ERR_CONNECTION_REFUSED to apple.com only

Safari/Preferences/Advanced - enable the Develop menu, then go there and Empty Caches. Quit/reopen Safari and test. Then try Safari/History/Show History and delete all history items. Quit/reopen Safari and test. You can also try try Safari/Clear History…. The down side is it clears all cookies.Doing this may cause some sites to no longer recognize your computer as one that has visited the web site. Go to Finder and select your user/home folder. With that Finder window as the front window, either select Finder/View/Show View options or go command - J. When the View options opens, check ’Show Library Folder’. That should make your user library folder visible in your user/home folder. Select Library./Caches/com.apple.Safari/Caches.db and move it to the trash.

Go to Safari Preferences/Extensions and turn all extensions off. Test. If okay, turn the extensions on one by one until you figure out what extension is causing the problem.

Safari Corruption See post by Linc Davis

Restart your router and also your broadband device, if they're separate.

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then follow Apple Support's instructions to remove it.

If you have trouble following those instructions, or if they don't work, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of any of these forms:

com.something.daemon.plist

com.something.helper.plist

com.something.net-preferences.plist

com.something.preferences.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

You could have more than one copy of the malware, with different values of something.

There may also be one or more files with a name of this form:

com.somethingUpd.plist

where something may be a different meaningless string than in the other files. Again, there may be more than one such file, with different values of something.

Here's a specific example of a VSearch infection:

com.disbalance.daemon.plist

com.disbalance.helper.plist

com.thunderbearerUpd.plist

You will have files with names similar, but probably not identical, to these.

2. If you find such files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

3. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

4. This step is optional. Open this folder:

/Library

It may have subfolders named as follows

something

somethingUpd

where something is any of the strings you saw before. Drag any such subfolders to the Trash and close the window.

Don't delete the "Library" folder or anything else inside it.

5. This step doesn't apply to OS X 10.11 ("El Capitan") or later, and is optional if you're running an older version of OS X.

In this folder:

/System/Library/Frameworks

there may be an item named exactly

v.framework

or else an item named

something.framework

Again, something is the same string as before.

This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

6. If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

7. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

You may have installed ad-injection malware ("adware").

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

A

"MacKeeper" is a scam with only one useful feature: it deletes itself.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

Note: These instructions apply to the version of the product that I tested in early 2012. I haven't tested other versions, but so far I've had no reports of failure, and the issue comes up often.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

Please back up all data before making any changes.

In the Finder, select

Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

B

Below is a suggested procedure to inactivate the malware you installed.

Please back up all data before making any changes.

The numbers refer to the items in the screenshots, in the order shown. Use the screenshots as a guide. #1 would be the topmost item, #2 the one below, and so on.

The names in quotes refer to malware types, not to the names of the files. Don't expect the files to have similar names. For example, if you installed the "VSearch" malware, usually none of the files will have the word "VSearch" in the name. Malware attackers don't make it that easy for you.

You may be prompted for your administrator name and/or password when you delete some of the files listed below, or you may be prompted to confirm because a file is locked.

In the folder arranged as shown in the first screenshot, delete these items:

#4 through #6 ("ZipCloud")

#8 ("Spigot")

#9 through #15 ("InstallMac")

Restart the computer. Until you've done that, the malware will still be active, even after you delete the files.

Uninstall any Safari extensions you don't know you need. If in doubt, remove all of them. None is needed for normal operation.

Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

Reset the Safari home page and search engine, if either was changed. You may need to do the same in the other browsers.

From the Applications folder (not shown in the screenshots), delete items with any of the following names:

InstallMac

JustCloud

ZipDevil

These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.

The instructions above apply only to you. I'm including more general—and complete—self-contained removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.

C (optional)

You installed the "Spigot" ad-injection malware. Please take the steps below to disable it.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be one or more files with a name beginning as follows:

com.spigot

Move all such items to the Trash.

Log out or restart the computer. Empty the Trash.

3. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need, including any with the word "Spigot" in the description. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

The trojan will now be inactive.

4. This step is optional. Do as in Step 1 with this line:

~/Library/Application Support

and delete an item named

Spigot

If it's present.

Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "MacUpdate," "Softonic," "CNET Download," or "SourceForge." Never visit any of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

D (optional)

You may have installed one or more variants of the "InstallMac" trojan. Please take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading to sort the contents by date. This will make related files easy to identify regardless of their names, because they will have the same modification date.

2. Inside the folder you just opened, there may be files with a name of any of these forms:

something.AppRemoval.plist

something.download.plist

something.ltvbit.plist

something.notification.plist

something.update.plist

Here something is usually a meaningless string, such as any of the following:

Epolife

InstallMac

Javeview

Kuklorest

Manroling

Otwexplain

These are examples, not a complete list. The string could be anything, and there could be more than value of something. Look for a cluster of files with the same modification date that fit the description.

Lately, the "InstallMac" attacker has been scrambling the strings "AppRemoval," "download," "ltvbit," and "update" in the names of his files. For example, you might see file names such as these, instead of the above:

something.AppVemoral.plist

something.dolnwoad.plist

something.btvlit.plist

something.uadpte.plist

You could have more than one copy of the malware, with different values of something.

Move all such items to the Trash. If there are any other files with a name that begins with something, move those to the Trash also. You may get a warning that some of the files are locked; delete them anyway.

After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan should now be inactive.

3. This step is optional. Open the following folder as in Step 1:

~/Library/Application Support

and move to the Trash any subfolders with the name something that you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item named something, or "Zip Devil," or with any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

You may get an alert that the item is locked. Confirm that you want to move it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

E (optional)

"ZipCloud," sometimes named "JustCloud," is purportedly a cloud-storage client that either is, or is closely associated with, malware.

To remove ZipCloud, please start by backing up all data (not with ZipCloud itself, of course.)

This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Quit the "ZipCloud" or "JustCloud" application, if it's running, and drag it from the Applications folder to the Trash. Don't try to empty yet.

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents

Right-click or control-click the highlighted line and select

Services ▹ Open

from the contextual menu.* A folder named "LaunchAgents" should open.

In the folder, there may be one or more files with a name beginning as follows:

com.jdibackup.

Move all such files to the Trash.

Log out or restart the computer and empty the Trash.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

Hi - I had the same problem and it was not related to my proxy settings. They were all turned off. It was malware on my Macbook. The problem was solved in a minute using Malwarebytes free software. I would definitely recommend this approach. I tried everything possible before but this was the only solution that worked.

Thanks, this is helpful.

I have removed below 2 file & its working fine;

com.romanticisticUpd.plist &

com.tanzeb.plist.

I notice both filed created & modified in same day.