how to remove Malware and Adware on safari and Firefox

Helpful Links Regarding Malware Problems

If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide, AdwareMedic, or Remove unwanted adware that displays pop-up ads and graphics on your Mac - Apple Support.

Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.

The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.

Fix Some Browser Pop-ups That Take Over Safari.

Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.

Quit Safari

Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + esc, select Safari, and press Force Quit.

Relaunch Safari

If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.

This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious webpage, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.

An excellent link to read is Tom Reed's Mac Malware Guide.

Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.

See these Apple articles:

Mac OS X Snow Leopard and malware detection

OS X Lion- Protect your Mac from malware

OS X Mountain Lion- Protect your Mac from malware

OS X Mavericks- Protect your Mac from malware

About file quarantine in OS X

If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)

From user Joe Bailey comes this equally useful advice:

The facts are:

1. There is no anti-malware software that can detect 100% of the malware out there.

2. There is no anti-malware that can detect everything targeting the Mac.

3. The very best way to prevent the most attacks is for you as the user to be aware that

the most successful malware attacks rely on very sophisticated social engineering

techniques preying on human avarice, ****, and fear.

4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on

your computer is intended to entice you to install their malware thinking it is a

protection against malware.

5. Some of the anti-malware products on the market are worse than the malware

from which they purport to protect you.

6. Be cautious where you go on the internet.

7. Only download anything from sites you know are safe.

8. Avoid links you receive in email, always be suspicious even if you get something

you think is from a friend, but you were not expecting.

9. If there is any question in your mind, then assume it is malware.

There is no need to download anything to solve this problem. You may have installed a variant of the "VSearch" ad-injection malware.

Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for a file with a name of the form

com.something.daemon.plist

Here something is a variable word, which can be different in each case. It could be "cloud," "dot," "highway," "submarine," "trusteddownloads," or pretty much anything else.

There may also be a file named

com.something.helper.plist

in the same folder.

If you find files with names that fit the above description, post what you have for "something."

Here is my post for what I found for "something" given your instructions.

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist

Appreciate your help and would like to know if these files from folder /Library/LaunchDaemons are legitimate. If not, how do I fix to remove pop-up malware?

Those have nothing to do with malware.

Jumping in to this thread as I am having a near identical issue with Safari.

- A virus warning has completely taken over Safari, advising me to go to "nexonite.com" to remedy it (fat chance). googling the site reveals a couple other people are also having the same issue, but it seems to be a very new one.

- Spotlight for 'nexonite' reveals nothing

- Safari is un-usable. Cannot access preferences/extensions or clear my history, the adware has blocked it

- AdwareMedic says i'm clean.

- I have tried manually deleting Safari preference files (history et al) from Finder window

- My "something" as advised above didn't turn up anything weird, nor any recently modified files

- I have tried restarting the computer, toggling fileVault, deleting and reinstalling Safari with AppCleaner

- With wifi off, Safari still loads the scam/pop up

- Holding Shift does nothing

I imagine I have to manually go in to my ~library or whatever and delete each and every instance of the little bugger. Problem is, I have no idea where to look or what to look for.

Any help?

Dan454 wrote:

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist

Those are legit files, not related to adware. If you didn't see any of the things Linc said to look for, you don't have that one particular piece of adware, but there are dozens of others. For help finding and removing whatever adware you may have installed, see my Adware Removal Guide.

(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

BlerpityBloop wrote:

- A virus warning has completely taken over Safari, advising me to go to "nexonite.com" to remedy it (fat chance). googling the site reveals a couple other people are also having the same issue, but it seems to be a very new one.

This is not really related to adware, this is just a scam. See:

Tech support scam pop-ups

(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

yep, well aware these are scam sites, following this advice from your link:

Quit Safari. If you are unable to do that, press command-option-esc to display the Force Quit Applications window. In that window, select Safari and click the Force Quit button.

To prevent the malicious page from reloading automatically, and thus the pop-up from reappearing, hold down the shift key while launching Safari.

If that doesn’t work, quit Safari again, then navigate to the following folder:

~/Library/Saved Application State/

(If you are not sure how to find this folder, see Locating files from paths.)

Inside that folder, find the folder named com.apple.Safari.savedState. Drag that to the trash, then open Safari.

AND IT WORKED.

WOO! Back to surfing questionable websites again...

Thank you so much.

I tried your solution to drag the folder named "com.apple.Safari.savedState" to trash, but it did not fix my problem. I still get pop-ups labeled "Ad by PJS-4.2". Any further suggestions would be greatly appreciated.

Dan454 wrote:

I tried your solution to drag the folder named "com.apple.Safari.savedState" to trash, but it did not fix my problem. I still get pop-ups labeled "Ad by PJS-4.2".

That solution is not applicable to your problem. You have adware installed. See my Adware Removal Guide for help removing it.

(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

This fixed me!!!!!

Kind'a proud I fixed this myself before I arrived here, but I gave Kappy and BlerpityBloop "helped me" votes because that's about how things went for me.

Oh yes: OS 10.10.5 on a sweet newish 27"

First off, I fell for it; I clicked on a Colbert Report video link in a Facebook posting. I should have been savvy enough to recognize the video was not previewing as I scrolled by, but anyway... What that got me was a popup from "downgradepc[dot]media4updateads[dot]com" and a whole lot of grayed-out Safari controls. The popup also stated that pressing the "OK" button (the only action allowed at that point) would install a security update for Flash Player (yeah, right). No, I did not press "OK". I was able to quit Safari using the keyboard despite the greyed out mouse menu, but all normal "reset" actions, right down to rebooting, were useless. Frankly, it's the first time in 15+yrs I've been legitimately scared by my Mac's behavior.

Using Chrome I surfed about for tips a-la the Kappy method. As good as all that is it wasn't pertinent to my particular malady. In the end my problem was solved using BlerpityBloop's suggestion (I love that Lost in Space reference, Mr Bloop).

Paranoid about anything Adobe to start with, I purged my directories of all Flash related files assuming they're easily replaced. Again, no result. Then I started hunting for .plist files associated with Safari. I couldn't find anything fruitful in the User/Library/whatever zone (getting scared now), but I finally hit my mark going to: User/Applications/Safari and right-clicking to select "show package contents". That's where I found "savedstate.plist" and once that was trashed Safari opened with one topsites window. Voila!

I put everything non-Flash related back from the trash that I'd removed and restored my Flash Player by downloading from scratch at Adobe. All is well.

And yes, I include Facebook as a questionable website. 😁

So I posted this reply thinking 1) it might be good to add a recent victim's update to the thread and 2) If I solved this then it's likely you can do it too. Just dig in and start cleaning (but use a dust brush, not a backhoe).

DC

Bloop,

Three days I worked on this...so grateful for you post. I'm quietly going to say it worked.

Fingers crossed.