Solved Cdn.freefarcy.com Pop up on Mac

Status
Not open for further replies.

hockeybuddha

New Member
Sep 20, 2016
6
Hey all,

Got the cdn.freefracy pop up virus. It seems to only be infecting Chrome after I ran the Malware Bytes program. Manual removal didn't turn up any suspicious files in the places I was directed to on the Mac forums. Any advice would be really awesome,

Thanks!
 

XIII

Level 5
Sep 20, 2016
162
You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

Step 1

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

Step 2

While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

/Library/LaunchDaemons
In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

Step 3

Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

com.apple.something.plist

where something is a random, meaningless string of letters, different in every case.

Note that the name consists of four words separated by periods. Typical examples:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

There may also be one or more items with a name of this form:

com.something.plist

Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

These names consist of three words separated by periods. Typical examples:

com.semifasciaUpd.plist

com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

If you're not sure whether a file is part of the malware, order the folder contents by modification date,not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

Step 4

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

Step 5

The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxiesin the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

Step 6

This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

Source: https://discussions.apple.com/thread/7590690?start=0&tstart=0
 

hockeybuddha

New Member
Sep 20, 2016
6
Thanks but I already tried this. There are no files that match this format in the folders. Any other suggestions?
 

Jack

Administrator
Verified
Staff member
Jan 24, 2011
9,334
Thanks but I already tried this. There are no files that match this format in the folders. Any other suggestions?
Hello @hockeybuddha
Is this device connected to a router? Does this pop-up/redirect happen on other devices (phone, tablet etc..) that are connected to this router?
 

Jack

Administrator
Verified
Staff member
Jan 24, 2011
9,334
Thanks @Jack! I am connected to wireless internet through a router. Is that what you mean?
Yes. We've seen a lot of these redirects happening because the router was infected. While this may not be the case, I would also try to do this as this could be the cause. Do you know how to reset the router and then reconfigure it?

NOTE: Resetting your router to its default factory settings will also reset your router's password. You will need to reconfigure its settings.

 

hockeybuddha

New Member
Sep 20, 2016
6
@Jack - I am totally up for this but one interesting thing is that right now it seems only to affect me when I use Chrome. Does that seem consistent with a router infection?
 

Jack

Administrator
Verified
Staff member
Jan 24, 2011
9,334
@Jack - I am totally up for this but one interesting thing is that right now it seems only to affect me when I use Chrome. Does that seem consistent with a router infection?
Does this happen on all websites or only on a specific website? What extensions do you have installed on Google Chrome? Did you try to reset Google Chrome to the default settings?
 

hockeybuddha

New Member
Sep 20, 2016
6
All that I notice is that occasionally a new tab opens with the cdn.freefarcy.com and tries to get me to "update" my Flash Player. It can go for hours without doing anything and seems more regular when I am restarting the browser or coming back from the computer being asleep. It originally affected every browser but I seem to have conquered it in Safari and Firefox
 
  • Like
Reactions: Jack

Jack

Administrator
Verified
Staff member
Jan 24, 2011
9,334
All that I notice is that occasionally a new tab opens with the cdn.freefarcy.com and tries to get me to "update" my Flash Player. It can go for hours without doing anything and seems more regular when I am restarting the browser or coming back from the computer being asleep. It originally affected every browser but I seem to have conquered it in Safari and Firefox
That sounds like adware. Are there any extensions installed on Google Chrome?


To remove an extension from Google Chrome:
  1. On your browser, click menu
    unnamed.png
    .
  2. Select More tools > Extensions.
  3. On the extension you want to remove, click Remove from Chrome
    b6fLKle2EAchK2pBi90sMiibbshe9MgOCbfMSvGmCQ8vQK8cZQ1ouFjA2osO=w18
    .
  4. A notice to remove the extension will appear. Click Remove.
 

hockeybuddha

New Member
Sep 20, 2016
6
Yup, I have a few extensions but nothing fishy. A bunch of google extensions, AdBlock, Blur, Disconnect and StayFocusd. I've had them for months.
 
Status
Not open for further replies.
Top