Centurylink.net Webhelper Safari Redirect Bot-How Do I Remove it? I have completely reformatted my computer, and it is still there

Question

Centurylink.net Webhelper Safari Redirect Bot-How Do I Remove it? I have completely reformatted my computer, and it is still there

Hello. For a few months now I have had a redirect bot on my computer (Safari Redirect). I got it after I downloaded Maverick. I have been in touch with Apple Support and have done several things to try and remove it. I have reset Safari. I have deleted all extentions and add ons. I deleted Safari and reinstalled it. I erased all free space using Disk Utility. Finally, I reformatted my disk drive completely using Disk Utility and reinstalled OS X Moutntain Lion from the computer. We also attempted to reset the DNS cache, but I am not sure that was successful because I coul not see whether it accepted my password or not.

The redirect is an address bar redirect and it used to redirect me to a fake Centurylink.net webhelper page. It does this at first by adding 20's and percents between my search words. Like this: lexeon%20titan%2010000%20gpd%20commercial%20ro%20reverse%20osmosis%20whole%20hou se%20water%20filter

Before I reformatted my computer, it was taking me to a fake Centurylink.net Webhelper Page or a fake GoDaddy Page. Since I have reformatted my computer, Safari cannot find the server it used to be redirected too.

Now I get a message like this:

Safari Can't Find the Server

Safari Can't Open the Page "French%20Huguenot" because Safari can't find the

server "french huguenot"

I put Java on the highest security setting possible and that seemed to take care of the problem for awhile. However, it is now back. I just ordered a Mountain Lion OS X disk from Apple.com and I am going to reformat my computer again and reinstall with that disk because I cannot figure out what else to do.

HELP PLEASE?! DOES ANYBODY ELSE HAVE ANY IDEA HOW TO FINALLY GET THIS THING COMPLETELY OFF MY COMPUTER?!

MacBook Pro, OS X Mountain Lion (10.8.5), Happened after I upgraded to Maveri

Posted on Dec 1, 2013 12:57 PM

Reply

Answer 1

Linc Davis

Level 10

209,547 points

Dec 1, 2013 7:36 PM in response to tiggerkenwood

Please read this whole message before doing anything.

This procedure is a diagnostic test. It changes nothing, and therefore will not, in itself, solve your problem.

Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The procedure will help identify which such modifications you've installed, as well as certain other aspects of the configuration that may have a bearing on the problem. Don’t be alarmed by the apparent complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode, if possible. If you’re now running in safe mode, reboot as usual before continuing. If you can only boot in safe mode, you can still use this procedure, but not all of it will work. Be sure to mention that in your reply, if you haven't already done so.

Below are instructions to enter UNIX shell commands. The commands are safe and do nothing but produce human-readable text output, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects. I am not asking you to trust me. If you can't satisfy yourself that these instructions are safe, don't follow them.

The commands will line-wrap or scroll in your browser, but each one is really just a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. Step 1 should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.

Step 1

Triple-click anywhere in the line of text below on this page to select it:

{ echo "Loaded kernel extensions:"; kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'; echo $'\n'"Loaded user agents:"; launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)|\.[0-9]+$/{print $3}'; echo $'\n'"Inserted libraries:"; launchctl getenv DYLD_INSERT_LIBRARIES; echo $'\n'"User cron tasks:"; crontab -l; echo $'\n'"System launchd configuration:"; cat /e*/lau*; echo $'\n'"User launchd configuration:"; cat .lau*; echo $'\n'"Login items:"; osascript -e 'tell application "System Events" to get name of login items' | sed $'s/, /\\\n/g'; echo $'\n'"Safari extensions:"; /usr/libexec/PlistBuddy -c Print L*/Saf*/*/E*.plist | awk -F'= ' '/Bundl/{print $2}' | sed 's/\..*$//;s/-[1-9]$//'; printf "\nRestricted user files: %s\n" $(find ~ $TMPDIR.. $ -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 $ | wc -l); echo $'\n'"Extrinsic loadable bundles:"; cd; find -L /S*/L*/E* {,/}L*/{Ad,Compon,Ex,In,Keyb,Mail/Bu,P*P,Qu,Scripti,Servi,Spo}* -type d -name Contents -prune | while read d; do /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$d/Info.plist" | egrep -qv "^com\.apple\.[^x]|Accusys|ArcMSR|ATTO|HDPro|HighPoint|driver\.stex|hp-fax|JMicron|print|SoftRAID" && echo ${d%/Contents}; done; echo $'\n'"Unsigned shared libraries:"; find /u*/{,*/}lib -type f -exec sh -c 'file -b $1 | grep -qw shared && ! codesign -v $1' {} {} \; -print; echo; ls -A {,/}L*/{La,Priv,Sta}* L*/Fonts; } 2> /dev/null | open -ef

Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). I've tested these instructions only with the Safari web browser. If you use another browser, you may have to press the return key after pasting.

The command may take up to a few minutes to run, depending on how many files you have and the speed of the computer. A TextEdit window will open with the output. Post the contents of the TextEdit window (not the Terminal window) — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.

Step 2

Remember that you must be logged in as an administrator for this step. Do as in Step 1 with this line:

{ echo "Loaded system agents:"; sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; echo $'\n'"Login hook:"; sudo defaults read com.apple.loginwindow LoginHook; echo $'\n'"Root cron tasks:"; sudo crontab -l; echo $'\n'"Log check:"; syslog -k Sender kernel -k Message CReq 'GPU |hfs: Ru|I/O e|find tok|n Cause: -|NVDA\(|pagin|timed? ?o' | tail; } 2> /dev/null | open -ef

This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.

To prevent confusion, I'll repeat: When you type your password in the Terminal window, you won't see what you're typing.

Note: If you don’t have a login password, set one before taking Step 2. If that’s not possible, skip the step.

Important: If any personal information, such as your name or email address, appears in the output of these commands, anonymize it before posting. Usually that won't be necessary.

Remember, Steps 1 and 2 are all copy-and-paste — no typing, except your password. Also remember to post the output as text, not as a screenshot.

You can then quit Terminal.

Reply

Answer 2

Dec 1, 2013 8:54 PM in response to Linc Davis

HERE'S WHAT I GOT:

Last login: Sun Dec 1 21:39:52 on console

Rebeccas-MacBook-Pro:~ rebeccaswanstrom$ { echo "Loaded kernel extensions:"; kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'; echo $'\n'"Loaded user agents:"; launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)|\.[0-9]+$/{print $3}'; echo $'\n'"Inserted libraries:"; launchctl getenv DYLD_INSERT_LIBRARIES; echo $'\n'"User cron tasks:"; crontab -l; echo $'\n'"System launchd configuration:"; cat /e*/lau*; echo $'\n'"User launchd configuration:"; cat .lau*; echo $'\n'"Login items:"; osascript -e 'tell application "System Events" to get name of login items' | sed $'s/, /\\\n/g'; echo $'\n'"Safari extensions:"; /usr/libexec/PlistBuddy -c Print L*/Saf*/*/E*.plist | awk -F'= ' '/Bundl/{print $2}' | sed 's/\..*$//;s/-[1-9]$//'; printf "\nRestricted user files: %s\n" $(find ~ $TMPDIR.. $ -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 $ | wc -l); echo $'\n'"Extrinsic loadable bundles:"; cd; find -L /S*/L*/E* {,/}L*/{Ad,Compon,Ex,In,Keyb,Mail/Bu,P*P,Qu,Scripti,Servi,Spo}* -type d -name Contents -prune | while read d; do /usr/libexec/PlistBuddy -c 'Print :CFBundleIdentifier' "$d/Info.plist" | egrep -qv "^com\.apple\.[^x]|Accusys|ArcMSR|ATTO|HDPro|HighPoint|driver\.stex|hp-fax|JMic ron|print|SoftRAID" && echo ${d%/Contents}; done; echo $'\n'"Unsigned shared libraries:"; find /u*/{,*/}lib -type f -exec sh -c 'file -b $1 | grep -qw shared && ! codesign -v $1' {} {} \; -print; echo; ls -A {,/}L*/{La,Priv,Sta}* L*/Fonts; } 2> /dev/null | open -ef

AND

Loaded kernel extensions:

com.symantec.kext.internetSecurity (5.3f6)

com.symantec.kext.pf (5.6f22)

com.symantec.kext.ips (3.9f13)

com.symantec.kext.fw (5.3f12)

com.symantec.kext.SymAPComm (12.6f28)

Loaded user agents:

com.fiplab.MemoryCleanHelper

com.symantec.uiagent.application

com.symantec.nis.application

com.symantec.errorreporting.periodic-agent

com.oracle.java.Java-Updater

Inserted libraries:

User cron tasks:

System launchd configuration:

User launchd configuration:

Login items:

iTunesHelper

BetterSnapTool

Safari extensions:

Norton Internet Security

RedirectBuster

Reply

Answer 3

Dec 1, 2013 8:57 PM in response to tiggerkenwood

THIS IS WHAT I GOT WHEN I ENTERED THE PASSWORD LINE:

Loaded system agents:

com.symantec.deepsight-extractor

com.symantec.symdaemon

com.symantec.sharedsettings

com.symantec.liveupdate.daemon

com.symantec.liveupdate.daemon.ondemand

com.symantec.errorreporting.periodic

com.oracle.java.Helper-Tool

com.microsoft.office.licensing.helper

com.adobe.fpsaud

Login hook:

Root cron tasks:

Log check:

Nov 25 08:42:35 Rebeccas-MacBook-Pro kernel[0] <Debug>: MacAuthEvent en1 Auth result for: 00:0b:86:58:52:49 Auth timed out

--- last message repeated 1 time ---

Nov 28 20:27:19 Rebeccas-MacBook-Pro kernel[0] <Debug>: (default pager): [KERNEL]: Switching ON Emergency paging segment

Nov 28 20:27:20 Rebeccas-MacBook-Pro kernel[0] <Debug>: (default pager): [KERNEL]: Failed to recover emergency paging segment

Reply

Answer 4

Dec 1, 2013 8:59 PM in response to tiggerkenwood

NOTE: I downloaded the Redirect Buster after I started having problems with the BOT. Unfortunately, it does not work for this situation.

Reply

Answer 5

Linc Davis

Level 10

209,547 points

Dec 1, 2013 9:10 PM in response to tiggerkenwood

You didn't post all the output of Step 1. This is what I suggest on the basis of the information provided.

Remove the Norton/Symantec product by following the instructions on either of these pages:

Uninstalling your Norton product for Mac

Removing Symantec programs for Macintosh

If you have a different version of the product, the procedure may be different. Back up all data before making any changes.

From the Safari menu bar, select

Safari ▹ Preferences ▹ Extensions

Uninstall the two extensions.

Although it's not causing this problem, you should also remove the completely useless "MemoryClean" according to its developer's instructions.

Reply

Answer 6

thomas_r.

Level 7

31,989 points

Dec 2, 2013 3:25 AM in response to tiggerkenwood

I would agree with Linc that you need to get rid of Norton entirely. It doesn't do a very good job of detecting Mac malware, and is renowned for bringing a healthy Mac to its knees.

As for the problem, it sounds like the things you are entering in the address bar are not being searched for, they're being treated like a web site address. Is this only happening when you try to search for something using the address bar? If so, try again after removing Norton. Also, I'd recommend getting rid of RedirectBuster, it could be causing a problem like this.

Reply

Answer 7

Dec 4, 2013 9:18 PM in response to Linc Davis

I removed Memory Clean and Norton Internet Security with your directions. Now I am going to post the contents of the first text edit window here:

Loaded kernel extensions:

Loaded user agents:

com.oracle.java.Java-Updater

Inserted libraries:

User cron tasks:

System launchd configuration:

User launchd configuration:

Login items:

iTunesHelper

BetterSnapTool

Safari extensions:

RedirectBuster

Restricted user files: 55

Extrinsic loadable bundles:

/Library/Internet Plug-Ins/Flash Player.plugin

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

/Library/Internet Plug-Ins/Silverlight.plugin

/Library/PreferencePanes/Flash Player.prefPane

/Library/PreferencePanes/JavaControlPanel.prefPane

/Library/Spotlight/Microsoft Office.mdimporter

Unsigned shared libraries:

/Library/LaunchAgents:

com.oracle.java.Java-Updater.plist

/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

/Library/PrivateFrameworks:

/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper

/Library/StartupItems:

Library/Fonts:

Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.955B769D-201C-471D-9C23-499 7516A1595.plist

Reply

Answer 8

Dec 4, 2013 9:49 PM in response to Linc Davis

There is something wrong. I cannot get you the second text edit window. It asks for my login and then right away it gives me the message login incorrect before I can type anything in. It keeps on doing this over and over again as if someone else is typing. Here is all I could get from the first window. Notice all the logins that I did not do:

Loaded kernel extensions:

-bash: Loaded: command not found

Loaded user agents:

-bash: Loaded: command not found

com.oracle.java.Java-Updater

-bash: com.oracle.java.Java-Updater: command not found

Inserted libraries:

-bash: Inserted: command not found

User cron tasks:

-bash: User: command not found

System launchd configuration:

-bash: System: command not found

User launchd configuration:

-bash: User: command not found

Login items:

iTunesHelper

BetterSnapTool

Safari extensions:

RedirectBuster

Restricted user files: 55

Extrinsic loadable bundles:

/Library/Internet Plug-Ins/Flash Player.plugin

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

/Library/Internet Plug-Ins/Silverlight.plugin

/Library/PreferencePanes/Flash Player.prefPane

/Library/PreferencePanes/JavaControlPanel.prefPane

/Library/Spotlight/Microsoft Office.mdimporter

Unsigned shared libraries:

/Library/LaunchAgents:

com.oracle.java.Java-Updater.plist

/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.microsoft.office.licensing.helper.plist

com.oracle.java.Helper-Tool.plist

/Library/PrivateFrameworks:

/Library/PrivilegedHelperTools:

com.microsoft.office.licensing.helper

/Library/StartupItems:

Library/Fonts:

Library/LaunchAgents:

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.955B769D-201C-471D-9C23-499 7516A1595.plist

Login incorrect

login: Login incorrect

login: login: Login incorrect

login: Login incorrect

login: login: Login incorrect

login: Login incorrect

/Library/PreferencePanes/Flash Player.prefPane

-bash: /Library/PreferencePanes/Flash: No such file or directory

/Library/PreferencePanes/JavaControlPanel.prefPane

-bash: /Library/PreferencePanes/JavaControlPanel.prefPane: is a directory

/Library/Spotlight/Microsoft Office.mdimporter

-bash: /Library/Spotlight/Microsoft: No such file or directory

Unsigned shared libraries:

-bash: Unsigned: command not found

/Library/LaunchAgents:

-bash: /Library/LaunchAgents:: No such file or directory

com.oracle.java.Java-Updater.plist

-bash: com.oracle.java.Java-Updater.plist: command not found

/Library/LaunchDaemons:

-bash: /Library/LaunchDaemons:: No such file or directory

com.adobe.fpsaud.plist

-bash: com.adobe.fpsaud.plist: command not found

com.microsoft.office.licensing.helper.plist

-bash: com.microsoft.office.licensing.helper.plist: command not found

com.oracle.java.Helper-Tool.plist

-command not found

/Library/PrivateFrameworks:

-bash: /Library/PrivateFrameworks:: No such file or directory

/Library/PrivilegedHelperTools:

-bash: /Library/PrivilegedHelperTools:: No such file or directory

com.microsoft.office.licensing.helper

-bash: com.microsoft.office.licensing.helper: command not found

/Library/StartupItems:

-bash: /Library/StartupItems:: No such file or directory

Library/Fonts:

-bash: Library/Fonts:: No such file or directory

Library/LaunchAgents:

-bash: Library/LaunchAgents:: No such file or directory

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.955B769D-201C-471D-9C23-499 7516A1595.plist

-bash: com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.955B769D-201C-471D-9C23-49 97516A1595.plist: command not found

Message was edited by: tiggerkenwood

Reply

Answer 9

Dec 4, 2013 9:44 PM in response to tiggerkenwood

I tried it one more time. This time, this is what I get for the second textedit window:

Loaded system agents:

com.oracle.java.Helper-Tool

com.microsoft.office.licensing.helper

com.adobe.fpsaud

Login hook:

Root cron tasks:

Log check:

Dec 3 00:37:40 Rebeccas-MacBook-Pro kernel[0] <Debug>: Trying restart GPU ...

Dec 3 00:37:46 Rebeccas-MacBook-Pro kernel[0] <Debug>: GPU hang:

Dec 3 00:37:46 Rebeccas-MacBook-Pro kernel[0] <Debug>: Trying restart GPU ...

Dec 3 00:37:50 Rebeccas-MacBook-Pro kernel[0] <Debug>: GPU hang:

Dec 3 00:37:50 Rebeccas-MacBook-Pro kernel[0] <Debug>: Trying restart GPU ...

Dec 3 00:37:56 Rebeccas-MacBook-Pro kernel[0] <Debug>: GPU hang:

Dec 3 00:37:56 Rebeccas-MacBook-Pro kernel[0] <Debug>: Trying restart GPU ...

Dec 3 11:58:10 Rebeccas-MacBook-Pro kernel[0] <Debug>: MacAuthEvent en1 Auth result for: 00:0b:86:41:cd:61 Auth timed out

Dec 4 21:30:50 Rebeccas-MacBook-Pro kernel[0] <Debug>: GPU hang:

Dec 4 21:30:50 Rebeccas-MacBook-Pro kernel[0] <Debug>: Trying restart GPU ...

Reply

Answer 10

Linc Davis

Level 10

209,547 points

Dec 4, 2013 10:18 PM in response to tiggerkenwood

You were pasting output into the Terminal window, but that doesn't matter. There's enough information there to draw two conclusions.

First, you haven't removed the "RedirectBuster" Safari extension, which from the sound of the name is a likely cause of your original problem.

More importantly, you have a failing graphics adapter. The logic board will need to be replaced.

Make a "Genius" appointment at an Apple Store, or go to another authorized service provider.

Back up all data on the internal drive(s) before you hand over your computer to anyone. There are ways to back up a computer that isn't fully functional — ask if you need guidance.

If privacy is a concern, erase the data partition(s) with the option to write zeros* (do this only if you have at least two complete, independent backups, and you know how to restore to an empty drive from any of them.) Don’t erase the recovery partition, if present.

Keeping your confidential data secure during hardware repair

*An SSD doesn't need to be zeroed.

Reply

Answer 11

Dec 4, 2013 10:39 PM in response to Linc Davis

I bought that redirect software AFTER I got the bot or virus etc. in an attempt to stop the redirect. It did not work. However, the problem happened way before I installed that extension. It is not the issue. But, I did go in and remove it anyway.

Reply

Answer 12

Linc Davis

Level 10

209,547 points

Dec 4, 2013 10:48 PM in response to tiggerkenwood

From the menu bar, select

 ▹ System Preferences... ▹ Network ▹ Advanced... ▹ DNS

Under DNS Servers you should have one or more numerical addresses, such as “192.168.1.1” or “10.0.0.1”. What are those addresses?

Reply

Answer 13

Dec 5, 2013 3:46 PM in response to Linc Davis

Under DNS Servers: 192.168.0.1

Under Search Domains: PK5001Z

Reply

Answer 14

Linc Davis

Level 10

209,547 points

Dec 5, 2013 3:55 PM in response to tiggerkenwood

Back up all data.

Unlock the Network preference pane, if necessary, by clicking the lock icon in the lower left corner and entering your password. Cllck Advanced, open the DNS tab, and change the server addresses to the following:

8.8.8.8

8.8.4.4

That's Google DNS. Click OK, then Apply.

In Safari, select

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

and confirm. If you’re using another browser, empty the cache. Test. Any difference?

Notes:

1. If you lose Internet access after making the above change to your network settings, delete the Google servers in the Network preference pane, then select the TCP/IP tab and click Renew DHCP Lease. That should restore the original DNS settings; otherwise restore them yourself.

2. I’m not advocating Google or anything else as a DNS provider; the server addresses are offerred merely for testing purposes. There may be privacy and technical issues involved in using that service, which you should investigate personally before you decide whether to keep the settings. Other public DNS services exist.

Reply

Answer 15

Dec 5, 2013 5:28 PM in response to Linc Davis

Disregard. I figured it out. Still Working on the step.

Reply