Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

I Believe My Mac Has Adware/Malware. Advice?

J

jason23432

macrumors newbie
Original poster
Dec 22, 2016
5
0
I have a 2016 MacBook Pro and use Safari. When using Safari, I frequently get redirected from a "good" website (it usually happens when I'm on CNN.com, but has happened elsewhere) to a website that says "alert, you have the yah.lover worm infection on your computer...call this number for help...blah...blah."

I realize that the yah.lover thing is BS and I'm not concerned I have that. Obviously I haven't called the number. What I am concerned about is why I keep getting redirected to that scam website WITHOUT having clicked anything. That's what makes me think I'm infected with some sort of adware/malware.

I've installed and ran malwarebytes, but it found nothing.

Yet, I keep getting redirected to that scam virus website. I don't understand why. It happens without me clicking anything.

I have no extensions installed in Safari. I have no programs installed except for Microsoft Office. I don't download porn/illegal copies of media. I clear contents/settings/history/cookies every time I'm redirected to the scam site.

Any advice?
 
Get an ad blocker. Will stop infected ads from being loaded.
 
NoBoMac said:
Get an ad blocker. Will stop infected ads from being loaded.
Click to expand...
I'd say this is more serious since the malware is already on his machine. The horse has left the barn. He or she will beed to either identify and eradicate the source of the malware or start fresh. A good test would be to create a new test user account, log in with that, and see if it still happens.
 
bopajuice said:
Cleared history and cookies?
Click to expand...

I close the Safari page and clear history/cookies each time the ad pops up (same ad every time), yet that hasn't worked.

barbu said:
Did you install anything other than office? Mackeeper by chance?
Click to expand...

I haven't knowingly installed anything else. Is a drive-by download a possibility. Certainly not Mackeeper, I know that program is trash.

NoBoMac said:
Get an ad blocker. Will stop infected ads from being loaded.
Click to expand...

I would agree with you except for that fact that this redirect has happened from CNN.com. That isn't exactly a shady website. Could they have been hacked?
[doublepost=1511321516][/doublepost]
barbu said:
I'd say this is more serious since the malware is already on his machine. The horse has left the barn. He or she will beed to either identify and eradicate the source of the malware or start fresh. A good test would be to create a new test user account, log in with that, and see if it still happens.
Click to expand...

The problem is that the redirects are too random/infrequent to test out easily. I guess I could create a new account and use it for several days and see what happens.

Also, if it's already on my computer why didn't Malwarebytes detect it?
 
How are you with the Terminal? If you can, open it up and run the following commands:

ls ~/Library/LaunchAgents

and

ls /Library/LaunchAgents

Paste the output here or PM me with the results if you prefer.
 
barbu said:
How are you with the Terminal? If you can, open it up and run the following commands:

ls ~/Library/LaunchAgents

and

ls /Library/LaunchAgents

Paste the output here or PM me with the results if you prefer.
Click to expand...

I've never used terminal before. But I copied and pasted them and hit enter. The only thing that appeared was "com.google.keystone.agent.plist"

ImBuz said:
I like this one https://www.malwarebytes.com/
Click to expand...

I downloaded it and ran the program. It didn't find anything.
 
IF MalwareBytes didn't find anything, I doubt you have either adware or malware.

I also agree with previous advice to install both adblocker and "anti-tracker" extensions.
I use the "Adblock Plus" and "Ghostery" extensions for Safari. Works for me.
 
Another couple of place to check:
Terminal.app >

ls /Library/LaunchDaemons

and

ls /Library/Application Support

paste output here.
 
If you only get this when in Safari (not in other browsers) then it is likely browser related. Usually the case.

If Safari only...look at Safari Preferences closely, especially Extensions and Plugins (in the websites tab). More info here.

If you see similar issues in other browsers, it is a global issue, not just in Safari. Could be something like DNS Cache poisoning.

Good right up here.
 
Last edited:
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back