Crossrider Malware?

Hello ~

I've never worried about viruses or malware on my Mac, but lately my computer has been acting kind of quirky - I get the spinning wheel a lot and have been having issues on numerous websites while using Firefox 32.0.3. So I tried some trouble-shooting within Firefox and found I was not able to delete cookies. That led me to instructions (for Firefox) to find my Profile Manager and delete certain user.js files including a pref.js file. I found the file, but it won't delete, so then I opened it with text edit and noticed a bunch of lines in it that say 'Crossrider', which is apparently a type of virus?? I'm not sure it's really a virus or what to do about it if it is? I greatly appreciate ANY help? Thank you!


I copied and pasted some of the lines below


user_pref("extensions.crossrider.bic", "148f7b69a7db7159842440ff9d28f905");

user_pref("extensions.crossriderapp14917.14917.InstallationTime", 1412905213);

user_pref("extensions.crossriderapp14917.14917.MyEXT14917.Prefs_is_not_a_function", 6);

user_pref("extensions.crossriderapp14917.14917.active", true);

user_pref("extensions.crossriderapp14917.14917.addressbar", "NA");

user_pref("extensions.crossriderapp14917.14917.addressbarenhanced", "");

user_pref("extensions.crossriderapp14917.14917.asyncdb.was_copied", "true");

user_pref("extensions.crossriderapp14917.14917.asyncdb_dbWasSet", true);

user_pref("extensions.crossriderapp14917.14917.asyncdb_dbWasSet_FF25_FIX", true);

user_pref("extensions.crossriderapp14917.14917.backgroundver", 6);

user_pref("extensions.crossriderapp14917.14917.certdomaininstaller", "");

user_pref("extensions.crossriderapp14917.14917.changeprevious", false);

user_pref("extensions.crossriderapp14917.14917.cookie.InstallationTime.expiration", "Fri

iMac, OS X Mavericks (10.9.1), Actually 10.9.2

Posted on Oct 9, 2014 7:55 PM
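
An added example (not part of the original post, and not code from any tool mentioned in this thread): a small Python parser for the user_pref(...) lines of a Firefox profile's prefs.js, the file the post calls pref.js. It groups keys under the extensions.crossrider* branches and decodes the InstallationTime value as a Unix timestamp. The sample input is constructed from keys quoted in the post plus one unrelated preference; the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample in prefs.js format: keys quoted in the post above,
# plus one unrelated preference for contrast.
SAMPLE_PREFS = r'''
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:home");
user_pref("extensions.crossrider.bic", "148f7b69a7db7159842440ff9d28f905");
user_pref("extensions.crossriderapp14917.14917.InstallationTime", 1412905213);
user_pref("extensions.crossriderapp14917.14917.active", true);
user_pref("extensions.crossriderapp14917.14917.addressbar", "NA");
'''

# One preference per line: user_pref("key", value);
PREF_RE = re.compile(r'^\s*user_pref\("((?:[^"\\]|\\.)*)",\s*(.*)\);\s*$')
# Branches seen in the post: extensions.crossrider.* and extensions.crossriderapp<ID>.*
APP_RE = re.compile(r'^extensions\.(crossrider(?:app\d+)?)\.(.*)$', re.IGNORECASE)


def parse_prefs(text):
    """Yield (key, value) pairs; value is a bool, int or str."""
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, truncated entries
        key, raw = m.group(1), m.group(2).strip()
        if raw in ("true", "false"):
            value = raw == "true"
        elif re.fullmatch(r'-?\d+', raw):
            value = int(raw)
        else:
            value = raw.strip('"')
        yield key, value


def crossrider_report(text):
    """Group Crossrider preference keys by branch and decode InstallationTime."""
    report = defaultdict(lambda: {"keys": [], "installed_utc": None})
    for key, value in parse_prefs(text):
        m = APP_RE.match(key)
        if not m:
            continue
        entry = report[m.group(1).lower()]
        entry["keys"].append(m.group(2))
        if key.endswith(".InstallationTime") and type(value) is int:
            stamp = datetime.fromtimestamp(value, tz=timezone.utc)
            entry["installed_utc"] = stamp.isoformat()
    return dict(report)


if __name__ == "__main__":
    for branch, info in crossrider_report(SAMPLE_PREFS).items():
        print(branch, len(info["keys"]), "keys, installed:", info["installed_utc"])
```

Run it against a copy of prefs.js taken while Firefox is closed, since Firefox rewrites the file on exit.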


Oct 9, 2014 8:02 PM in response to Silly1here

Adware.CrossRider Removal Guide - malwareremovalguides


Helpful Links Regarding Malware Problems


If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide and AdwareMedic.


Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.


The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.


Fix Some Browser Pop-ups That Take Over Safari.


Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.


Quit Safari


Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.


Relaunch Safari


If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.


This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.


An excellent link to read is Tom Reed's Mac Malware Guide.

Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.

See these Apple articles:


Mac OS X Snow Leopard and malware detection

OS X Lion- Protect your Mac from malware

OS X Mountain Lion- Protect your Mac from malware

OS X Mavericks- Protect your Mac from malware

About file quarantine in OS X


If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)


From user Joe Bailey comes this equally useful advice:


The facts are:


1. There is no anti-malware software that can detect 100% of the malware out there.

2. There is no anti-malware that can detect everything targeting the Mac.

3. The very best way to prevent the most attacks is for you as the user to be aware that the most successful malware attacks rely on very sophisticated social engineering techniques preying on human avarice, ****, and fear.

4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on your computer is intended to entice you to install their malware thinking it is a protection against malware.

5. Some of the anti-malware products on the market are worse than the malware from which they purport to protect you.

6. Be cautious where you go on the internet.

7. Only download anything from sites you know are safe.

8. Avoid links you receive in email, always be suspicious even if you get something you think is from a friend, but you were not expecting.

9. If there is any question in your mind, then assume it is malware.

Oct 9, 2014 9:44 PM in response to Silly1here

First follow the instructions on this page. If there's a Firefox extension you can't get rid of, see below.

Back up all data before proceeding.

Triple-click anywhere in the line below on this page to select it:

~/Library/Application Support/Mozilla

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item selected. Quit the application if it's running. Move the selected item to the Trash. Relaunch the application and test.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

Oct 10, 2014 3:18 AM in response to Silly1here

There is undoubtedly more installed than just those entries in that file. To help you understand what needs to be removed, it would be helpful if you could download my AdwareMedic app and take a system snapshot, then post the results here. (The app will allow you to give a donation, but there is no need to do so, especially for this purpose.)


If you are unwilling to download an unfamiliar app, there are a few other things you can do. First, post a list of all the browser extensions you have installed. For instructions on where to find these, see:


http://www.adwaremedic.com/kb/browserextensions.php


Next, please provide a list of the files in the following folders (choose Go -> Go to Folder in the Finder and paste in each path to open it in a Finder window):


~/Library/LaunchAgents

/Library/LaunchAgents

/Library/LaunchDaemons


That will at least give us some of the information that AdwareMedic would gather.


(Fair disclosure: I may receive compensation from links to my site and software, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Oct 10, 2014 8:05 PM in response to thomas_r.

Hi thomas ~


I think this is the info you asked for -

I rarely even use Safari, and I'm sure these extensions aren't ones that I installed, at least not knowingly...


This is the AdwareMedic_log.txt


2014-10-10 22:01:09: ----- Scan Started -----

2014-10-10 22:01:09: Scanning with signatures version 23

2014-10-10 22:01:10: Spigot : /Users/angelaford/Library/Safari/Extensions/Amazon Shopping Assistant.safariextz , /Users/angelaford/Library/Safari/Extensions/Ebay Shopping Assistant.safariextz , /Users/angelaford/Library/Safari/Extensions/Searchme.safariextz , /Users/angelaford/Library/Safari/Extensions/SlickSavings.safariextz

2014-10-10 22:01:10: Spigot : /Users/angelaford/Library/Application Support/Spigot

2014-10-10 22:01:10: ----- Scan Ended -----


And this is the AdwareMedic System Report.txt


AdwareMedic 1.0.8 system report - Friday, October 10, 2014 @ 10:02:02 PM

Mac OS X version 10.9.5

22:02 up 2:29, 1 user, load averages: 1.99 1.62 1.46


Safari extensions

---------------

/Users/angelaford/Library/Safari/Extensions/Amazon Shopping Assistant.safariextz

Name: Amazon Shopping Assistant

Modified: Saturday, April 12, 2014 @ 5:41:19 PM

/Users/angelaford/Library/Safari/Extensions/Ebay Shopping Assistant.safariextz

Name: Ebay Shopping Assistant

Modified: Saturday, April 12, 2014 @ 5:41:19 PM

/Users/angelaford/Library/Safari/Extensions/iTube Studio.safariextz

Name: iTube Studio

Modified: Wednesday, December 18, 2013 @ 9:12:52 PM

/Users/angelaford/Library/Safari/Extensions/Searchme.safariextz

Name: Searchme

Modified: Saturday, April 12, 2014 @ 5:41:19 PM

/Users/angelaford/Library/Safari/Extensions/SlickSavings.safariextz

Name: Slick Savings

Modified: Saturday, April 12, 2014 @ 5:41:19 PM


Chrome extensions

---------------

None


Firefox extensions

---------------

None


Login items

---------------

Flux, iTunesHelper, Music Manager, MotoCastUpdater, Android File Transfer Agent, V CAST Backup Scheduler, Amazon Cloud Drive, Dropbox, AdobeResourceSynchronizer, CrossOver CD Helper, MotoCast


Startup items

---------------

total 0

drwxr-xr-x 5 root wheel 170 Mar 16 2010 HP IO

drwxr-xr-x 4 root wheel 136 Apr 27 15:05 Jaksta


System startup items

---------------

None


User launch agents

---------------

total 40

-rw-r--r-- 1 angelaford staff 603 Oct 22 2013 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

-rw-r--r--@ 1 angelaford staff 807 Oct 8 19:13 com.google.keystone.agent.plist

-rw-r--r-- 1 angelaford staff 552 Mar 26 2014 com.nds.pcshow.plist

-rw-r--r-- 1 angelaford staff 636 May 10 12:05 com.nds.pcshow.uninstall.plist

-rw-r--r-- 1 angelaford staff 535 May 8 18:09 com.victorpimentel.TVShowsHelper.plist


System launch agents

---------------

total 56

-rw-r--r-- 1 root wheel 884 Feb 19 2014 com.coupons.coupond.plist

-rw-r--r-- 1 root wheel 528 Jun 1 2012 com.kodak.BonjourAgent.plist

-rw-r--r-- 1 root wheel 588 Sep 24 2012 com.motorola.MDMUpdater.plist

-rw-r--r-- 1 root wheel 475 Sep 24 2012 com.motorola.motohelper.plist

-rw-r--r-- 1 root wheel 559 Sep 24 2012 com.motorola.motohelperUpdater.plist

lrwxr-xr-x 1 root wheel 104 Nov 8 2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist

-rw-r--r-- 1 root wheel 721 Nov 10 2013 org.macosforge.xquartz.startx.plist


System launch daemons

---------------

total 56

-rw-r--r-- 1 root wheel 462 Aug 27 20:34 com.adobe.fpsaud.plist

-rw-r--r-- 1 root wheel 483 Jul 17 21:05 com.charlessoft.pacifist.helper.plist

-rwxr-xr-x 1 root wheel 418 Jan 17 2012 com.motorola-mobility.mmcfgd.plist

lrwxr-xr-x 1 root wheel 103 Nov 8 2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist

-rw-r--r-- 1 root wheel 486 Jan 27 2014 com.oracle.java.JavaUpdateHelper.plist

-rwxr-xr-x 1 root wheel 639 Jun 29 17:28 com.torch.update.agent.plist

-rw-r--r-- 1 root wheel 670 Nov 10 2013 org.macosforge.xquartz.privileged_startx.plist


Third-party kernel extensions

---------------

com.Cycling74.driver.Soundflower (1.6.6) <88 5 4 3>

com.sophos.nke.swi (9.1.50) <4 3 1>

com.sophos.kext.sav (9.1.55) <5 4 1>


User cron tasks

---------------

None


Root cron tasks

---------------

None


launchd.conf contents

---------------

None


DNS settings

---------------

Server: 192.168.0.1


Hosts file

---------------

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

fe80::1%lo0 localhost


Scan log

---------------

No log file found

Oct 11, 2014 6:06 AM in response to Silly1here

Okay, here are some things I see:


First, you have the Spigot adware installed, probably due to downloading stuff from Download.com. AdwareMedic can remove it for you, or you can just remove the following extensions from Safari (in the Extensions pane of Safari's preferences): Amazon Shopping Assistant, Ebay Shopping Assistant, Searchme and Slick Savings.


You also have something called iTube Studio, which I'm not familiar with... but a Google search raises some red flags. It may be adware, and if so, could have been created by Crossrider.


However, I see no extensions installed in Firefox. You may have had some Crossrider-created browser extension installed in Firefox at some point and removed it.


There are a few other slightly suspicious things... something installed from coupons.com, something called TVShowsHelper by Victor Pimentel and the Torch web browser. (Torch is bad because it includes a torrent downloader, and as such is usually used for downloading things that you shouldn't be downloading, and thus may be a source for adware or malware.) None of those should be related to Crossrider, though.

Oct 11, 2014 1:13 PM in response to Silly1here

That is definitely not normal! If you have extensions installed, which you do, they should show up in a list. Even if you don't have extensions installed, though, the list should still be there, but will be empty:


User uploaded file

If your window is showing as your screenshot indicates, with the area where the list should be removed, then something is definitely wrong somewhere, but I'm not sure where that might be.


Start by removing all your Safari extensions. Quit Safari, then, in the Finder, choose Go to Folder from the Go menu and paste in the following path:


~/Library/Safari/Extensions/


Then click the Go button. Drag everything inside that folder out. Re-open Safari. Are the ads gone, and do your Extensions preferences display normally?

Oct 11, 2014 1:42 PM in response to thomas_r.

thomas_r. wrote:


That is definitely not normal!


Actually, I have to correct myself here... I thought I saw that your extensions were turned on, but the switch is set to off. The appearance is normal in that case. Those extensions are installed, but they are currently disabled and thus not displayed in Safari. Turn the switch back to "on" to manage your extensions through Safari, or use the technique I described for removing them manually.

Oct 11, 2014 5:54 PM in response to Linc Davis

Again, thank you both very much for your help. I'm trying to find an external drive that I can afford and is big enough to store all of the back up info on my Mac so I can use Time Machine - I had no idea the storage devices were so expensive!


I'm definitely making it my top priority!


I don't know if it was resetting Firefox or the AdwareMedic, but the crossrider items are gone when I open my pref.js with text edit now. I did also turn on my Safari extensions and removed all of them that then showed up.


I can't thank you enough!!!


Is there a way I can mark 'This solved my question' for both of you???

Oct 11, 2014 6:08 PM in response to Silly1here

Silly1here wrote:


Is there a way I can mark 'This solved my question' for both of you???


No, but it really doesn't matter. I don't care about the points; they really have no purpose, and that's not why I'm here anyway. I can't speak for Linc.


My advice would be to consider what post would be most useful to someone else who finds this topic at some point in the future. That's really what the "solved" is most important for - helping others with similar problems determine which post solved the issue for you. You can also award two "helpfuls," which can help to identify other posts as helping towards the solution.


Also, regarding the backups... keep in mind that you want to have a backup drive about three times the size of the data being backed up. So, if you have a 500 GB drive, but you've only filled it up to 150 GB and don't anticipate that growing significantly in the near future, you can do just fine with a backup drive that's 500 GB in size (150 GB x 3 = 450 GB). External drives that size aren't too expensive, unless you buy a solid state drive... traditional hard drives are much cheaper. You can get a good one for only $130 here:


http://eshop.macsales.com/shop/firewire/1394/USB/EliteAL/eSATA_FW800_FW400_USB


However, I always recommend having a minimum of two separate backups! If you can't afford buying two drives now, get one backup started now, then get a second drive as soon as you can manage it.
