Q: why do new tabs open up with ads when I click on a link?

Click here and follow the instructions, or if there’s a type of adware not covered by them on the computer, these ones. If you'd rather not remove it manually, you can instead run MalwareBytes for Mac.

MalwareBytes is a removal tool and doesn't stop adware or other malware from getting onto the computer. To prevent future incidents, avoid downloading software from sources other than the Mac App Store or the developer websites.

(133697)

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Some of the most common types of adware can be removed by following Apple's instructions. If those instructions don't work for you, or if you have trouble following them, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure that doesn't involve downloading anything.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

Safari/Browsers - Eliminating browser redirects and advertisements

Safari/Browsers - Eliminating browser redirects and advertisements (2)

"Spyware?"

Try resetting Safari:

http://www.macissues.com/2015/06/22/how-to-fully-reset-safari-on-your-mac/

You're still infected with malware, probably including the "Flashmall" trojan. If you care to follow the instructions I posted earlier, the problem could be solved in a few minutes. Otherwise, see below.

You may have installed the "Flashmall" trojan. Take the steps below to disable it.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:

           com.crossrider

           com.extensions

           com.flashmall

           com.Installer.completer

           com.webhelper

           com.webtools

           flashmall

           UpdateDownloader

           WebSocketServerApp

Move any such files to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library/Application Support

A folder named "Application Support" will open. Inside it there may be subfolders with any of these names:

             IM.Installer

             webHelperApp

             WebTools

If so, move those subfolders—not the "Application Support" folder—to the Trash.

4. Open this folder in the same way as above:

~/Library/ScriptingAdditions

and remove an item named

            BrowserHelper.osax

if present.

5. Open this folder:

~/Library

Look for subfolders with either of these names:

            flashmall

            WebTools

and move them to the Trash, if present. Don't remove the subfolder named "WebKit".

6. Open the Applications folder. Move to the Trash items with any of these names:

            Flashmall

            mediaDownloader

            WebTools

Important: You can't delete applications by trying to drag them from the Dock or the LaunchPad. Open the Applications folder in the Finder.

7. Open this folder in the same way as above:

~/Applications

This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name like this:

             flashmall

and move it to the Trash, if present. Also remove anything else in that folder that you don't recognize.

Empty the Trash.

8. From the Safari menu bar, select

          Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need, including one called "GoldenBoy," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.