James Cook2

Q: onclickads - malware or virus?

As of this morning, when I click on a link within a page, a new page opens to onclickads and then reloads with some advertisement.

 

I've searched all of the usual folders in my Library, cleared caches etc, but cannot find out how to get rid of it. Norton found nothing.

 

I've not visited any unreputable sites and the only thing I can think of that I recently installed was a Flash update - though I can't vouch now for its authenticity.

 

I'm worried about it spreading to my other devices so I've turned off Safari in iCloud, hoping it's not already too late.

 

How do I get rid of this pest?

MacBook Pro, OS X Mavericks (10.9.2)

Posted on Apr 28, 2014 7:46 AM

Page 2 of 4
  • by sirpig, Level 1 (0 points), Apr 28, 2014 4:18 PM in response to James Cook2

    This is really weird...

    It seemed to be fixed, but as soon as I reinstalled Flash Player (this time from the link that Allan gave) the problem came back and the popups were constant.

    However, when I uninstalled Flash Player with the method I posted again, the problem instantly went away...

    Ideas?

  • by Allan Jones, Level 8 (35,311 points), iPad, Apr 28, 2014 5:33 PM in response to James Cook2

    Thank you James. Can you post another EtreCheck report so we can see if anything still looks "funny"?

  • by James Cook2, Level 1 (15 points), Notebooks, Apr 28, 2014 6:27 PM in response to Allan Jones

    Hardware Information:

              MacBook Pro (17-inch 2.4GHZ)

              MacBook Pro - model: MacBookPro3,1

              1 2.4 GHz Intel Core 2 Duo CPU: 2 cores

              4 GB RAM

     

    Video Information:

              GeForce 8600M GT     - VRAM: 256 MB

     

    System Software:

              OS X 10.9.2 (13C1021) - Uptime: 0 days 2:48:51

     

    Disk Information:

              Hitachi HTS541616J9SA00 disk0 : (160.04 GB)

                        EFI (disk0s1) <not mounted>: 209.7 MB

                        Heracles (disk0s2) / [Startup]: 159.18 GB (39.55 GB free)

                        Recovery HD (disk0s3) <not mounted>: 650 MB

     

    USB Information:

     

              Apple Inc. Built-in iSight

     

     

              Apple Inc. Bluetooth USB Host Controller

     

              Logitech USB Receiver

     

     

              Apple Computer Apple Internal Keyboard / Trackpad

     

              Apple Computer, Inc. IR Receiver

     

    Thunderbolt Information:

     

    Configuration files:

              /etc/hosts - Count: 13

     

    Gatekeeper:

              Anywhere

     

    Kernel Extensions:

              [kext loaded] com.AmbrosiaSW.AudioSupport (4.1.2 - SDK 10.6) Support

              [kext loaded] com.Logitech.Control Center.HID Driver (3.3.0) Support

              [kext loaded] com.Logitech.Unifying.HID Driver (1.2.0) Support

              [not loaded] com.roxio.BluRaySupport (1.1.6) Support

              [not loaded] com.roxio.TDIXController (2.0) Support

              [not loaded] com.seagate.driver.PowSecDriverCore (5.0.1) Support

              [not loaded] com.targus.driver.EventDriver (2.1.0f2) Support

              [not loaded] com.wdc.driver.1394HP (1.0.11 - SDK 10.4) Support

              [not loaded] com.wdc.driver.1394_64HP (1.0.1 - SDK 10.6) Support

              [not loaded] com.wdc.driver.USBHP (1.0.11) Support

              [not loaded] com.wdc.driver.USB_64HP (1.0.0 - SDK 10.6) Support

     

    Startup Items:

              ProTec6: Path: /Library/StartupItems/ProTec6

              ProTec6b: Path: /Library/StartupItems/ProTec6b

     

    Problem System Launch Agents:

              [failed] com.paragon.NTFS.auth.plist Support

     

    Launch Daemons:

              [loaded] com.adobe.fpsaud.plist Support

              [loaded] com.adobe.SwitchBoard.plist Support

              [loaded] com.ambrosiasw.ambrosiaaudiosupporthelper.daemon.plist Support

              [loaded] com.barebones.authd.plist Support

              [loaded] com.barebones.textwrangler.plist Support

              [running] com.bjango.istatmenusdaemon.plist Support

              [not loaded] com.econtechnologies.ChronoAgentRemote.plist Support

              [not loaded] com.maintain.HideSpotlightMenuBarIcon.plist Support

              [running] com.memeo.Memeod.plist Support

              [failed] com.memeo.WDMemeod.plist Support

              [loaded] com.microsoft.office.licensing.helper.plist Support

              [loaded] com.oracle.java.Helper-Tool.plist Support

              [running] com.orbicule.uc.plist Support

              [running] com.orbicule.uclocator.plist Support

     

    Launch Agents:

              [not loaded] com.adobe.AAM.Updater-1.0.plist Support

              [loaded] com.adobe.CS5ServiceManager.plist Support

              [running] com.bjango.istatmenusagent.plist Support

              [running] com.Logitech.Control Center.Daemon.plist Support

              [not loaded] com.maintain.PurgeInactiveMemory.plist Support

              [not loaded] com.maintain.Restart.plist Support

              [not loaded] com.maintain.ShutDown.plist Support

              [running] com.maintain.SystemEvents.plist Support

              [loaded] com.oracle.java.Java-Updater.plist Support

              [running] com.seagate.SeagateStorageGauge.plist Support

              [running] com.targus.agent.plist Support

     

    User Launch Agents:

              [loaded] com.adobe.AAM.Updater-1.0.plist Support

              [loaded] com.adobe.ARM.[...].plist Support

              [failed] com.akamai.single-user-client.plist Support

              [loaded] com.google.keystone.agent.plist Support

              [loaded] com.propaganda.dejavu.dvmonitor.plist Support

     

    User Login Items:

              ScreenSharingMenulet

              ChronoSync

              Canon IJ Network Scanner Selector2

              Dropbox

              Spell Catcher

              finderpop-daemon

     

    Internet Plug-ins:

              AdobeExManDetect: Version: AdobeExManDetect 1.1.0.0 - SDK 10.7 Support

              FlashPlayer-10.6: Version: 13.0.0.206 - SDK 10.6 Support

              QuickTime Plugin: Version: 7.7.3

              Flash Player: Version: 13.0.0.206 - SDK 10.6 Support

              Default Browser: Version: 537 - SDK 10.9

              SharePointBrowserPlugin: Version: 14.3.9 - SDK 10.6 Support

              Silverlight: Version: 5.1.10516.0 - SDK 10.6 Support

              JavaAppletPlugin: Version: Java 7 Update 51 Check version

     

    Audio Plug-ins:

              BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9

              AirPlay: Version: 2.0 - SDK 10.9

              AppleAVBAudio: Version: 203.2 - SDK 10.9

              iSightAudio: Version: 7.7.3 - SDK 10.9

     

    iTunes Plug-ins:

              Quartz Composer Visualizer: Version: 1.4 - SDK 10.9

     

    User Internet Plug-ins:

              CitrixOnlineWebDeploymentPlugin: Version: 1.0.94 Support

              WebEx64: Version: 1.0 - SDK 10.5 Support

     

    3rd Party Preference Panes:

              FinderPop  Support

              Flash Player  Support

              iStat Menus  Support

              Java  Support

              Logitech Control Center  Support

              Targus  Support

              Web Sharing  Support

     

    Time Machine:

              Skip System Files: NO

              Mobile backups: OFF

              Auto backup: NO - Auto backup turned off

              Volumes being backed up:

                        Heracles: Disk size: 148.25 GB Disk used: 111.42 GB

              Destinations:

                        Way Back [Local] (Last used)

                        Total size: 372.53 GB

                        Total number of backups: 29

                        Oldest backup: 2012-07-26 14:26:04 +0000

                        Last backup: 2014-04-25 18:54:23 +0000

                        Size of backup disk: Adequate

                                  Backup size 372.53 GB > (Disk used 111.42 GB X 3)

              Time Machine details may not be accurate.

              All volumes being backed up may not be listed.

     

    Top Processes by CPU:

                   5%          WindowServer

                   5%          ChronoSyncBackgrounder

                   1%          SystemUIServer

                   0%          Dropbox

                   0%          fontd

     

    Top Processes by Memory:

              168 MB          com.apple.IconServicesAgent

              123 MB          Mail

              90 MB          Safari

              82 MB          mds_stores

              78 MB          Dropbox

     

    Virtual Memory Information:

              706 MB          Free RAM

              1.82 GB          Active RAM

              988 MB          Inactive RAM

              537 MB          Wired RAM

              638 MB          Page-ins

              0 B          Page-outs

  • by thomas_r., Level 7 (30,944 points), Mac OS X, Apr 29, 2014 2:42 AM in response to James Cook2

    I've been working on this with James via e-mail, and I have to say that, so far, I'm stumped. I just asked him to run a test of the installed LaunchAgents and LaunchDaemons, but if all three of you actually have the same cause, he probably won't have any luck, because there doesn't seem to be anything common between those items on all your computers.

     

    I'd ask everyone to run the following command in the Terminal and report the output:

     

    crontab -l

     

    Also, do any of you know where this Adobe Flash Player update you all installed originally came from? Try looking back in your browser history to see if you can find it. If you can, it would be great if you could provide the link so I can test it out in a virtual machine. Alternately, if any of you still have the installer in your Downloads folder, let me know.

  • by James Cook2, Level 1 (15 points), Notebooks, Apr 29, 2014 5:30 AM in response to thomas_r.

    crontab: no crontab for jamescook

     

    That's all I got.

     

    Regarding an installer, it was several days ago, but if memory serves, it ran within my browser. I can't see anything in my browser history that jumps out.

     

    Worthy of noting though, my brother encountered it yesterday when he Googled "onclickads" and looked at a few of the results. I know he did a screen shot; I'll see if he has the URL.

  • by lytic, Level 1 (5 points), Apr 29, 2014 6:15 AM in response to James Cook2

    Run this command in terminal:

     

     

    sqlite3 ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV* 'select LSQuarantineDataURLString from LSQuarantineEvent'
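
The quarantine database that lytic's command queries also records which page a download came from and which application fetched it, which answers thomas_r.'s question about where the Flash installer originated. The following is an added example, not code from anyone in this thread: it builds an in-memory stand-in for the LSQuarantineEvent table (only the columns used are modelled, with constructed rows), runs lytic's query extended with the origin URL, and flags Flash-named downloads whose host or referring page is not on an assumed allow-list of Adobe hosts.

```python
import sqlite3
from urllib.parse import urlparse

# Hosts assumed legitimate for a Flash Player installer (constructed allow-list).
TRUSTED_HOSTS = {"get.adobe.com", "get3.adobe.com", "fpdownload.adobe.com"}


def build_sample_db():
    """In-memory stand-in for ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV*.
    Only the columns used below are modelled; the rows are constructed test data."""
    con = sqlite3.connect(":memory:")
    con.execute("""CREATE TABLE LSQuarantineEvent (
        LSQuarantineEventIdentifier TEXT PRIMARY KEY,
        LSQuarantineAgentName TEXT,
        LSQuarantineDataURLString TEXT,
        LSQuarantineOriginURLString TEXT)""")
    con.executemany("INSERT INTO LSQuarantineEvent VALUES (?,?,?,?)", [
        ("1", "Safari", "https://get3.adobe.com/flashplayer/update/osx/AdobeFlashPlayer.dmg",
         "http://get.adobe.com/flashplayer/"),
        ("2", "Safari", "http://cdn.example-ads.test/FlashPlayer_Update.dmg",
         "http://example-ads.test/update"),
        ("3", "Safari", None, None),  # event with no download URL recorded
    ])
    con.commit()
    return con


def quarantined_downloads(con):
    """lytic's query, extended with the origin page and the downloading app."""
    rows = con.execute(
        "SELECT LSQuarantineAgentName, LSQuarantineDataURLString, LSQuarantineOriginURLString "
        "FROM LSQuarantineEvent WHERE LSQuarantineDataURLString IS NOT NULL").fetchall()
    return [{"agent": a, "data_url": d, "origin_url": o} for a, d, o in rows]


def suspicious_installers(events, trusted=TRUSTED_HOSTS):
    """Flag downloads whose file name looks like a Flash installer but whose
    download host or referring page is not on the trusted allow-list."""
    flagged = []
    for ev in events:
        name = urlparse(ev["data_url"]).path.rsplit("/", 1)[-1].lower()
        if "flash" not in name:
            continue
        data_host = urlparse(ev["data_url"]).hostname or ""
        origin_host = urlparse(ev["origin_url"] or "").hostname or ""
        if data_host not in trusted or origin_host not in trusted:
            flagged.append(ev)
    return flagged
```

Against a real machine, replace build_sample_db() with sqlite3.connect() on the file lytic's command names; the file is per-user, so check each account on the Mac.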
  • by omijan7, Level 1 (0 points), Apr 29, 2014 8:17 AM in response to thomas_r.

    We apparently cleared the history on my desktop iMac recently, but my laptop history showed an Adobe Flash Player install on April 12, 2014. Here are the three links:

     

    https://get3.adobe.com/flashplayer/completion/aih/?exitcode=0&type=update

    http://get.adobe.com/flashplayer/     (yes, that's right--no "s" on "http")

    https://get3.adobe.com/flashplayer/update/osx/

     

    I hope this helps. I vaguely remember doing this install on both my laptop and desktop. (I'll never do THAT again!!)

  • by thomas_r., Level 7 (30,944 points), Mac OS X, Apr 29, 2014 8:24 AM in response to omijan7

    Those all look just fine. The middle one (with no "https") is just the base page, which would then redirect to a numbered, secure download server, based on traffic and (I'd guess) your location.

  • by omijan7, Level 1 (0 points), Apr 29, 2014 8:26 AM in response to omijan7

    Needless to say, this didn't fix it -- it came back!

  • by Allan Jones, Level 8 (35,311 points), iPad, Apr 29, 2014 8:31 AM in response to James Cook2

    James, this showed up as new in the last scan:

              [running] com.orbicule.uc.plist Support

              [running] com.orbicule.uclocator.plist Support

    Those preferences are related to a third-party "find my Mac" product called "Undercover." Did you install that since the previous EtreCheck run?

  • by n8huntsman, Level 1 (0 points), Apr 29, 2014 8:50 AM in response to James Cook2

    Just had the same problem with the same ads. It seems that the old "DNSChanger" bug may be making a comeback with new DNS servers. Check your DNS settings on your computer and on your router. Mine had been changed, presumably when I let a friend's computer (which was infected) connect to my network. Let me know if your DNS is set to something funky. In my case, it was set to 199.182.166.168.

  • by James Cook2, Level 1 (15 points), Notebooks, Apr 29, 2014 9:25 AM in response to Allan Jones

    Allan Jones wrote:

     

    James, this showed up as new in the last scan:

              [running] com.orbicule.uc.plist Support

              [running] com.orbicule.uclocator.plist Support

    Those preferences are related to a third-party "find my Mac" product called "Undercover." Did you install that since the previous EtreCheck run?

     

    They're present in both of the scans I've posted. I did install Undercover some years ago but have not done anything with it. They're easily deleted - but - I've been running today with LaunchDaemons and LaunchAgents removed from my Library folder and have restarted. The problem persists.

     

    I've also discovered that it doesn't need a link. A click anywhere on the page can trigger it. Once the browser loses focus, what had been a repeatable result ceases to cause it. It may not happen again for quite some time or it can kick in immediately making it very hard to tell if it's been defeated.

     

    I've tried two other computers on my network and have not encountered it on them. Unfortunately its randomness makes it hard to be certain that they're free of it.

  • by Allan Jones, Level 8 (35,311 points), iPad, Apr 29, 2014 9:51 AM in response to James Cook2

    I see now. The darned threadjacks here are making the whole thing confusing!

     

    Do you have another user account on your computer from which to test?

  • by thomas_r., Level 7 (30,944 points), Mac OS X, Apr 29, 2014 9:58 AM in response to n8huntsman

    That IP address appears to be in the serverel.net domain, which would seem to be a malicious domain if Web of Trust is to be believed:

     

    https://www.mywot.com/en/scorecard/serverel.net

     

    It is also identified as malicious by CLEAN MX and Webutation, according to VirusTotal:

     

    https://www.virustotal.com/en/url/6b2a330a9628a80f91a4624446c3b4a457d4d16103dba542677e298be35df392/analysis/1398790417/

     

    However, I know full well how questionable that kind of information is... my own site was identified as malicious by both of those at one time. So this may or may not mean anything.

     

    What are the domain name servers listed for everyone else having this problem? (Look in System Preferences -> Network, click the Advanced button and then the DNS tab.)
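
n8huntsman's and thomas_r.'s posts both come down to the same check: are the resolvers this Mac actually uses the ones you expect? The block below is an added example, not code from the thread. It parses the output format of `scutil --dns` (the sample text is constructed, reusing the address n8huntsman reported) and reports any resolver that is neither on a caller-supplied expected list nor a private or link-local address, which is what a DNS-changer substitution looks like. The expected list and the sample text are assumptions for the example.

```python
import ipaddress
import re

# Constructed sample in the shape of `scutil --dns` output (not captured from any
# machine in the thread). The first nameserver is the address n8huntsman reported.
SAMPLE_SCUTIL_DNS = """\
DNS configuration

resolver #1
  nameserver[0] : 199.182.166.168
  nameserver[1] : 192.168.1.1
  if_index : 4 (en0)
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
"""

NAMESERVER_RE = re.compile(r"^\s*nameserver\[\d+\]\s*:\s*(\S+)", re.M)


def resolvers_from_scutil(text):
    """Return the nameserver addresses in the order scutil lists them."""
    return NAMESERVER_RE.findall(text)


def unexpected_resolvers(servers, expected=()):
    """Return resolvers that are neither explicitly expected nor on a private,
    link-local or loopback network. A home router (192.168.x.x) passes; a public
    address you did not configure, like the one in the thread, is reported."""
    expected_ips = {ipaddress.ip_address(e) for e in expected}
    out = []
    for s in servers:
        try:
            ip = ipaddress.ip_address(s)
        except ValueError:
            out.append(s)  # not an IP literal at all; worth a look
            continue
        if ip in expected_ips or ip.is_private or ip.is_link_local or ip.is_loopback:
            continue
        out.append(s)
    return out
```

On a live Mac, feed resolvers_from_scutil() the stdout of `subprocess.run(["scutil", "--dns"], capture_output=True, text=True)`; a private router address passing this check still says nothing about the router's own upstream resolvers, which n8huntsman's post asks you to check separately.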

  • by omijan7, Level 1 (0 points), Apr 29, 2014 12:04 PM in response to thomas_r.

    My laptop and desktop both list: 192.168.1.1
