bagpipes rule

Q: Safari keeps opening up a smpdr webpage which then redirects to multiple other sites. Is this a virus and how do I get rid of it?

My MacBook Pro seems to be infected with a virus because Safari keeps opening up a smpdr webpage, which then rapidly redirects to multiple other websites. By the end of all the other websites which load, then re-load, Safari is completely hung and I must force quit.

Can anyone tell me what this is and how to get rid of it?

Thanks,

Jason

<Edited by host>

MacBook Pro, OS X Yosemite (10.10.4)

Posted on Aug 18, 2015 10:17 PM


  • by Linc Davis,

    Linc Davis Aug 18, 2015 2:51 PM in response to bagpipes rule
    Level 10 (207,995 points)

    You may have installed one or more variants of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.

    If you have trouble following those instructions, see below.

    Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

    Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

    /Library/LaunchDaemons

    In the Finder, select

              Go > Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form

              com.something.daemon.plist

    and

               com.something.helper.plist

    Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

    You could have more than one copy of the malware, with different values of something.

    If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:

    /Library/LaunchAgents

    In this folder, there may be a file named

              com.something.agent.plist

    where the string something is the same as before.

    If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

    Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

    The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

    Open this folder:

    /Library/Application Support

    If it has a subfolder named just

               something

    where something is the same string you saw before, drag that subfolder to the Trash and close the window.

    Don't delete the "Application Support" folder or anything else inside it.

    Finally, in this folder:

    /System/Library/Frameworks

    there may be an item named exactly

                v.framework

    or else an item named

                something.framework

    Again, something is the same string as before.

    This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.

    Don't delete the "Frameworks" folder or anything else inside it.

    If you didn't find the files or you're not sure about the identification, post what you found.

    If in doubt, or if you have no backups, change nothing at all.

    The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

    This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

    Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

              Install system data files and security updates (OS X 10.10 or later)

    or

              Download updates automatically (OS X 10.9 or earlier)

    if it's not already checked.
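The file-name pattern from the reply above, as a read-only check (an added example, not part of the original post or of Apple's instructions). The function names, the optional root-prefix argument and the `VSEARCH_ROOT` variable are assumptions introduced here; the script only lists matching paths and deletes nothing.

```shell
#!/bin/sh
# Added example: read-only listing of paths matching the VSearch naming
# pattern described in the reply above. Nothing is deleted or modified.
# The optional root prefix (hypothetical, not from the post) lets the check
# run against a mounted backup or a test tree instead of the live system.

# Print each "something" string that has BOTH com.<s>.daemon.plist and
# com.<s>.helper.plist in <root>/Library/LaunchDaemons.
vsearch_candidates() {
    dir="${1:-}/Library/LaunchDaemons"
    for f in "$dir"/com.*.daemon.plist; do
        [ -e "$f" ] || continue              # glob matched nothing
        s=${f##*/}; s=${s#com.}; s=${s%.daemon.plist}
        # Per the post, the string is alphanumeric without punctuation.
        case $s in ''|*[!A-Za-z0-9]*) continue ;; esac
        if [ -e "$dir/com.$s.helper.plist" ]; then printf '%s\n' "$s"; fi
    done
    return 0
}

# For each candidate string, list the related items that actually exist.
# Paths are printed without the root prefix.
vsearch_report() {
    root=${1:-}
    for s in $(vsearch_candidates "$root"); do
        if [ "$s" = apple ]; then
            echo "NOTE: 'apple' resembles built-in OS X file names; verify by hand"
        fi
        for p in \
            "/Library/LaunchDaemons/com.$s.daemon.plist" \
            "/Library/LaunchDaemons/com.$s.helper.plist" \
            "/Library/LaunchAgents/com.$s.agent.plist" \
            "/Library/Application Support/$s" \
            "/System/Library/Frameworks/$s.framework" \
            "/System/Library/Frameworks/v.framework"
        do
            if [ -e "$root$p" ]; then printf '%s\n' "$p"; fi
        done
    done
    return 0
}

# Scan the live system unless VSEARCH_ROOT (hypothetical variable) is set.
vsearch_report "${VSEARCH_ROOT:-}"
```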

  • by Carolyn Samit,

    Carolyn Samit Aug 18, 2015 9:29 PM in response to bagpipes rule
    Level 10 (122,402 points)

    Redirects are most often caused by malware.

    Download and run Malwarebytes Anti-Malware for Mac, formerly known as AdwareMedic. It's free.

    Make sure Mac App Store and identified developers is selected in System Preferences > Security & Privacy > General

    If you would rather not download Malwarebytes Anti-Malware, you can remove the malware manually following the instructions here > Remove unwanted adware that displays pop-up ads and graphics on your Mac - Apple Support

  • by Linc Davis,

    Linc Davis Aug 18, 2015 10:05 PM in response to bagpipes rule
    Level 10 (207,995 points)

    Your question brings up the subject of removing adware. This is a general comment on that subject.

    The only tools that anyone needs to detect and remove adware are the Finder and a web browser, both of which you already have. Anyone who has enough computer skill to install adware can just as well remove it without using anything else.

    Under no circumstances should you ever allow anti-virus software to delete something for you.

    Apple doesn't endorse any third-party "anti-virus" or "anti-malware" product. Here and here are its general statements about malware protection, and here are its instructions for removing the most common types of ad-injection malware. None of those support pages mentions anti-malware products. An Apple employee who recommends such a product is speaking only for himself or herself, not for the company. See this thread for an example of what the results can be.

    You become infected with malware by downloading unknown software without doing research to determine whether it's safe. If you keep making that mistake, the same, and worse, will keep happening, and no anti-malware will rescue you. Your own intelligence and caution are the only reliable defense.

    The Windows/Android anti-malware industry had more than $75 billion in sales in 2014 [source: Gartner, Inc.] Its marketing strategy is to convince people that they're helpless against malware attack unless they use its products. But with all that anti-malware, the Windows and Android platforms are still infested with malware—most of it far more harmful than mere adware. The same can be expected to happen to the Mac platform if its users trust the same industry to protect them, instead of protecting themselves.

    You are not helpless, and you don't have to give full control of your computer—and your data—to strangers in order to be rid of adware.

    These are generalities. Regarding the "malwarebytes" product in particular, you may be told that there are no reports that it has caused damage. In fact, I know of two such reports: one by ASC user Big Kev55 in this thread, and one by LizardMBP in this thread. Draw your own conclusions from those reports. There are also many reports that the Windows version of the product has deleted essential Windows system files; see, for example, this thread on the developer's own support forum.

    Whether the software damages the system or not, it takes full control and connects to a server controlled by the developer. There is no way of knowing what information it sends to that server.

    The question then is: as a security-conscious computer user, do you want to take such risks when there is no offsetting benefit whatsoever?

  • by thomas_r.,

    thomas_r. Aug 25, 2015 8:03 AM in response to Linc Davis
    Level 7 (30,924 points)

    Linc Davis wrote:

    Regarding the "malwarebytes" product in particular, you may be told that there are no reports that it has caused damage. In fact, I know of two such reports: one by ASC user Big Kev55 in this thread, and one by LizardMBP in this thread. Draw your own conclusions from those reports. There are also many reports that the Windows version of the product has deleted essential Windows system files; see, for example, this thread on the developer's own support forum.

    Whether the software damages the system or not, it takes full control and connects to a server controlled by the developer. There is no way of knowing what information it sends to that server.

    The question then is: as a security-conscious computer user, do you want to take such risks when there is no offsetting benefit whatsoever?

    These statements are outright libel. There is no actual evidence that Malwarebytes Anti-Malware for Mac has caused any damage to any systems. Linc knows that the two reports he's using to attack this software present only two users' opinions without any evidence to back them up, and in one case the report was filled with numerous false statements that were caught and resulted in the post getting removed.

    I don't deny the possibility of bugs in any piece of software. However, I also know that many people without a lot of tech experience frequently mis-attribute problems. Case in point, there were numerous complaints here not long ago about how upgrading to Yosemite "caused" adware problems. This was not at all true, but because for some people, adware problems coincided in time with the upgrade, they blamed the update. This is not their fault, but neither would it be appropriate for an expert who knows better to start running around waving his hands and yelling "Yosemite installs adware!"

    For the record, I, as the original developer of AdwareMedic (which is now Malwarebytes Anti-Malware for Mac), have never seen a single confirmed case of a system or browser damaged by either AdwareMedic or Malwarebytes Anti-Malware for Mac. If it were to happen at some point in the future, I would address it immediately, but as far as I can tell, it still hasn't happened yet.

    As for the implication that Malwarebytes Anti-Malware for Mac "takes full control and connects to a server controlled by the developer" - first, the statement that the software "takes full control" is blatantly false. The Malwarebytes app takes full control of your computer no more than any other third-party app, such as OmniDiskSweeper or GrandPerspective, both of which Linc has been known to recommend running with root privileges.

    As for the implications that something fishy is going on with the communication to the server, one has only to use tcpdump to monitor the data being sent and received by Malwarebytes Anti-Malware for Mac. Linc surely knows how this is done, and could verify that the communications are to check for and download updates. That he has not done so, and chooses to make up stories about the network activity instead, is deceitful.