
Safari homepage covertly hijacked...New Malware???

Hi

I am a pretty careful internet user and I have come across a curious problem that I cannot find any data about after searching all morning. Basically, if I open Safari after the MBP has been asleep, my Safari home page shows up for a millisecond, then a poor excuse for a page asking me to update Flash appears. If I click on the home screen button in the Safari toolbar, I then get to the proper page. Interestingly, if I allow the MBP to go to sleep with Safari open, the page I left is still there, but if I try going back to my homepage, the same thing happens. Also, there is more than one version of the Flash update spoof page. However, after the initial redirection, everything seems to be working as intended. I ran Bitdefender and it did not detect anything, and I did look at the Safari preferences and yes, my homepage URL is what it's supposed to be... So what do you experts think? Here are a couple of screenshots:

[screenshot 1]

[screenshot 2]

MacBook Pro with Retina display, OS X El Capitan (10.11.1)

Posted on Nov 16, 2015 7:55 AM

Question marked as Best reply

Posted on Nov 16, 2015 12:30 PM

If you have not tried this already, try it.

1. Use the free Malwarebytes Anti-Malware for Mac / AdwareMedic to remove adware:

http://www.adwaremedic.com/index.php

Download, install, open, and run it by clicking the “Scan for Adware” button to remove adware.

Once done, quit Malwarebytes Anti-Malware.

or

Remove the adware manually by following the “HowTo” from Apple:

http://support.apple.com/en-us/HT203987

2. Disable Extensions and test.

Safari > Preferences > Extensions

Disable all extensions and test.

Enable extensions one by one and test.

To uninstall any extension, select it and click the “Uninstall” button.

3. Safari > Preferences > Search > Search Engine:

Deselect and select your preferred search engine.

4. Safari > Preferences > General > Homepage:

Set your Homepage.

16 replies

Nov 16, 2015 12:36 PM in response to dominic23

Thank you for taking the time to offer up some help Dominic.

I did run Malwarebytes and my system came up clean. I followed the link you posted and I have none of the files found when I looked to manually delete them. However, I did some reading on the Malwarebytes page and they suggest that it may be a problem with my homepage itself. It's a local newspaper that is laden with ads. Since my problem happens only intermittently, I think this may be the problem. I also started using OpenDNS, and so far these suspicious pages have not reappeared.

Nov 16, 2015 1:08 PM in response to pookiepuss

First, never use any kind of "anti-virus" or "anti-malware" software on a Mac. That's how you create problems, not how you solve them.

The update alerts are fake, and are intended to dupe you into installing malware or disclosing private information so that your identity can be stolen.

You might get the alerts when visiting a website that has been hacked. Don't visit the site again. If applicable, notify the site administrator of the problem, but don't send email to an unknown party.

If you get the alerts when visiting more than one well-known website, such as Google, YouTube, or Facebook, then they may be the result of an attack on your router that has caused you to get false results from looking up the addresses of Internet servers. Requests sent to those sites are redirected to a server controlled by the attacker. It's possible, but less likely, that the DNS server used by your ISP has been attacked.

Back up all data.

Unlock the Network preference pane, if necessary, by clicking the lock icon in the lower left corner and entering your password. Click Advanced, open the DNS tab, and change the server addresses to the following:

8.8.8.8

8.8.4.4

That's Google DNS. Click OK, then Apply.

In Safari, select

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

and confirm. If you’re using another browser, empty the cache. Test. If the fake update alerts stop, see below. Otherwise, ask for instructions.

The router's documentation should tell you how to reset it to the factory default state. Usually there's a pinhole switch somewhere in the back. It may be labeled "RESET." Insert the end of a straightened paper clip or a similar tool and press the button inside for perhaps 15 seconds, or as long as the instructions specify.

After resetting the router, quit the web browser and relaunch it while holding down the shift key. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Privacy ▹ Remove All Website Data

and confirm. Do the equivalent if you use another browser. Open the Downloads folder and delete anything you don't recognize.

Then go through the router's initial setup procedure. I can't be specific, because it's different for every model. The key points are these:

1. Don't allow the router to be administered from the WAN (Internet) port, if it has that option. Most do.

2. Set a strong password to protect the router's settings: at least ten random upper- and lower-case letters and digits. Don't use the default password or any other that could be guessed. Save the password in your keychain. Any password that you can remember is weak.

3. If the router is wireless, or if you have a wireless access point on the network, use "WPA 2 Personal" security and set a different strong password to protect the network. If the router or access point doesn't support WPA 2, it's obsolete and must be replaced.

During the time the router was compromised, you were redirected to bogus websites. If you ever connected to a secure site and got a warning from your browser that the identity of the server could not be verified, and you dismissed that warning in order to log in, assume that your credentials for the site have been stolen and that the attacker has control of the account. This warning also applies to all websites on which you saw the fake update alerts.

Check the router manufacturer's website for a firmware update.

If you downloaded and installed what you thought was a software update, ask for instructions.
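The post above describes the classic signature of a DNS hijack: fake alerts on several unrelated, well-known sites, caused by a router or resolver returning false addresses. Before resetting a router on suspicion, it helps to actually check. The script below is an added example, not code from this thread or from Apple. It lists the resolvers macOS is using (`scutil --dns`), flags any that are neither your router nor a resolver you chose, and compares answers for a few well-known hosts from the system resolver against the Google DNS addresses given in the post (`dig +short @8.8.8.8`). The router address 192.168.1.1, the OpenDNS addresses 208.67.222.222/208.67.220.220 and the sample `scutil` output and DNS answers are assumptions constructed for the example; the live helpers need `scutil` and `dig` on a Mac, while the checking functions run anywhere.

```python
"""Spot-check for the DNS hijack pattern described in the thread.

Added example (not from the thread or Apple). Live helpers assume macOS with
`scutil` and `dig` on PATH; the pure functions run offline on sample data.
"""
import ipaddress
import re
import subprocess
from collections import defaultdict

# Resolvers you expect to see: your router's LAN address (assumed 192.168.1.1)
# plus whatever you configured yourself (Google DNS from the post, OpenDNS
# from the poster's follow-up).
EXPECTED_RESOLVERS = {"192.168.1.1", "8.8.8.8", "8.8.4.4",
                      "208.67.222.222", "208.67.220.220"}

_NAMESERVER_RE = re.compile(r"nameserver\[\d+\]\s*:\s*(\S+)")
# RFC 1918, loopback and link-local: a public site should never resolve here.
_NON_PUBLIC = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


def parse_scutil_dns(text):
    """Nameserver addresses from `scutil --dns` output, in order, de-duplicated."""
    seen = []
    for addr in _NAMESERVER_RE.findall(text):
        if addr not in seen:
            seen.append(addr)
    return seen


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers that are neither your router nor one you chose: a DHCP-pushed
    rogue resolver shows up here."""
    return [s for s in servers if s not in expected]


def _registrable(host):
    # Crude "last two labels"; adequate for the well-known sites in the post.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def suspicious_answers(answers):
    """Heuristics over {host: set(IPv4 str)} from the local resolver: a public
    site landing in non-public space, or one address shared by unrelated sites
    (the hallmark of bulk redirection to a single attacker-controlled server).
    Same-domain hosts sharing an address (CDNs) are deliberately not flagged."""
    findings, by_ip = [], defaultdict(set)
    for host, ips in answers.items():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if any(addr in net for net in _NON_PUBLIC):
                findings.append(f"{host} resolves to non-public address {ip}")
            by_ip[ip].add(_registrable(host))
    for ip, domains in by_ip.items():
        if len(domains) > 1:
            findings.append(f"{ip} serves unrelated sites: {', '.join(sorted(domains))}")
    return findings


def disagreements(local, trusted):
    """Hosts whose local answers share nothing with the trusted resolver's answers."""
    return sorted(h for h in local if h in trusted and not (local[h] & trusted[h]))


def live_resolvers():  # macOS only
    out = subprocess.run(["scutil", "--dns"], capture_output=True, text=True, check=True).stdout
    return parse_scutil_dns(out)


def live_answers(hosts, server=None):
    """A records per host via `dig +short`; server=None uses the system resolver."""
    result = {}
    for host in hosts:
        cmd = ["dig", "+short", "+time=3", "A", host] + ([f"@{server}"] if server else [])
        out = subprocess.run(cmd, capture_output=True, text=True).stdout
        ips = set()
        for token in out.split():
            try:
                if ipaddress.ip_address(token).version == 4:
                    ips.add(token)
            except ValueError:
                pass  # CNAME targets and the like
        result[host] = ips
    return result


# Constructed sample data (not real captures). 203.0.113.53 stands in for a
# rogue resolver pushed by a compromised router; 203.0.113.10 for the single
# attacker server every site is redirected to.
SAMPLE_SCUTIL = """DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 4 (en0)
  flags    : Request A records

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
"""
SAMPLE_LOCAL = {h: {"203.0.113.10"} for h in
                ("www.google.com", "www.youtube.com", "www.facebook.com")}
SAMPLE_TRUSTED = {"www.google.com": {"198.51.100.1", "198.51.100.2"},
                  "www.youtube.com": {"198.51.100.3"},
                  "www.facebook.com": {"198.51.100.4"}}

if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(parse_scutil_dns(SAMPLE_SCUTIL)))
    print("suspicious:", suspicious_answers(SAMPLE_LOCAL))
    print("disagree with 8.8.8.8:", disagreements(SAMPLE_LOCAL, SAMPLE_TRUSTED))
```

On a real machine, replace the sample dictionaries with `live_answers(hosts)` and `live_answers(hosts, "8.8.8.8")`. A disagreement on its own is weak evidence, since large sites answer differently per resolver location; the strong signals are a resolver you did not configure and several unrelated sites collapsing onto one address.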

Nov 16, 2015 10:12 PM in response to pookiepuss

Dominic's advice is perfect.

Have you changed your home page to another?

You can choose CNN, or even a blank page.

Good to see that you already changed to OpenDNS.


Info on MalwareBytes:

This very successful app was developed by a very long-time contributor here, Thomas Reed.

It is excellent, and identifies and removes malware.



<Edited by Host>

Nov 16, 2015 8:00 PM in response to Linc Davis

Your problem has nothing to do with malware, and even if it did that would be no reason to trust any "anti-malware" product, which you should never do for any reason.


I was never a "beta tester" for any anti-malware product.

Your question indirectly brings up the subject of removing adware. This is a general comment on that subject.

Under no circumstances should you ever allow anti-virus software to delete something for you.

The only tools that anyone needs to detect and remove adware are the Finder and a web browser, both of which you already have. Anyone who has enough computer skill to install adware can just as well remove it without using anything else.

Apple's general statements about malware protection are here and here, and here are its instructions for removing the most common types of ad-injection malware. Those statements don't mention any third-party "anti-virus" or "anti-malware" product. Apple's method for removing adware involves only the Finder and a web browser, as stated above.

You become infected with malware by downloading unknown software without doing research to determine whether it's safe. If you keep making that mistake, the same, and worse, will keep happening, and no anti-malware will rescue you. Your own intelligence and caution are the only reliable defense.

The Windows/Android anti-malware industry had more than $75 billion in sales in 2014 [source: Gartner, Inc.] Its marketing strategy is to convince people that they're helpless against malware attack unless they use its products. But with all that anti-malware, the Windows and Android platforms are still infested with malware—most of it far more harmful than mere adware. The same can be expected to happen to the Mac platform if its users trust the same industry to protect them, instead of protecting themselves.

You are not helpless, and you don't have to give full control of your computer—and your data—to strangers in order to be rid of adware.

These are generalities. Regarding the "malwarebytes" product in particular, you may be told that there are no reports that it has caused damage. In fact, there are such reports; for example:

I found malware or adware on my system the other day. I removed it with Maleware Bytes and since then Safari has not worked proper at all.

preferences pane will not load

Read that report and draw your own conclusions—not anyone else's conclusions.

The developer itself admitted that the Windows version of the product has been known to delete essential system files.

Whether the software damages the system or not, it prompts for your password in order to take full administrative control, and connects via the Internet to a server controlled by the developer. The developer's privacy policy, linked directly to the product page, reads in part as follows:

"Without limiting the Privacy Policy, you agree that Malwarebytes may track certain data it obtains from your Computer including data about any malicious software or other threats flagged by the Software, data about your license, data about what version of the Software you are using and what operating conditions it runs under and data concerning your geographic location."

(Emphasis added.) So the developer admits to tracking your location, as well as other unspecified data, and gives itself the legal right to collect any data it chooses. How it uses that right, you don't know. By running the software, you accept these terms.

It's sometimes said that the Malwarebytes product only removes adware rather than malware as such (if there's a difference), and that it therefore shouldn't be stigmatized as anti-malware. The developer's own description does distinguish between adware and malware, and specifically mentions removing malware as a selling point six times. A self-described employee of the developer wrote in an ASC discussion, "Actually, it's also a malware removal app..." (emphasis added.)

The question then is: as a security-conscious computer user, do you want to take risks where there is no benefit?


<Edited by Host>

Nov 16, 2015 5:15 PM in response to pookiepuss

To get back to my original question:

Since everything seems to be fine now, did you go ahead and establish a new Home page?

Mr. Davis:

I was never a "beta tester" for any anti-malware product, that's just idiocy.

So, it's your statement that you never contributed to the development of "The Safe Mac?" or had any part of the early development of the app Thomas Reed was developing to help Mac owners get rid of malware? Really?

Nov 16, 2015 5:31 PM in response to TildeBee

I'd like to thank both you Bee and Linc for taking the time to help me out. Another reason I posted this is I could not find any info on ipflash on the net and wanted to bring this issue to attention.


I consider myself to be a very educated guy and I have lots of paper in frames to prove it, but I am nowhere near as literate as you and Linc are regarding the workings of my MBP. I did not change my homepage (and Bee, something tells me you know what page it might be if you live in the north) and I have not had any more issues, at least yet. I wonder why it's important to do so.... should I change it if I continue to have problems, or to see if anything else happens with a new homepage?


I do appreciate your input as well, Linc, but I'm going to roll the dice and not mess with my router. I think it's a low probability that someone hacked it, and after upgrading to El Capitan I just finished tweaking my network so my MBP can see my Synology NAS. I am careful on the net and I do not open up joke emails. That said, it is possible my child clicked on a link she shouldn't have. Because I'm so careful, this really alarmed me.

Nov 16, 2015 5:45 PM in response to pookiepuss

pookie--


Thanks for your thoughtful response. It seems that the new DNS number has fixed the issue, and you don't need to worry about the Philly newspaper home page. Assuming it's not the Philadelphia Inquirer. (LOL)


If this problem does happen again, then immediately change the Homepage. As of now, there's no reason to.

The same for "messing with your router."


Go Eagles!

Nov 16, 2015 10:01 PM in response to Linc Davis

A couple of points in this discussion need to be clarified.


1. The "malwarebytes" product contributed nothing to solving the original poster's problem, as stated by the poster.


2. I have never tested or intentionally contributed to the development of that product. All such products are inherently harmful and should never be used by anyone for any reason.

Nov 17, 2015 4:15 AM in response to Linc Davis

Linc, it is true that Malwarebytes did nothing to solve my problem, but neither did manually going through folders one by one. I'm curious why you feel so strongly about software that automates the process of looking for files for you rather than doing it manually? I can understand that sentiment with MacCleaner (I mean, who would purchase or trust a product that is marketed in such an obtrusive way?) but not so much with this product. If Malwarebytes found something, would it just delete it on its own, or quarantine the file and ask me what to do with it?

Nov 17, 2015 7:59 AM in response to pookiepuss

pookiepuss wrote:


Linc, it is true that Malwarebytes did nothing to solve my problem, but neither did manually going through folders one by one. I'm curious why you feel so strongly about software that automates the process of looking for files for you rather than doing it manually? I can understand that sentiment with MacCleaner (I mean, who would purchase or trust a product that is marketed in such an obtrusive way?) but not so much with this product. If Malwarebytes found something, would it just delete it on its own, or quarantine the file and ask me what to do with it?

You hit the nail on the head, and I don't understand it either. As for your second question, yes, MalwareBytes will ask you what you want to do with the files it finds.
