX 10.6.8 web browsing hijacked

8597 Views 23 Replies Latest reply: May 8, 2013 8:37 AM by MadMacs0
daav2001 Level 1 (0 points)
Jul 30, 2012 4:21 AM

I seem to have contracted some sort of trojan or malware, or have some sort of DNS changer that I inadvertently installed... or somehow got on my system.


When browsing in any browser (I have used Safari, Chrome, and Firefox), I am often redirected to a Chinese advertisement site (should be too surprising, as I live in China). At first, I thought it was the ISP that was redirecting, but after having experienced this issue over the past week at numerous locations, I'm pretty sure my machine has a problem that needs to be figured out.


I have tried MacScan and DNSchanger removal tool. I have tried dumping the cache in the terminal. I have deleted my Flash cookies and all browsing history/cache files. I've tried a few other things that I thought might work as I found them on older posts for similar issues. None of these have resolved the issue.


The only thing I can think that may have caused it is I was recently staying at a hotel and having issues with their internet. They sent an "IT" guy to fix it and he made some changes to the network settings (I wasn't paying close enough attention to what he was doing)... in the end, the internet never worked at that hotel and from that point forward, I've had this problem. I can't say there is cause and effect with that, but correlation for sure.


The site I'm being directed to is:


I'm running a MacBook Pro 13"

Mac OSX 10.6.8

All my browsers are up to date. 


Any ideas?  Am I forgetting any important details?

Mac Pro, Mac OS X (10.6.8)
  • herger
    Jul 30, 2012 4:44 AM (in response to daav2001)



    I am sorry for your problem.

    Did you try to rebuild an internet connection?

    Are you using LAN cable or wifi?





  • Kurt Lang Level 7 (31,470 points)
    Jul 30, 2012 5:55 AM (in response to daav2001)

    Open the System Preferences and click on Network. With your Ethernet connection in the left column selected, click Advanced at the lower right. Click on the DNS tab. If there are any DNS Server addresses there other than your router's address, delete them. Your router will always be a local domain, the same as, or similar to Leave that one and remove any others.

  • WZZZ Level 6 (11,875 points)
    Jul 30, 2012 12:39 PM (in response to daav2001)

    Just add the new ones above; the greyed out ones will be ignored or even replaced. I would suggest the DNS servers from OpenDNS, which are patched against DNS poisoning/redirects.


    You don't need to go to the OpenDNS site to use OpenDNS. Simply open Network>Advanced>DNS in Sys Prefs and enter the following numbers for the interface you use, e.g. Airport or Ethernet,




    Hit OK and then Apply. Make sure those numbers are entered above any others you may have there.


    To check to see if it's working



    EDIT: The greyed out ones are from China Telecom. That would appear to explain the redirects.





    Message was edited by: WZZZ

  • WZZZ Level 6 (11,875 points)
    Jul 30, 2012 5:16 PM (in response to daav2001)

    Did you start using OpenDNS?

  • ds store Level 7 (30,305 points)
    Jul 30, 2012 6:31 PM (in response to daav2001)

    There are no OpenDNS servers in China; closest is Singapore.



    Run all of the free 10.6 OnyX maintenance and cache cleaning routines and reboot at the end.




    Disconnect from the network, create a new Admin account, log into it and create a new location and then connect directly to the router and reset it so it gets a new IP address.


    Run through the list of fixes here, especially #8 Reinstall Just OS X then Software update fully.


    Step by Step to fix your Mac

  • MadMacs0 Level 4 (3,320 points)
    Jul 31, 2012 1:41 AM (in response to daav2001)

    daav2001 wrote:


    I'm seeing the infamous 'greyed out' DNS addresses showing up. I can't delete them, or at least I don't know how. They are and

    They appear to be legit DNS servers belonging to CHINANET Shanghai province network, almost certainly provided by your ISP.


    There could be entries in your hosts file for Bing which will override DNS.


    In the Finder select Go->Go to Folder... and type "/etc/" without the quotes in the "Go to

    In the "Go to the folder:" box type "/etc/" without quotes and click the "Go" button.

    Select "hosts" and double-click to open it in TextEdit. If it says more than:


    # Host Database


    # localhost is used to configure the loopback interface

    # when the system is booting.  Do not change this entry.

    ##                      localhost          broadcasthost

    ::1                                  localhost

    fe80::1%lo0                    localhost

    you are infected. Copy and paste the rest of what you see here.
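
The hosts-file check described in the post above, as an added example that is not part of the original thread: it prints every mapping beyond the stock macOS entries so each one can be reviewed. The function names are hypothetical, and the sample file is constructed with documentation-range addresses and placeholder names.

```shell
#!/bin/sh
# audit_hosts FILE: print "address<TAB>hostname" for each mapping that is not
# in the stock macOS hosts file. Returns 1 if any were found, 0 if clean.
audit_hosts() {
    awk '
        BEGIN {
            # Stock macOS mappings (address and name, lower-cased).
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        {
            sub(/\r$/, "")      # tolerate CRLF line endings
            sub(/#.*/, "")      # drop comments, including trailing ones
            if (NF < 2) next    # blank, comment-only or address-only line
            addr = tolower($1)
            # One line may map several names to the same address.
            for (i = 2; i <= NF; i++) {
                key = addr " " tolower($i)
                if (!(key in ok)) {
                    printf "%s\t%s\n", addr, tolower($i)
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

# Constructed sample: the stock entries plus two added mappings. Addresses are
# from the documentation range 203.0.113.0/24; the names are placeholders.
make_sample_hosts() {
    cat > "$1" <<'EOF'
##
# Host Database
##
127.0.0.1        localhost
255.255.255.255  broadcasthost
::1              localhost
fe80::1%lo0      localhost
203.0.113.10     search.example www.search.example   # added
203.0.113.11     Mail.Example
EOF
}

# Run as: sh audit_hosts.sh /etc/hosts
if [ -n "${1:-}" ]; then audit_hosts "$1"; fi
```

Any name it prints resolves from the hosts file before DNS is consulted, so changing DNS servers has no effect on it.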

  • David Luckhardt Level 1 (15 points)
    Oct 16, 2012 4:54 PM (in response to MadMacs0)

    Just had a corporate user come back from China with the same issue on his Lion MacBook Air. Same URL up to the end part, where it referenced our corporate reporting site rather than Facebook. Using Chrome, anytime he tried to access the reports it took him to the same Chinese website with popups and popunder windows. The corporate report URL could be used just fine in Safari, and I checked the Network Pref pane Advanced settings to confirm that no proxy settings were changed systemwide. So the problem was just the single redirected link in Chrome.


    Fix was to delete all browsing data (which includes cookies) in Chrome and restart Chrome.  I tried just deleting all the cookies from the site and restarting Chrome, but that didn't work.    So the scope was different from what was reported above by the OP, but the problem was the same basic URL from using hotel networks in China.

  • sjd881 Level 1 (0 points)
    Nov 7, 2012 5:43 PM (in response to daav2001)

    Hi all,


    I am living in China and getting the same thing. It's very recent but it seems ChinaUnicom are trying to take over Google, BBC, NYT and other URLs and point you to their own web services (of course fully supported by the Chinese Government). Behaviour is very sporadic, sometimes Chrome, but mostly Firefox. I have checked host files, DNS, everything and the only way to stop it is to delete all cookies and history from the browser after infection and restart. It's a total pain as I have the Google double sign in system turned on and I have to re-authenticate twice to get into my Gmail.


    I also have the greyed out DNS entries but they are legit servers - Google and our company one. Maybe they are taking over the Google in the Great Firewall of China? However once infected and I am in my office (has a tunnel through the Chinese Firewall) I still get the re-direct and from reading this thread users returning to the USA still are infected so it can not be the GFC!


    The thing that makes me think it's not DNS is, on the same system I can have it happen in Firefox but not Chrome at the same time, unless the cookies can somehow override DNS.


    I can also see that a site actually begins to load and then sometime through the page load (before it completes) the redirect happens.


    I would love to know how they are doing this but I don't want to share my cookies with the world! I am 90% convinced this is where it's happening.


    Any ideas from any of the big brains out there?

  • sjd881 Level 1 (0 points)
    Nov 7, 2012 6:06 PM (in response to daav2001)

    My Firefox Profile files - note Cookie files


  • sjd881 Level 1 (0 points)
    Nov 7, 2012 6:16 PM (in response to daav2001)

    I have now opened the cookies.sqlite-wal and found a load of code in there with the same URL as my redirect - close to references to BBC, Google, Youtube etc.


    As I said I don't want to publicly share my cookies contents as I am paranoid about security but I am now 99.9% sure the cookies are being altered in the browsers to redirect all traffic to Google / BBC and others. Lovely, lovely China.


    Why can't the guys at Anonymous do something useful and bring down the Chinese internet system!




    oh - just in case anyone is reading this - delete your cookies and restart the browser, only way to fix the problem.

  • sjd881 Level 1 (0 points)
    Nov 7, 2012 6:24 PM (in response to daav2001)



    Just spotted something else in Firefox.


    Go to the help menu, troubleshooting information


    In the displayed list look at your important modified preferences. I had a modified preference for Keyword search which looked very strange, anyway I pressed the "reset firefox" button and voila all fixed without deleting cookies.


    Cool, let's hope I have found an easy fix for Firefox.
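
The modified-preference check from the post above can also be run against a Firefox profile's prefs.js directly. This is an added example, not part of the original thread: it lists user-set preferences whose value contains a web URL on a host outside the domains you pass in. The function names are hypothetical and the sample file, including its redirect host, is constructed.

```shell
#!/bin/sh
# audit_prefs FILE [EXPECTED_DOMAIN ...]
# Prints "pref-name<TAB>host" for every http(s) URL inside a user_pref() value
# whose host is not an expected domain or a subdomain of one.
# Returns 1 if anything was printed, 0 otherwise.
audit_prefs() {
    file=$1; shift
    awk -v allow="$*" '
        BEGIN { n = split(tolower(allow), ok, " ") }
        function expected(host,   i, s) {
            for (i = 1; i <= n; i++) {
                s = ok[i]
                if (host == s) return 1
                # Dot-bounded suffix match: "www.x.org" matches "x.org".
                if (substr(host, length(host) - length(s)) == "." s) return 1
            }
            return 0
        }
        /^user_pref\(/ {
            if (!match($0, /"[^"]*"/)) next          # first quoted string = name
            name = substr($0, RSTART + 1, RLENGTH - 2)
            rest = substr($0, RSTART + RLENGTH)
            while ((p = index(rest, "://")) > 0) {
                web = (substr(rest, p - 4, 4) == "http" || substr(rest, p - 5, 5) == "https")
                rest = substr(rest, p + 3)
                if (!web) continue
                host = tolower(rest)
                sub(/[^a-z0-9.-].*/, "", host)       # cut at port, path or quote
                if (host != "" && !expected(host)) {
                    printf "%s\t%s\n", name, host
                    found = 1
                }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "$file"
}

# Constructed sample prefs.js; the redirect host is a placeholder.
make_sample_prefs() {
    cat > "$1" <<'EOF'
user_pref("browser.cache.disk.capacity", 358400);
user_pref("browser.startup.homepage", "https://www.mozilla.org/en-US/");
user_pref("keyword.URL", "http://search.redirect.example/?q=");
EOF
}

# Run as: sh audit_prefs.sh /path/to/prefs.js mozilla.org
if [ -n "${1:-}" ]; then audit_prefs "$@"; fi
```

On OS X the file is prefs.js inside the profile folder under ~/Library/Application Support/Firefox/Profiles/; quit Firefox before reading it so the contents are current.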


