rsdotscot

macrumors regular
Original poster
Feb 10, 2006
205
89
Scotland
Hi folks,

This is a two-day-old MacBook Pro, with Safari as the default browser. Whenever I open Google Chrome it's loading two spam URLs in Safari. I've disabled all Chrome extensions and run Malwarebytes Anti-Malware (no results), then deleted and reinstalled Chrome as per Google's instructions and it's still doing it.

Any ideas?


Cheers,
Rab
 
Are you having any issues with Safari?

Always the same two URLs when you launch Chrome? It may also help if you would tell us what those sites are that you consider spam.

Chrome (cause no harm!) may not be the friendliest browser you can use, although I typically use Canary, which is about two steps ahead on the beta chain in Google. I figure if you are going to use Chrome, then go all in at once :D

Of course, the "uninstall" instructions for Chrome leave a lot to be desired, and also leave various bits, such as Cache folders, and preference files. That would explain why there's little change after removing and reinstalling.

That all leads to the last question - Do you really need Chrome?

My last thought - if you must use the grand RAM eater Chrome, you could just make it as the default web browser for your OS X system. You can change the web browser in your System Preferences/General tab. (I have more than 20 apps in that list. :D )
 
The URLs being loaded are always different, and on occasion there's only one, but more often than not it's two. I haven't taken note of any of them at this point, but I'll close Safari and Chrome then reopen Chrome and see what it hits me with this time.

Canary looks interesting. I'm a developer myself so I'm surprised that this is the first I've seen it.

UPDATE: Here are the two URLs it loaded this time:
 
Canary did not find those sites without your help... (even if unintentional)

Chrome, and Chrome Canary have separate preference paths - so you have simply used the same site with Canary now that you used with Chrome. It's some site that has an active advertiser with crappy ethics. Just the state of the internet these days.
Likely the result of some site that you may use all the time, and Chrome/Canary lets it happen.

Have you noticed how those shopping links that you post take on the additional address of the page where they are posted? Seems a little intrusive to me. The link shows where it was posted. (and you just re-posted that shopping link, two of them, in fact) and you have now passed it on. thanks :D
You might clear this up by using one of the public DNS servers, like OpenDNS. That has options to pick up on some of those intrusive sites, and allow you to block them.
 
Well you did ask what the URLs were :p

It's very odd. I have Adblock Plus installed (which I disabled after this began, just in case it was a compromised copy and thus the root of the problem) and the tabs which open with Chrome are just the Google home page and Facebook. If it was a website that caused this, it's planted something in the browser so that there's no requirement to visit that site again, it just spams me.

I don't know what you mean about taking on the additional address of the page where they're posted. The links just have a language variable in the query string when I hover over them here.

Are you aware of any way that I can completely strip Chrome and Canary out of my machine without reinstalling OS X?
 
I've reset the settings on each of my Chrome profiles (within Canary) and there's no improvement.
 
It really sounds like you have an extension or helper that's been installed that's causing this to happen. Are you signed into Chrome at all? Doing so will sync extensions that might have been added even with a fresh install.

If you are signed in (and even if you're not):

  • Go to Chrome -> Preferences -> Extensions
  • Is there anything in this list that doesn't look like you've intentionally put it there, or know what it does?
  • If there is, remove it
  • Now the same thing with Safari: go to Safari -> Preferences -> Extensions and look to see if there are any add-ons installed. If you're not 100% sure what something is, remove it.
  • Now quit Chrome (and Safari for that matter) and remove Chrome's preferences and settings by following this guide
  • You could also delete the Chrome app once completed - then empty the bin
  • Next have a look in your System Preferences -> Users & Groups -> [user] -> Login items
  • Are there any apps in your user's login items that you don't recognise or know what they do? If there are, consider removing them from this list (by clicking the - button). Also consider deleting the app itself if you find something odd.


If that fails to do the trick I guess it's always possible that you may have an 'agent' running in the background responsible for the behaviour - open Terminal and run the command 'launchctl list' (without the ''); this will list out a load of entries. Most of these will start something like com.apple.xxxxx; however, if they start along the lines of com.xxxx (where xxxx is not apple) or just xxxx then it is likely a 3rd party bit of software running.
You might recognise the name, i.e. you might see com.evernote.Evernote.182644 if you have Evernote installed, and if you trust the source here you're probably fine.

If you still get the issues after removing the preferences and any bad startup items as described above it might be worth posting your results of the launchctl list command as the guys here might be able to help identify any rogue applications you may have running.
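
The label check described in the post above, as an added example that is not part of the original thread: a shell function that reads `launchctl list` output and prints only the entries whose label does not start with com.apple. The function names and the "wrapped" tag are assumptions of this example, and a label is whatever string the job's plist declares, so the prefix narrows the list but does not prove where a job came from.

```shell
#!/bin/sh
# Added example: triage `launchctl list` output by label prefix.
# Each input row is "PID Status Label"; PID is "-" when the job is loaded
# but not currently running. Labels may contain spaces.

# third_party_jobs: read `launchctl list` output on stdin and print
#   <state> TAB <status> TAB <label>
# for every job whose label does not start with "com.apple.".
# Labels under com.apple.xpc.launchd.oneshot.* are printed as "wrapped":
# their last component names the program being run (for example
# "Google Drive"), so the Apple prefix says nothing about the program.
third_party_jobs() {
    awk '
        $1 == "PID" && $2 == "Status" { next }   # header row
        NF < 3 { next }                          # blank or malformed row
        {
            pid = $1; status = $2
            # Everything after the first two columns is the label,
            # whether the columns are separated by tabs or by spaces.
            label = $0
            sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", label)

            state = (pid == "-") ? "loaded" : "running"
            if (label ~ /^com\.apple\.xpc\.launchd\.oneshot\./)
                print "wrapped\t" status "\t" label
            else if (label !~ /^com\.apple\./)
                print state "\t" status "\t" label
        }
    '
}

# sample_listing: a few rows in the same format, using labels that appear
# in the listing posted in this thread (trimmed for the example).
sample_listing() {
    printf '%s\t%s\t%s\n' \
        PID Status Label \
        227 0 com.apple.Finder \
        1477 0 com.alfredapp.Alfred.70180 \
        3454 0 "com.apple.xpc.launchd.oneshot.0x10000011.Google Drive" \
        - 0 org.openbsd.ssh-agent \
        - 0 com.fiplab.MemoryCleanHelper \
        - 0 com.spotify.webhelper \
        - 0 com.google.keystone.user.agent
}

# On a Mac the real input would be:  launchctl list | third_party_jobs
sample_listing | third_party_jobs
```

Each label that survives the filter still has to be matched to an app you installed on purpose; the filter only shortens the list to read.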
 
Try this:

http://www.thesafemac.com/arg-genieo/

If that doesn't work (it did for me on a 2010 MacBook Pro when I recently unintentionally installed Genieo on my computer) then try:

http://www.thesafemac.com/eliminating-browser-redirects-and-advertisements/

Thesafemac site itself is not great, but it has very good instructions to remove unwanted adware.
The author of that site is now affiliated with Malwarebytes,
https://www.malwarebytes.org/
and the free malware software available there does a great job of getting rid of those critters.

You might consider stripping Chrome completely and installing Chromium, a version without the tracking etc., that makes Chrome infamous. Otherwise it is exactly like Chrome, and can use all of the extensions in the Chrome store, and sync your bookmarks etc., if you have a Google account. Get Chromium here, http://www.freesmug.org/chromium and follow the link to the latest version 44.0.2403.125. Normally available on the SourceForge servers, they are now using a twitter link to the download, due to network issues. Using Chromium, I have not noticed any of the RAM hogging that many people complain about with Chrome.
 
Hi guys,

Thanks for all of your responses.

Yesterday I reformatted and reinstalled, making sure I didn't visit any websites which could be of a suspect nature (although this doesn't rule out legitimate sites which have experienced code injection attacks...), with everything going well up until about an hour ago.

I was using Chromium with only 1Password and AdBlock installed. No extensions installed in Safari yet.

Login items all look good. My launchctl looks pretty clean to me but I'll paste it below just in case.

I also tried switching to OpenDNS (locally, my router doesn't give me the option, Sky are morons).

The only apps I've installed besides those which are very well known (Adobe CC, Coda, Transmit, Evernote, Twitter, Google Drive, 1Password, VLC, Skype, Spotify) are as follows:
Strangely enough, the first time I noticed the problem today was just after installing Spotify, but that was downloaded from them directly and I couldn't imagine them adding malicious code. On the off chance, I uninstalled it to no avail.

Here's my launchctl:
Code:
PID    Status    Label
-    0    com.apple.CoreAuthentication.daemon
4500    0    com.apple.quicklook
-    0    com.apple.parentalcontrols.check
227    0    com.apple.Finder
-    0    com.apple.PackageKit.InstallStatus
-    0    com.apple.FontWorker
1477    0    com.alfredapp.Alfred.70180
243    0    com.apple.bird
-    0    com.apple.familycontrols.useragent
-    0    com.apple.aos.migrate
602    0    com.apple.universalaccessAuthWarn
302    0    com.apple.nsurlsessiond
321    0    com.adobe.acc.AdobeDesktopService.55128.81E359CA-4F31-4642-A0D1-825DE863A14C
-    0    com.apple.syncservices.uihandler
276    0    com.apple.iconservices.iconservicesagent
-    0    com.apple.ManagedClientAgent.agent
-    0    com.apple.screensharing.agent
-    0    com.apple.TMHelperAgent.SetupOffer
-    0    com.apple.AddressBook.SourceSync
-    0    com.apple.familynotificationd
408    0    com.apple.photolibraryd
-    0    com.apple.cfnetwork.cfnetworkagent
-    0    com.apple.xpc.otherbsd
-    0    com.apple.bluetoothUIServer
-    0    com.apple.assistant_service
-    0    com.apple.mdworker.mail.03000000-0000-0000-0000-000000000000
-    0    com.apple.NotesMigratorService
2909    0    com.apple.MailServiceAgent
-    0    com.apple.appkit.xpc.sandboxedServiceRunner
-    0    com.apple.mdworker.mail
4326    0    com.apple.mdworker.shared.04000000-0000-0000-0000-000000000000
822    0    com.apple.DataDetectorsDynamicData
2673    0    com.apple.cfprefsd.xpc.agent
-    0    com.apple.unmountassistant.useragent
-    0    com.apple.csuseragent
-    0    com.apple.CoreRAIDAgent
-    0    com.apple.AOSPushRelay
270    0    com.apple.SocialPushAgent
3454    0    com.apple.xpc.launchd.oneshot.0x10000011.Google Drive
-    0    org.openbsd.ssh-agent
-    0    com.apple.apsctl
1468    0    com.apple.xpc.loginitemregisterd
-    0    com.apple.warmd_agent
-    0    com.apple.PubSub.Agent
-    0    com.apple.pictd
-    0    com.apple.universalaccesscontrol
-    0    com.apple.findmymacmessenger
-    0    com.apple.FilesystemUI
-    0    com.apple.pluginkit.pkreporter
-    0    com.apple.systemprofiler
340    0    com.apple.lateragent
281    0    com.adobe.AdobeCreativeCloud
-    0    com.apple.UserNotificationCenterAgent
-    0    com.apple.noticeboard.agent
-    0    com.apple.dt.CommandLineTools.installondemand
290    0    com.apple.cmfsyncagent
298    0    com.apple.cloudd
-    0    com.apple.ATS.FontValidator
285    0    com.apple.diagnostics_agent
-    0    com.apple.appleseed.seedusaged
-    0    com.apple.PhotoLibraryMigrationUtility.XPC
3172    0    com.apple.tonelibraryd
406    0    com.apple.CloudPhotosConfiguration
-    0    com.apple.mdworker.bundles
-    0    com.apple.mdworker.lsb.02000000-0000-0000-0000-000000000000
2825    0    com.apple.sbd
244    0    com.apple.secinitd
2834    0    com.apple.facebook.xpc
-    0    com.apple.cvmsCompAgentLegacy_i386
405    0    com.apple.cloudphotosd
-    0    com.apple.alf.useragent
3563    0    com.apple.coreservices.uiagent
-    0    com.apple.installd.user
-    0    com.apple.ContainerRepairAgent
297    0    com.apple.CallHistoryPluginHelper
-    0    com.apple.NetworkDiagnostics
4588    0    com.apple.Terminal.13948
306    0    com.apple.storeaccountd
-    0    com.apple.PCIESlotCheck
-    0    com.apple.AddressBook.AssistantService
-    0    com.apple.quicklook.32bit
3239    0    com.apple.printtool.agent
-    0    com.apple.IMLoggingAgent
2799    0    com.apple.USBAgent
256    0    com.apple.nsurlstoraged
279    0    com.apple.askpermissiond
-    0    com.apple.webinspectord
-    0    com.apple.ssinvitationagent
-    0    com.apple.WebKit.PluginAgent
-    0    com.apple.speech.synthesisserver
-    0    com.apple.DiagnosticReportCleanup.plist
396    0    com.apple.storeuid
-    0    com.apple.BezelUIServer
-    0    com.apple.speech.speechdatainstallerd
-    0    com.apple.rcd
-    0    com.apple.quicklook.config
-    0    com.apple.printuitool.agent
-    0    com.apple.AOSHeartbeat
2437    0    com.apple.SafariNotificationAgent
-    0    com.apple.appsleep
-    0    com.apple.FileStatsAgent
-    0    com.apple.ichat.BuddyPictureService
240    0    com.apple.tccd
3997    0    com.apple.netauth.user.auth
-    0    com.apple.cvmsCompAgent_x86_64
2828    0    com.apple.sharekit.EntitlementsHelper
-    0    com.apple.weibo.xpc
239    0    com.apple.pluginkit.pkd
-    0    com.apple.cvmsCompAgentLegacy_x86_64
-    0    com.apple.mdworker.mail.04000000-0000-0000-0000-000000000000
-    0    com.apple.security.XPCTimeStampingService
4344    0    com.apple.mdworker.single.08000000-0000-0000-0000-000000000000
-    0    com.apple.maspushagent
294    0    com.apple.CallHistorySyncHelper
618    0    com.divisiblebyzero.Spectacle.67908
224    0    com.apple.Dock.agent
218    0    com.apple.UserEventAgent-Aqua
-    0    com.apple.ReportPanic
250    0    com.apple.telephonyutilities.callservicesd
245    0    com.apple.identityservicesd
571    0    com.apple.security.DiskUnmountWatcher
-    0    com.apple.security.agentStub
-    0    com.apple.CoreLocationAgent
-    0    com.apple.cfnetwork.AuthBrokerAgent
341    0    com.apple.storedownloadd
-    0    com.apple.rtcreportingd
280    0    com.apple.cloudpaird
4521    0    org.chromium.Chromium.85232
236    0    com.apple.pboard
-    0    com.fiplab.MemoryCleanHelper
-    0    com.apple.thermaltrap
2436    0    com.apple.SafariCloudHistoryPushAgent
-    0    com.apple.AskPermissionUI
4330    0    com.apple.mdworker.shared.02000000-0000-0000-0000-000000000000
-    0    com.apple.accounts.dom
-    0    com.apple.lakitu
303    0    com.apple.security.cloudkeychainproxy3
353    0    com.apple.metadata.mdflagwriter
-    0    com.apple.DictionaryServiceHelper
4237    0    com.apple.speech.speechsynthesisd
-    0    com.apple.mdworker.mail.01000000-0000-0000-0000-000000000000
318    0    com.apple.InputMethodKit.UserDictionary
-    0    com.apple.mdworker.shared
-    0    com.apple.mbpluginhost.user
-    0    com.apple.mdworker.isolation
252    0    com.apple.imdpersistence.IMDPersistenceAgent
-    0    com.apple.TrustEvaluationAgent
-    0    com.apple.tiswitcher
259    0    com.apple.accountsd
-    0    com.adobe.AAM.Scheduler-1.0
338    0    com.apple.storelegacy
-    0    com.apple.coredata.externalrecordswriter
-    0    com.apple.locationmenu
311    0    com.apple.pbs
274    0    com.apple.notificationcenterui.agent
-    0    com.apple.imklaunchagent
-    0    com.apple.imcore.imtransferagent
-    0    com.apple.FTCleanup
-    0    com.apple.btsa
3791    0    com.apple.EscrowSecurityAlert
255    0    com.apple.coreservices.appleid.authentication
-    0    com.apple.metadata.mdwrite
263    0    com.apple.coreservices.lsactivity
242    0    com.apple.CalendarAgent
-    0    com.apple.powerchime
238    0    com.apple.sharingd
339    0    com.apple.storeassetd
-    0    com.apple.iCloudUserNotificationsd
-    0    com.apple.familycircled
-    0    com.apple.ReportCrash.Self
251    0    com.apple.imagent
-    0    com.apple.FontRegistryUIAgent
-    0    com.apple.lookupd
-    0    com.apple.syncservices.SyncServer
-    0    com.apple.ZoomWindow
-    0    com.apple.talagent
226    0    com.apple.SystemUIServer.agent
1466    0    com.apple.storeinappd
-    0    com.apple.icbaccountsd
-    0    com.apple.ATS.FontValidatorConduit
-    0    com.apple.VoiceOver
-    0    com.apple.RemoteDesktop.agent
-    0    com.apple.cloudfamilyrestrictionsd
257    0    com.apple.icloud.fmfd
-    0    com.apple.AssistiveControl
301    0    com.apple.internetaccounts
4567    0    com.apple.mdworker.shared.00000000-0000-0000-0000-000000000000
-    0    com.apple.FileSyncAgent.PHD
-    0    com.apple.mdworker.32bit
246    0    com.apple.secd
400    0    com.apple.appstore.PluginXPCService
4261    0    com.apple.BKAgentService
4508    0    com.apple.cvmsCompAgent_x86_64_1
-    0    com.apple.tencentweibo.xpc
-    0    com.apple.mbloginhelper.user
-    0    com.apple.cvmsCompAgent_i386_1
-    0    com.apple.cvmsCompAgentLegacy_i386_1
-    0    com.apple.mdworker.lsb
304    0    com.apple.metadata.SpotlightNetHelper
-    0    com.apple.assistantd
-    0    com.apple.mdmclient.cloudconfig.agent
2352    0    com.apple.xpc.launchd.oneshot.0x10000008.iTunesHelper
-    0    com.apple.isst
-    0    com.apple.DiskArbitrationAgent
-    0    com.apple.reclaimspace
3233    0    com.apple.scopedbookmarksagent.xpc
-    0    com.apple.ReportCrash
248    0    com.apple.fontd
323    0    com.adobe.accmac.59672
-    0    com.apple.Maps.mapspushd
1456    0    com.fiplab.memoryclean.69328
292    0    com.apple.gamed
-    0    com.spotify.webhelper
-    0    com.apple.java.updateSharing
-    0    com.apple.midiserver
-    0    com.apple.quicklook.ui.helper
2974    0    com.apple.helpd
284    0    com.apple.wifi.WiFiAgent
-    0    com.apple.screensharing.MessagesAgent
-    0    com.apple.java.InstallOnDemandAgent
-    0    com.apple.DictationIM
-    0    com.apple.mdmclient.agent
4241    0    com.apple.iCloudHelper
4346    0    com.apple.mdworker.single.07000000-0000-0000-0000-000000000000
-    0    com.apple.mdworker.mail.02000000-0000-0000-0000-000000000000
2841    0    com.apple.linkedin.xpc
-    0    com.apple.ichat.TranscriptRenderingService
-    0    com.apple.security.XPCKeychainSandboxCheck
-    0    com.apple.mdworker.single
4325    0    com.apple.mdworker.shared.03000000-0000-0000-0000-000000000000
-    0    com.apple.twitter.xpc
-    0    com.apple.cvmsCompAgentLegacy_x86_64_1
-    0    com.apple.scrod
2879    0    com.apple.mail.6564
268    0    com.apple.spindump_agent
-    0    com.apple.softwareupdate_notify_agent
272    0    com.apple.security.keychain-circle-notification
-    0    com.google.keystone.user.agent
-    0    com.apple.universalaccessd
-    0    com.apple.AirPortBaseStationAgent
-    0    com.apple.appstoreupdateagent
2906    0    com.apple.recentsd
-    0    com.apple.neagent
-    0    com.apple.idsfoundation.IDSRemoteURLConnectionAgent
241    0    com.apple.usernoted
-    0    com.apple.AddressBook.abd
-    0    com.apple.ScreenReaderUIServer
3193    0    com.apple.AirPlayUIAgent
-    0    com.apple.safaridavclient
312    0    com.apple.xpc.launchd.oneshot.0x10000002.AppleSpell
-    0    com.apple.netauth.user.gui
334    0    com.apple.xpc.launchd.oneshot.0x10000003.CCLibrary
-    0    com.apple.TMHelperAgent
266    0    com.apple.Spotlight
288    0    com.apple.soagent
-    0    com.apple.mdworker.32bit.02000000-0000-0000-0000-000000000000
-    0    com.apple.syncdefaultsd
2630    0    com.apple.mdworker.sizing
-    0    com.apple.SpeechRecognitionCore.brokerd
4324    0    com.apple.mdworker.shared.01000000-0000-0000-0000-000000000000
-    0    com.apple.iokit.IOServiceAuthorizeAgent
-    0    com.apple.xmigrationhelper.user
220    0    com.apple.distnoted.xpc.agent
-    0    com.apple.cvmsCompAgent_i386
378    0    com.apple.geod

This really is an insidious bugger!
 
I've just seen this. Do you guys think it could be related?

Possible, but the article mentions the malware being used to install applications like VSearch/Genieo on your system - I can't see any telltale signs of them in your launchd list (no expert here, but pretty sure they'd show up).

Out of interest do you have the free Spotify account? It sounds like they might have had some issues with dodgy ads being served through the application but that was a month ago, it may have been cleared up now... it's possible a bad ad made it through again however. Now Spotify is uninstalled you could try clearing your caches for both browsers in case there's anything lurking in there....
 
I have a paid Spotify account, so no ads would've been running.

I've removed Chromium but I'll clean out the Safari cache and see how it behaves.
 
You don't need "Memory Clean" (your OS X system does a fine job of doing everything to maintain your system that doesn't involve an actual vacuum cleaner :D ) Try removing that app.

Monity? Not heard of that one before ...
If you really need a system monitoring utility, you might want to go with a better-known example, such as iStat Menus.
I'm not saying that Monity caused anything - only that there's no real history to help you decide if you want to trust it or not.
Spectacle might be in the same category.

Maybe look in your Google Drive for possible "hitchhikers"

I'm not sure if you could call your experience "malicious", but certainly unwanted. It may simply be something that some developer (or download website) thought was a good idea, and earns some extra money when their software gets installed and used.
And, it may be disingenuous to think that a paid account with Spotify therefore guarantees no outside advertising, other than when Spotify is in use. Another possibility is that Spotify accepts links as part of their software install, with no distinction between paid accounts or free. It's not uncommon to find that an installer includes "interesting" items that are not part of the app itself.
I'm not saying that Spotify does that, only that you can't assume that getting an app from the "real" website means that it's not possible for the developer to add "something" to the installer (or allow it). Money, unfortunately, can still win out over best business practices.
 
I'm reasonably certain that Memory Clean, Monity, and Spectacle aren't the culprits. I've had all three running on my iMac for months without running into this issue. Unless it's a very new addition to one of them, I haven't seen it because I don't have automatic MAS updates switched on.

I know what you mean regarding unscrupulous developers being weak when it comes to fistfuls of cash, but I'd have thought Spotify would've wanted to avoid annoying users given the introduction of Apple Music. You never can tell I suppose.
 
I really am not pointing any fingers here - just thinking out loud, I suppose.
Third party apps can easily slip "things" through, when they have been pretty clean in the past. I read enough to hear about those.

I note that some of these forum sites seem to have struggles quite often with the companies that help them put up the sites in the first place, regarding advertising that is pushed out to those sites.
The advertisers also try to stay ahead of the field, and really can push the technology (and not in a good way :D )

And, you end up on the short end of the stick, trying to figure out why you get those strange sites now....
 
Just going back to this, and re-reading one of DeltaMac's comments: when you're opening Chrome what tabs/sites do you have open?

If you close them all and just have, say, bbc.co.uk, Google or another site without any display-type ads on it, then close/reopen Chrome, is the issue replicated? Or was this happening with the default 'Google' home page?
 