How to remove ad pop ups

I have been getting pop up ads from pages that say "advance mac cleaner", "free rewards" and some survey ones as well. It started last week after I mistakenly clicked on a pop up that either said my Flash was out of date or it was an Adobe update. The ads started that day. I use Safari almost exclusively but do have Chrome installed. When I checked Chrome the page that loaded was Chumsearch.com. That was never my home page for Chrome. I checked my applications folder and there was something in there called Coupon something and I believe MacOptimizer. I trashed those but am still having the pop up problem. I downloaded Malwarebytes, ran the scan and deleted the things it found yet I still have the pop ups. I'm assuming I've installed some adware that I didn't know I was doing. My iMac says I am running OS X El Capitan 10.11.6 and Safari says I am running version 10.0.1.

Can anyone please help me? I am not tech savvy at all.

VIN, iMac (21.5-inch Mid 2010), OS X El Capitan (10.11.6)

Posted on Nov 29, 2016 3:13 PM


Dec 2, 2016 2:37 PM in response to klsaxt

Fixes for Adware and Pop-ups


  1. Malwarebytes
  2. DetectX 2.11
  3. Remove adware that displays pop-up ads and graphics on your Mac
  4. Stop pop-up ads and adware in Safari - Apple Support


[Please ignore remarks such as "Don't use any kind of "anti-virus" or "anti-malware" product on a Mac." Such remonstrations are an exaggeration. They may be needed in some situations, but need not be installed or used for all circumstances. Furthermore, adware removal programs make the job of removal much easier. They require no permanent installation to remove adware or other types of malware. They do no damage, and they don't make you more vulnerable to attack.]


Fixing Safari from Pop-ups

[The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.]


Fix Some Browser Pop-ups That Take Over Safari


Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phoney message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also, understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.


Quit Safari


Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + ESC, select Safari, and press Force Quit.


Relaunch Safari


If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.


This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious web page, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.

Nov 30, 2016 12:18 PM in response to thomas_r.

I just screenshotted the one that just popped up--picture is below. I had one pop up a while ago that said "Flash update". The web address was not Adobe--it was some random sounding thing. I closed that window.


Under the Home->Library->LaunchAgents category there is something called "com.trt.opaoc.plist". When I click on it the log opens and the date on it is Wednesday, November 23, 2016 at 3:45 PM. The log I found for MacOptimizer is dated Wednesday, November 23, 2016 at 3:46 PM---1 minute before. Is this txt.opaoc thing the problem?


User uploaded file

Nov 30, 2016 1:27 PM in response to thomas_r.

They are pages that just pop up over the page I am on while using Safari. There is no rhyme or reason to when they pop up. I have been on many different websites when they pop up.....Apple, Facebook, Bing, Pinterest, etc, etc.


Another one just popped up. I screenshotted the page (first picture below). The second picture is a screenshot of when I clicked on the lock button in the address bar. The third picture is when I clicked the "show certificate". The fourth picture shows a partial list of DNS Names that sound like malware/spam/whatever you want to call it.


Is there any relation to what I wrote in the reply before this one---


Under the Home->Library->LaunchAgents category there is something called "com.trt.opaoc.plist". When I click on it the log opens and the date on it is Wednesday, November 23, 2016 at 3:45 PM. The log I found for MacOptimizer is dated Wednesday, November 23, 2016 at 3:46 PM---1 minute before. Is this txt.opaoc thing the problem?


User uploaded file

User uploaded file

User uploaded file

User uploaded file

Nov 30, 2016 2:26 PM in response to thomas_r.

Let me try trashing the "com.trt.opaoc.plist" from the Launch Agent thing. Before I do though, you said that txt.com seems to be a legit site. I don't know what site that is so I don't know what it's for or if I have anything from txt.com installed. It just seems suspicious to me that the log for this in that folder is time stamped just one minute before the MacOptimizer log is time stamped. As in did this "com.trt.opaoc.plist" thing install the MacOptimizer on my computer that caused all the pop up ads? It is the same day and general time that I mistakenly clicked on the flash update box that popped up.


Here is a screenshot of the log from it-


User uploaded file

Dec 2, 2016 2:31 PM in response to thomas_r.

I have Time Machine backups on my Mac but where I found the info I wrote above was by going into the FreeAgent GoFlex external hard drive tab in the Finder. I clicked on the day it happened and typed in FlashPlayer.dmg into search. Two files come up. I clicked "Get info" on each file. The first one (first pic below) said it was created on November 18. The second one said it was created on July 6.....so I guess I had this thing in my computer for longer than I thought.


Under the "More info" section for each one of these is a long http that says "makeymcmacface.com".


I don't know how to restore the files to my desktop. Could you please help me with this? I appreciate all the help I'm receiving here! 😕


User uploaded file User uploaded file

Nov 30, 2016 11:45 AM in response to klsaxt

The com.valvesoftware.steamclean.plist file was not causing the problem. That's legit software that doesn't display these kinds of pop-up ads. I've actually got that installed on one of my own Macs here, so I can speak from experience.


The com.imobie.silentcleanserver.plist I'm suspicious of. I don't generally have a high opinion of the kind of products iMobie sells, but have yet to critically examine their products for evaluation as possible PUPs (potentially unwanted programs). I'd recommend deleting that file and restarting your computer, if you haven't already done so. (If you need help finding that file, let me know.)


If removing that doesn't make a difference, can you provide a screenshot of one of these pop-ups? Make a screenshot by following the directions here:


http://support.apple.com/kb/HT5775


Attach the screenshot file, which will be found on the desktop, to a reply to this message.
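
An added example, not part of the thread and not written by any of its posters: the replies judge launch agents by file name alone, whereas the plist itself records what launchd is told to run, and its modification time can be lined up against a known event such as the 3:46 PM MacOptimizer log mentioned elsewhere in the thread. The function names, the `com.example.*` files and their contents are constructed for illustration; only the reference time is taken from the thread.

```python
import os
import plistlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def audit_launch_agents(directory, reference=None, window=timedelta(minutes=10)):
    """Summarise every .plist in a LaunchAgents folder.

    Each record shows what launchd is told to run and when the file last
    changed. With `reference` set, files modified within `window` of it
    are flagged so they can be lined up against a known event.
    """
    records = []
    for path in sorted(Path(directory).glob("*.plist")):
        modified = datetime.fromtimestamp(path.stat().st_mtime)
        record = {"file": path.name, "modified": modified, "near_reference": False}
        if reference is not None:
            record["near_reference"] = abs(modified - reference) <= window
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)  # reads XML and binary plists
            if not isinstance(job, dict):
                raise ValueError("top-level object is not a dictionary")
        except Exception as exc:  # unreadable or malformed: report it, keep going
            record["error"] = f"{type(exc).__name__}: {exc}"
            records.append(record)
            continue
        # ProgramArguments is the argv; a job may instead name only Program.
        command = job.get("ProgramArguments") or ([job["Program"]] if "Program" in job else [])
        record.update(
            label=job.get("Label"),
            command=[str(part) for part in command],
            run_at_load=bool(job.get("RunAtLoad", False)),
            start_interval=job.get("StartInterval"),
        )
        records.append(record)
    return records


def build_sample_folder(root):
    """Constructed sample data: two made-up agents and one corrupt file."""
    samples = {
        "com.example.updater.plist": (
            {"Label": "com.example.updater", "RunAtLoad": True, "StartInterval": 3600,
             "ProgramArguments": ["/Users/demo/Library/Application Support/updater/run", "--quiet"]},
            datetime(2016, 11, 23, 15, 45)),
        "com.example.sync.plist": (
            {"Label": "com.example.sync", "Program": "/Applications/Sync.app/Contents/MacOS/agent"},
            datetime(2015, 2, 13, 9, 0)),
    }
    for name, (job, when) in samples.items():
        target = Path(root) / name
        with target.open("wb") as fh:
            plistlib.dump(job, fh)
        os.utime(target, (when.timestamp(), when.timestamp()))
    (Path(root) / "com.example.broken.plist").write_bytes(b"not a plist")
    return root


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        build_sample_folder(folder)
        event = datetime(2016, 11, 23, 15, 46)  # MacOptimizer log time given in the thread
        for row in audit_launch_agents(folder, reference=event):
            flag = "NEAR EVENT" if row["near_reference"] else ""
            print(row["file"], row["modified"], row.get("command", row.get("error")), flag)
```

On a real Mac the same function can be pointed at `~/Library/LaunchAgents`; a file whose command points into `Application Support` or a hidden folder and whose timestamp sits next to the install event is the one to examine first.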

Dec 2, 2016 1:48 PM in response to klsaxt

These files can't spread and get installed by themselves. If you have a Time Machine backup, they will be in there, but that's really not a danger... you'll have a newer, clean state stored in the backups at this point, so as long as you don't do a full-system restore from one of the backups made while you were infected, you're fine, and even if you did that, you could remove the adware again with a quick Malwarebytes scan now.


If you've got a Time Machine backup, though, could you look in there on the day those files were created and see if you can find some kind of fake Flash Player installer in whatever folder your downloads go into? Most likely, it will be a file named FlashPlayer.dmg, or something similar.


If you find something like that in your backups, it would be very helpful if you could:


  1. Restore that file to your desktop (don't worry, there's no danger as long as you don't open it)
  2. Go to VirusTotal (https://virustotal.com)
  3. Upload that installer to VirusTotal
  4. Copy the address of the analysis page that loads once VirusTotal is done, and post that address here


If you can't find it, no big deal.... I'm sure we'll find it in the wild sooner or later.

Nov 29, 2016 6:59 PM in response to Kappy

Kappy,


Thank you. I did everything you said except turning off the WiFi/disconnecting Ethernet. I have to figure out how to do that. The pop ups are still there. The DetectX scanner did not find anything. Is this adware that has infiltrated my Mac? Is it harmful to my computer or my files and will it steal personal info?

Nov 29, 2016 9:08 PM in response to Kappy

I turned the WiFi off and the ads are still there after following your directions above. It doesn't matter what website I am at--the ads keep popping up. They pop up when I am on this Apple forums page. They didn't start occurring until right after I clicked that update by mistake last week. Where would I find an ad blocker extension at?

Nov 30, 2016 5:29 AM in response to klsaxt

If you're getting ads on this site, an ad blocker will not help. At best, it will cover up the problem without solving it in any way.


You said DetectX didn't find anything, but did you try Malwarebytes Anti-Malware for Mac? If not, try that now.


If you did and it didn't find anything, open Malwarebytes Anti-Malware and choose Take System Snapshot from the Scanner menu, in the menu bar at the top of the screen. Select all the text in the window that opens, copy it and paste it into a message here.

Nov 30, 2016 8:25 AM in response to thomas_r.

I downloaded and ran Malwarebytes Anti-Malware for Mac first, before the DetectX one. Ran the scan and it found some problems, which I trashed. All the subsequent scans with Malwarebytes have said no problems. I ran another scan a few minutes ago and it's below. I do see something called "imobiesilentcleanserver.plist" in the user launch agents. I had the Phone Clean app on my Mac but I trashed it before I ran this scan. I restarted the computer and ran another scan and it's still showing. The pop ups were showing up on my computer before I put the Phone Clean app on it. I also see a "valve software.steamclean.plist" on there too. My son had a game called Steam on his user name that I forgot about. I trashed that too yesterday.


Malwarebytes Anti-Malware 1.2.5.715 system report - November 30, 2016 at 11:07:20 AM EST

Mac OS X version Version 10.11.6 (Build 15G1108)

System uptime: 0d 00:06:14

Helper tool version: 1.2.5.715

Signatures version: 145


Safari extensions

-----------------------


Chrome extensions

-----------------------

klsaxt

Default

Name: Google Docs

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/aohghmighlieiainnegkcijnfilokake

Modified: 2015-02-13 01:07:57 +0000


Name: Google Drive

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/apdfllckaahabafndbhieahigkjlhalf

Modified: 2015-11-18 06:24:53 +0000


Name: YouTube

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/blpcfgokakmgnkcojhhkbfbldkacnbeo

Modified: 2015-11-18 06:24:53 +0000


Name: Google Search

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/coobgpohoikkiipiblmjeljniedjpjpf

Modified: 2015-11-18 06:24:53 +0000


Name: Google Docs Offline

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/ghbmnnjooekpmoecnnnilnnbdlolhkhi

Modified: 2016-04-17 21:42:52 +0000


Name: Chrome Web Store Payments

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/nmmhkkegccagdldgiimedpiccmgmieda

Modified: 2016-04-17 21:42:52 +0000


Name: Gmail

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/pjkljhegncpnkpknbcohdijeoejaedia

Modified: 2015-08-17 06:21:34 +0000


Name: Chrome Media Router

Path: /Users/klsaxt/Library/Application Support/Google/Chrome/Default/Extensions/pkedcjkdefgpdelpbcmbmeomcjbeemfm

Modified: 2016-11-07 01:35:55 +0000



Firefox extensions

-----------------------


User Login Items

-----------------------

User: klsaxt

Name: iTunesHelper

Path: /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app


Name: apple-scc-20140421-194649

Path: (null)


Name: TomTomHOMERunner

Path: /Users/klsaxt/Library/Application Support/TomTom HOME/TomTomHOMERunner.app


Name: apple-scc-20160502-175651

Path: (null)



System startup items

-----------------------


User launch agents

-----------------------

/Users/klsaxt/Library/LaunchAgents/.DS_Store

/Users/klsaxt/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

/Users/klsaxt/Library/LaunchAgents/com.google.keystone.agent.plist

/Users/klsaxt/Library/LaunchAgents/com.imobie.silentcleanserver.plist

/Users/klsaxt/Library/LaunchAgents/com.trt.opaoc.plist

/Users/klsaxt/Library/LaunchAgents/com.valvesoftware.steamclean.plist


System launch agents

-----------------------

/Library/LaunchAgents/com.amazon.sendtokindle.launcher.plist


System launch daemons

-----------------------

/Library/LaunchDaemons/com.malwarebytes.HelperTool.plist

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist


Kernel extensions

-----------------------

/System/Library/Extensions/EPSONUSBPrintClass.kext

/Library/Extensions/ACS6x.kext

/Library/Extensions/ArcMSR.kext

/Library/Extensions/ATTOCelerityFC8.kext

/Library/Extensions/ATTOExpressSASHBA2.kext

/Library/Extensions/ATTOExpressSASRAID2.kext

/Library/Extensions/CalDigitHDProDrv.kext

/Library/Extensions/HighPointIOP.kext

/Library/Extensions/HighPointRR.kext

/Library/Extensions/hp_io_enabler_compound.kext

/Library/Extensions/PromiseSTEX.kext

/Library/Extensions/SoftRAID.kext


launchd.conf contents

-----------------------



Hosts file

-----------------------

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting. Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1 localhost

fe80::1%lo0 localhost



Scan log

-----------------------

2016-11-26 16:17:48 :

2016-11-26 16:17:49 : ----- Scan Started -----

2016-11-26 16:17:49 : Scanning with signatures version 145 (2016-11-23)

2016-11-26 16:19:06 : Adware.Vidx/MacVX : /Users/klsaxt/Library/Application Support/osxDownloader

2016-11-26 16:19:09 : Adware.Crossrider : /Users/klsaxt/Library/LaunchAgents/com.MyUpdater.agent.plist

2016-11-26 16:19:09 : Adware.Crossrider : /Applications/MyUpdater/

2016-11-26 16:19:09 : Adware.Crossrider : /Users/klsaxt/Library/Safari/Extensions/chumsearch.safariextz

2016-11-26 16:19:22 : PUP.Mac Optimizer : /Users/klsaxt/Library/MacOptimizer

2016-11-26 16:19:22 : PUP.Mac Optimizer : /Users/klsaxt/Library/Application Support/MacOptimizer

2016-11-26 16:19:22 : PUP.Mac Optimizer : /Users/klsaxt/Library/Application Support/mopt

2016-11-26 16:19:22 : PUP.Mac Optimizer : /Users/klsaxt/Library/LaunchAgents/com.mopt.hmopt.plist

2016-11-26 16:19:24 : *** Scan time: 0d 00:01:34 ***

2016-11-26 16:19:24 : ------ Scan Ended ------

2016-11-26 16:20:21 : Removing detected threats...

2016-11-26 16:20:21 : Removing Item: /Users/klsaxt/Library/Application Support/osxDownloader

2016-11-26 16:20:21 : Removing Item: /Users/klsaxt/Library/LaunchAgents/com.MyUpdater.agent.plist

2016-11-26 16:20:21 : Removing Item: /Applications/MyUpdater/

2016-11-26 16:20:22 : Removing Extension Item: /Users/klsaxt/Library/Safari/Extensions/chumsearch.safariextz

2016-11-26 16:20:22 : Removing Item: /Users/klsaxt/Library/MacOptimizer

2016-11-26 16:20:22 : Removing Item: /Users/klsaxt/Library/Application Support/MacOptimizer

2016-11-26 16:20:22 : Removing Item: /Users/klsaxt/Library/Application Support/mopt

2016-11-26 16:20:22 : Removing Item: /Users/klsaxt/Library/LaunchAgents/com.mopt.hmopt.plist

2016-11-26 16:20:23 : ---- Threat Removal Complete ----

2016-11-26 16:21:40 : ===== Attempting restart =====

2016-11-26 16:29:49 :

2016-11-26 16:29:50 : ----- Scan Started -----

2016-11-26 16:29:50 : Scanning with signatures version 145 (2016-11-23)

2016-11-26 16:31:09 : *** Scan time: 0d 00:01:19 ***

2016-11-26 16:31:09 : ------ Scan Ended ------

2016-11-27 12:14:37 :

2016-11-27 12:14:37 : ----- Scan Started -----

2016-11-27 12:14:37 : Scanning with signatures version 145 (2016-11-23)

2016-11-27 12:15:24 : *** Scan time: 0d 00:00:47 ***

2016-11-27 12:15:24 : ------ Scan Ended ------

2016-11-27 12:59:41 :

2016-11-27 12:59:42 : ----- Scan Started -----

2016-11-27 12:59:42 : Scanning with signatures version 145 (2016-11-23)

2016-11-27 13:00:28 : *** Scan time: 0d 00:00:46 ***

2016-11-27 13:00:28 : ------ Scan Ended ------

2016-11-28 11:56:53 :

2016-11-28 11:56:54 : ----- Scan Started -----

2016-11-28 11:56:54 : Scanning with signatures version 145 (2016-11-23)

2016-11-28 11:57:46 : *** Scan time: 0d 00:00:52 ***

2016-11-28 11:57:46 : ------ Scan Ended ------

2016-11-28 22:02:15 :

2016-11-28 22:02:16 : ----- Scan Started -----

2016-11-28 22:02:16 : Scanning with signatures version 145 (2016-11-23)

2016-11-28 22:03:03 : *** Scan time: 0d 00:00:47 ***

2016-11-28 22:03:03 : ------ Scan Ended ------

2016-11-29 12:42:57 :

2016-11-29 12:42:57 : ----- Scan Started -----

2016-11-29 12:42:58 : Scanning with signatures version 145 (2016-11-23)

2016-11-29 12:43:52 : *** Scan time: 0d 00:00:54 ***

2016-11-29 12:43:52 : ------ Scan Ended ------

2016-11-29 16:59:52 :

2016-11-29 16:59:53 : ----- Scan Started -----

2016-11-29 16:59:53 : Scanning with signatures version 145 (2016-11-23)

2016-11-29 17:00:44 : *** Scan time: 0d 00:00:50 ***

2016-11-29 17:00:44 : ------ Scan Ended ------

2016-11-30 10:50:48 :

2016-11-30 10:50:48 : ----- Scan Started -----

2016-11-30 10:50:48 : Scanning with signatures version 145 (2016-11-23)

2016-11-30 10:51:45 : *** Scan time: 0d 00:00:56 ***

2016-11-30 10:51:45 : ------ Scan Ended ------

2016-11-30 10:56:54 :

2016-11-30 10:56:55 : ----- Scan Started -----

2016-11-30 10:56:55 : Scanning with signatures version 145 (2016-11-23)

2016-11-30 10:57:57 : *** Scan time: 0d 00:01:02 ***

2016-11-30 10:57:57 : ------ Scan Ended ------

2016-11-30 11:06:07 :

2016-11-30 11:06:08 : ----- Scan Started -----

2016-11-30 11:06:08 : Scanning with signatures version 145 (2016-11-23)

2016-11-30 11:07:01 : *** Scan time: 0d 00:00:53 ***

2016-11-30 11:07:01 : ------ Scan Ended ------

Nov 30, 2016 10:24 AM in response to BDAqua

The ad pop ups are still there. I found a MacOptimizer log from last Wednesday, Nov. 23 (that day the pop up ads started--that same day I mistakenly clicked on the flash or adobe updater thing that just randomly popped up on my screen) in the Finder folder under my User Name (is this the home folder?)->Library->Logs->MacOptimizerlog. I looked through it and the log is very long. Was this log sent to MacOptimizer? Do they now know everything that's on my computer? I'm feeling sick. What do I do with this log?

Nov 30, 2016 1:55 PM in response to klsaxt

The trt.com website appears to be legit, belonging to a company with a number of different enterprise products. I doubt that is causing the problem, but it can't hurt to try removing it if you don't know what it's for and don't have anything from trt.com installed to your knowledge.


If that doesn't help, restart in recovery mode (by holding command-R at startup). Once in recovery mode, click the choice to Get Help Online, which will open a fresh copy of Safari. Do you see the same kinds of pop-ups while browsing in that copy of Safari in recovery mode? Or does the problem go away entirely and come back as soon as you reboot normally?
