
Problem with loading google - malware site? gone viral.com

When I try and load google I get a whole lot of text that comes up. I will post below. It seems to be associated with a site: http://www.goneviral.com/? Other internet pages have this come up too when I try and load them. Did a scan with Adware Medic and it cannot find anything. I also have AVG Anti Virus and it picked something up which was meant to be 'deleted' but still having this problem. Scanning a second time with AVG brings up nothing.


Here is the text that comes up when going to google:

/*
 * Script text the poster saw in place of the requested page, reformatted for
 * reading and annotated for analysis. The code itself is unchanged.
 *
 * What it does, as far as this listing shows: it builds a `Linkbucks` object
 * configured for Domain "goneviral.com" / LinkId "BXvnm" and calls Init().
 * With the configured LinkType (2), Init() installs a document-wide mousedown
 * handler that rewrites the href of whichever http(s) link is being clicked so
 * the navigation goes through LinkUrl + "/url/" first.
 *
 * NOTE(review): the object name and parameters suggest a link-monetisation
 * snippet; that is inferred from names only. The listing does not show how the
 * script ended up in responses for unrelated sites.
 */
(function(){
    var Linkbucks = {
        // Per-deployment configuration. LinkUrl is the redirect base that
        // clicked links are rewritten to; Domain is only used by the legacy
        // branch of Init().
        LinkId: "BXvnm",
        LinkType: 2,
        LinkTarget: 0,
        Exclusions: "",
        Frequency: 0,
        EncryptUrl: true,
        Domain: "goneviral.com",
        LinkUrl: "http://www.goneviral.com/BXvnm",
        // `this` of the enclosing function call; only read by the legacy
        // branch of Init() to look up lb_params / uid.
        Outside: this,

        // Entry point. With a non-numeric LinkId such as "BXvnm" the loose
        // comparison `LinkId == 0` is false, so the legacy branch is skipped
        // and the mousedown hook below is what gets installed.
        Init: function() {
            // Backwards compatibility
            if (this.LinkId == 0) {
                if (typeof this.Outside.lb_params != "undefined" && this.Outside.lb_params[0] != null)
                    this.LinkId = this.Outside.lb_params[0];
                else if (typeof this.Outside.uid != "undefined")
                    this.LinkId = this.Outside.uid;

                // Legacy path: pulls a further script from the configured
                // domain over plain HTTP and stops.
                if (this.LinkId != 0)
                    this.AddScript("http://www." + this.Domain + "/WebServices/jsParseLinks.aspx?id=" + this.LinkId);

                return;
            }

            // Link does not exist
            if (this.LinkType == 0)
                return;

            // Attach to the click event on the document. This allows to support links created dynamically after script was run
            Linkbucks.AddEvent(document, "mousedown", function(e){
                var anchor = Linkbucks.GetAnchorElement(e);
                if (anchor != null && !Linkbucks.IsExcluded(anchor)) {
                    if (Linkbucks.LinkType == 3){
                        // Pop-under mode: bind HandlePop to the anchor once,
                        // tracked with an ad-hoc `boundPop` property.
                        if (!anchor.boundPop){
                            Linkbucks.AddEvent(anchor, "click", Linkbucks.HandlePop);
                            anchor.boundPop = true;
                        }
                    } else if (Linkbucks.Frequency == 0 || Linkbucks.Increment() <= Linkbucks.Frequency) {
                        // Frequency 0 means no cap: every qualifying click is
                        // rewritten. Otherwise the cookie counter limits it.
                        Linkbucks.HandleClick(anchor);
                    }
                }
            });
        },

        // Click handler for LinkType 3. Uses `Linkbucks.` rather than `this`
        // because it runs as an event handler. Opens a screen-sized window via
        // `popUnder`, which is NOT defined anywhere in this listing. The current
        // page URL is sent to LinkUrl in the `r` query parameter.
        HandlePop: function(){
            if (Linkbucks.Frequency != 0 && Linkbucks.GetDisplays() >= Linkbucks.Frequency){
                return;
            }

            Linkbucks.Increment();

            var pop = new popUnder(Linkbucks.LinkUrl + '?r=' + encodeURIComponent(document.location.href), {
                name: 'ad_' + Math.floor(89999999 * Math.random() + 10000000),
                width: window.screen.availWidth,
                height: window.screen.availHeight,
                top: 0,
                left: 0
            });
            pop.open();
            return;
        },

        // Rewrites the clicked anchor in place (`e` is the anchor element, not
        // an event). LinkTarget 1/2 force _top/_blank; 0 leaves target alone.
        // The original destination, query string included, is appended to
        // LinkUrl + "/url/" either hex-encoded after Encode() (LinkType 4, or
        // LinkType 2 with EncryptUrl) or as the raw URL.
        HandleClick: function(e) {
            if (this.LinkTarget == 1)
                e.target = "_top";
            else if (this.LinkTarget == 2)
                e.target = "_blank";

            var linkUrl = this.LinkUrl + "/url/";
            if (this.LinkType == 4 || (this.LinkType == 2 && this.EncryptUrl))
                e.href = linkUrl + this.ConvertToHex(this.Encode(e.href), "");
            else
                e.href = linkUrl + e.href;
        },

        // Returns true when the anchor must be left alone: any href that does
        // not start with http:// or https://, or one containing an exclusion
        // entry. With Exclusions "" the first list entry is the empty string,
        // so the MatchesWith() test is skipped entirely, including for the
        // LinkId forms pushed just above it.
        // NOTE(review): that also means an already-rewritten href is not
        // excluded and would be wrapped again on a later mousedown.
        IsExcluded: function(e) {
            var exclusionList = this.FormatExclusionsArray(this.Exclusions);
            exclusionList.push(this.LinkId, this.ConvertToUnicode(this.LinkId), this.ConvertToHex(this.LinkId, "%"));

            if (!this.StartsWith(e.href, new Array("http://", "https://")))
                return true;

            if (exclusionList[0].length > 0 && this.MatchesWith(e.href, exclusionList))
                return true;

            return false;
        },

        // Cross-browser event registration. Every caller in this listing passes
        // a function object, and eval() of a non-string returns its argument
        // unchanged; a string argument would be executed as code. The two arms
        // of the final else are identical, so `originalHandler` is replaced
        // either way.
        AddEvent: function(target,eventName,handlerName) {
            if ( target.addEventListener ) {
                target.addEventListener(eventName, eval(handlerName), false);
            } else if ( target.attachEvent ) {
                target.attachEvent("on" + eventName, eval(handlerName));
            } else {
                var originalHandler = target["on" + eventName];
                if ( originalHandler ) {
                    target["on" + eventName] = eval(handlerName);
                } else {
                    target["on" + eventName] = eval(handlerName);
                }
            }
        },

        // Injects an async <script src=scriptUrl> before the first script
        // element of the page. Only used by the legacy branch of Init().
        AddScript: function(scriptUrl) {
            var s1 = document.createElement("script");
            s1.type = "text/javascript";
            s1.async = true;
            s1.src = scriptUrl;
            var s2 = document.getElementsByTagName("script")[0];
            s2.parentNode.insertBefore(s1, s2);
        },

        // Splits the comma-separated exclusion string, drops everything up to
        // and including the first "*" of each entry, and trims whitespace.
        // `i` is never declared, so it leaks into the global scope.
        FormatExclusionsArray: function(items) {
            var exclusionList = items.split(",");
            var wildCardIndex = 0;
            for (i = 0; i < exclusionList.length; i++) {
                wildCardIndex = exclusionList[i].indexOf("*");
                if (wildCardIndex > -1) {
                    exclusionList[i] = exclusionList[i].substring(wildCardIndex+1);
                }
                exclusionList[i] = this.LTrim(this.RTrim(exclusionList[i]));
            }
            return exclusionList;
        },

        // Walks up from the event target until it reaches an <a> element.
        // The loop ends once the current node has no parent; null is returned
        // when no anchor was found on the way.
        GetAnchorElement: function(e) {
            if (!e)
                e = window.event;

            var srcElement = e.srcElement ? e.srcElement : e.target;
            do {
                if (srcElement.tagName == "A")
                    return srcElement;
                if (srcElement.parentNode)
                    srcElement = srcElement.parentNode;
            } while (srcElement.parentNode)

            return null;
        },

        // Current value of the "lbfrequency" cookie (a string), or 0 if unset.
        GetDisplays: function(){
            var cookie = "lbfrequency";
            var total = this.ReadCookie(cookie);
            return (total != null) ? total : 0;
        },

        // Bumps the "lbfrequency" counter cookie (1-day lifetime) and returns
        // the new count. `++total` already coerces the cookie string to a
        // number. The cookie name is a usable indicator when checking a
        // browser profile for traces of this script.
        Increment: function() {
            var cookie = "lbfrequency";
            var total = this.ReadCookie(cookie);
            total = (total != null) ? parseInt(++total) : 1;
            this.CreateCookie(cookie, total, 1);
            return total;
        },

        // Writes a cookie with path=/ on the document being viewed; `days`
        // falsy means a session cookie. The value is not escaped.
        CreateCookie: function(name, value, days) {
            if (days) {
                var date = new Date();
                date.setTime(date.getTime()+(days*24*60*60*1000));
                var expires = "; expires="+date.toGMTString();
            }
            else var expires = "";
            document.cookie = name+"="+value+expires+"; path=/";
        },

        // Returns the value of the first cookie whose name matches, or null.
        ReadCookie: function(name) {
            var ca = document.cookie.split(';');
            var nameEQ = name + "=";
            for(var i=0; i < ca.length; i++) {
                var c = ca[i];
                while (c.charAt(0)==' ') c = c.substring(1, c.length); //delete spaces
                if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length, c.length);
            }
            return null;
        },

        // Builds "&#<code>" for each character (no terminating ";").
        // `result` and `i` are undeclared and become globals.
        ConvertToUnicode: function(value) {
            result = '';
            for (i = 0; i < value.length; i++) {
                result += '&#' + value.charCodeAt(i);
            }
            return result;
        },

        // Lower-case hex of each UTF-16 code unit, zero-padded to at least two
        // digits and prefixed with `prepend`. `i` is an implicit global.
        ConvertToHex: function(value, prepend) {
            var hex = '';
            for (i = 0; i < value.length; i++) {
                if (value.charCodeAt(i).toString(16).toUpperCase().length < 2) {
                    hex += prepend + "0" + value.charCodeAt(i).toString(16);
                } else {
                    hex += prepend + value.charCodeAt(i).toString(16);
                }
            }
            return hex;
        },

        // Case-insensitive prefix test against one string or an array of
        // strings. `_i` is an implicit global.
        StartsWith: function(str, e) {
            if (typeof e == "object") {
                for (_i = 0; _i < e.length; _i++) {
                    if (str.toLowerCase().indexOf(e[_i].toLowerCase()) == 0)
                        return true;
                }
                return false;
            }
            else
                return (str.toLowerCase().indexOf(e.toLowerCase()) == 0);
        },

        // Case-insensitive substring test against one string or an array of
        // strings. `_i` is an implicit global.
        MatchesWith: function(str, e) {
            if (typeof e == "object") {
                for (_i = 0; _i < e.length; _i++) {
                    if (str.toLowerCase().indexOf(e[_i].toLowerCase()) > -1)
                        return true;
                }
                return false;
            }
            else
                return (str.toLowerCase().indexOf(e.toLowerCase()) > -1);
        },

        // Strip leading / trailing whitespace.
        LTrim: function(str) { return str.replace(/^\s+/,''); },
        RTrim: function(str) { return str.replace(/\s+$/,''); },

        // XORs `str` with an RC4-style keystream (256-entry state array, key
        // schedule, then per-character swap and XOR). The key is this
        // function's own source text with all whitespace removed, obtained via
        // arguments.callee.toString(). Consequences for anyone analysing it:
        //  - the key ships with the script, so this hides destination URLs
        //    from casual inspection but gives no confidentiality;
        //  - any edit other than whitespace inside the function body,
        //    including adding a comment, changes the key and therefore the
        //    output, which is why no annotations are placed inside it;
        //  - arguments.callee throws in strict mode.
        Encode: function(str) {
            var s = [], j = 0, x, res = '', k = arguments.callee.toString().replace(/\s+/g, "");
            for (var i = 0; i < 256; i++) {
                s[i] = i;
            }
            for (i = 0; i < 256; i++) {
                j = (j + s[i] + k.charCodeAt(i % k.length)) % 256;
                x = s[i];
                s[i] = s[j];
                s[j] = x;
            }
            i = 0;
            j = 0;
            for (var y = 0; y < str.length; y++) {
                i = (i + 1) % 256;
                j = (j + s[i]) % 256;
                x = s[i];
                s[i] = s[j];
                s[j] = x;
                res += String.fromCharCode(str.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
            }
            return res;
        }
    }

    Linkbucks.Init();
})();

Anyone have any suggestions?

MacBook Pro

Posted on Apr 24, 2015 10:59 AM

11 replies

Apr 24, 2015 3:22 PM in response to RichKann

Your router may have been hacked to direct DNS queries to a malicious server.

Follow the manufacturer's instructions to reset the router to the default state. Usually that involves inserting the end of a straightened paper clip or a similar tool into a pinhole somewhere in the back of the device, and pressing a switch inside for about 15 seconds. The pinhole may be marked "RESET."

Repeat the initial setup process. Make sure the router does not allow remote setup from the Internet (WAN port), if it has that feature—most do. The DNS servers should be set automatically by your ISP. If you still have trouble with those servers selected, contact your ISP.

Check the router manufacturer's website for a firmware update.

If you have a wireless network, it must be secured with WPA 2 encryption. The passwords for the network and the router must each be a string of at least 10 random upper- and lower-case letters and digits, and they should be different. Any password that you can remember is weak.

Apr 25, 2015 12:29 AM in response to RichKann

One possibility is what Linc has suggested: a problem with your network hardware. Before resetting your router, though, there's an easy test to try: take your MacBook Pro to a different network (at a friend's house, at work, at a local library or coffee shop with free wifi, etc). Test while on that network. If the problem does not occur, but happens as soon as you return to the network where this problem is occurring, it's a network hardware hack. Follow Linc's instructions.


If the problem continues on other networks, it's not due to the network hardware. In this case, open AdwareMedic and choose Take System Snapshot from the Scanner menu. Then, either submit that to The Safe Mac (ie, me) or copy the report and paste it into a message here.

Apr 25, 2015 12:32 AM in response to thomas_r.

Thank you both for your replies. I thought it was a problem with the DNS because someone else using our Wifi had the same problem, but when I tried it on another wifi it was still doing the same.

Thomas I did the "take a system snapshot" and one of the entries was for google chrome which I had removed earlier this week, when this problem started as it was the last thing for me to install. I moved the files associated with google chrome and it all seems to work fine now. Thank you very much for your help!

Apr 27, 2015 11:48 AM in response to Linc Davis

Thanks both again for your replies.

Thomas, I will post below the script from "system snapshot" maybe it will give some more insight?


Linc, you also appear to be right. Some websites again now appear to show the cached DNS or web data that I first posted above. Although this time I can still load a google page fine. Do you think this is an issue I need to take up with the ISP?


AdwareMedic 2.2.2 system report - Monday, 27 April 2015 @ 8:44:33 pm

Mac OS X version 10.10.2

20:44 up 3 days, 1:25, 1 user, load averages: 1.99 2.34 2.16


Safari extensions

---------------

/Users/Richard/Library/Safari/Extensions/iTISToolbar.safariextz

Name: Trend Micro Toolbar

Modified: Wednesday, 30 July 2014 @ 3:23:44 pm

/Users/Richard/Library/Safari/Extensions/JavaScript Blocker-2.safariextz

Name: JavaScript Blocker

Modified: Wednesday, 1 October 2014 @ 1:53:30 am


Chrome extensions

---------------

/Users/Richard/Library/Application Support/Google/Chrome/Default/Extensions/gmlllbghnfkpflemihljekbapjopfjik

Name: Bookmark Manager

Modified: Friday, 17 April 2015 @ 9:41:39 pm

/Users/Richard/Library/Application Support/Google/Chrome/Default/Extensions/lccekmodgklaepjeofjdjpbminllajkg

Name: Chrome Hotword Shared Module

Modified: Friday, 17 April 2015 @ 9:41:55 pm


Firefox extensions

---------------

None


Login items

---------------

iTunesHelper, Moveslink2, Dropbox


Startup items

---------------

None


System startup items

---------------

None


User launch agents

---------------

None


System launch agents

---------------

total 32

lrwxr-xr-x 1 root wheel 79 Jan 14 12:52 com.avg.Antivirus.gui.plist -> /Applications/AVG AntiVirus.app/Contents/Resources//com.avg.Antivirus.gui.plist

-rw-r--r--@ 1 root wheel 792 Apr 15 19:38 com.google.keystone.agent.plist

lrwxr-xr-x 1 root wheel 104 Apr 28 2013 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist

-rwxr-xr-x 1 root wheel 693 Jan 25 2013 com.robohippo.HippoConnectAgent.plist


System launch daemons

---------------

total 80

-rw-r--r-- 1 root wheel 462 Apr 12 04:50 com.adobe.fpsaud.plist

lrwxr-xr-x 1 root wheel 79 Jan 14 12:52 com.avg.Antivirus.infosd.plist -> /Applications/AVG AntiVirus.app/Contents/Daemons/com.avg.Antivirus.infosd.plist

lrwxr-xr-x 1 root wheel 81 Jan 14 12:52 com.avg.Antivirus.services.plist -> /Applications/AVG AntiVirus.app/Contents/Daemons/com.avg.Antivirus.services.plist

-rwxr-xr-x@ 1 root wheel 474 Feb 6 13:31 com.cleverfiles.cfbackd.plist

-rw-r--r-- 1 root wheel 717 Sep 28 2014 com.ea.origin.ESHelper.plist

-rw-r--r--@ 1 root wheel 818 Apr 15 19:38 com.google.keystone.daemon.plist

-rw-r--r-- 1 root wheel 486 Jan 30 2014 com.gopro.stereomodestatus.plist

-rw-r--r-- 1 root wheel 568 Apr 2 2012 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x 1 root wheel 103 Apr 28 2013 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist

-rw-r--r-- 1 root wheel 723 Jan 25 2013 com.robohippo.HippoConnectDaemon.plist


Third-party kernel extensions

---------------

com.avg.Antivirus.OnAccess.kext (2015.0) <4 1>


User cron tasks

---------------

None


Root cron tasks

---------------

None


launchd.conf contents

---------------

None


DNS settings

---------------

Server: 208.67.222.222


Hosts file

---------------

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost


Scan log

---------------

2015-01-09 07:35:06: ----- Scan Started -----

2015-01-09 07:35:06: Scanning with signatures version 45

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/Safari/Extensions/Omnibar.safariextz

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/LaunchAgents/com.genieo.completer.download.plist

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/LaunchAgents/com.genieo.completer.update.plist

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/LaunchAgents/com.genieo.completer.ltvbit.plist

2015-01-09 07:35:10: Genieo : /Applications/InstallMac

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/Application Support/com.genieoinnovation.Installer

2015-01-09 07:35:10: Genieo : /Users/Richard/Library/Application Support/Firefox/Profiles/axkhqz5b.default/searchplugins/my-homepage.xml

2015-01-09 07:35:11: ----- Scan Ended -----

2015-01-09 07:35:28: +++++ Attempting to remove adware +++++

2015-01-09 07:35:28: /Users/Richard/Library/Safari/Extensions/Omnibar.safariextz

2015-01-09 07:35:28: /Users/Richard/Library/LaunchAgents/com.genieo.completer.download.plist

2015-01-09 07:35:28: /Users/Richard/Library/LaunchAgents/com.genieo.completer.update.plist

2015-01-09 07:35:28: /Users/Richard/Library/LaunchAgents/com.genieo.completer.ltvbit.plist

2015-01-09 07:35:28: /Applications/InstallMac

2015-01-09 07:35:28: /Users/Richard/Library/Application Support/com.genieoinnovation.Installer

2015-01-09 07:35:28: /Users/Richard/Library/Application Support/Firefox/Profiles/axkhqz5b.default/searchplugins/my-homepage.xml

2015-01-09 07:35:28: +++++ Adware removal complete +++++

2015-01-09 07:35:48: ===== User declined restart =====

2015-01-09 08:16:21: ----- Scan Started -----

2015-01-09 08:16:21: Scanning with signatures version 45

2015-01-09 08:16:26: No adware found

2015-01-09 08:16:26: ----- Scan Ended -----

2015-01-14 23:51:28: ----- Scan Started -----

2015-01-14 23:51:28: Scanning with signatures version 47

2015-01-14 23:51:34: No adware found

2015-01-14 23:51:34: ----- Scan Ended -----

2015-04-23 17:34:41: ----- Scan Started -----

2015-04-23 17:34:41: Scanning with signatures version 61

2015-04-23 17:34:59: No adware found

2015-04-23 17:34:59: ----- Scan Ended -----

2015-04-23 17:36:14: ----- Scan Started -----

2015-04-23 17:36:14: Scanning with signatures version 61

2015-04-23 17:36:21: No adware found

2015-04-23 17:36:21: ----- Scan Ended -----

2015-04-24 08:15:42: ----- Scan Started -----

2015-04-24 08:15:43: Scanning with signatures version 61

2015-04-24 08:16:17: No adware found

2015-04-24 08:16:17: ----- Scan Ended -----

2015-04-24 18:14:14: ----- Scan Started -----

2015-04-24 18:14:14: Scanning with signatures version 61

2015-04-24 18:20:33: No adware found

2015-04-24 18:20:33: ----- Scan Ended -----

2015-04-25 09:22:59: ----- Scan Started -----

2015-04-25 09:22:59: Scanning with signatures version 61

2015-04-25 09:23:12: No adware found

2015-04-25 09:23:12: ----- Scan Ended -----

Apr 27, 2015 7:17 PM in response to RichKann

RichKann wrote:


Thomas, I will post below the script from "system snapshot" maybe it will give some more insight?


You should start by uninstalling AVG, as well as the Trend Micro Toolbar extension in Safari. Be sure to use the uninstaller provided by AVG; don't just drag the app to the trash, and don't use generic uninstall apps. This may not make any difference, but both of these programs aren't good on the Mac to start with, and removing them removes some variables.


If that doesn't help, try disabling the JavaScript Blocker extension in Safari and see if that makes a difference.


If none of that helps, can you clarify things a bit? What browser(s) are you seeing this behavior in? What sites trigger this behavior? Have you tested this on different networks and found that it happens no matter what network you are connected to?

May 26, 2015 12:17 AM in response to RichKann

Hi RICH

I began having this exact problem today with gone viral.com. I've taken the advice to reset the router but that hasn't helped, and connecting to a different network still gives me the same problem. I use Safari and haven't changed anything since it was working fine yesterday, but today I'm having a problem loading Google. Any suggestions as to what I should look for or remove?


Thanks
