
How to clear computer of tracking999 trojan.

I'm using OS 10.6.8 and recently started having issues with tracking999 while using Firefox. Any advice as to how to get this removed (all solutions I've found don't seem to help with Mac OSX users).

Mac OSX-OTHER, Mac OS X (10.6.8)

Posted on Nov 25, 2012 11:48 PM


Nov 30, 2012 8:02 AM in response to Klaus1

I have the same issue since this morning.


It is some kind of DNS redirect I think. I have changed my DNS prefs in Network Settings to OpenDNS, but this did not help.


I used Time Machine to go back a couple of days in case it was something I inadvertently downloaded recently. Also no help.


I have installed Ghostery on all my browsers in all user accounts. Still getting redirects. This seems to be a recent phenomenon for most people according to my Google searches. I hope someone can shed some light on this soon.

Nov 30, 2012 10:01 AM in response to thomas_r.

Hi Thomas.

In my case, this just started happening as of this morning. My girlfriend was trying to watch an episode of Homeland on the internet and I'm guessing that she may have clicked on a bad link instead of the legitimate TV company link.


Since then, regardless of which browser I use and what website I visit, after a brief second or two, the page I had intended to visit is replaced by "the document has been moved, redirecting…" (or similar) and then it takes me to a completely unknown website such as "allwaysearch" or "tracking999", but not limited to these. It's not a popup or popunder, it literally stops you from visiting the page you want and takes you somewhere bad. I also have WOT (Weboftrust) installed and this is showing 'red' even at the Google search results page, so I think it has already lined up redirects?


I have read that this Tracking999 is related to something called Luxemil (which I have no knowledge of) but basically it seems to have hijacked my browsers and continually redirects to dubious sites. This may be 'black hat' pay-per-click or even sites that will install more malware, so I am concerned.


I am in the process of restoring the entire system (10.6.8 on my Mac Pro) from a TM backup of a couple of days ago.


If (and I don't advise it!) you were to visit the tracking999 site, it says something like "Test. This is to test traffic to check the quality of something for the benefit of our advertisers".


According to Google Safe Browsing diagnostic page:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, tracking999.com appeared to function as an intermediary for the infection of 40 site(s) including (edited out obviously!)

Most of the Google references to this problem relate to PCs and encourage you to download all sorts of 'malware removal tools' but I would think that these too are unlikely to be trustworthy.

Nov 30, 2012 10:12 AM in response to hotmetal_UK

Did your girlfriend install any "video plug-ins" to play the video? I'm unaware of any current Mac malware that uses that trick, but that trick has been used in the past by the RSPlug (aka DNSChanger) trojan. That trojan is extinct at this point, though, so that's not the problem.


However, it is possible that she may have installed some junk software that added an internet plug-in that is doing this. Copy the following command and paste it into the Terminal (found in /Applications/Utilities):


ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins


Paste the output of that command into a new message here.


Also, just out of curiosity, what does your hosts file look like? The following Terminal command will tell you:


more /etc/hosts
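
An added example, not part of the original thread: one way to read the hosts file is to print only the mappings that differ from the stock entries. The function name `audit_hosts` is made up for this example, and the four default entries in it are assumed to be what an unmodified Mac OS X hosts file contains.

```shell
#!/bin/sh
# Added example: report hosts-file mappings that are not stock entries.
# Assumption: an unmodified Mac OS X /etc/hosts maps only localhost and
# broadcasthost, as listed in the BEGIN block below.

# audit_hosts FILE: print "<address>\t<hostname>" for every mapping in
# FILE that is not one of the default entries. No output means no extras.
audit_hosts() {
    awk '
    BEGIN {
        ok["127.0.0.1 localhost"]
        ok["255.255.255.255 broadcasthost"]
        ok["::1 localhost"]
        ok["fe80::1%lo0 localhost"]
    }
    {
        sub(/\r$/, "")      # tolerate CRLF line endings
        sub(/#.*/, "")      # drop whole-line and trailing comments
        if (NF < 2) next    # blank line, or an address with no name
        # One line may map several names to the same address.
        for (i = 2; i <= NF; i++) {
            key = tolower($1) " " tolower($i)
            if (!(key in ok)) printf "%s\t%s\n", $1, $i
        }
    }' "$1"
}

# Check the live file when it is readable.
if [ -r /etc/hosts ]; then
    audit_hosts /etc/hosts
fi
```

Any line this prints is a name that resolves from the hosts file instead of DNS, which is worth explaining before looking further.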

Nov 30, 2012 10:25 AM in response to thomas_r.

My MacPro is half an hour away from a total restore from Time Machine being finished, so I can't try those suggestions just yet. I will do when it restarts, but hopefully that will have reset everything anyway.


I don't think she did install anything because she hit a page that said "You need Adobe Flash, click here to install" and she asked me if she should. Of course I said "NOO!" and closed that page down but maybe it was too late. She did watch the video but swears she didn't install anything. Can webpages install malware without you clicking 'install'? I mean just by visiting a page or watching a video? I think we were logged in as me (i.e. Admin privileges). I'm a bit jumpy because my Mac Pro is what I use for my business and internet banking.

Nov 30, 2012 10:30 AM in response to hotmetal_UK

Can webpages install malware without you clicking 'install'? I mean just by visiting a page or watching a video?


Nope, not if you have the machine properly updated. There have been a few things that could install without user interaction through older versions of Java, which contained vulnerabilities, but if you have Java disabled in your web browser or have installed all OS updates, that can't happen.

Nov 30, 2012 12:00 PM in response to thomas_r.

D'oh! It seems that Java was enabled. I have now restored my entire system, a bit of a PITA because I had to reload a bunch of photos into iPhoto, reconfigure Mail etc. But it seems as if the problem has gone.


I have now disabled Java and reinstalled Ghostery in my browsers.


I think there's no point at the moment posting up what's in my Terminal because I already restored the system.

Hopefully that's the end of the issue. My 'fix' was a sledgehammer to crack a nut (if indeed it fixed it, which time will tell).


Many thanks for your help Thomas. Hope this helps the original poster and others too. I guess it might have been more informative if I could have captured the Terminal info before I started my restore, but I was getting pretty bothered about my security and wanted it shut down as soon as poss.

Dec 2, 2012 10:14 PM in response to thomas_r.

Hi Thomas, I'm having the same issue as hotmetal UK, but I don't have the restore option since I don't know how far back to go, and I have some key files that I can't afford to lose that I've been working on of late.


Here is the output file from the terminal for me;


Last login: Sun Dec 2 21:19:13 on console

macbooks-MacBook-2:~ macbook$ ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins

ls: /Users/macbook/Library/Internet Plug-Ins: No such file or directory

total 56

drwxrwxr-x 27 root admin 918 Sep 2 00:18 .

drwxrwxr-t+ 61 root admin 2074 Jul 5 23:28 ..

drwxr-xr-x 3 root wheel 102 Jan 30 2011 AdobePDFViewer.plugin

drwxr-xr-x 3 root wheel 102 May 2 2012 AdobePDFViewerNPAPI.plugin

drwxrwxr-x 3 root admin 102 Nov 25 2010 DFusionWebPlugin.plugin

drwxrwxr-x 3 root admin 102 Nov 25 2010 DFusionWebPluginS64.plugin

drwxrwxr-x 3 root admin 102 Jul 5 23:56 Flash Player.plugin

drwxrwxr-x 3 root admin 102 Nov 3 2009 Flip4Mac WMV Plugin.plugin

drwxrwxr-x 3 root admin 102 Nov 3 2009 Flip4Mac WMV Plugin.webplugin

drwxr-xr-x 3 root admin 102 May 2 2012 GarminGpsControl.plugin

drwxr-xr-x@ 5 macbook admin 170 Jan 20 2010 Google Earth Web Plug-in.plugin

lrwxr-xr-x 1 root admin 79 Jul 3 10:41 JavaAppletPlugin.plugin -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin

lrwxr-xr-x 1 root admin 76 Jul 5 18:50 JavaPluginCocoa.bundle -> /System/Library/Frameworks/JavaVM.framework/Resources/JavaPluginCocoa.bundle

-rwxrwxr-x@ 1 root admin 4752 Feb 7 2006 NP-PPC-Dir-Shockwave

drwxrwxr-x 3 root admin 102 May 18 2009 Quartz Composer.webplugin

drwxrwxr-x 3 root admin 102 Dec 2 21:38 QuickTime Plugin.plugin

lrwxr-xr-x 1 macbook admin 68 Feb 18 2010 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin

drwxrwxr-x@ 3 root admin 102 Aug 25 2010 SharePointBrowserPlugin.plugin

drwxrwxr-x 3 root admin 102 Aug 25 2010 SharePointWebKitPlugin.webplugin

drwxrwxr-x 3 root admin 102 Nov 20 2011 Silverlight.plugin

drwxrwxr-x 3 root admin 102 Jul 28 2010 TVUPlugin.webplugin

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleBroadcast-0.9.16

drwxr-xr-x 3 root admin 102 Jan 25 2010 VeetleTVCore-0.9.16

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleTVPlayer-0.9.16

-rw-rw-r-- 1 root admin 856 Apr 11 2012 flashplayer.xpt

drwxrwxr-x 3 root admin 102 Jan 14 2009 iPhotoPhotocast.plugin

-rw-rw-r-- 1 root admin 2394 Mar 2 2010 nsIQTScriptablePlugin.xpt

macbooks-MacBook-2:~ macbook$


Thanks in advance for your advice. I've since tried to download Kaspersky but the problem still appears when I use Firefox (it's been OK with Chrome though).

Dec 3, 2012 3:53 AM in response to p.lonj

The plug-ins that I don't have on my system are:


drwxr-xr-x 3 root wheel 102 Jan 30 2011 AdobePDFViewer.plugin

drwxr-xr-x 3 root wheel 102 May 2 2012 AdobePDFViewerNPAPI.plugin

drwxrwxr-x 3 root admin 102 Nov 25 2010 DFusionWebPlugin.plugin

drwxrwxr-x 3 root admin 102 Nov 25 2010 DFusionWebPluginS64.plugin

drwxr-xr-x 3 root admin 102 May 2 2012 GarminGpsControl.plugin

drwxr-xr-x@ 5 macbook admin 170 Jan 20 2010 Google Earth Web Plug-in.plugin

-rwxrwxr-x@ 1 root admin 4752 Feb 7 2006 NP-PPC-Dir-Shockwave

lrwxr-xr-x 1 macbook admin 68 Feb 18 2010 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin

drwxrwxr-x@ 3 root admin 102 Aug 25 2010 SharePointBrowserPlugin.plugin

drwxrwxr-x 3 root admin 102 Aug 25 2010 SharePointWebKitPlugin.webplugin

drwxrwxr-x 3 root admin 102 Nov 20 2011 Silverlight.plugin

drwxrwxr-x 3 root admin 102 Jul 28 2010 TVUPlugin.webplugin

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleBroadcast-0.9.16

drwxr-xr-x 3 root admin 102 Jan 25 2010 VeetleTVCore-0.9.16

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleTVPlayer-0.9.16


These are all in the Internet Plug-Ins folder in the Library folder at the root level of your hard drive. If you're not sure where to find that, choose Go -> Go To Folder in the Finder and enter the following path:


/Library/Internet Plug-Ins


You can quit your web browsers, move suspicious plug-ins to the desktop, then re-open your browser and test. If the problem goes away, the issue is caused by one of the things you removed. Test until you figure out which plug-in is the culprit.


Also, note that if you are not having exactly the same problem (redirects in all browsers), and it's happening only in one browser, try looking for browser-specific extensions. In Safari, for example, you should look in the Extensions pane of Safari's preferences.

Dec 6, 2012 2:34 AM in response to p.lonj

Hi

I have had the same problem for 3 days in Firefox.

Here is the output from my terminal:

Andy-MacBook-Pro:~ andy$ ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins

total 0

drwx------+ 2 andy staff 68 19 Okt 20:05 .

drwx------@ 45 andy staff 1530 3 Nov 22:50 ..

total 16

drwxr-xr-x 18 root wheel 612 10 Nov 17:49 .

drwxr-xr-x+ 70 root wheel 2380 20 Okt 22:20 ..

drwxrwxrwx 2 andy admin 68 20 Okt 00:24 Disabled Plug-Ins

drwxrwxr-x 3 root admin 102 27 Jul 01:54 DivXBrowserPlugin.plugin

drwxrwxr-x 3 root wheel 102 10 Nov 17:49 Flash Player.plugin

drwxrwxr-x 3 root admin 102 19 Okt 23:47 Flip4Mac WMV Plugin.plugin

drwxrwxr-x 3 root admin 102 19 Okt 23:41 Flip4Mac WMV Plugin.webplugin

drwxrwxr-x 5 root admin 170 19 Okt 22:56 Google Earth Web Plug-in.plugin

drwxr-xr-x 3 root wheel 102 2 Nov 14:10 JavaAppletPlugin.plugin

drwxr-xr-x 3 andy staff 102 20 Okt 00:07 Mozillaplug.plugin

drwxr-xr-x 3 root admin 102 19 Okt 23:32 OVSHelper.plugin

drwxr-xr-x 3 root wheel 102 21 Jun 06:50 Quartz Composer.webplugin

drwxr-xr-x 3 root wheel 102 21 Jun 06:18 QuickTime Plugin.plugin

lrwxr-xr-x 1 root wheel 68 20 Okt 00:22 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin

drwxrwxr-x 4 root admin 136 19 Okt 23:37 SpeedDownload Browser Plugin.plugin

-rw-rw-r-- 1 root admin 856 29 Okt 09:32 flashplayer.xpt

drwxrwxr-x 3 root admin 102 20 Okt 00:05 iPhotoPhotocast.plugin

-rw-r--r-- 1 root wheel 2394 22 Jul 10:23 nsIQTScriptablePlugin.xpt

For Windows I can find lots of removal tips/tools, but for Mac I find nothing!?

Dec 6, 2012 4:10 AM in response to bazamba

here from my terminal:


Rather than keep telling folks what's unusual, here's a list of the items that should normally be found in the /Library/Internet Plug-Ins folder:


drwxr-xr-x 12 root wheel 408 Nov 7 16:45 .

drwxr-xr-x+ 65 root wheel 2210 Dec 2 13:33 ..

lrwxr-xr-x 1 root wheel 79 Oct 11 13:16 JavaAppletPlugin.plugin -> /System/Library/Java/Support/CoreDeploy.bundle/Contents/JavaAppletPlugin.plugin

drwxr-xr-x 3 root wheel 102 Jun 20 18:50 Quartz Composer.webplugin

drwxr-xr-x 3 root wheel 102 Sep 5 20:38 QuickTime Plugin.plugin

drwxrwxr-x 3 root admin 102 Nov 17 2009 iPhotoPhotocast.plugin

-rw-r--r-- 1 root wheel 2394 Oct 11 13:19 nsIQTScriptablePlugin.xpt


The ~/Library/Internet Plug-Ins folder should be empty by default, so anything in there can be removed.


Of course, some items are quite normal to see. For example, the Flash Player.plugin and flashplayer.xpt files are normal if you have Adobe Flash installed.


bazamba, in your case, I don't see anything terribly suspicious other than SpeedDownload. That software is crap, and you should uninstall it, but I wouldn't expect it to be causing this particular problem. Did you check Firefox's add-ons? Choose Tools -> Add-ons and check both Plugins and Extensions in the window that opens.
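
An added example, not part of the original thread or any poster's own code: a shell function that checks a plug-in folder against the stock list quoted in the reply above and prints only the entries that are not on it. The function name `audit_plugins` and the `flash`/`review` tags are made up for this example; the baseline names are the ones in that listing.

```shell
#!/bin/sh
# Added example: list plug-in folder entries that are not in the stock
# baseline quoted in the reply above.

# Names from the reply's listing of a stock /Library/Internet Plug-Ins.
BASELINE='JavaAppletPlugin.plugin
Quartz Composer.webplugin
QuickTime Plugin.plugin
iPhotoPhotocast.plugin
nsIQTScriptablePlugin.xpt'

# Items the reply calls normal when Adobe Flash is installed.
FLASH_OK='Flash Player.plugin
flashplayer.xpt'

# audit_plugins DIR [system|user]
# Prints "<tag>\t<name>" per non-baseline entry. In "user" scope the
# folder should be empty by default, so every entry is tagged "review".
audit_plugins() {
    dir=$1
    scope=${2:-system}
    if [ ! -d "$dir" ]; then
        printf 'missing\t%s\n' "$dir"
        return 0
    fi
    for path in "$dir"/*; do
        # An empty folder leaves the glob unexpanded; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        target=
        # Show where a symlinked plug-in really lives.
        if [ -L "$path" ]; then target=" -> $(readlink "$path")"; fi
        if [ "$scope" = system ] &&
           printf '%s\n' "$BASELINE" | grep -Fxq -- "$name"; then
            continue
        elif [ "$scope" = system ] &&
             printf '%s\n' "$FLASH_OK" | grep -Fxq -- "$name"; then
            printf 'flash\t%s%s\n' "$name" "$target"
        else
            printf 'review\t%s%s\n' "$name" "$target"
        fi
    done
}

audit_plugins "/Library/Internet Plug-Ins" system
audit_plugins "$HOME/Library/Internet Plug-Ins" user
```

A `review` tag only means the item is not part of a stock install; it still has to be matched to software you knowingly installed.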

Jan 4, 2013 7:43 AM in response to p.lonj

Hi!


I have been having this problem for a while. It was gone for a while after I reset Firefox, but now it's back and even when I do a reset the problem keeps going. This is a shared computer and even when I tell them not to install anything, I'm sure they do.


This is what I have on Terminal:


Last login: Sun Mar 15 07:35:30 on console

Lauras-MacBook:~ Laura$ ls -al ~/Library/Internet\ Plug-Ins; ls -al /Library/Internet\ Plug-Ins

total 24

drwx------+ 8 Laura staff 272 Jan 4 09:33 .

drwx------+ 52 Laura staff 1768 Nov 6 09:40 ..

-rw-------@ 1 Laura staff 6148 Jan 4 09:33 .DS_Store

drwxr-xr-x@ 3 Laura staff 102 Aug 4 2010 BrowserPlus_2.9.8.plugin

drwxrwxr-x 3 Laura admin 102 Mar 31 2010 ClickToFlash.webplugin

lrwxr-xr-x 1 Laura staff 96 Jul 11 16:45 FacebookVideoCalling.bundle -> /Users/Laura/Library/Application Support/Facebook/video/1.2.0.158/FacebookVideoCalling.webplugin

drwxr-xr-x@ 3 Laura admin 102 Oct 14 2009 Move-Media-Player.plugin

drwxr-xr-x 3 Laura staff 102 Aug 12 2010 Picasa.plugin

total 80

drwxrwxr-x 31 root admin 1054 Dec 22 10:11 .

drwxrwxr-t+ 60 root admin 2040 Dec 24 2011 ..

-rw-rw-r--@ 1 Laura admin 15364 Oct 30 21:32 .DS_Store

drwxr-xr-x 3 root wheel 102 Oct 25 2010 AdobePDFViewer.plugin

drwxr-xr-x 3 root wheel 102 Apr 12 2012 AdobePDFViewerNPAPI.plugin

lrwxr-xr-x 1 Laura admin 92 Mar 5 2012 AmazonMP3DownloaderPlugin.plugin -> /Applications/Amazon MP3 Downloader.app/Contents/Resources//AmazonMP3DownloaderPlugin.plugin

lrwxr-xr-x 1 root admin 91 Aug 4 13:15 AmazonMP3DownloaderPlugin1017265.plugin -> /Applications/Amazon MP3 Downloader.app/Contents/Resources/AmazonMP3DownloaderPlugin.plugin

drwxrwxr-x 3 root admin 102 Sep 20 2011 CouponPrinter-FireFox_v2.plugin

drwxrwxr-x 3 root admin 102 Sep 20 2011 CouponPrinter-Safari.webplugin

drwxrwxr-x 3 root admin 102 Jan 30 2012 DirectorShockwave.plugin

drwxrwxr-x 4 root admin 136 Oct 30 21:35 Disabled Plug-Ins

drwxrwxr-x 3 root admin 102 Dec 10 18:51 DivXBrowserPlugin.plugin

drwxrwxr-x 3 root admin 102 Nov 13 21:36 Flash Player.plugin

drwxrwxr-x 3 root admin 102 Jun 30 2011 Flip4Mac WMV Plugin.plugin

lrwxr-xr-x 1 root admin 77 Jul 7 2011 JavaPluginCocoa.bundle -> /System/Library/Frameworks/JavaVM.framework/Versions/A/JavaPluginCocoa.bundle

drwxr-xr-x 3 root admin 102 Jan 17 2012 OVSHelper.plugin

drwxrwxr-x 3 root wheel 102 Feb 14 2012 PDF Browser Plugin.plugin

drwxr-xr-x@ 3 root admin 102 Mar 30 2010 PandoWebInst.plugin

drwxrwxr-x 3 root admin 102 Sep 24 2007 Quartz Composer.webplugin

drwxrwxr-x 3 root admin 102 Nov 5 12:18 QuickTime Plugin.plugin

drwxrwxr-x 3 root admin 102 Jun 14 2008 QuickTime Plugin.webplugin

lrwxr-xr-x 1 Laura admin 68 Apr 8 2009 RealPlayer Plugin.plugin -> /Applications/RealPlayer.app/Contents/MacOS/RealPlayer Plugin.plugin

drwxrwxr-x 3 root admin 102 Apr 11 2012 Silverlight.plugin

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleBroadcast-0.9.16

drwxr-xr-x 3 root admin 102 Jan 25 2010 VeetleTVCore-0.9.16

drwxr-xr-x 3 root admin 102 Jan 28 2010 VeetleTVPlayer-0.9.16

drwxrwxr-x 3 root admin 102 Dec 12 2007 VerifiedDownloadPlugin.plugin

drwxr-xr-x@ 4 Laura admin 136 Nov 28 2007 Yahoo! Installer 3.plugin

-rw-rw-r-- 1 root admin 856 Oct 30 12:50 flashplayer.xpt

drwxrwxr-x 3 root admin 102 Jul 14 2008 iPhotoPhotocast.plugin

-rw-rw-r-- 1 root admin 2394 Jun 25 2011 nsIQTScriptablePlugin.xpt

Lauras-MacBook:~ Laura$


Can anybody help me? Tell me what I should do to solve this? Thanks.
