Constantly getting ads on safari/firefox/chrome. Brother downloaded a file and have tried EVERYTHING to find this malware but cannot. Can a factory reset help at all?

Question

Level 1

0 points

Constantly getting ads on safari/firefox/chrome. Brother downloaded a file and have tried EVERYTHING to find this malware but cannot. Can a factory reset help at all?

Alright so a few days ago my brother used my laptop to download Super Bowl 48 (huge seahawk fans). He torrented it offline, however now whenever I use Safari/Firefox/Chrome I get CONSTANT ads and pop ups. I have tried everything. Clearing extensions, uninstalling everything he did, scanned my computer with Clamxav, iAntivirus and even a free trial from Norton's latest software. Nothing, yet the problem still remains. From what I've heard/read, if I take it to the apple store they cannot help. Is a factory reset the only way to go?

Links are double underlined in green, and when I move the mouse over them

they pop up into an ad

This is the homepage of www.bleacherreport.com full of ads that were never ever there before. (2014 ford, play now/download/ video on left).

Simply very annoying and I have noticed a slower speed to my computers processing of webpages. please please please help!

MacBook Pro with Retina display, OS X Mavericks (10.9.2)

Posted on Mar 23, 2014 2:47 AM

Reply

Answer 1

Csound1

Level 9

59,973 points

Mar 23, 2014 2:51 AM in response to Harford3

Stop adding more 3rd party junk to your Mac, it will not help the situation and will probably make things worse.

Do you have a backup of your Mac (with a Seahawk fan for a brother you should have)

Reply

Answer 2

Paul_31

Level 6

14,160 points

Mar 23, 2014 2:52 AM in response to Harford3

Sounds like you may have some malware hijacked your browser. Download and run the free EtreCheck and post he report here - it may reveal the culprit:

http://www.etresoft.com/etrecheck

BTW, Norton is an app to be avoided at all costs going by reports on here. Hopefully you've removed it using their uninstaller.

Reply

Answer 3

thomas_r.

Level 7

31,989 points

Mar 23, 2014 3:53 AM in response to Harford3

Your brother probably installed adware on your computer. This is often a consequence of downloading things from torrents... or worse. Don't do that anymore.

To remove it, see my Adware Removal Guide. My guess, based on the fact that this appeared after downloading from a torrent, would be that you have DownLite, but it could be something else as well. Even if you find that DownLite is installed, and successfully remove it, I'd still recommend going through the entire guide. In my experience, people who have one adware program installed fairly frequently have more than one.

Reply

Answer 4

thomas_r.

Level 7

31,989 points

Mar 23, 2014 3:55 AM in response to thomas_r.

Oh, and I forgot to add... iAntivirus is completely worthless. Norton is only fair at detecting Mac malware, and in exchange, has a penchant for ruining performance and causing instability. Get rid of both of those. Be sure to uninstall Norton properly, by running the original installer you used to install it (which will offer to remove it for you since it's already installed).

Reply

Answer 5

Harford3 Author

Level 1

0 points

Mar 23, 2014 9:39 AM in response to Paul_31

Alright I tried the EtreCheck and what happens is it gets to "checking launch agents" and then quits everytime. I uninstalled all the virus security crap, but thomas_r. I have no idea where the "Go to Folder" is in finder.

EDIT: Found go to folder and am now going through the removal process, will update soon.

Reply

Answer 6

Harford3 Author

Level 1

0 points

Mar 23, 2014 9:46 AM in response to thomas_r.

Your removal process is often hard to follow, especially for someone who knows nothing about these computers. I am lost on where you direct me to type "~/Library/LaunchAgents" into the go to folder, and then never come back to what I was supposed to do after.

Reply

Answer 7

Linc Davis

Level 10

209,547 points

Mar 23, 2014 9:59 AM in response to Harford3

You installed the "DownLite" trojan, perhaps under a different name. Remove it as follows.

Back up all data.

Triple-click anywhere in the line below on this page to select it:

/Library/Application Support/VSearch

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchAgents/com.vsearch.agent.plist /Library/LaunchDaemons/com.vsearch.daemon.plist /Library/LaunchDaemons/com.vsearch.helper.plist /Library/LaunchDaemons/Jack.plist /Library/PrivilegedHelperTools/Jack /System/Library/Frameworks/VSearch.framework

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

Restart and empty the Trash. Don't try to empty the Trash until you have restarted.

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

This trojan is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

Reply

Answer 8

Harford3 Author

Level 1

0 points

Mar 23, 2014 10:00 AM in response to Linc Davis

Yup, I found it is in fact DownLite. (march 19 around 1:03am is when this all happened)

Reply

Answer 9

Harford3 Author

Level 1

0 points

Mar 23, 2014 10:05 AM in response to Harford3

So before I do anything, because I feel as though this is my only chance to get this, I want to clarify. I found those two files form March 19th at 1am, now should I drag them to the trash, restart my computer and then empty the trash?

Reply

Answer 10

Linc Davis

Level 10

209,547 points

Mar 23, 2014 10:46 AM in response to Harford3

Yes.

Reply

Answer 11

Linc Davis

Level 10

209,547 points

Mar 23, 2014 10:48 AM in response to Harford3

In addition to "DownLite," you also installed the "Genieo" search-hijacking rootkit. The product is a fraud, and the developer knowingly distributes an uninstaller that doesn't work. I suggest the tedious procedure below to disable Genieo. You need to become a lot more careful about how you use the Internet.

Back up all data. You must know how to restore from a backup even if the system becomes unbootable. If you don't know how to do that, or if you don't have any backups, stop here and ask for guidance.

Step 1

Triple-click anywhere in the line below on this page to select it:

/etc/launchd.conf

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.

If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

A folder may open with a file selected, or the file may not exist, in which case you'll get a message that it can't be found. If it does exist, it's a configuration file created or replaced by the Genieo installer. Any software installer that does this should be considered ipso facto malware. Move the file to the Trash. You'll be prompted for your administrator password. Then restart, empty the Trash, and continue as below.

IMPORTANT: If the launchd.conf file exists, you must move it to the Trash and restart before continuing. Otherwise the system may become unbootable. In that case, restore from your backup and start over. That's how badly Genieo has sabotaged your system. If you're not completely sure you can complete this step, stop here and ask for guidance.

Some variants of Genieo don't include the launchd.conf file. The absence of that file doesn't mean that Genieo is not installed.

Step 2

Quit the Genieo application, if it's running. Force quit if necessary.

Move each of these items to the Trash in the same way as above:

/Applications/Genieo.app
/Applications/Uninstall Genieo.app
/Library/Frameworks/GenieoExtra.framework
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/usr/lib/libgenkit.dylib
  
 
    
     
  
   /usr/lib/libgenkitsa.dylib
   
  
     
/usr/lib/libimckit.dylib
   
  
     
/usr/lib/libimckitsa.dylib

There's no need to restart after each one. Again, some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

Restart and empty the Trash. Don't try to empty the Trash until you have restarted.

Your web browser(s) should now function normally, and you should be able to reset the home page and search engine. If not, stop here and post your results.

Step 3

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including ones called "Genieo" or "Omnibar," and any that have the word "Spigot" or "InstallMac" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

This procedure may leave a few files behind, but it will deactivate any version of Genieo that I know of. Make sure you don't repeat the mistake that led you to install it. Chances are you got it from one of the Internet's open sewers such as "Softonic" or "CNET Download." Never visit either of those sites again. You might also have downloaded it from an ad in a page on some other site.

Finally, be forewarned that when Genieo is mentioned on this site, the developer sometimes shows up under the name "Genieo support." If that happens, don't believe anything he says, but feel free to tell him what you think of his scam.

Reply

Answer 12

Linc Davis

Level 10

209,547 points

Mar 23, 2014 10:54 AM in response to Linc Davis

It might be a better idea for you to erase your hard drive and start over with a clean system and only your documents. Ask if you want guidance in doing that. Who knows what other detritus you've accumulated in your travels through the netherworld of the Internet?

Reply

Answer 13

Harford3 Author

Level 1

0 points

Mar 23, 2014 10:54 AM in response to Linc Davis

Alright so the ads and popups are finally gone, now I don't really know how to backup my computer. I have a macbook pro with retina, so no disk drive and unfortunately I do not have an external disk drive.

Reply

Answer 14

Harford3 Author

Level 1

0 points

Mar 23, 2014 10:57 AM in response to Linc Davis

I found the launchd.conf file, now I move it to trash and start over before doing anything?

Reply

Answer 15

Harford3 Author

Level 1

0 points

Mar 23, 2014 11:01 AM in response to Harford3

Mind as well start with a clean system, only really use this computer for school. I would like to save most of my pictures and what not so I'll just use a thumbdrive for that.

Reply