OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : Other Causes

Published November 11th, 2013 at 1:40 PM EDT , modified September 12th, 2014 at 5:19 PM EDT

If you are reading this, you should have already tried looking for adware on your computer, using the Identification page of this guide. If you have not, please go back there now. This page applies to causes for ads in the web browser other than adware installed on the computer.

Begin by doing the following tests:

  1. Test multiple devices on the same network as the affected machine. (These devices need not all be the same. Mac, Windows, iOS, Android, all will work for this test. Just be positive they are actually connected to the same network as the affected device, and are not using some other network, like a cellular data connection!) Do all devices show the same behavior?
  2. Test the affected machine on multiple unrelated networks. (For example, take your computer to a neighborhood coffee shop, library or other location offering free wifi, or try a work machine on your home network or a home machine at work.) Does the problem happen on all networks?
  3. Test multiple web sites on every affected network and device. Do the problems happen only with one or more specific sites?

Your answers to these questions will determine what the possible causes of your problems are. In the table to the left of each paragraph below, a ‘Y’ means that particular question was answered with a “yes,” an ‘N’ means “no” and a question mark (‘?’) means that either answer is applicable.

Q1 ?
Q2 ?
Q3 Y

If you are having problems with only one site, or a small selection of sites, but not with most sites, this often means that the sites in question have been hacked. It is common for hackers to use a variety of techniques to insert malicious code into legitimate web sites. If you answered “yes” to both questions 1 and 2, it’s extremely likely that those sites were hacked. However, if you said “no” to either or both of the other questions, it could also be something else, related to your network or your computer, that is causing symptoms to only appear on specific sites.

Q1 Y
Q2 Y
Q3 ?

If all devices are exhibiting the same behavior, on all networks you have tried, and it’s not as simple as a hacked site, this is probably a large-scale issue affecting all the networks in question. One possibility is that a domain name server (DNS) being used by all those networks has been “poisoned.” Try changing your DNS server settings, as described below in the Domain name server issues section. If that doesn’t work, you need to report the issue to your internet service provider.

Q1 Y
Q2 N
Q3 ?

If all devices have the problem, but only on one specific network, then the problem is related to a problem with that network. This could also be a DNS poisoning issue, which would again be fixed by changing your DNS server settings (see Domain name server issues). However, it could also be an issue with the wireless router managing the network. See Wireless router issues for how to approach that problem.

Q1 N
Q2 Y
Q3 ?

If the problem only affects your Mac, and affects it on all networks you try, then the problem has to be with your Mac itself. You could simply be suffering from modern browsers’ tendency to re-load all pages that were open when you quit (see Last session issues). It’s also possible that the issue is caused by the DNS server settings on your computer, so you can try changing those settings (see Domain name server issues). Very unlikely, though still possible, is that something has screwed up your hosts file settings (see Hosts file issues).

If none of those things help, you may have unknown adware.

Last session issues

Many modern browsers will remember the pages you had open from the “last session” (ie, the last time you had your browser running before quitting the browser). Try turning this feature off. In Safari, open the preferences and click the General icon, then set the “Safari opens with” setting to “A new window.” In Chrome’s preferences, click the Settings link and change the “On startup” option to “Open the New Tab page”. In Firefox’s preferences, click the General icon and set the “When FireFox starts” item to “Show a blank page.”

If your browser was set to use a specific home page, rather than to re-open windows from the last session, then it’s possible that the page you have selected as your home page has been hacked (or contains an ad that has been hacked) to redirect you to another site. Try visiting your home page manually, and if that causes a redirect to occur, the problem is with that site.

Domain name server issues

Domain name servers (DNS) are what map human-readable site names into IP addresses, which are required for connecting to any server on the internet. For example, a DNS lookup will tell your computer that “www.reedcorner.net” is mapped to the IP address 216.92.72.106. However, if a hacker compromises the DNS server being used by your network, he can cause that DNS server to return a different IP address for “www.reedcorner.net,” which would send you to a different site than you should end up on. This is called “DNS poisoning,” and it’s typically caused by phishing attempts by hackers who want to redirect users from financial sites (bank sites, Amazon, PayPal, etc) to malicious sites designed to intercept login credentials.

This can be fixed by changing your DNS server settings, either for your computer or for your entire wireless network (by changing the settings in the wireless router). Rather than using the server provided by your internet service provider, try changing to the OpenDNS DNS servers or the Google DNS servers. (See those links for complete instructions for changing your settings.)

Wireless router issues

There are a variety of ways that a hacker anywhere in the world could change the settings of your wireless router for malicious reasons. If this is your home network, try resetting the router to factory defaults and set up your network again from scratch. Make sure NOT to enable remote administration, and change your router’s administrative password to something that nobody will be able to guess. (Note that this is entirely different from the password required to access your wireless network, and should be a different password!) Be sure to use WPA2 encryption on the wifi network, to protect you against snooping. Finally, ensure that the firmware of your router is up-to-date, and contact the manufacturer to see if there are any additional steps that need to be taken. (Some routers have vulnerabilities that will need to be addressed in varying ways.) If you don’t know how to do these things, see the manual for your wireless router for instructions.

If this behavior is happening on a free wifi network, it’s entirely possible that network is injecting ads as a way of earning revenue for whatever business is offering the free wifi. In such a case, there is nothing to be done other than complain to the staff at that business, which won’t have any immediate benefit and may very well not have any long-term benefit either.

Hosts file issues

The hosts file is a file buried in an out-of-sight location that maps certain special domain names to IP addresses. Ordinarily this file should not be modified without a very good reason, but sometimes people do make changes to it for a variety of reasons, such as to block a particular site. Malicious software can also make changes to this file. (The only Mac malware known to do this is QHost, which has not been seen in the wild in a while now.)

To determine if your hosts file has been modified, open the Terminal app (found in /Applications/Utilities) and enter the following command:

more /etc/hosts

After entering that command, press return. This will display the contents of the hosts file. You should see something like this:

##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost 
fe80::1%lo0     localhost

If your hosts file looks different, you may have a problem. You can fix this, but you will need a copy of TextWrangler. (Do not get the version of TextWrangler that is available in the App Store; download it from the Bare Bones web site! The version in the App Store is limited, due to sandboxing restrictions, and cannot edit the hosts file.) While logged in to an admin account, open TextWrangler, then choose Open File by Name from the File menu. Enter “/etc/hosts” (without the quotes) in the box and click the Open button. The window that opens should show the same thing that the Terminal showed as the contents of the hosts file. Change the file so that it only contains the text shown above. (When you try to edit the file, you will be asked if you want to unlock the hosts file. Click the Unlock button, then finish making the changes. When complete, save the file, and enter your admin password when asked. Then you can close the file, and should restart the computer to make the changes take effect.

However, note that if your hosts file has been modified, that may not be an isolated issue. If someone has had some form of access to your Mac and made that change maliciously, they may have made a number of other changes as well. In such a case, it’s probably best to erase the hard drive and reinstall everything from scratch.

Unknown Adware

If you have reached this point, you should have done the following:

  1. Used AdwareMedic and/or the Identification page of this guide and found nothing
  2. Performed all the tests on this page and ended up directed here

If this is not the case, go back and do those things first.

If you did all those things, you may have new adware that I have not seen yet. In this case, download AdwareMedic and use it to take a system snapshot, then send the report to me.


 

<- Back to Adware Removal Guide