Resolved Help - Rocket Tab/MegaOffers malware on Chrome for Mac OS X

Discussion in 'Mac Basics and Help' started by bijtis, Mar 31, 2017.

  1. bijtis macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
    #1
    Hey all,

    I've somehow managed to infect my MBP with software that randomly opens new tabs and pop-up windows in Chrome, as well as embedding fake ads at the top of google search pages, usually marked "Rocket Tab by MegaOffers" or something similar.

    I'm obviously concerned for the wider security risk this poses, but I don't know where to start with its removal. Google searches on the subject produce a number of dubious-sounding solutions, which may or may not be promoted by the virus itself.

    The same behaviour isn't replicated in other browsers, e.g. Safari, so it's latched onto Chrome in particular, but I can't see any odd extensions or plugins/apps. I installed AVG to scan my system and it turned up nothing, and a search of my system turned up nothing for "MegaOffers" or "Rocket Tab".

    Can anyone help me find and remove this malware?

    Thanks in advance.
     
  2. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
    #3
    Thanks, but it did not. It found and removed Spigot, but after restarting, the same behaviour persists.
     
  3. keysofanxiety macrumors 604

    keysofanxiety

    Joined:
    Nov 23, 2011
    #4
    We'll try the nuclear option then. Drag Chrome into AppCleaner: https://freemacsoft.net/downloads/AppCleaner_3.4.zip

    Delete all related files, restart, reinstall Chrome.
     
  4. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
    #5
    Still no use... thanks for the suggestions so far though.
     
  5. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #6
    If you have Chrome sync set up it's going to re-add extensions when you re-install Chrome. Double-check the extensions and other advanced settings.

    Check your Applications folder for any spurious apps you don't recognize, also.
     
  6. ApfelKuchen macrumors 68030

    Joined:
    Aug 28, 2012
    Location:
    Between the coasts
    #7
    If MalwareBytes didn't get it, it's very likely this is due to an Extension (MalwareBytes doesn't clean Extensions). Also, check your settings for the default home page and search engine.
     
  7. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
    #8
    Nothing suspicious whatsoever in my Applications folder, and when I check out chrome://extensions I'm redirected to chrome://apps, which then forces me to go to the Chrome web store to check my extensions. In any case the only two I have are ABP and Go****ingWork - or at least they are the only two listed.

    I logged into my Google account through Safari to see if there were any odd services attached to my account, but there was nothing at all.

    Nothing is out of place in my Chrome settings, no weird toolbars or anything installed.

    The unwanted activity is spreading to other sites, with obviously non-kosher ads appearing on websites that I know don't have any advertising. I'm increasingly concerned about the safety of my personal information. Anyone have any other ideas?
     
  8. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #9
    Confirm that your System Preferences>Network>Advanced>DNS looks OK.
     
  9. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
  10. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
  11. satcomer macrumors 603

    satcomer

    Joined:
    Feb 19, 2008
    Location:
    The Finger Lakes Region
    #12
    Change the DNS to Google DNS or OpenDNS!
     
  12. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #13
    Give removing Chrome and its system stuff a try again.

    Applications/Google Chrome

    In user folder:

    ~/Applications/Chrome Apps
    ~/Library/Application Support/Google
    ~/Library/Google

    Then reinstall. Don't log back into Google and don't add any extensions. Test.
     
  13. Fishrrman macrumors G4

    Joined:
    Feb 20, 2009
    #14
    Well, you could always just dump Chrome completely… ;)
     
  14. bijtis thread starter macrumors newbie

    bijtis

    Joined:
    Jan 22, 2016
    #15
    Tested, worked, logged back into google, still worked. I had forgotten the extent to which application files persist in hidden folders after "uninstalling". Thanks for your help, Brian!

    I wish! I've become so reliant on many of its features... maybe next time I have a couple of weeks off to reorganise my entire... well, life!

    Thanks for the input everybody!
     
  15. xanthropod macrumors newbie

    xanthropod

    Joined:
    Nov 4, 2017
    #16
    AHH this thread is old now, but I'm having the same problem. I'm not super computer savvy, so do you mind giving the "dummies" version of this solution? Do I go to "Go-->Go to Folder" and then paste the above three things into the search bar? And if so, once I find those things, do I just delete everything in them? Any help is so appreciated. This is making my computer (and me) miserable.
     
  16. BrianBaughn macrumors 601

    BrianBaughn

    Joined:
    Feb 13, 2011
    Location:
    Baltimore, Maryland
    #17
    Quit and delete the Google Chrome app.
    1. Go to Folder>~/Applications/Chrome Apps and delete everything in there (you can re-add later if you need to)
    2. Go to Folder>~/Library/Application Support/Google and delete the "Chrome" folder
    3. Go to Folder>~/Library/Google and delete everything in there
    Use another browser to re-download and install Google Chrome.
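
Added example, not part of any poster's reply: a shell sketch of the cleanup described in posts #13 and #17. It first lists the extensions present in the Chrome profile on disk (useful when chrome://extensions cannot be reached, as in post #8), then moves the three locations aside instead of deleting them. The function names, the `inventory`/`quarantine` arguments and the quarantine folder name are assumptions of this example; `Extensions/<id>/<version>/manifest.json` is Chrome's standard profile layout.

```shell
#!/bin/sh
# Added example (not from the thread). Quit Chrome before using "quarantine".
# ROOT is a home directory, normally "$HOME".

# Print one tab-separated line per installed extension found on disk:
# profile, extension ID, version directory, name from manifest.json.
chrome_ext_inventory() {
    root=$1
    for m in "$root/Library/Application Support/Google/Chrome"/*/Extensions/*/*/manifest.json; do
        [ -f "$m" ] || continue            # glob matched nothing
        ver_dir=$(dirname "$m")
        id_dir=$(dirname "$ver_dir")
        profile_dir=$(dirname "$(dirname "$id_dir")")
        # Heuristic: first line-leading "name" key. Localized manifests show
        # a placeholder such as __MSG_appName__ instead of the display name.
        name=$(sed -n 's/^[[:space:]]*"name"[[:space:]]*:[[:space:]]*"\([^"]*\)".*$/\1/p' "$m" | head -n 1)
        printf '%s\t%s\t%s\t%s\n' "$(basename "$profile_dir")" \
            "$(basename "$id_dir")" "$(basename "$ver_dir")" "${name:-(name not parsed)}"
    done
}

# Move the locations named in the thread under DEST rather than deleting them,
# keeping relative paths so they can be inspected or restored.
# Prints how many locations were moved.
chrome_quarantine() {
    root=$1 dest=$2 moved=0
    for rel in "Applications/Chrome Apps" \
               "Library/Application Support/Google/Chrome" \
               "Library/Google"; do
        [ -e "$root/$rel" ] || continue
        mkdir -p "$dest/$(dirname "$rel")"
        mv "$root/$rel" "$dest/$rel"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Nothing runs unless an action is given on the command line.
case "${1:-}" in
    inventory)  chrome_ext_inventory "$HOME" ;;
    quarantine) chrome_quarantine "$HOME" "$HOME/chrome-quarantine-$(date +%Y%m%d%H%M%S)" ;;
esac
```

An extension ID in the inventory that does not match anything you knowingly installed is the entry to look up before reinstalling or re-enabling sync.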
     
