Jump to content

Chrome opens unwanted tabs on Mac

Recommended Posts

I've tried everything I could find online to solve this, but nothing has actually helped. 
I do not have any malicious extensions or apps installed, I have tried resetting chrome, I have scanned my mac with ClamXav, Sophos Antivirus, Avast, Combo Cleaner, Kaspersky Internet Security, Bitdefender Adware removal tool and none of these found anything during the scans. Malwarebytes's scan found two things which it removed but all the rest, nothing. And every other scan with Malwarebytes comes clean.
My search settings and homepage settings are all intact and there wasn't anything suspicious at all. But when chrome is idle for a while or I'm reading something on a website, there's suddenly a muted tab opened (first it was for a dating site, then betting, and most recently a clean my mac page).

I also tried Bitdefender Virus Scanner for Mac, and it found a spigot extension for safari and quarantined it. The file appeared to be stored in ClamXav's folder for some reason. (I do not even use Safari, and when I checked before the scan, no extensions have been installed on that browser, and the same goes for Firefox).
I've also checked whether the router has been hijacked (https://campaigns.f-secure.com/router-checker/en_global/) and everything seems to be fine. I tried changing the DNS settings to Google's, but it wouldn't connect for a long time so I left it as it was initially.
It seems to have been passed to another Windows laptop at home, but when the PC was scanned with Malwarebytes, Clamwin, and CCcleaner nothing seemed to help and the problem occurs on both computers. Windows Defender found BrowserModifier:Win32/Diplugem and removed it, but the ad tabs keep coming.
How can I get rid of this? Is it possible that the specific IP is targeted and it's not one of the two devices actually being infected? 
PS. I've attached the log file from Malwarebytes and from Bitdefender Virus Scanner.

Screen Shot 2017-05-13 at 23.02.55.png

Screen Shot 2017-05-13 at 23.04.58.png

Link to post
Share on other sites

  • Staff
On 5/13/2017 at 5:08 PM, TapperD said:
I also tried Bitdefender Virus Scanner for Mac, and it found a spigot extension for safari and quarantined it. The file appeared to be stored in ClamXav's folder for some reason.

It looks like ClamXav had already quarantined that extension, so it would not have been active on your system any longer. You'd have to check ClamXav's logs to see when it was quarantined, but my guess is that this has nothing to do with your current issue.

Can you send a system snapshot taken with Malwarebytes Anti-Malware for Mac? To do so, open Malwarebytes Anti-Malware for Mac and choose Take System Snapshot from the Scanner menu. Then, in the window that opens, select all the text (Edit → Select All), copy it and paste into a reply to this message.

Alternately, if you'd prefer not to post that information publicly, send me a direct message. Click on my name or profile picture at left, and then click the Message button.

BTW, sorry for the delay getting back to you... I normally get notifications for posts in this forum, but sometimes it fails, so I didn't see your post until now.

Link to post
Share on other sites

On 5/21/2017 at 5:19 AM, FredHarrington said:

I have exactly the same issue.

Please post an update if you have found a way to fix it.

Well, apart from scanning my macbook with everything I could find out there, and resetting chrome two times, I added the uBlock origin extension and checked all the filters for malware domains and since then I haven't had a new tab open up. I don't know how effective this was, or if I'm in an adware illusion, but at least it worked. 

Let me know if you give this a try and if it works for you.

Link to post
Share on other sites

On 5/21/2017 at 0:10 PM, treed said:

Can you send a system snapshot taken with Malwarebytes Anti-Malware for Mac?

Hi Treed, thanks a lot for your reply and apologies for writing back so late. Here's the snapshot of the system:


Malwarebytes Anti-Malware system report - May 27, 2017 at 12:13:59 GMT+2

Mac OS X version Version 10.11.6 (Build 15G1421)

System uptime: 0d 00:02:07

Helper tool version:

Signatures version: 201


Safari extensions




        Name: DivX Plus Web Player HTML5 <video>

        Path: /Users/Minxy/Library/Safari/Extensions/DivXHTML5.safariextz

        Modified: 2013-07-19 09:57:58 +0000



Chrome extensions




        Name: Duolingo on the Web

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/aiahmijlpehemcpleichkcokhegllfjl

        Modified: 2016-07-06 17:50:30 +0000


        Name: Google Drive

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/apdfllckaahabafndbhieahigkjlhalf

        Modified: 2015-10-23 03:41:09 +0000


        Name: YouTube

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/blpcfgokakmgnkcojhhkbfbldkacnbeo

        Modified: 2015-10-02 19:24:54 +0000


        Name: uBlock Origin

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/cjpalhdlnbpafiamejdnhcphjbkeiagm

        Modified: 2017-05-20 10:03:38 +0000


        Name: Google Search

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/coobgpohoikkiipiblmjeljniedjpjpf

        Modified: 2015-10-31 18:01:19 +0000


        Name: Session Buddy

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/edacconmaakjimmfgnblocblbcdcpbko

        Modified: 2017-05-08 13:16:46 +0000


        Name: Closed tabs

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/eonffnnfmbfnmjpaiigdclmfelolemah

        Modified: 2016-08-18 09:53:59 +0000


        Name: QCLean:Remove Facebook Ad,Suggested Page&Post

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/fdhhejjkjfjkchkimomgfegnpapndjne

        Modified: 2017-01-21 14:24:06 +0000


        Name: Wunderlist - To-do and Task list

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/fjliknjliaohjgjajlgolhijphojjdkc

        Modified: 2016-01-22 01:30:11 +0000


        Name: PDF Mage

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/gknphemhpcknkhegndlihchfonpdcben

        Modified: 2016-10-21 10:58:55 +0000


        Name: Pinterest Save Button

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/gpdjojdkbbmdfjfahjcgigfpmkopogic

        Modified: 2017-04-22 11:15:22 +0000


        Name: Symphonical

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/hcgllakjbbignhambejggdljofdagfja

        Modified: 2013-11-09 19:11:39 +0000


        Name: LastPass: Free Password Manager

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/hdokiejnpimakedhajhdlcegeplioahd

        Modified: 2017-05-12 18:30:07 +0000


        Name: feedly

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/hipbfijinpcgfogaopmgehiegacbhmob

        Modified: 2016-08-23 08:18:08 +0000


        Name: Eye Dropper

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/hmdcmlfkchdmnmnmheododdhjedfccka

        Modified: 2016-10-06 23:45:40 +0000


        Name: Unseen

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/iicapmagmhahddefgokbabbgieiogjop

        Modified: 2017-03-20 05:50:44 +0000


        Name: Grammarly for Chrome

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/kbfnbcaeplbcioakkpcpgfkobkghlhen

        Modified: 2017-05-18 08:33:58 +0000


        Name: The Great Suspender

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/klbibkeccnjlkjkiokjodocebajanakg

        Modified: 2017-03-05 20:10:25 +0000


        Name: Save as PDF

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/kpdjmbiefanbdgnkcikhllpmjnnllbbc

        Modified: 2016-11-05 12:48:25 +0000


        Name: Momentum

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/laookkfknpbbblfpciffpaejjkokdgca

        Modified: 2017-05-01 21:10:20 +0000


        Name: Numerics Calculator & Converter

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/liglcienpnkhdajdfmnpbgmpjglonipe

        Modified: 2014-01-17 06:41:00 +0000


        Name: Currency Converter

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/lncdobdbibdgoiohgnflmjajfphcnakg

        Modified: 2017-04-26 12:14:40 +0000


        Name: Boomerang for Gmail

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/mdanidgdpmkimeiiojknlnekblgmpdll

        Modified: 2017-05-17 10:07:58 +0000


        Name: Do It (Tomorrow)

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/nfagjoblnoeagfhfhohcdklnddjaiglo

        Modified: 2014-12-28 10:10:35 +0000


        Name: Save to Pocket

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/niloccemoadcdkdjlinkgdfekeahmflj

        Modified: 2017-04-25 14:20:23 +0000


        Name: Chrome Web Store Payments

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/nmmhkkegccagdldgiimedpiccmgmieda

        Modified: 2017-03-10 11:40:15 +0000


        Name: Buffer

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/noojglkidnpfjbincgijbaiedldjfbhh

        Modified: 2017-05-10 10:31:02 +0000


        Name: Print Friendly & PDF

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/ohlencieiipommannpdfcmfdpjjmeolj

        Modified: 2017-02-04 12:29:27 +0000


        Name: Gmail

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/pjkljhegncpnkpknbcohdijeoejaedia

        Modified: 2015-04-03 15:35:55 +0000


        Name: Chrome Media Router

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Default/Extensions/pkedcjkdefgpdelpbcmbmeomcjbeemfm

        Modified: 2017-05-17 10:07:58 +0000


    Profile 2

        Name: Google Slides

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/aapocclcgogkmnckokdopfmhonfmgoek

        Modified: 2016-02-22 00:08:22 +0000


        Name: Google Docs

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/aohghmighlieiainnegkcijnfilokake

        Modified: 2016-02-22 00:08:36 +0000


        Name: Google Drive

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/apdfllckaahabafndbhieahigkjlhalf

        Modified: 2016-02-22 00:08:36 +0000


        Name: YouTube

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/blpcfgokakmgnkcojhhkbfbldkacnbeo

        Modified: 2016-02-22 00:08:36 +0000


        Name: Google Search

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/coobgpohoikkiipiblmjeljniedjpjpf

        Modified: 2016-02-22 00:08:36 +0000


        Name: Session Buddy

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/edacconmaakjimmfgnblocblbcdcpbko

        Modified: 2017-05-08 17:20:57 +0000


        Name: Closed tabs

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/eonffnnfmbfnmjpaiigdclmfelolemah

        Modified: 2017-03-17 18:14:30 +0000


        Name: Google Sheets

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/felcaaldnbdncclmgdcncolpebgiejap

        Modified: 2016-02-22 00:08:17 +0000


        Name: Google Docs Offline

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/ghbmnnjooekpmoecnnnilnnbdlolhkhi

        Modified: 2016-10-16 12:55:37 +0000


        Name: LastPass: Free Password Manager

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/hdokiejnpimakedhajhdlcegeplioahd

        Modified: 2017-05-14 11:04:38 +0000


        Name: feedly

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/hipbfijinpcgfogaopmgehiegacbhmob

        Modified: 2017-04-07 10:55:30 +0000


        Name: Save to Pocket

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/niloccemoadcdkdjlinkgdfekeahmflj

        Modified: 2017-04-25 18:15:46 +0000


        Name: Chrome Web Store Payments

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/nmmhkkegccagdldgiimedpiccmgmieda

        Modified: 2017-03-12 20:50:33 +0000


        Name: Gmail

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/pjkljhegncpnkpknbcohdijeoejaedia

        Modified: 2016-02-22 00:08:36 +0000


        Name: Chrome Media Router

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/Profile 2/Extensions/pkedcjkdefgpdelpbcmbmeomcjbeemfm

        Modified: 2017-05-17 12:03:54 +0000



        Name: [unknown Chrome extension format]

        Path: /Users/Minxy/Library/Application Support/Google/Chrome/External Extensions/lmjegmlicamnimmfhcmpkclmigmmcbeh.json

        Modified: 2015-01-13 22:41:03 +0000



Firefox extensions




        Name: [name not found in install.rdf]

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/ffext_basicvideoext@startpage24.xpi

        Modified: 2016-10-22 12:28:23 +0000


        Name: Xmarks

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/foxmarks@kei.com

        Modified: 2017-02-19 15:35:38 +0000


        Name: LastPass: Free Password Manager

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/support@lastpass.com

        Modified: 2017-05-20 17:31:05 +0000


        Name: [name not found in install.rdf]

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/vdpure@link64.xpi

        Modified: 2016-10-22 12:30:46 +0000


        Name: Session Manager

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/{1280606b-2510-4fe0-97ef-9b5a22eafe30}.xpi

        Modified: 2017-02-01 13:58:12 +0000


        Name: Download YouTube Videos as MP4

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/{b9bfaf1c-a63f-47cd-8b9a-29526ced9060}.xpi

        Modified: 2017-02-19 15:43:44 +0000


        Name: Video DownloadHelper

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/{b9db16a4-6edc-47ec-a1f4-b86292ed211d}.xpi

        Modified: 2017-05-16 13:49:50 +0000


        Name: Adblock Plus

        Path: /Users/Minxy/Library/Application Support/Firefox/Profiles/a6qold36.default-1475404622954/extensions/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi

        Modified: 2016-12-03 17:28:38 +0000



User Login Items


User: Minxy

  Name: iTunesHelper

  Path: /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app


  Name: Flux

  Path: /Applications/Flux.app


  Name: Stickies

  Path: /Applications/Stickies.app


  Name: Dropbox

  Path: /Applications/Dropbox.app


  Name: EvernoteHelper

  Path: /Applications/Evernote.app/Contents/Library/LoginItems/EvernoteHelper.app



System startup items




User launch agents










System launch agents








System launch daemons













Kernel extensions




















/System/Library/Extensions/Wacom Tablet.kext


















launchd.conf contents




Hosts file



# Host Database


# localhost is used to configure the loopback interface

# when the system is booting.  Do not change this entry.

## localhost broadcasthost

::1             localhost 

fe80::1%lo0 localhost


### Begin DesktopServer - do not edit this and proceeding lines ### www.wpwebtest.dev

### End DesktopServer - do not edit this and preceeding lines ###



Scan log


2017-05-11 16:33:58 :  

2017-05-11 16:33:59 : ----- Scan Started -----

2017-05-11 16:33:59 : Scanning with signatures version 196 (2017-5-9)

2017-05-11 16:34:01 : Adware.Spigot : /Users/Minxy/Library/Application Support/Spigot

2017-05-11 16:39:46 : PUP.Hotger : /Users/Minxy/hotger

2017-05-11 16:40:05 : *** Scan time: 0d 00:06:06 ***

2017-05-11 16:40:05 : ------ Scan Ended ------

2017-05-11 16:40:15 : Removing detected threats...

2017-05-11 16:40:15 :  Removing Item: /Users/Minxy/Library/Application Support/Spigot

2017-05-11 16:40:15 :  Removing Item: /Users/Minxy/hotger

2017-05-11 16:40:15 : ---- Threat Removal Complete ----

2017-05-11 17:15:21 :  

2017-05-11 17:15:22 : ----- Scan Started -----

2017-05-11 17:15:22 : Scanning with signatures version 196 (2017-5-9)

2017-05-11 17:19:55 : *** Scan time: 0d 00:04:32 ***

2017-05-11 17:19:55 : ------ Scan Ended ------

2017-05-11 17:51:06 :  

2017-05-11 17:51:07 : ----- Scan Started -----

2017-05-11 17:51:07 : Scanning with signatures version 196 (2017-5-9)

2017-05-11 17:54:51 : *** Scan time: 0d 00:03:44 ***

2017-05-11 17:54:51 : ------ Scan Ended ------

2017-05-11 20:04:36 :  

2017-05-11 20:04:36 : ----- Scan Started -----

2017-05-11 20:04:37 : Scanning with signatures version 196 (2017-5-9)

2017-05-11 20:07:57 : *** Scan time: 0d 00:03:20 ***

2017-05-11 20:07:57 : ------ Scan Ended ------

2017-05-13 23:00:30 :  

2017-05-13 23:00:30 : ----- Scan Started -----

2017-05-13 23:00:30 : Scanning with signatures version 198 (2017-5-12)

2017-05-13 23:03:49 : *** Scan time: 0d 00:03:18 ***

2017-05-13 23:03:49 : ------ Scan Ended ------

2017-05-14 14:13:19 :  

2017-05-14 14:13:20 : ----- Scan Started -----

2017-05-14 14:13:20 : Scanning with signatures version 198 (2017-5-12)

2017-05-14 14:16:40 : *** Scan time: 0d 00:03:20 ***

2017-05-14 14:16:40 : ------ Scan Ended ------

_____End Snapshot______


Like I told FredHarrington, the issue does not seem to appear anymore, and I think it's because I've activated the malware filters that come with the uBlock origin extension for chrome. I hope it is safe to assume there is no threat creeping somewhere in there, especially since all the scans I've run come clean. 

Thanks a lot for your help with this! 


Link to post
Share on other sites

  • Staff

You have a known bad Chrome extension, but the last time you scanned with Malwarebytes, it hadn't yet been detected. Do another scan, and it will remove the Unseen extension. uBlock might be covering up the symptoms, but you should still get rid of the problem. (In general, using an ad blocker to stop ads that are not normal for the sites you're visiting is not a good idea. It just obscures the symptom, but leaves the problem still present.)

In addition, you have a LOT of Chrome extensions. I wouldn't recommend having more than about 5 third-party browser extensions total. Adding more just increases the odds of having problems, especially in Chrome, for which there is a constant stream of new malicious extensions. Thinning out the extensions you have installed would be strongly recommended.



Link to post
Share on other sites

On 5/27/2017 at 3:44 PM, treed said:

You have a known bad Chrome extension, but the last time you scanned with Malwarebytes, it hadn't yet been detected. Do another scan, and it will remove the Unseen extension.

I removed the extension directly in chrome, and ran the scan once again and it all came out clean. I do get that this is not the way to use an ad-blocker, but how can I fix the issue when nothing comes on *any* scan after those first initial threats that were detected and removed?

Also,  I've been using the FBunseen extension for over two years now way before this issue started happening and unlike PCs, the options for mac are very few in terms of solutions. I've disabled some of the extensions I have, but if the problem is not any malicious extensions, this doesn't seem to fix anything either..?



Link to post
Share on other sites

  • Staff

It is a common problem among Chrome extensions for them to be obtained by adware creators, who will then release an update that causes a formerly-legitimate extension to become adware. So the fact that you've used an extension for years does not mean that it can't be the problem. We've seen numerous cases of problems caused by that Unseen extension.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.