I have adware (DoubleClick?) and can't get rid of it.

Discussion in 'OS X Yosemite (10.10)' started by Justgrant2009, Jun 28, 2016.

  1. Justgrant2009 macrumors newbie

    Joined:
    Jun 28, 2016
    #1
    As the title suggests, I have some kind of hijacking adware that is constantly trying to force a redirect. Fortunately, the pages it's trying to force redirect me to all have bad certificates, so I just hit "cancel" every time it tries, but that's really obnoxious when it's constantly doing that. It doesn't do it on EVERY site, (MacRumors is fine) but especially Google sites (and also a few others not owned by Google I've noticed, like my electricity company's site).

    It says things like "Safari can't verify the identity of the website '2507573.fls.doubleclick.net'". But the stuff before "doubleclick.net" is different on different websites.

    So I have a screenshot of it triggering when I even attempted to access the "DoubleClickbyGoogle.com" website that I'll attach.

    I got Ghostery to try to stop it, which it does a lot now, but it's not 100%, and I shouldn't need this plugin to stop it, because this is something that only just started happening in the last few days.

    Here's what Ghostery has to say about it:
    https://apps.ghostery.com/en/apps/doubleclick

    I've done a lot of researching and have found several forums (even here in MacRumors) about removing it, but NONE of them have helped. I'm still dealing with this mess... Any ideas (preferably free)? I'm pretty tech savvy so I'm not afraid to get back in the weeds to fix things... But I need a place to start.
     


  2. keysofanxiety macrumors 604

    keysofanxiety

    Joined:
    Nov 23, 2011
    #2
    Sorry to go through the obvious -- have you tried running MalwareBytes for Mac?
     
  3. Justgrant2009, Jun 28, 2016
    Last edited: Jun 28, 2016

    Justgrant2009 thread starter macrumors newbie

    Joined:
    Jun 28, 2016
    #3
    Yes, and MalwareBytes for Mac says it didn't find anything on my machine. Same with Symantec Endpoint Protection for Mac.

    By the way, when I went to MalwareBytes' website, I got another one of these redirects.
     


  4. keysofanxiety macrumors 604

    keysofanxiety

    Joined:
    Nov 23, 2011
    #4
    Could you check the time and date on your machine?
     
  5. Justgrant2009 thread starter macrumors newbie

    Joined:
    Jun 28, 2016
    #5
    Yes, they're correct. I have it set the time and date automatically using "Apple Americas/U.S. (time.apple.com.)".
     
  6. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #6
    Download and run the app Etrecheck. That will create an anonymized report showing everything running on your system, including any hidden launch items that may be causing this. Post the report here for us to take a look for you.
     
  7. Justgrant2009 thread starter macrumors newbie

    Joined:
    Jun 28, 2016
    #7
    EtreCheck version: 2.9.12 (265)

    Report generated 2016-06-28 10:54:46

    Download EtreCheck from https://etrecheck.com

    Runtime 2:01

    Performance: Excellent



    Click the [Support] links for help with non-Apple products.

    Click the [Details] links for more information about that line.

    Click the [Check files] link for help with unknown files.



    Problem: Other problem

    Description:

    Adware is hijacking my Safari Browser and redirecting me. I suspect the phrase “DoubleClick.net”



    Hardware Information:

    MacBook Pro (Retina, Mid 2012)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook Pro - model: MacBookPro10,1

    1 2.6 GHz Intel Core i7 CPU: 4-core

    16 GB RAM Not upgradeable

    BANK 0/DIMM0

    8 GB DDR3 1600 MHz ok

    BANK 1/DIMM0

    8 GB DDR3 1600 MHz ok

    Bluetooth: Good - Handoff/Airdrop2 supported

    Wireless: en0: 802.11 a/b/g/n

    Battery: Health = Normal - Cycle count = 57



    Video Information:

    Intel HD Graphics 4000

    NVIDIA GeForce GT 650M - VRAM: 1024 MB

    Color LCD 2880 x 1800

    Thunderbolt Display 2560 x 1440



    System Software:

    OS X Yosemite 10.10 (14A389) - Time since boot: about one day



    Disk Information:

    APPLE SSD SM512E disk0 : (500.28 GB) (Solid State - TRIM: Yes)

    EFI (disk0s1) <not mounted> : 210 MB

    Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

    Macintosh HD (disk1) / : 499.05 GB (175.41 GB free)

    Core Storage: disk0s2 499.42 GB Online



    USB Information:

    Apple, Inc. Keyboard Hub

    Logitech USB Receiver

    Apple Inc. Apple Keyboard

    Apple Inc. Apple Internal Keyboard / Trackpad

    Apple Inc. BRCM20702 Hub

    Apple Inc. Bluetooth USB Host Controller

    Apple Inc. FaceTime HD Camera (Built-in)

    Apple Inc. Apple Thunderbolt Display

    Apple Inc. Display Audio

    Apple Inc. FaceTime HD Camera (Display)



    Thunderbolt Information:

    Apple Inc. thunderbolt_bus

    Apple Inc. Thunderbolt Display



    Gatekeeper:

    Mac App Store and identified developers



    Unknown Files:

    /Library/LaunchDaemons/com.quest.rc.ipwatchd.plist

    /opt/quest/sbin/ipwatchd /opt/quest/sbin/dnsupdate

    /Library/LaunchDaemons/com.quest.vasd.plist

    /opt/quest/sbin/vasd -D -p /var/opt/quest/vas/vasd/.vasd.pid

    2 unknown files found. [Check files]



    Kernel Extensions:

    /Library/Application Support/Symantec/AntiVirus

    [loaded] com.symantec.kext.SymAPComm (100.1f1 - SDK 10.6 - 2016-06-28) [Support]



    /Library/Extensions

    [loaded] com.symantec.kext.internetSecurity (5.2.1 - SDK 10.6 - 2015-09-25) [Support]

    [loaded] com.symantec.kext.ips (3.5.1 - SDK 10.6 - 2015-09-25) [Support]

    [loaded] com.symantec.kext.ndcengine (1.0 - SDK 10.6 - 2015-09-25) [Support]



    /System/Library/Extensions

    [loaded] com.seagate.driver.PowSecDriverCore (5.2.6 (26925) - SDK 10.4 - 2015-09-25) [Support]

    [not loaded] com.wacom.kext.pentablet (Pen Tablet 5.3.5-4 - SDK 10.9 - 2015-09-25) [Support]



    /System/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

    [not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.2.6 (26925) - SDK 10.4 - 2014-08-15) [Support]

    [not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.2.6 (26925) - SDK 10.5 - 2014-08-15) [Support]

    [not loaded] com.seagate.driver.SeagateDriveIcons (5.2.6 (26925) - SDK 10.4 - 2014-08-15) [Support]



    System Launch Agents:

    [not loaded] 5 Apple tasks

    [loaded] 134 Apple tasks

    [running] 64 Apple tasks



    System Launch Daemons:

    [running] com.seagate.TBDecorator.plist (2013-10-11) [Support]

    [not loaded] 43 Apple tasks

    [loaded] 131 Apple tasks

    [running] 88 Apple tasks



    Launch Agents:

    [not loaded] com.adobe.AAM.Updater-1.0.plist (2016-05-05) [Support]

    [loaded] com.citrix.AuthManager_Mac.plist (2013-03-06) [Support]

    [running] com.citrix.ReceiverHelper.plist (2013-03-06) [Support]

    [running] com.citrix.ServiceRecords.plist (2013-03-06) [Support]

    [loaded] com.oracle.java.Java-Updater.plist (2013-05-08) [Support]

    [running] com.symantec.uiagent.application.plist (2014-09-12) [Support]

    [running] com.wacom.pentablet.plist (2014-08-20) [Support]

    [running] net.juniper.pulsetray.plist (2014-12-29) [Support]

    [loaded] org.macosforge.xquartz.startx.plist (2012-09-27) [Support]



    Launch Daemons:

    [loaded] com.adobe.SwitchBoard.plist (2013-08-05) [Support]

    [failed] com.adobe.fpsaud.plist (2016-04-15) [Support]

    [running] com.fitbit.galileod.plist (2012-10-05) [Support]

    [loaded] com.logmein.join.me.update-helper.plist (2014-09-12) [Support]

    [loaded] com.malwarebytes.HelperTool.plist (2016-06-28) [Support]

    [loaded] com.microsoft.office.licensing.helper.plist (2011-03-10) [Support]

    [loaded] com.oracle.java.Helper-Tool.plist (2013-05-08) [Support]

    [running] com.quest.rc.ipwatchd.plist (2013-05-07) [Support]

    [running] com.quest.vasd.plist (2013-02-10) [Support]

    [loaded] com.skype.skypeinstaller.plist (2016-01-22) [Support]

    [loaded] com.symantec.liveupdate.daemon.ondemand.plist (2014-09-12) [Support]

    [failed] com.symantec.liveupdate.daemon.plist (2014-09-12) [Support]

    [not loaded] com.symantec.sep.migratesettings.plist (2014-12-29) [Support]

    [running] com.symantec.sharedsettings.plist (2014-09-12) [Support]

    [running] com.symantec.symdaemon.plist (2014-09-12) [Support]

    [running] net.juniper.AccessService.plist (2014-12-29) [Support]

    [not loaded] net.juniper.UninstallPulse.plist (2014-12-29) [Support]

    [loaded] org.macosforge.xquartz.privileged_startx.plist (2012-09-27) [Support]



    User Launch Agents:

    [loaded] com.adobe.AAM.Updater-1.0.plist (2013-08-05) [Support]

    [loaded] com.adobe.ARM.[...].plist (2013-08-06) [Support]

    [loaded] com.adobe.ARM.[...].plist (2013-08-28) [Support]

    [loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (2015-11-17) [Support]

    [running] com.spotify.webhelper.plist (2016-06-13) [Support]



    User Login Items:

    iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

    Dropbox Application (/Applications/Dropbox.app)

    Content Manager Assistant Application (/Applications/CMA.app)



    Other Apps:

    [running] com.google.Chrome.56548

    [running] com.microsoft.Lync.98864

    [running] com.microsoft.Outlook.3724

    [running] com.microsoft.alerts.daemon.131524

    [running] com.microsoft.autoupdate.fba.98012

    [running] com.microsoft.outlook.databasedaemon.4860

    [running] com.wacom.ConsumerTouchDriver.92900

    [running] com.wacom.TabletDriver.9972

    [running] jp.co.scei.ContentManagerAssistant.189460

    [running] jp.co.scei.ContentManagerAssistant.Watcher.190028

    [loaded] 354 Apple tasks

    [running] 205 Apple tasks



    Internet Plug-ins:

    JavaAppletPlugin: Java 8 Update 66 build 17 (2016-01-07) Check version

    Unity Web Player: UnityPlayer version 5.3.5f1 - SDK 10.6 (2016-06-20) [Support]

    Default Browser: 600 - SDK 10.10 (2014-10-21)

    AdobeExManDetect: AdobeExManDetect 1.1.0.0 - SDK 10.7 (2014-12-22) [Support]

    Flip4Mac WMV Plugin: 3.2.0.16 - SDK 10.8 (2013-05-07) [Support]

    SlingPlayer: Unknown - SDK 10.8 (2014-03-28) [Support]

    AdobePDFViewerNPAPI: 11.0.15 - SDK 10.6 (2016-04-04) [Support]

    FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]

    Silverlight: 5.1.30514.0 - SDK 10.6 (2015-02-06) [Support]

    WacomTabletPlugin: WacomTabletPlugin 2.1.0.6 - SDK 10.9 (2014-11-20) [Support]

    Flash Player: 21.0.0.226 - SDK 10.6 (2016-04-22) Outdated! Update

    QuickTime Plugin: 7.7.3 (2014-10-21)

    CitrixICAClientPlugIn: 11.0.0 (2014-12-22) [Support]

    SharePointBrowserPlugin: 14.3.4 - SDK 10.6 (2013-05-07) [Support]

    AdobePDFViewer: 11.0.15 - SDK 10.6 (2016-04-04) [Support]

    MeetingJoinPlugin: Unknown - SDK 10.6 (2013-05-08) [Support]



    User internet Plug-ins:

    WebEx64: 1.0 - SDK 10.6 (2015-11-06) [Support]

    CitrixOnlineWebDeploymentPlugin: 1.0.105 (2013-04-25) [Support]

    DISH Anywhere Player: ECHO.2.13.0 (2014-07-09) [Support]

    Google Earth Web Plug-in: 7.1 (2013-10-07) [Support]



    Safari Extensions:

    AdBlock - BetaFish, Inc. - https://getadblock.com (2016-05-13)

    Adblock Plus - Eyeo GmbH - https://adblockplus.org/ (2016-06-01)

    Reddit Enhancement Suite - Steve Sobel - http://redditenhancementsuite.com/ (2014-12-30)

    Ghostery - GHOSTERY, Inc. - https://www.ghostery.com/ (2016-06-27)



    3rd Party Preference Panes:

    Citrix online plug-in (2009-09-11) [Support]

    Citrix ShareFile Sync (2013-01-06) [Support]

    Flash Player (2016-04-15) [Support]

    Flip4Mac WMV (2013-03-29) [Support]

    Java (2016-01-07) [Support]

    Seagate Dashboard for Mac OSX (2014-09-11) [Support]

    Symantec QuickMenu (2014-12-29) [Support]

    PenTablet (2014-11-20) [Support]



    Time Machine:

    Skip System Files: NO

    Auto backup: YES

    Volumes being backed up:

    Macintosh HD: Disk size: 499.05 GB Disk used: 323.64 GB

    Destinations:

    My Passport for Mac [Local]

    Total size: 999.83 GB

    Total number of backups: 66

    Oldest backup: 7/13/15, 1:11 PM

    Last backup: 6/27/16, 9:15 AM

    Size of backup disk: Adequate

    Backup size 999.83 GB > (Disk used 323.64 GB X 3)



    Top Processes by CPU:

    11% Google Chrome

    10% WindowServer

    5% Google Chrome Helper(4)

    4% kernel_task

    2% fontd



    Top Processes by Memory:

    1.27 GB kernel_task

    1.02 GB iPhoto

    803 MB com.apple.WebKit.WebContent(2)

    590 MB Google Chrome Helper(5)

    508 MB Safari



    Virtual Memory Information:

    5.51 GB Free RAM

    10.00 GB Used RAM (2.72 GB Cached)

    0 B Swap Used



    Diagnostics Information:

    Jun 27, 2016, 01:24:02 PM Self test - passed



    Standard users cannot read /Library/Logs/DiagnosticReports.

    Run as an administrator account to see more information.
     
  8. Weaselboy, Jun 28, 2016
    Last edited: Jun 28, 2016

    Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #8
    Nothing that is malware/adware is jumping out at me there, but you have a LOT of third party processes running there. The section I quoted here looks like some kind of DNS redirect service, and I'm wondering if that could be causing this.

    Also, I'm curious if that Juniper Pulse stuff could be causing trouble. It looks like a network access control process.

    You also might try ditching all that Symantec stuff as that also intercepts Internet traffic.

    Can you shed any light here on why these things are installed or if you installed them?

    How about just as a test, reboot and hold down the shift key at startup to boot to safe mode. That will stop ALL these processes from running. See if that stops the redirects. If that does, that proves it is one of these startup or launch items in the Etrecheck report. Then it is a matter of removing them until you find the culprit.
     
  9. Justgrant2009 thread starter macrumors newbie

    Joined:
    Jun 28, 2016
    #9
    I can give that a shot and also try removing those launch items (the Quest stuff I have no clue about).

    Symantec is installed because my company requires it, and Junos Pulse is a VPN tool I use. This is a company computer; however, I'm the only Mac user in the company, so IT will not support me in any problems I encounter. That's something I've always been ok with since I'm usually very good with managing my own troubleshooting and repairs.

    I'll try removing those unknown quest files and then also do a safe mode test. Good ideas! Thanks! I'll let you know how it goes!
     
  10. Justgrant2009 thread starter macrumors newbie

    Joined:
    Jun 28, 2016
    #10
    Ok, so it turns out that it may not be adware. I just checked with a few colleagues here and even they're getting the same issue with the bad certificates for DoubleClick.net, and they're on PCs. I checked with one of our IT members and he's looking into it now (since it affects the PCs). As I said before, being the Mac user, I'm expected to troubleshoot my own issues, but if it's a threat to the PC users in the company, they need to find a resolution before the not-so-tech-savvy do something bad.

    I'll keep this thread updated as I learn more. In the meantime, thank you for the support Weaselboy, you've been very helpful!
     
  11. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #11
    Not related to your original question, but you really should update your operating system to 10.10.5 and install the security updates that follow. 10.10, which you are running now, is seriously out of date and far less stable than 10.10.5.
     
  12. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #12
    Here is how to get rid of doubleclick.net ads permanently:

    Download the freeware TextWrangler: http://www.barebones.com/products/textwrangler/download.html

    (You may have to change your Mac Security settings to allow downloads from "All")

    Put TextWrangler into your Applications folder and keep the Application folder open on your desktop so you can see the TextWrangler icon.

    Click on the desktop to make sure you are in Finder. Then pull down the Go menu to Go To Folder and type the following line in and hit return:

    /etc

    In that folder, you will find a file called "Hosts". Drag and drop it onto the TextWrangler icon. The Hosts file should open in TextWrangler and look like this:

    ##
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost

    Just before the line that says ::1 localhost, add a line that reads

    0.0.0.0 doubleclick.net

    so that your hosts file now looks like this:

    ##
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    0.0.0.0 doubleclick.net
    ::1 localhost
    fe80::1%lo0 localhost

    Save the file (you will be asked for your administrative password). Close TextWrangler. Restart your computer.

    Now you should be unable to reach any doubleclick.net page in any browser.
     
  13. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #13
    Entries in the hosts file are not global by domain but instead are specific to one hostname. You would need to enter every doubleclick.net host in there for this to work.
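
Added example (not part of the thread, and not code from any poster): a small Python parser that applies the hosts file's exact-name matching to the file from post #12, showing that the `0.0.0.0 doubleclick.net` line does not cover the `2507573.fls.doubleclick.net` host from post #1. The function names and the sample file are constructed for illustration.

```python
"""Which names does an /etc/hosts file actually override? (added example)"""

# Constructed sample: the hosts file from post #12 after the suggested edit.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 doubleclick.net   # the line added in post #12
::1 localhost
fe80::1%lo0 localhost
"""


def parse_hosts(text):
    """Return {hostname: [addresses]} using the file's per-hostname semantics."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        address, *names = line.split()       # one address, any number of aliases
        for name in names:
            key = name.lower().rstrip(".")
            table.setdefault(key, []).append(address)
    return table


def hosts_lookup(table, hostname):
    """Exact, case-insensitive match only: no wildcard or parent-domain match."""
    return table.get(hostname.lower().rstrip("."), [])


def uncovered(table, hostnames):
    """Names the hosts file does not override, so they still go to DNS."""
    return [h for h in hostnames if not hosts_lookup(table, h)]


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    # The second name is the host quoted in post #1; the third is a case variant.
    seen = ["doubleclick.net", "2507573.fls.doubleclick.net", "DoubleClick.NET"]
    for name in seen:
        print(name, "->", hosts_lookup(table, name) or "not in hosts file")
    print("still resolved via DNS:", uncovered(table, seen))
```

Feeding `uncovered()` the hostnames that actually appear in the certificate warnings shows which of them a hosts-file entry would leave untouched.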
     
