
Mackeeper and other pop ups

Hey, I was wondering if anyone could tell me if my MacBook Pro has a possible virus? I really don't think anything is wrong, as everything seems to be working fine, knock on wood.... However, I noticed when using Safari, I have had pop ups for Mackeeper, to clean my Mac, and just now I got a new tab opened automatically for Mackeeper and when I went to leave the page, a pop up appeared that said Let Mackeeper clean your Mac, If you don't want to use Mackeeper, leave this page. It might not have been word for word, but it was to that effect, I exited out of that page! I saw a similar post on here from November, and Linc Davis gave steps to check for an extension that could be a problem. I followed those steps, but didn't find any extensions at all... So, did I look right and do I have anything to worry about? I really am not worried and know what to look for, but just want some opinions of my peers....

MacBook Pro, OS X Yosemite (10.10.1), Late 2011 2.2ghz Quad core i7

Posted on Dec 19, 2014 3:18 PM

7 replies

Dec 19, 2014 3:20 PM in response to LudwigZildjian

Helpful Links Regarding Malware Problems


If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide, AdwareMedic, or Remove unwanted adware that displays pop-up ads and graphics on your Mac - Apple Support.


Open Safari, select Preferences from the Safari menu. Click on the Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.


The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.


Fix Some Browser Pop-ups That Take Over Safari.


Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.


Quit Safari


Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.


Relaunch Safari


If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.


This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.


An excellent link to read is Tom Reed's Mac Malware Guide.

Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.

See these Apple articles:


Mac OS X Snow Leopard and malware detection

OS X Lion- Protect your Mac from malware

OS X Mountain Lion- Protect your Mac from malware

OS X Mavericks- Protect your Mac from malware

About file quarantine in OS X


If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)


From user Joe Bailey comes this equally useful advice:


The facts are:

1. There is no anti-malware software that can detect 100% of the malware out there.
2. There is no anti-malware that can detect everything targeting the Mac.
3. The very best way to prevent the most attacks is for you as the user to be aware that the most successful malware attacks rely on very sophisticated social engineering techniques preying on human avarice, ****, and fear.
4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on your computer are intended to entice you to install their malware thinking it is a protection against malware.
5. Some of the anti-malware products on the market are worse than the malware from which they purport to protect you.
6. Be cautious where you go on the internet.
7. Only download anything from sites you know are safe.
8. Avoid links you receive in email, always be suspicious even if you get something you think is from a friend, but you were not expecting.
9. If there is any question in your mind, then assume it is malware.

Dec 19, 2014 3:22 PM in response to LudwigZildjian

You may have installed the "Downlite" or "VSearch" ad-injection malware. Follow the instructions on this Apple Support page to remove it.

Back up all data before making any changes.

Malware is always changing to get around the defenses against it. In addition to, or instead of, the files listed in the support article, you may need to remove the following items:

/Library/Application Support/dot
/Library/LaunchAgents/com.dot.agent.plist
/Library/LaunchDaemons/com.dot.daemon.plist
/Library/LaunchDaemons/com.dot.helper.plist
/System/Library/Frameworks/v.framework

One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.

If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, then you may have one of the other kinds of adware covered by the support article. Follow the rest of the instructions in the article.

The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This malware is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Still in System Preferences, open the App Store or Software Update pane and check the box marked "Install system data files and security updates" if it's not already checked.

Dec 19, 2014 3:35 PM in response to LudwigZildjian

The best way to prevent this from ever happening again is to be vigilant about where you click and what you install. Alternatively, a good way to suppress ads that might tempt or annoy you like the MacKeeper ads you're talking about is to install the AdBlock extension (free, donate if you like it) https://getadblock.com/

You don't have to download or install anything in order to get internet safety, but AdBlock has a very good reputation and makes everything much more convenient.

Dec 19, 2014 3:41 PM in response to CellarDwellr

Since my post and Linc Davis' reply, I already checked for those files, except the Genieo or InstallMac. I didn't find any of those files in Finder, so I think I maybe just tapped an ad or something on accident.... I think I'll just be vigilant for any other problems. Like I said, I don't see any extensions listed in Safari extensions window. I haven't downloaded anything from the internet, either, like a torrent. Thanks for the replies and I'll keep my eyes open!

Dec 19, 2014 5:26 PM in response to Linc Davis

Linc Davis wrote:

/Library/Application Support/dot
/Library/LaunchAgents/com.dot.agent.plist
/Library/LaunchDaemons/com.dot.daemon.plist
/Library/LaunchDaemons/com.dot.helper.plist
/System/Library/Frameworks/v.framework


Linc, this list is not adequate. Every Mac I've seen with a recent Downlite infection has a different word used in four of those filenames... "dot," "heizenberg," "steak," "moonlight," etc. I have yet to see two cases where the same word is being used.
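
Added example, not part of any post in this thread: a read-only shell check for the file pattern in Linc Davis's list, with the word ("dot", "steak", and so on) left variable as the reply above describes. Requiring all four items to share one word is an assumption of this sketch, and the `downlite_words` name and its optional root argument are hypothetical.

```shell
#!/bin/sh
# Heuristic, read-only search for the four-item pattern quoted in the thread.
# Nothing is deleted; the function only prints candidate words for review.
#
# For a word W, all four of these must exist under ROOT (assumption):
#   Library/LaunchDaemons/com.W.daemon.plist
#   Library/LaunchDaemons/com.W.helper.plist
#   Library/LaunchAgents/com.W.agent.plist
#   Library/Application Support/W
#
# ROOT defaults to "/"; passing another directory lets the check run
# against a mounted backup or a constructed test tree.
downlite_words() {
    root=${1:-/}
    root=${root%/}                      # "/" becomes "" so paths start at /Library
    for plist in "$root"/Library/LaunchDaemons/com.*.daemon.plist; do
        [ -e "$plist" ] || continue     # glob matched nothing
        word=${plist##*/com.}           # strip directory and "com." prefix
        word=${word%.daemon.plist}      # strip suffix, leaving the word
        # The pattern in the thread uses one bare word; skip dotted names
        # such as com.vendor.tool.daemon.plist.
        case $word in
            ''|*.*) continue ;;
        esac
        [ -e "$root/Library/LaunchDaemons/com.$word.helper.plist" ] || continue
        [ -e "$root/Library/LaunchAgents/com.$word.agent.plist" ] || continue
        [ -e "$root/Library/Application Support/$word" ] || continue
        printf '%s\n' "$word"
    done
}

# Stand-alone use: scan the given root, or the live system by default.
downlite_words "${1:-/}"
```

A word printed here is a candidate to compare against the Apple Support article before removing anything, since the match is by filename shape only.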
