
How to remove Adware?

Recently I've downloaded something and now I have all this adware on Safari. Pop-up ads and certain words are highlighted that, when clicked, go to ads for surveys and stuff etc. I've tried everything but I can't get rid of the highlighted text. Does anyone know how to fix this?

MacBook Pro

Posted on Mar 5, 2014 2:06 AM

214 replies

Feb 9, 2015 1:14 PM in response to Anon4876

I had a similar problem. Can you help?


Here is what I got when I ran the shell.


Boot Mode: Normal


Model: MacBookPro9,2


System diagnostics


2015-01-22 Preview hang

2015-02-09 OnyX hang

2015-02-09 com.apple.WebKit.Plugin.64 hang

2015-02-09 com.apple.WebKit.WebContent hang


User diagnostics


2015-02-04 Google Earth crash


Kernel messages


Feb 3 08:05:29 BUG in process suhelperd[158]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 399 times ---

Feb 3 08:09:07 BUG in process suhelperd[158]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 4 times ---

Feb 3 08:09:16 BUG in process suhelperd[158]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 3 times ---

Feb 3 11:31:05 PM notification timeout (pid 465, WeatherBug Alert)

Feb 4 10:54:20 BUG in process suhelperd[158]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 661 times ---

Feb 6 07:38:13 BUG in process suhelperd[158]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

Feb 6 07:38:13 BUG in process suhelperd[158]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 270 times ---

Feb 9 10:41:03 BUG in process suhelperd[179]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 117 times ---

Feb 9 10:47:33 smb_iod_sendall: Timed out waiting on the response for 0x72 mid = 0x0 state 0x1

Feb 9 10:51:02 BUG in process suhelperd[179]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

Feb 9 11:14:06 Over-release of kernel-internal importance assertions for pid 52 (launchservicesd), dropping 1 assertion(s) but task only has 0 remaining (0 external).

Feb 9 11:16:33 process ARDAgent[420] thread 21781 caught burning CPU! It used more than 50% CPU (Actual recent usage: 51%) over 180 seconds. thread lifetime cpu usage 251.775096 seconds, (242.163437 user, 9.611659 system) ledger info: balance: 90002508411 credit: 251755843270 debit: 161753334859 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 175883740685

Feb 9 12:43:52 process MacScan[1867] thread 63376 caught burning CPU! It used more than 50% CPU (Actual recent usage: 96%) over 180 seconds. thread lifetime cpu usage 90.017933 seconds, (87.987255 user, 2.030678 system) ledger info: balance: 90010639789 credit: 90010639789 debit: 0 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 93565061563

Feb 9 12:53:18 process MacScan[2136] thread 70522 caught burning CPU! It used more than 50% CPU (Actual recent usage: 98%) over 180 seconds. thread lifetime cpu usage 90.007524 seconds, (87.966775 user, 2.040749 system) ledger info: balance: 90000319760 credit: 90000319760 debit: 0 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 91027004084


Loaded extrinsic kernel extensions


com.logmein.driver.LogMeInSoundDriver (1.0.3)

com.Cycling74.driver.Soundflower (1.5.1)

com.displaylink.driver.DisplayLinkDriver (2.1)


Extrinsic daemons


com.p5sys.jumpdesktop.service

com.v.helper

com.oracle.java.JavaUpdateHelper

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.oracle.java.Helper-Tool

com.displaylink.displaylinkmanager

com.bjango.istatlocaldaemon

com.eltima.ElmediaPlayer.daemon

com.logmein.raupdate

net.sourceforge.MonolingualHelper

com.ioxperts.ioxdeviced.1.1

com.adobe.fpsaud

com.bombich.ccc


Extrinsic agents


com.logmein.LMILaunchAgentFixer

com.bjango.istatlocal

com.v.agent

com.google.keystone.system.agent

com.epson.Epson_Low_Ink_Reminder.launcher

com.google.Chrome.framework.service_process/Users/newth/Library/Application_Support/Google/Chrome

com.p5sys.jumpdesktop.agent

com.skype.c2c_service

com.polyvision.dts.PreLoginAgentCarbon

com.polyvision.dts.PreLoginAgentCarbonv2

com.oracle.java.Java-Updater

com.displaylink.useragent

com.zeobit.MacKeeper.Helper

com.divx.update.agent

com.epson.eventmanager.agent

com.m86security.authenticator

com.divx.dms.agent


launchd items


/Library/LaunchAgents/com.displaylink.useragent-prelogin.plist

(com.displaylink.useragent-prelogin)

/Library/LaunchAgents/com.displaylink.useragent.plist

(com.displaylink.useragent)

/Library/LaunchAgents/com.divx.dms.agent.plist

(com.divx.dms.agent)

/Library/LaunchAgents/com.divx.update.agent.plist

(com.divx.update.agent)

/Library/LaunchAgents/com.epson.Epson_Low_Ink_Reminder.launcher.plist

(com.epson.Epson_Low_Ink_Reminder.launcher)

/Library/LaunchAgents/com.epson.eventmanager.agent.plist

(com.epson.eventmanager.agent)

/Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.system.agent)

/Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist

(com.logmein.LMILaunchAgentFixer)

/Library/LaunchAgents/com.logmein.logmeingui.plist

(com.logmein.logmeingui)

/Library/LaunchAgents/com.logmein.logmeinguiagent.plist

(com.logmein.logmeinguiagent)

/Library/LaunchAgents/com.logmein.logmeinguiagentatlogin.plist

(com.logmein.logmeinguiagentatlogin)

/Library/LaunchAgents/com.m86security.authenticator.plist

(com.m86security.authenticator)

/Library/LaunchAgents/com.oracle.java.Java-Updater.plist

(com.oracle.java.Java-Updater)

/Library/LaunchAgents/com.p5sys.jumpdesktop.agent.plist

(com.p5sys.jumpdesktop.agent)

/Library/LaunchAgents/com.polyvision.dts.PreLoginAgentCarbon.plist

(com.polyvision.dts.PreLoginAgentCarbon)

/Library/LaunchAgents/com.polyvision.dts.PreLoginAgentCarbonv2.plist

(com.polyvision.dts.PreLoginAgentCarbonv2)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.bombich.ccc.plist

(com.bombich.ccc)

/Library/LaunchDaemons/com.displaylink.displaylinkmanager.plist

(com.displaylink.displaylinkmanager)

/Library/LaunchDaemons/com.eltima.ElmediaPlayer.daemon.plist

(com.eltima.ElmediaPlayer.daemon)

/Library/LaunchDaemons/com.google.keystone.daemon.plist

(com.google.keystone.daemon)

/Library/LaunchDaemons/com.ioxperts.ioxdeviced.1.1.plist

(com.ioxperts.ioxdeviced.1.1)

/Library/LaunchDaemons/com.logmein.logmeinblanker.plist

(com.logmein.logmeinblanker)

/Library/LaunchDaemons/com.logmein.logmeinserver.plist

(com.logmein.logmeinserver)

/Library/LaunchDaemons/com.logmein.raupdate.plist

(com.logmein.raupdate)

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

(com.microsoft.office.licensing.helper)

/Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

(com.oracle.java.Helper-Tool)

/Library/LaunchDaemons/com.oracle.java.JavaUpdateHelper.plist

(com.oracle.java.JavaUpdateHelper)

/Library/LaunchDaemons/com.p5sys.jumpdesktop.service.plist

(com.p5sys.jumpdesktop.service)

/Library/LaunchDaemons/net.sourceforge.MonolingualHelper.plist

(net.sourceforge.MonolingualHelper)

Library/LaunchAgents/com.adobe.ARM.UUID.plist

(com.adobe.ARM.UUID)

Library/LaunchAgents/com.apple.FolderActions.enabled.plist

(com.apple.FolderActions.enabled)

Library/LaunchAgents/com.apple.FolderActions.folders.plist

(com.apple.FolderActions.folders)

Library/LaunchAgents/com.google.Chrome.framework.plist

(com.google.Chrome.framework.service_process/Users/newth/Library/Application_Support/Google/Chrome)

Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

(com.zeobit.MacKeeper.Helper)

Library/LaunchAgents/de.metaquark.appfresh.plist

(de.metaquark.appfresh)

Library/LaunchAgents/org.virtualbox.vboxwebsrv.plist

(org.virtualbox.vboxwebsvc)


Startup items


/Library/StartupItems/HP IO/HP IO

/Library/StartupItems/HP IO/Resources/English.lproj/Localizable.strings

/Library/StartupItems/HP IO/Resources/version.plist

/Library/StartupItems/IOXpertsDeviceMonitor/IOXpertsDeviceMonitor

/Library/StartupItems/IOXpertsDeviceMonitor/StartupParameters.plist

/Library/StartupItems/ParallelsTransporter/llipd

/Library/StartupItems/ParallelsTransporter/ParallelsTransporter

/Library/StartupItems/VideoGlide Startup/StartupParameters.plist

/Library/StartupItems/VideoGlide Startup/VideoGlide Startup

/Library/StartupItems/VideoGlide Startup/VideoGlide Startup.app/Contents/Info.plist

/Library/StartupItems/VideoGlide Startup/VideoGlide Startup.app/Contents/MacOS/VideoGlide Startup

/Library/StartupItems/VideoGlide Uninstall Startup/StartupParameters.plist

/Library/StartupItems/VideoGlide Uninstall Startup/VideoGlide Uninstall Startup

/Library/StartupItems/VideoGlide Uninstall Startup/VideoGlide Uninstall Startup.app/Contents/Info.plist

/Library/StartupItems/VideoGlide Uninstall Startup/VideoGlide Uninstall Startup.app/Contents/MacOS/VideoGlide Uninstall Startup

/Library/StartupItems/VirtualBox/Resources/English.lproj/Localizable.strings

/Library/StartupItems/VirtualBox/VirtualBox

/Library/StartupItems/WalkAndTalkUSBStartup/ReEnumerate

/Library/StartupItems/WalkAndTalkUSBStartup/StartupParameters.plist

/Library/StartupItems/WalkAndTalkUSBStartup/WalkAndTalkUSBStartup


Extrinsic loadable bundles


/System/Library/Extensions/ElmediaPlayer.kext

(com.eltima.ElmediaPlayer.kext)

/System/Library/Extensions/HotSync Classic Seize.kext

(com.palm.ClassicNotSeizeDriver)

/System/Library/Extensions/JMicronATA.kext

(com.jmicron.JMicronATA)

/System/Library/Extensions/LogMeInSoundDriver.kext

(com.logmein.driver.LogMeInSoundDriver)

/System/Library/Extensions/LumensAudioDriver.kext

(tw.com.Lumens.driver.LumensAudioDriver)

/System/Library/Extensions/LumensDC260MSDC.kext

(tw.com.lumens.driver.DC260MSDC)

/System/Library/Extensions/Soundflower.kext

(com.Cycling74.driver.Soundflower)

/System/Library/Extensions/USBAtTablet.kext

(com.Aiptek.iokit.driver.USBAtTablet)

/System/Library/Extensions/VideoGlide.kext

(com.echofx.videoglide.kext)

/System/Library/Extensions/WalkAndTalkSerial.kext

(com.FTDI.PolyVision.driver.FTDIUSBSerialDriver)

/Library/Address Book Plug-Ins/SMS Mac.bundle

(com.smsmac.abplugin)

/Library/Audio/Plug-Ins/Components/A52Codec.component

(com.shepmater.A52Codec)

/Library/Audio/Plug-Ins/Components/Flip4Mac WMA Import.component

(net.telestream.wmv.import)

/Library/Components/FileInputUnit.component

(com.WorldBook.FileInputUnit.component)

/Library/Components/IOXperts IIDC Codec.component

(com.ioxperts.codec.iidc.1.1)

/Library/Components/IOXperts Video Support.component

(com.ioxperts.vdig.sgpanel)

/Library/Components/IOXperts Webcam.component

(com.ioxperts.vdig.webcam)

/Library/Components/Scalar USB Microscope.component

(com.ioxperts.vdig.scalar)

/Library/Components/TimeAdapterUnit.component

(No bundle ID)

/Library/Extensions/DisplayLinkDriver.kext

(com.displaylink.driver.DisplayLinkDriver)

/Library/Extensions/DisplayLinkEthernetDriver.kext

(com.displaylink.dlusbncm)

/Library/Extensions/VBoxDrv.kext

(org.virtualbox.kext.VBoxDrv)

/Library/Extensions/VBoxNetAdp.kext

(org.virtualbox.kext.VBoxNetAdp)

/Library/Extensions/VBoxNetFlt.kext

(org.virtualbox.kext.VBoxNetFlt)

/Library/Extensions/VBoxUSB.kext

(org.virtualbox.kext.VBoxUSB)

/Library/InputManagers/Chax/Chax.bundle

(com.ksuther.chax.loader)

/Library/InputManagers/GearsEnabler/GearsEnabler.bundle

(com.google.GearsEnabler)

/Library/InputManagers/SIMBL/SIMBL.bundle

(net.culater.SIMBL)

/Library/Internet Plug-Ins/AdobePDFViewer.plugin

(com.adobe.acrobat.pdfviewer)

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

(com.adobe.acrobat.pdfviewerNPAPI)

/Library/Internet Plug-Ins/CouponPrinter-FireFox_v2.plugin

(com.coupons.plugin.mozilla-plugin)

/Library/Internet Plug-Ins/CouponPrinter-Safari.webplugin

(com.coupons.plugin.safari-plugin)

/Library/Internet Plug-Ins/DirectorShockwave.plugin

(com.adobe.shockwave.pluginshim)

/Library/Internet Plug-Ins/DivX Web Player.plugin

(com.divx.DivXWebPlayer)

/Library/Internet Plug-Ins/DRM Plugin.bundle

(com.microsoft.DRMPlugin)

/Library/Internet Plug-Ins/Flip4Mac WMV Plugin.plugin

(net.telestream.wmv.plugin)

/Library/Internet Plug-Ins/GarminGpsControl.plugin

(com.garmin.GarminGpsControl)

/Library/Internet Plug-Ins/Gears.plugin

(com.google.Gears)

/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin.backup.backup

(com.Google.GoogleEarthPlugin.plugin)

/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin.backup.backup/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin

(com.google.googletalkbrowserplugin)

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.oracle.java.JavaAppletPlugin)

/Library/Internet Plug-Ins/LogMeIn.plugin

(com.logmein.remctrlplugin)

/Library/Internet Plug-Ins/LogMeIn.plugin/LogMeInPluginHost.app

(com.logmein.logmeinpluginhost)

/Library/Internet Plug-Ins/LogMeInSafari32.plugin

(com.logmein.remctrlplugin)

/Library/Internet Plug-Ins/LogMeInSafari64.plugin

(com.logmein.remctrlplugin)

/Library/Internet Plug-Ins/Mozillaplug.plugin

(com.apple.verifieddownloadplugin)

/Library/Internet Plug-Ins/o1dbrowserplugin.plugin

(com.google.o1dbrowserplugin)

/Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin

(com.microsoft.officelive.browserplugin)

/Library/Internet Plug-Ins/OVSHelper.plugin

(com.divx.OVSHelper)

/Library/Internet Plug-Ins/Photo Center Plugin.plugin

(com.snapfish.upload)

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

(com.microsoft.sharepoint.browserplugin)

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

(com.microsoft.sharepoint.webkitplugin)

/Library/Internet Plug-Ins/Silverlight.plugin

(com.microsoft.SilverlightPlugin)

/Library/Internet Plug-Ins/SnagitSafariScroller.webplugin

(com.techsmith.SnagitSafariScroller)

/Library/Internet Plug-Ins/Unity Web Player.plugin

(com.unity.UnityWebPlayer)

/Library/Internet Plug-Ins/Windows Media Plugin

(com.microsoft.WMP.defaultplugin)

/Library/iTunes/iTunes Plug-ins/TuneUp Visualizer.bundle

(com.TuneUp.app.iTuneUp Visualizer)

/Library/PreferencePanes/avc1DecoderPane.prefPane

(com.MyCometG3.avc1DecoderPane)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

/Library/PreferencePanes/Flip4Mac WMV.prefPane

(net.telestream.wmv.prefpane)

/Library/PreferencePanes/Growl.prefPane

(com.growl.prefpanel)

/Library/PreferencePanes/JavaControlPanel.prefPane

(com.oracle.java.JavaControlPanel)

/Library/PreferencePanes/MacFUSE.prefPane

(com.google.MacFUSE)

/Library/PreferencePanes/Perian.prefPane

(org.perian.PerianPane)

/Library/PreferencePanes/QuickTimeXPref.prefPane

(com.mcs.pref-qtx)

/Library/PreferencePanes/RCDefaultApp.prefPane

(RCDefaultAppPref)

/Library/QuickTime/AC3MovieImport.component

(com.cod3r.ac3movieimport)

/Library/QuickTime/avc1Decoder.component

(com.MyCometG3.avc1Decoder)

/Library/QuickTime/Flip4Mac WMV Advanced.component

(net.telestream.wmv.advanced)

/Library/QuickTime/Flip4Mac WMV Export.component

(net.telestream.wmv.export)

/Library/QuickTime/Flip4Mac WMV Import.component

(net.telestream.wmv.import)

/Library/QuickTime/FLV.component

(com.theoryllc.FLVComponentBundle)

/Library/QuickTime/LumensDigitizer.component

(tw.com.Lumens.Digitizer)

/Library/QuickTime/LumensVDIG.component

(tw.com.Lumens.VDIG)

/Library/QuickTime/macam.component

(net.sourceforge.webcam-osx.common)

/Library/QuickTime/Perian.component

(org.perian.Perian)

/Library/QuickTime/VideoGlide.component

(com.echofx.videoglide.component.digitizer)

/Library/ScriptingAdditions/XtraFinder.osax

(com.trankynam.XtraFinder)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)

Library/InputManagers/Smart Crash Reports/Smart Crash Reports.bundle

(com.unsanity.smartcrashreports)

Library/Internet Plug-Ins/fbplugin_1_0_3.plugin

(com.facebook.plugin)

Library/Internet Plug-Ins/GCPlugin.plugin

(com.GradeCam.GCPlugin)

Library/Internet Plug-Ins/Picasa.plugin

(com.google.PicasaPlugin)

Library/Internet Plug-Ins/RealPlayer Plugin.plugin

(com.RealNetworks.RealPlayerPlugin)

Library/Internet Plug-Ins/skype_c2c_safari.bundle

(com.skype.c2c.safari-extension)

Library/Internet Plug-Ins/WebEx.plugin

(com.webex.WebEx)

Library/Internet Plug-Ins/WebEx64.plugin

(com.cisco_webex.plugin.gpc64)

Library/iTunes/iTunes Plug-ins/AudiblePalmPlugin.hplg

(com.audible.itunes.palm)

Library/PreferencePanes/skype_c2c_pref_pane.prefPane

(com.skype.c2c.skype-c2c-pref-pane)

Library/ScriptingAdditions/ChaxAddition.osax

(com.ksuther.chax.addition)

Library/ScriptingAdditions/EasySIMBL.osax

(com.github.norio-nomura.EasySIMBL.osax)


Extrinsic shared libraries


/usr/lib/libgutenprint.2.0.3.dylib


Proxies


AppleProxyConfigurationSelected : 2

ProxyAutoConfigEnable : 0


Netmask: 255.255.252.0


Root crontab


* */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1


Login hook


/Library/Scripts/mute-off.sh


Application check


com.google.GoogleDrive


Global login items


/Library/Application Support/IOXperts/Private/ioxsessiond.app


User login items


GrowlHelperApp

GrowlMenu

WeatherBug Alert

Dropbox

PowerboxInjector

AdobeResourceSynchronizer

XtraFinder

RealPlayer Downloader Agent


Safari extensions


AdBlock

Reload Button

OpenIE

Skype Click To Call


Restricted user files: 413


Font problems: 17


Bad plists


Library/Containers/com.apple.ShareKitHelper/Data/Library/Application Support/CrashReporter/com.apple.ShareKitHelper_UUID.plist


Desktop file count: 26


Keychains file count: 15


Elapsed time (s): 279

Feb 9, 2015 4:41 PM in response to Mr.Newth

You installed the "MacAccess" malware, a remote-access rootkit that gives full control to an Internet criminal. It could have compromised all data.

MacAccess circulated in 2008 and 2009, and is probably no longer active today, though I can't be sure of that. Instructions for removing it were posted here. I have not tested those instructions, so I can't recommend that you follow them. Instead, I recommend the following procedure to be sure the machine is safe to use. The choice is yours.

Erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated. Do not reinstall "MacKeeper," "DivX," "Elmedia Player," or other such junk.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this after the system has been secured, not before.

Feb 9, 2015 5:32 PM in response to Linc Davis

Linc Davis wrote:


You installed the "MacAccess" malware, a remote-access rootkit that gives full control to an Internet criminal. It could have compromised all data.


There is actually no Mac malware that was called MacAccess. That was just the name of one of many things that installed the RSPlug (aka DNSChanger) malware.


RSPlug is no longer a threat. The malicious DNS servers that it utilized were seized by the FBI in 2011, and were ultimately shut down in mid-2012. The shutdown of those servers should have shut off network access to any infected Macs... the fact that Mr.Newth is able to get online means that this malware is not still functional on his Mac, even though some components are still present.


For help removing the remnants, see:


How to remove the DNS Changer malware


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)


Of course, because a Mac that still has components of RSPlug installed is probably chock-full of all manner of outdated software - and there are indeed some other problems with this machine - it may be more worthwhile to kill many birds with one stone, and do exactly as Linc says, erasing the hard drive and reinstalling everything from scratch.

Feb 9, 2015 6:34 PM in response to thomas_r.

There is actually no Mac malware that was called MacAccess.

That's incorrect. "MacAccess" is described briefly here:


http://ithreats.net/2008/12/26/how-to-remove-macaccess-trojan/


and in much more detail here:


http://www.sans.org/reading-room/whitepapers/forensics/mac-os-x-malware-analysis-33178


It doesn't change the DNS settings directly. It downloads and runs scripts to make other system modifications, including but not necessarily limited to "DNSChanger."

Feb 9, 2015 7:14 PM in response to Linc Davis

Linc Davis wrote:

That's incorrect. "MacAccess" is described briefly here:


http://ithreats.net/2008/12/26/how-to-remove-macaccess-trojan/


Yes, it is described there. However, the IP addresses and files installed that are mentioned in that article belonged to RSPlug. That particular blog called it MacAccess, because that's what the installer claimed to install. Nobody else ever called it that, however. Other names used besides RSPlug were DNSChanger, Jahlav and Puper.


and in much more detail here:


http://www.sans.org/reading-room/whitepapers/forensics/mac-os-x-malware-analysis-33178


You will notice that document does not mention MacAccess at all. It refers to Puper, and also calls it RSPlug. Quoting from the first sentence of section 2.0 of page 2 of that document:


"Our first sample is the OSXPuper.a (a.k.a RSPlug-F) Trojan."


You'll notice from the screenshot on page 7 that their sample went by the name MacCinema, not MacAccess.


This is very well-known and long-extinct malware that is not a threat in any way at this point.

Feb 9, 2015 7:40 PM in response to thomas_r.

The term "MacAccess" has been used more than once, and whether it's called that or "MacCinema" or "RSPlug" or something else is pointless to argue about. I call it "MacAccess." Since I and at least one other person are calling it that, "MacAccess" is one of its names. You're welcome to use a different one.


MacAccess is not the same thing as "DNSChanger." It's a remote-access rootkit that runs root scripts downloaded from a C&C server. One of those scripts changed the DNS settings. MacAccess itself did not change them, as shown in the SANS paper. Neither you, nor I, nor anyone else knows what other scripts might have been downloaded by MacAccess several years ago. While it's unlikely that any other kind of compromise would have persisted down to the present, no one can be sure of that. If I had it on a computer I was using, I would do what I advised the questioner to do, and so would you unless you are a fool.


Oddly enough, when I advise other questioners to remove the "iWorm" trojan, for which there's plenty of evidence that it can be removed safely, you take the opposite position that they must do a clean reinstallation. What is your source of data that a clean installation is mandatory with "iWorm" but not with "MacAccess?"

Feb 10, 2015 2:01 AM in response to Mr.Newth

I am not going to take sides here. I know a lot about RSPlug or DNS Changer or whatever name you want to give that, but not enough about MacAccess to judge what it might be capable of, or even more important, what it's been observed to have done.


I just want to support both parties' advice to Erase and Install OS X, migrate Users only (or Finder-copy only your user data files) and install all third-party software from a current source. I see you have all kinds of old, unsupported and partially installed software that you must have been dragging around for years. It would take me at least half an hour to list the ones I recognize, and there are many others that I'd have to look up, which is really something you should be doing.

Feb 10, 2015 4:53 AM in response to Linc Davis

Linc Davis wrote:


The term "MacAccess" has been used more than once, and whether it's called that or "MacCinema" or "RSPlug" or something else is pointless to argue about. I call it "MacAccess." Since I and at least one other person are calling it that, "MacAccess" is one of its names. You're welcome to use a different one.


MacAccess is not the same thing as "DNSChanger."


You can't say MacAccess is another name for RSPlug and then turn around and say it's not the same thing as "DNSChanger". That's like saying that "jaybird" is another name for "blue jay," but it's not the same thing as a bird.


DNSChanger was the name used for both the Windows and Mac versions of this malware. The names RSPlug, Jahlav and Puper were Mac-specific names. MacAccess and MacCinema were the names of things supposedly installed by the installer for this malware - the "bait," so to speak. Calling the malware by these names is exactly as inaccurate as saying that the Downlite/VSearch adware can also be called MPlayerX.


Neither you, nor I, nor anyone else knows what other scripts might have been downloaded by MacAccess several years ago.


RSPlug is, in computer terms, ancient malware, and it was one of the most successful pieces of malware in Mac history... perhaps even more prevalent than Flashback was at its peak. It is very well documented at this point. It was never known to do more than change DNS servers, and prevent the user from changing them back. The hackers behind this malware are in jail and the servers it connected to are gone, so any threats it might have posed back before the FBI took these hackers down in late 2011 is no longer an issue.


Some reading on the topic:


http://www.dcwg.org

http://en.wikipedia.org/wiki/RSPlug

http://en.wikipedia.org/wiki/DNSChanger


Oddly enough, when I advise other questioners to remove the "iWorm" trojan, for which there's plenty of evidence that it can be removed safely, you take the opposite position that they must do a clean reinstallation.


First, where is this "evidence" that you refer to? Thus far, I have not seen anyone document the behavior of iWorm's backdoor in detail, probably because the trojan was killed very quickly and never affected many users. If I have missed something, please cite your source.


Second, that is irrelevant to this topic. iWorm is a very recent piece of malware, while RSPlug is very old and well-documented. They really didn't have anything in common, other than being malware. They are completely different things.


You should note here that I did not recommend against erasing the system. There are some other good reasons to reinstall the system in this case. Mr.Newth's system is a mess. However, the presence of a non-functional remnant of some ancient malware is not one of those reasons. (And it is indeed non-functional, since any functional RSPlug infections remaining today would prevent the user from connecting to any internet servers, due to use of DNS server addresses that no longer exist.)

Feb 14, 2015 10:21 AM in response to Linc Davis

Boot Mode: Normal



Model: MacBookAir6,2



User diagnostics



2015-01-24 Spotify Helper crash

2015-01-30 Spotify Helper crash



Kernel messages



Feb 8 23:24:53 PM notification timeout (pid 2420, FaceTime)

--- last message repeated 1 time ---

Feb 9 08:25:39 PM notification timeout (pid 152, iPhoto)

--- last message repeated 1 time ---

Feb 14 17:17:45 PM notification timeout (pid 5034, Google Chrome He)



Pageouts (MiB): 403865



Total CPU usage: user 25%, system 35%



CPU usage by process "Google Chrome He" with UID 501: 80,8%



Extrinsic daemons



com.v.helper

com.microsoft.office.licensing.helper



Extrinsic agents



com.jdibackup.ZipCloud.backupstart

com.jdibackup.ZipCloud.notify

com.fiplab.MenuTabHelper

com.v.agent

com.spotify.webhelper

com.jdibackup.ZipCloud.autostart

com.google.keystone.user.agent



launchd items



/Library/LaunchAgents/com.mouse.agent.plist

(com.v.agent)

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

(com.microsoft.office.licensing.helper)

/Library/LaunchDaemons/com.mouse.daemon.plist

(com.v.daemon)

/Library/LaunchDaemons/com.mouse.helper.plist

(com.v.helper)

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

(com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID)

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

(com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID)

Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.user.agent)

Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

(com.jdibackup.ZipCloud.autostart)

Library/LaunchAgents/com.jdibackup.ZipCloud.backupstart.plist

(com.jdibackup.ZipCloud.backupstart)

Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist

(com.jdibackup.ZipCloud.notify)

Library/LaunchAgents/com.spotify.webhelper.plist

(com.spotify.webhelper)



Extrinsic loadable bundles



/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.apple.java.JavaAppletPlugin)

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

(com.microsoft.sharepoint.browserplugin)

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

(com.microsoft.sharepoint.webkitplugin)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)

Library/Services/Add To Backup Selection.workflow

(No bundle ID)

Library/Services/Instant Backup.workflow

(No bundle ID)

Library/Services/Remove From Backup Selection.workflow

(No bundle ID)

Library/Services/View Previous Versions.workflow

(No bundle ID)



DNS (from DHCP): 80.58.61.250



User login items



iTunesHelper

Dropbox.app

Google Chrome

Spotify



Restricted user files: 40



Font problems: 20



Elapsed time (s): 175

Feb 14, 2015 10:58 AM in response to abeljaime


There is no need to download anything to solve this problem. You may have installed a variant of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.

If you have trouble following those instructions, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form

com.something.daemon.plist

and

com.something.helper.plist

Here something is a variable string of characters, which can be different in each case. So far it has always been a string of letters without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

Open this folder:

/Library/Application Support

If it has a subfolder named just

something

where something is the same string you saw before, drag that subfolder to the Trash and close the window.

Don't delete the "Application Support" folder or anything else inside it.

Finally, in this folder:

/System/Library/Frameworks

there may be an item named exactly

v.framework

It's actually a folder, though it has a different icon than usual. This item always has the above name; it doesn't vary. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

B

"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.

To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)

Quit the application, if it's running, and drag it from the Applications folder to the Trash.

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

Right-click or control-click the highlighted line and select

Services > Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.

In the same folder, there may also be a file named

com.jdibackup.ZipCloud.notify.plist

Move that to the Trash as well.

Log out or restart the computer and empty the Trash.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
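The naming rule from part A above, turned into a read-only scan. This is an added example, not code from the post: it only reports which files fit the com.something.daemon/helper/agent pattern (plus the matching Application Support subfolder and v.framework) and deletes nothing, and the `demo()` function builds a constructed sample tree in a temporary directory rather than touching a real system.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the post: com.<something>.{daemon,helper,agent}.plist, <something> unpunctuated
_PLIST_RE = re.compile(r"^com\.([A-Za-z0-9]+)\.(daemon|helper|agent)\.plist$")

def _match_plists(folder, roles):
    # Map <something> -> {role: path} for the matching plists in one folder
    out = {}
    if folder.is_dir():
        for entry in folder.iterdir():
            m = _PLIST_RE.match(entry.name)
            if m and m.group(2) in roles:
                out.setdefault(m.group(1), {})[m.group(2)] = str(entry)
    return out

def find_vsearch_candidates(root=Path("/")):
    """Report, never delete, file sets matching the pattern; root is a Path prefix so a test tree can be scanned."""
    in_daemons = _match_plists(root / "Library/LaunchDaemons", {"daemon", "helper"})
    in_agents = _match_plists(root / "Library/LaunchAgents", {"agent"})
    findings = []
    for something, found in sorted(in_daemons.items()):
        # The post's identification rule: a daemon AND a helper plist sharing one string
        if "daemon" not in found or "helper" not in found:
            continue
        paths = [found["daemon"], found["helper"]]
        if something in in_agents:  # the matching LaunchAgents plist, when present
            paths.append(in_agents[something]["agent"])
        leftover = root / "Library/Application Support" / something
        if leftover.is_dir():
            paths.append(str(leftover))
        # "apple" as the string needs manual review: built-in OS X files look similar
        findings.append({"name": something, "paths": paths, "needs_review": something == "apple"})
    return {"findings": findings,
            "v_framework_present": (root / "System/Library/Frameworks/v.framework").exists()}

def demo():
    """Build a constructed sample tree in a temp dir (not a real system) and scan it."""
    base = Path(tempfile.mkdtemp())
    for rel in ("Library/LaunchDaemons/com.highway.daemon.plist",
                "Library/LaunchDaemons/com.highway.helper.plist",
                "Library/LaunchDaemons/com.apple.mDNSResponder.plist",  # legitimate name, no match
                "Library/LaunchAgents/com.highway.agent.plist"):
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_text("<plist/>")
    (base / "Library/Application Support/highway").mkdir(parents=True)
    (base / "System/Library/Frameworks/v.framework").mkdir(parents=True)
    return find_vsearch_candidates(base)
```

Run `find_vsearch_candidates()` with no argument to scan the real root; the result is a report to check by hand against the post's instructions, not a list to delete automatically.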

Feb 23, 2015 9:12 PM in response to Anon4876

Hi friends, sorry about my English.

Accidentally I downloaded a plugin which I think is a virus. Every time I open a site, different pop-up windows open.

So I searched a lot and finally found the solution.

So if you are facing a pop-up ads problem, automatically or on clicking anywhere, please download AdwareMedic; it's free.


This is the link.

http://www.adwaremedic.com/index.php

Mar 1, 2015 6:11 PM in response to Anon4876

I had this very problem for the last 2 days. Don't really know just how I got it but there you go... I got it. I looked around and saw several LONG and COMPLICATED ways to remove this rascal and then I came upon a FREE download called ADWAREMEDIC. Now this Program is FREE but they do ask if you want to DONATE. I DL'd this very quickly and as soon as I used it... POOF! GONE! VANISHED! my problem was SOLVED! I was so pleased I decided to send in a DONATION. I highly recommend this software NOT because it's CHEAP but it ABSOLUTELY WORKS, it does it FAST and it is FOR REAL! Go to www.adwaremedic.com. And get your computer back to NORMAL!
