Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
As the title suggests, I have some kind of hijacking adware that is constantly trying to force a redirect. Fortunately, the pages it's trying to force redirect me to all have bad certificates, so I just hit "cancel" every time it tries, but that's really obnoxious when it's constantly doing that. It doesn't do it on EVERY site (MacRumors is fine), but especially Google sites (and also a few others not owned by Google I've noticed, like my electricity company's site).

It says things like "Safari can't verify the identity of the website '2507573.fls.doubleclick.net'". But the stuff before "doubleclick.net" is different on different websites.

So I have a screenshot of it triggering when I even attempted to access the "DoubleClickbyGoogle.com" website that I'll attach.

I got Ghostery to try to stop it, which it does a lot now, but it's not 100%, and I shouldn't need this plugin to stop it, because this is something that only just started happening in the last few days.

Here's what Ghostery has to say about it:
https://apps.ghostery.com/en/apps/doubleclick

I've done a lot of researching and have found several forums (even here in MacRumors) about removing it, but NONE of them have helped. I'm still dealing with this mess... Any ideas (preferably free)? I'm pretty tech savvy so I'm not afraid to get back in the weeds to fix things... But I need a place to start.
 


keysofanxiety

macrumors G3
Nov 23, 2011
9,539
25,302
Sorry to go through the obvious -- have you tried running MalwareBytes for Mac?
 
Reactions: adamgayton81

Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
Yes, and MalwareBytes for Mac says it didn't find anything on my machine. Same with Symantec Endpoint Protection for Mac.

By the way, when I went to MalwareBytes' website, I got another one of these redirects.
 


keysofanxiety

macrumors G3
Nov 23, 2011
9,539
25,302
Could you check the time and date on your machine?
 

Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
Yes, they're correct. I have it set the time and date automatically using the "Apple Americas/U.S. (time.apple.com.)"
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,206
15,759
California
Download and run the app Etrecheck. That will create an anonymized report showing everything running on your system, including any hidden launch items that may be causing this. Post the report here for us to take a look for you.
 
Reactions: JennieLynne

Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
EtreCheck version: 2.9.12 (265)

Report generated 2016-06-28 10:54:46

Download EtreCheck from https://etrecheck.com

Runtime 2:01

Performance: Excellent



Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Check files] link for help with unknown files.



Problem: Other problem

Description:

Adware is hijacking my Safari Browser and redirecting me. I suspect the phrase “DoubleClick.net”



Hardware Information:

MacBook Pro (Retina, Mid 2012)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro10,1

1 2.6 GHz Intel Core i7 CPU: 4-core

16 GB RAM Not upgradeable

BANK 0/DIMM0

8 GB DDR3 1600 MHz ok

BANK 1/DIMM0

8 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 57



Video Information:

Intel HD Graphics 4000

NVIDIA GeForce GT 650M - VRAM: 1024 MB

Color LCD 2880 x 1800

Thunderbolt Display 2560 x 1440



System Software:

OS X Yosemite 10.10 (14A389) - Time since boot: about one day



Disk Information:

APPLE SSD SM512E disk0 : (500.28 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 499.05 GB (175.41 GB free)

Core Storage: disk0s2 499.42 GB Online



USB Information:

Apple, Inc. Keyboard Hub

Logitech USB Receiver

Apple Inc. Apple Keyboard

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Inc. FaceTime HD Camera (Built-in)

Apple Inc. Apple Thunderbolt Display

Apple Inc. Display Audio

Apple Inc. FaceTime HD Camera (Display)



Thunderbolt Information:

Apple Inc. thunderbolt_bus

Apple Inc. Thunderbolt Display



Gatekeeper:

Mac App Store and identified developers



Unknown Files:

/Library/LaunchDaemons/com.quest.rc.ipwatchd.plist

/opt/quest/sbin/ipwatchd /opt/quest/sbin/dnsupdate

/Library/LaunchDaemons/com.quest.vasd.plist

/opt/quest/sbin/vasd -D -p /var/opt/quest/vas/vasd/.vasd.pid

2 unknown files found. [Check files]



Kernel Extensions:

/Library/Application Support/Symantec/AntiVirus

[loaded] com.symantec.kext.SymAPComm (100.1f1 - SDK 10.6 - 2016-06-28) [Support]



/Library/Extensions

[loaded] com.symantec.kext.internetSecurity (5.2.1 - SDK 10.6 - 2015-09-25) [Support]

[loaded] com.symantec.kext.ips (3.5.1 - SDK 10.6 - 2015-09-25) [Support]

[loaded] com.symantec.kext.ndcengine (1.0 - SDK 10.6 - 2015-09-25) [Support]



/System/Library/Extensions

[loaded] com.seagate.driver.PowSecDriverCore (5.2.6 (26925) - SDK 10.4 - 2015-09-25) [Support]

[not loaded] com.wacom.kext.pentablet (Pen Tablet 5.3.5-4 - SDK 10.9 - 2015-09-25) [Support]



/System/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

[not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.2.6 (26925) - SDK 10.4 - 2014-08-15) [Support]

[not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.2.6 (26925) - SDK 10.5 - 2014-08-15) [Support]

[not loaded] com.seagate.driver.SeagateDriveIcons (5.2.6 (26925) - SDK 10.4 - 2014-08-15) [Support]



System Launch Agents:

[not loaded] 5 Apple tasks

[loaded] 134 Apple tasks

[running] 64 Apple tasks



System Launch Daemons:

[running] com.seagate.TBDecorator.plist (2013-10-11) [Support]

[not loaded] 43 Apple tasks

[loaded] 131 Apple tasks

[running] 88 Apple tasks



Launch Agents:

[not loaded] com.adobe.AAM.Updater-1.0.plist (2016-05-05) [Support]

[loaded] com.citrix.AuthManager_Mac.plist (2013-03-06) [Support]

[running] com.citrix.ReceiverHelper.plist (2013-03-06) [Support]

[running] com.citrix.ServiceRecords.plist (2013-03-06) [Support]

[loaded] com.oracle.java.Java-Updater.plist (2013-05-08) [Support]

[running] com.symantec.uiagent.application.plist (2014-09-12) [Support]

[running] com.wacom.pentablet.plist (2014-08-20) [Support]

[running] net.juniper.pulsetray.plist (2014-12-29) [Support]

[loaded] org.macosforge.xquartz.startx.plist (2012-09-27) [Support]



Launch Daemons:

[loaded] com.adobe.SwitchBoard.plist (2013-08-05) [Support]

[failed] com.adobe.fpsaud.plist (2016-04-15) [Support]

[running] com.fitbit.galileod.plist (2012-10-05) [Support]

[loaded] com.logmein.join.me.update-helper.plist (2014-09-12) [Support]

[loaded] com.malwarebytes.HelperTool.plist (2016-06-28) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2011-03-10) [Support]

[loaded] com.oracle.java.Helper-Tool.plist (2013-05-08) [Support]

[running] com.quest.rc.ipwatchd.plist (2013-05-07) [Support]

[running] com.quest.vasd.plist (2013-02-10) [Support]

[loaded] com.skype.skypeinstaller.plist (2016-01-22) [Support]

[loaded] com.symantec.liveupdate.daemon.ondemand.plist (2014-09-12) [Support]

[failed] com.symantec.liveupdate.daemon.plist (2014-09-12) [Support]

[not loaded] com.symantec.sep.migratesettings.plist (2014-12-29) [Support]

[running] com.symantec.sharedsettings.plist (2014-09-12) [Support]

[running] com.symantec.symdaemon.plist (2014-09-12) [Support]

[running] net.juniper.AccessService.plist (2014-12-29) [Support]

[not loaded] net.juniper.UninstallPulse.plist (2014-12-29) [Support]

[loaded] org.macosforge.xquartz.privileged_startx.plist (2012-09-27) [Support]



User Launch Agents:

[loaded] com.adobe.AAM.Updater-1.0.plist (2013-08-05) [Support]

[loaded] com.adobe.ARM.[...].plist (2013-08-06) [Support]

[loaded] com.adobe.ARM.[...].plist (2013-08-28) [Support]

[loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (2015-11-17) [Support]

[running] com.spotify.webhelper.plist (2016-06-13) [Support]



User Login Items:

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application (/Applications/Dropbox.app)

Content Manager Assistant Application (/Applications/CMA.app)



Other Apps:

[running] com.google.Chrome.56548

[running] com.microsoft.Lync.98864

[running] com.microsoft.Outlook.3724

[running] com.microsoft.alerts.daemon.131524

[running] com.microsoft.autoupdate.fba.98012

[running] com.microsoft.outlook.databasedaemon.4860

[running] com.wacom.ConsumerTouchDriver.92900

[running] com.wacom.TabletDriver.9972

[running] jp.co.scei.ContentManagerAssistant.189460

[running] jp.co.scei.ContentManagerAssistant.Watcher.190028

[loaded] 354 Apple tasks

[running] 205 Apple tasks



Internet Plug-ins:

JavaAppletPlugin: Java 8 Update 66 build 17 (2016-01-07) Check version

Unity Web Player: UnityPlayer version 5.3.5f1 - SDK 10.6 (2016-06-20) [Support]

Default Browser: 600 - SDK 10.10 (2014-10-21)

AdobeExManDetect: AdobeExManDetect 1.1.0.0 - SDK 10.7 (2014-12-22) [Support]

Flip4Mac WMV Plugin: 3.2.0.16 - SDK 10.8 (2013-05-07) [Support]

SlingPlayer: Unknown - SDK 10.8 (2014-03-28) [Support]

AdobePDFViewerNPAPI: 11.0.15 - SDK 10.6 (2016-04-04) [Support]

FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]

Silverlight: 5.1.30514.0 - SDK 10.6 (2015-02-06) [Support]

WacomTabletPlugin: WacomTabletPlugin 2.1.0.6 - SDK 10.9 (2014-11-20) [Support]

Flash Player: 21.0.0.226 - SDK 10.6 (2016-04-22) Outdated! Update

QuickTime Plugin: 7.7.3 (2014-10-21)

CitrixICAClientPlugIn: 11.0.0 (2014-12-22) [Support]

SharePointBrowserPlugin: 14.3.4 - SDK 10.6 (2013-05-07) [Support]

AdobePDFViewer: 11.0.15 - SDK 10.6 (2016-04-04) [Support]

MeetingJoinPlugin: Unknown - SDK 10.6 (2013-05-08) [Support]



User internet Plug-ins:

WebEx64: 1.0 - SDK 10.6 (2015-11-06) [Support]

CitrixOnlineWebDeploymentPlugin: 1.0.105 (2013-04-25) [Support]

DISH Anywhere Player: ECHO.2.13.0 (2014-07-09) [Support]

Google Earth Web Plug-in: 7.1 (2013-10-07) [Support]



Safari Extensions:

AdBlock - BetaFish, Inc. - https://getadblock.com (2016-05-13)

Adblock Plus - Eyeo GmbH - https://adblockplus.org/ (2016-06-01)

Reddit Enhancement Suite - Steve Sobel - http://redditenhancementsuite.com/ (2014-12-30)

Ghostery - GHOSTERY, Inc. - https://www.ghostery.com/ (2016-06-27)



3rd Party Preference Panes:

Citrix online plug-in (2009-09-11) [Support]

Citrix ShareFile Sync (2013-01-06) [Support]

Flash Player (2016-04-15) [Support]

Flip4Mac WMV (2013-03-29) [Support]

Java (2016-01-07) [Support]

Seagate Dashboard for Mac OSX (2014-09-11) [Support]

Symantec QuickMenu (2014-12-29) [Support]

PenTablet (2014-11-20) [Support]



Time Machine:

Skip System Files: NO

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 499.05 GB Disk used: 323.64 GB

Destinations:

My Passport for Mac [Local]

Total size: 999.83 GB

Total number of backups: 66

Oldest backup: 7/13/15, 1:11 PM

Last backup: 6/27/16, 9:15 AM

Size of backup disk: Adequate

Backup size 999.83 GB > (Disk used 323.64 GB X 3)



Top Processes by CPU:

11% Google Chrome

10% WindowServer

5% Google Chrome Helper(4)

4% kernel_task

2% fontd



Top Processes by Memory:

1.27 GB kernel_task

1.02 GB iPhoto

803 MB com.apple.WebKit.WebContent(2)

590 MB Google Chrome Helper(5)

508 MB Safari



Virtual Memory Information:

5.51 GB Free RAM

10.00 GB Used RAM (2.72 GB Cached)

0 B Swap Used



Diagnostics Information:

Jun 27, 2016, 01:24:02 PM Self test - passed



Standard users cannot read /Library/Logs/DiagnosticReports.

Run as an administrator account to see more information.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,206
15,759
California
Unknown Files:

/Library/LaunchDaemons/com.quest.rc.ipwatchd.plist

/opt/quest/sbin/ipwatchd /opt/quest/sbin/dnsupdate

/Library/LaunchDaemons/com.quest.vasd.plist

/opt/quest/sbin/vasd -D -p /var/opt/quest/vas/vasd/.vasd.pid

Nothing that is malware/adware is jumping out at me there, but you have a LOT of third party processes running there. The section I quoted here looks like some kind of DNS redirect service, and I'm wondering if that could be causing this.

Also, I'm curious if that Juniper Pulse stuff could be causing trouble. It looks like a network access control process.

You also might try ditching all that Symantec stuff as that also intercepts Internet traffic.

Can you shed any light here on why these things are installed or if you installed them?

How about just as a test, reboot and hold down the shift key at startup to boot to safe mode. That will stop ALL these processes from running. See if that stops the redirects. If that does, that proves it is one of these startup or launch items in the Etrecheck report. Then it is a matter of removing them until you find the culprit.
 

Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
I can give that a shot and also try removing those launch items (the Quest stuff I have no clue about).

Symantec is installed because my company requires it, and Junos Pulse is a VPN tool I use. This is a company computer; however, I'm the only Mac user in the company, so IT will not support me in any problems I encounter. That's something I've always been ok with since I'm usually very good with managing my own troubleshooting and repairs.

I'll try removing those unknown quest files and then also do a safe mode test. Good ideas! Thanks! I'll let you know how it goes!
 
Reactions: Weaselboy

Justgrant2009

macrumors newbie
Original poster
Jun 28, 2016
6
2
Ok, so it turns out that it may not be adware. I just checked with a few colleagues here and even they're getting the same issue with the bad certificates for DoubleClick.net, and they're on PCs. I checked with one of our IT members and he's looking into it now (since it affects the PCs). As I said before, being the Mac user, I'm expected to troubleshoot my own issues, but if it's a threat to the PC users in the company, they need to find a resolution before the not-so-tech-savvy do something bad.

I'll keep this thread updated as I learn more. In the meantime, thank you for the support Weaselboy, you've been very helpful!
 
Reactions: Weaselboy

chrfr

macrumors G5
Jul 11, 2009
13,548
7,075
Not related to your original question, but you really should update your operating system to 10.10.5 and install the security updates that follow. 10.10, which you are running now, is seriously out of date and far less stable than 10.10.5.
 
Reactions: Weaselboy

JohnDS

macrumors 65816
Oct 25, 2015
1,183
249
Here is how to get rid of doubleclick.net ads permanently:

Download the freeware TextWrangler: http://www.barebones.com/products/textwrangler/download.html

(You may have to change your Mac Security settings to allow downloads from "All")

Put TextWrangler into your Applications folder and keep the Application folder open on your desktop so you can see the TextWrangler icon.

Click on the desktop to make sure you are in Finder. Then pull down the Go menu to Go To Folder and type the following line in and hit return:

/etc

In that folder, you will find a file called "Hosts". Drag and drop it onto the TextWrangler icon. The Hosts file should open in TextWrangler and look like this:

##
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
Just before the line that says ::1 localhost, add a line that reads

0.0.0.0 doubleclick.net

so that your hosts file now looks like this:

##
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 doubleclick.net
::1 localhost
fe80::1%lo0 localhost

Save the file (you will be asked for your administrative password). Close TextWrangler. Restart your computer.

Now you should be unable to reach any doubleclick.net page in any browser.
 

chrfr

macrumors G5
Jul 11, 2009
13,548
7,075
Entries in the hosts file are not global by domain but instead are specific to one hostname. You would need to enter every doubleclick.net host in there for this to work.
 
Reactions: Weaselboy
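
The limitation chrfr describes, as an added example (not code from any poster in this thread): a small Python model of hosts-file lookup, which matches whole hostnames only, so a single doubleclick.net line leaves every subdomain resolvable. The hosts text and the observed hostnames are constructed samples, except 2507573.fls.doubleclick.net, which is the name quoted in the first post.

```python
"""Model of /etc/hosts lookup: names match whole hostnames, never subdomains."""

# Constructed sample, based on the edited hosts file shown in the thread.
HOSTS_TEXT = """\
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
0.0.0.0 doubleclick.net
::1 localhost
"""

# First name is the one quoted in the thread; the others are constructed samples.
OBSERVED = [
    "2507573.fls.doubleclick.net",
    "ad.doubleclick.net",
    "DoubleClick.net",
    "www.example.com",
]

NULL_ADDRS = {"0.0.0.0", "::"}  # addresses used to make a name unreachable


def parse_hosts(text):
    """Return {hostname: [addresses]} from hosts-file text."""
    table = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip comments, split on whitespace
        if len(fields) < 2:
            continue  # blank line, comment, or address without a name
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower().rstrip("."), []).append(addr)
    return table


def lookup(table, hostname):
    """Exact, case-insensitive match; no wildcard or parent-domain fallback."""
    return table.get(hostname.lower().rstrip("."), [])


def is_null_routed(table, hostname):
    return any(addr in NULL_ADDRS for addr in lookup(table, hostname))


def uncovered(table, observed, domain):
    """Observed names at or under `domain` that the hosts file does not null-route."""
    domain = domain.lower()
    hits = set()
    for host in observed:
        h = host.lower().rstrip(".")
        if (h == domain or h.endswith("." + domain)) and not is_null_routed(table, h):
            hits.add(h)
    return sorted(hits)


if __name__ == "__main__":
    table = parse_hosts(HOSTS_TEXT)
    for host in uncovered(table, OBSERVED, "doubleclick.net"):
        print("0.0.0.0 " + host)  # one extra hosts line per uncovered name
```

Each printed line is a hosts entry for a name the single doubleclick.net line does not cover. Names that have not been observed yet stay resolvable, which is why the per-host approach only works if every host is listed.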