blick

Q: R-ad-somware--is there a remedy?

"R-ad-somware" is my play-on-words for ransomware, due to recent events. I regularly peruse and participate in a web forum hosted by Zetaboards, and lately (past few days) the host redirects the active forum to ads that have only one active button--the "download" or "Install" button--with an inactive "cancel" or "later" button visible on screen. At first I could close the page/window/tab--there was no navigating "back" to the original page, but closing the page worked (meaning you had to reopen and log back into the forum in order to continue where you left off).

 

Today the ad that hijacked the page was for that darned MacKeeper, and as stated above, there was no choice but to download and install MacKeeper. I know all about MacKeeper and won't ever click any link to that malware distributor or basically any "ad" that appears on any webpage I visit, or in my email, etc. But, not only did MacKeeper's page prevent me from navigating back to my previous page/forum or closing that window, it disabled Chrome so I ended up having to force-quit to escape. It was like ransom-ware without a demand to call a phone number to "fix" the problem, or to download the "software fix" and pay hundreds of $$ for the privilege. The "ransom" in this case appears to be downloading MacKeeper and having your search engines hijacked as well as whatever else evil that criminal organization intends for your computer.

 

I don't have a "user account" with Zetaboards so I can't even report it to them. I also followed the steps to check and clear any malware/adware that might have been surreptitiously installed on my computer in the background...and my computer is clear of junk.

 

Is there any way to keep garbage on a web host's servers from hijacking your browser? (Short of outright quitting the forum that's affected and never visiting it again, that is?)

 

I am removing Chrome from my computer because it has serious problems--the "flash plug-in" crashes constantly--and it is no longer supported for my OS (10.6.8). I'm using Safari for the first time in two years because it has caused me headaches in past years....but Firefox and Chrome are unsuitable any more.

Mac mini, Mac OS X (10.6.8), core duo

Posted on Sep 19, 2016 1:39 PM


Page 2 of 3
  • by stevejobsfan0123,

    stevejobsfan0123, Sep 21, 2016 9:20 AM, in response to John Lockwood
    Level 8 (43,853 points)
    iPhone

    What version of ScamZapper do you have, and is "Aggressive Mode" checked in preferences?

  • by blick,

    blick, Sep 21, 2016 10:06 AM, in response to stevejobsfan0123
    Level 1 (12 points)
    Desktops

    ScamZapper (2.04, downloaded from the link supplied here yesterday) did not stop the ransom page that just took over Safari. I panicked and immediately quit the browser....but clearly, I could do NOTHING else in the browser while that RANSOM page was taking over the browser window--it did still leave the Safari menu's "quit Safari" available, but other commands in that menu--and the "back button" above the window--were grayed out...and it had an obnoxious timer audibly ticking off the seconds until the action necessary (clicking or calling....I didn't stick around to read it....) before it claimed the 'infection' would do some damage. The page said (similar to the first screenshot above) it was from Apple user support.

     

    The intervals between hijackings this morning--and they only occurred while visiting that ONE site (Swifty's)--shortened to a matter of seconds--literally--between me restarting the browser, opening that forum, and loss of access to anything in that browser window. I'm currently using Safari to write this, and this site seems impervious to the problem.

     

    Out of curiosity, can you suggest a reason why only ebay and Swifty's seem to have the problem, and not my email account or Apple user support forums? I "reset" Safari after the second Flash Player ad took over Swifty's....and the next login was almost immediately taken over by what was most certainly a RANSOM request. The second "Flash Player" ad definitely disabled the browser window, which is why I "reset" Safari. But the reset did not prevent the ransom page from displaying.

     

    I had another Apple User Support thread in progress a week or two ago when I got my first "Ransom" demand while using Chrome, and that request completely locked Chrome....and I couldn't even get to the finder to "force quit" Chrome, so it appeared to me that my computer had, indeed, been "locked". I ended up doing a "hard shutdown" with the Mini's power button to escape....though after the responses I got in here I found I might have been able to force quit the browser without the menu. Problem is, I haven't memorized the keystrokes to do that, and without access to the menu bar at the top of my screen, I couldn't even find "Help" to tell me how to do that.

  • by stevejobsfan0123,

    stevejobsfan0123, Sep 21, 2016 10:11 AM, in response to blick
    Level 8 (43,853 points)
    iPhone

    If the below page is what you're referring to, this is not a ransomware pop-up - simply a fake Flash Player ad. These do not typically lock up the browser, but in any case, that's why ScamZapper didn't block it.

     

    [Screenshot attached: Screen Shot 2016-09-21 at 10.08.50 AM.png]

  • by blick,

    blick, Sep 21, 2016 10:13 AM, in response to blick
    Level 1 (12 points)
    Desktops

    I might add, if I have adware or other malware on this box, why doesn't it affect every web page I access? Why only ebay and Swifty's?

     

    I am afraid to access any other website for which I must log in (my bank, paypal, whatever) because I don't know what "triggers" these attacks.

  • by stevejobsfan0123,

    stevejobsfan0123, Sep 21, 2016 10:22 AM, in response to blick
    Level 8 (43,853 points)
    iPhone

    blick wrote:

     

    I might add, if I have adware or other malware on this box, why doesn't it affect every web page I access? Why only ebay and Swifty's?

    You may be on to something. If both eBay and Swifty's require a login, that could be what's triggering it. This could be caused by adware installed on your Mac, or by a hacked wireless router.

     

    I already linked to adware identification instructions earlier: http://www.thesafemac.com/arg-identification/.

    If it's a hacked wireless router, see: http://www.thesafemac.com/how-to-manage-a-hacked-wireless-router/.

  • by John Lockwood,

    John Lockwood, Sep 21, 2016 10:29 AM, in response to blick
    Level 6 (9,349 points)
    Servers Enterprise

    The ransomware I have experienced is caused by the original webpage loading an 'advert', that advert is from a feed of semi-random adverts they use to generate revenue. In these cases however the 'advert' contains Javascript code which displays a pop-up window claiming your computer is infected, or you have kiddie ****, and to call a phone number to get your computer unlocked. (A scam.)

     

    Nothing has really infected your computer; it is merely that the Javascript prevents you from using the browser. The only solution is to force-quit the browser. As long as you don't subsequently reload the same page containing the same Javascript code, you're unaffected.

     

    Note: I saw an article suggesting the infamous MacKeeper software is actually reasonably legitimate and does not contain malware. It is more their use of highly aggressive web adverts including popups that has marred their reputation beyond repair. It is actually quite easy to uninstall MacKeeper if you have (foolishly) installed it.

     

    PS. There is a different type of scam which involves tricking you into allowing the installation of a web-browser add-on which then hijacks your search results. As far as I am aware, unlike the Javascript browser hijack mentioned above, a search engine hijack requires the user to explicitly allow its installation.

  • by stevejobsfan0123,

    stevejobsfan0123, Sep 21, 2016 10:32 AM, in response to John Lockwood
    Level 8 (43,853 points)
    iPhone

    John Lockwood wrote:

     

    Note: I saw an article suggesting the infamous MacKeeper software is actually reasonably legitimate and does not contain malware. It is more their use of highly aggressive web adverts including popups that has marred their reputation beyond repair. It is actually quite easy to uninstall MacKeeper if you have (foolishly) installed it.

    Agree that it is not actual malware. But it is not legitimate, and their reputation was due to scamming people out of their money: http://www.thesafemac.com/ongoing-mackeeper-fraud/. In a sense, MacKeeper is ransomware, because just like the pop-ups, the program will claim your computer is infected and you need to pay for their services to remove the infection.

  • by ChitlinsCC,

    ChitlinsCC, Sep 21, 2016 11:01 AM, in response to John Lockwood
    Level 5 (7,905 points)
    Notebooks

    ...from a feed of semi-random adverts they use to generate revenue. ...

    Indeed

     

    I have a buddy who "contracts" with a company that provides him with revenue - they "manage" the content delivery.

    His deal is for "placement" in certain places on his pages.

    Apparently, he must give a key or two to the kingdom to get this done (not privy to the details).

    Occasionally, this access has allowed what you describe to be inserted into his PHP display of "thread" pages - a script that places a full page invisible button which OnClick (randomly or item-by-item) picks a 'target' page from some list that displays popUPs (blocked by Firefox with a 'below the toolbar' alert) or popUNDERs (noticeable if one is paying attention - then manually killed) - OR those pesky popOVER 'ransomware' alerts.

    The bad part of this is that whenever this happens, it kills all "response" actions (links or javascript-buttons) on the page - page is just dead, requiring closing the TAB or window.

    When this script gets activated, I shoot him an email. He gets POed at his "ad guy". Sometime later the script goes away.

    He has not told me what is what on this periodic behavior, but my feeling is that the 'ad guy' has a script of his own that 'manages' his customer accounts - or at worst is in collusion with the ransom seekers.

    At bottom, this behavior requires that code be inserted into the HTML that displays the page to the user.

     

    I have "joined" Swifty's Garage site to see if being logged in has any effect on whether or not POPs of any kind appear. LoggedInState = no difference = no POPs of any kind. That does not mean that they don't exist there, only that the above-described "LIST" script is not presently there.

    Swifty's is HOSTED by a "free-forum" outfit
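    The mechanism ChitlinsCC describes (a full-page invisible button whose click handler sends the visitor to the pop-up page) is something a site owner can check for from the browser's developer console. The following is an added example, not code from this thread or from any forum software: a heuristic that flags elements which cover the viewport while being invisible and clickable. The 0.9 coverage and 0.05 opacity thresholds, the sample viewport and the sample element list are assumptions constructed for the example.

```javascript
// Added example (not from the thread): flag DOM elements that behave like the
// "full page invisible button" overlay described above. The heuristic is a pure
// function over plain objects so it can be exercised offline; collectFromDocument()
// is a small adapter that feeds it real elements when run inside a browser page.

// Assumed viewport for the offline sample (a real run uses window.innerWidth/Height).
const VIEWPORT = { width: 1280, height: 800 };

// An overlay is suspicious when it (1) covers nearly the whole viewport,
// (2) is taken out of normal flow, (3) is visually invisible, and (4) reacts to clicks.
function isOverlayLike(el, viewport) {
  const coversViewport =
    el.width >= viewport.width * 0.9 && el.height >= viewport.height * 0.9; // threshold assumed
  const stacked = el.position === 'fixed' || el.position === 'absolute';
  const invisible = el.opacity <= 0.05 || el.backgroundTransparent;        // threshold assumed
  const clickable = el.hasClickHandler || el.tag === 'a';
  return coversViewport && stacked && invisible && clickable;
}

// Returns the ids of every element that matches the heuristic.
function findOverlays(elements, viewport = VIEWPORT) {
  return elements.filter((el) => isOverlayLike(el, viewport)).map((el) => el.id);
}

// Browser adapter: snapshot computed geometry/style of every element on the page.
// Outside a browser (no `document`) it returns an empty list instead of failing.
function collectFromDocument() {
  if (typeof document === 'undefined') return [];
  return Array.from(document.querySelectorAll('*')).map((node, i) => {
    const cs = getComputedStyle(node);
    const r = node.getBoundingClientRect();
    return {
      id: node.id || `${node.tagName.toLowerCase()}#${i}`,
      tag: node.tagName.toLowerCase(),
      position: cs.position,
      opacity: parseFloat(cs.opacity),
      backgroundTransparent:
        cs.backgroundColor === 'rgba(0, 0, 0, 0)' || cs.backgroundColor === 'transparent',
      width: r.width,
      height: r.height,
      hasClickHandler: typeof node.onclick === 'function' || node.hasAttribute('onclick'),
    };
  });
}

// Constructed sample: a normal thread page, a banner ad, a legitimate semi-opaque
// modal backdrop (no click handler), and one injected invisible click layer.
const SAMPLE_ELEMENTS = [
  { id: 'thread-list', tag: 'div', position: 'static', opacity: 1, backgroundTransparent: false, width: 960, height: 3000, hasClickHandler: false },
  { id: 'banner-ad', tag: 'iframe', position: 'static', opacity: 1, backgroundTransparent: false, width: 728, height: 90, hasClickHandler: false },
  { id: 'modal-backdrop', tag: 'div', position: 'fixed', opacity: 0.5, backgroundTransparent: false, width: 1280, height: 800, hasClickHandler: false },
  { id: 'injected-click-layer', tag: 'div', position: 'fixed', opacity: 0, backgroundTransparent: true, width: 1280, height: 800, hasClickHandler: true },
];

// In a browser console: findOverlays(collectFromDocument(), { width: innerWidth, height: innerHeight })
console.log('suspicious overlays:', findOverlays(SAMPLE_ELEMENTS)); // ['injected-click-layer']
```

    Only the injected layer is reported; the dimmed modal backdrop is not, because it is neither invisible nor clickable.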

  • by blick,

    blick, Sep 21, 2016 11:12 AM, in response to stevejobsfan0123
    Level 1 (12 points)
    Desktops

    That one has definitely appeared several times....but I swear it has locked up my browser most times. That occurred this morning twice, and the first time I could access the back button on the browser, which I successfully used, but immediately the flash ad hijacked the screen again, and that time it was disabled, and that next time was within seconds of restarting the browser. What I didn't try either time was the right mouse click to see if a menu appeared with "Back"....but yesterday I did try that and the right click was 'disabled' as far as I could determine....no options available.

     

    Sounds like you're saying I will have to live with that one. I guess I'll download Firefox and hope it's a version that still works on OS X 10.6.8....and then delete Safari and Chrome to avoid trying them again*. But, after the two Flash ads, the next hijack was a RANSOM ad and I had to quit Safari. I see I missed a step in the etrecheck instructions/faqs, in restarting Safari without holding down the shift or command key or whatever they recommend.

     

    *I haven't been able to figure out how to transfer Chrome's bookmarks---Mac help tells me I have to export the file from Chrome before I can import them into Safari, but Chrome doesn't tell me how to export them--it's not an option, only to "import" bookmarks.

     

    I also downloaded EtreCheck and ran it and there was no "adware" or other problem, except for "Insufficient RAM" (only 1gb in each of the two slots on this box). I have that report available if anyone wants to see it.

  • by stevejobsfan0123,

    stevejobsfan0123, Sep 21, 2016 11:15 AM, in response to blick
    Level 8 (43,853 points)
    iPhone

    blick wrote:

     

    Sounds like you're saying I will have to live with that one.

    No, I'm not saying that at all. I posted two links in my last post which may address your problem.

  • by blick,

    blick, Sep 21, 2016 11:31 AM, in response to stevejobsfan0123
    Level 1 (12 points)
    Desktops

    Etrecheck didn't find any adware. The wireless router is my phone/internet modem provided by my ISP--but my desktop computer is connected directly to the internet via ethernet (I didn't feel comfortable using Apple's wireless on the desktop box). The frequency of hijacks has gotten so bad I have decided I can't go back to Swifty's until something changes....and sadly I am part of that community and will miss the friends and compadres I've made there over the years (hopefully some of them will miss me, too).

     

    I have to log into my email, and PayPal, and neither one of them has been hijacked (to date....email is often open in the background on another tab/window while I'm on Swifty's or ebay). But, that possibility, that the hijacks somehow are triggered by logging into a site, leaves me fearing using my bank's website and doctor's/insurance websites....basically every important website to me may be subject to this problem?

  • by blick,

    blick, Sep 21, 2016 12:26 PM, in response to etresoft
    Level 1 (12 points)
    Desktops

    Etrecheck (which I ran an hour or so ago) found nothing wrong but "Insufficient RAM". It offered me NO CHOICE regarding Time Machine.....just highlighted that line in red font. I wasn't given any chance to state that I have backups (clean ones); perhaps that choice only exists if etrecheck finds adware?

     

    Now, about that "Insufficient RAM".....I have 2gb total (one gb each slot). That has been "sufficient" for my browsing habits since I bought this MacMini (2010). Etrecheck highlights it as a problem, but I don't see any way to find an explanation whether that can cause any of this. It says both memory cards (whatever....) are "ok". (One article I read yesterday--perhaps linked from here or found from one of those linked articles--said even 4gb wouldn't support OSX 10.10 or higher, which is one reason I haven't tried upgrading to any version of OSX higher than what I have now (10.6.8), though in my recent OTHER user support community discussion about frequent "flash plugin" crashes in Chrome and the adware/ransomware I experienced in Chrome, a couple of the highly-rated folks said I should upgrade and it WILL work on this box (10.11.xx is all that's available any more).)

     

    Well, gotta go now....suffering a migraine (really) and need to get away from this screen.

  • by BDAqua,

    BDAqua, Sep 21, 2016 12:56 PM, in response to blick
    Level 10 (123,765 points)

    I'm a bit shocked that you didn't have browsing problems with only 2 GB of RAM!

     

    4 GB of RAM in 10.6.8 would become unbearable after a short time of browsing for me.

  • by etresoft,

    etresoft, Sep 21, 2016 3:11 PM, in response to blick
    Level 7 (29,298 points)
    Mac OS X

    Hello blick,

    Many features in EtreCheck are geared specifically to problems that people tend to report here on Apple Support Communities. One of the most common questions involves upgrading the operating system. Many of those red error messages are issues that may be fine for your current configuration, but would make your experience very painful during or after upgrading.

     

    Ideally, people should post their entire EtreCheck report so that helpers experienced with troubleshooting, and reading an EtreCheck report, can give you good advice. I know that people don't always do that, so there are a few items that I go ahead and flag in red to try to encourage such a discussion. In many cases, these issues don't have black and white answers. 2 GB may be fine for your machine. 4 GB may be adequate for a new MacBook Air with SSD running Sierra. So it is difficult to make definitive statements without having more details.

     

    And EtreCheck is certainly no magic bullet. It can't reliably determine if you have a Time Machine backup or not unless you are running OS X 10.8 or later. On the bright side, a 2010 Mac mini is easily upgradeable. Here is a good starting point for upgrades: https://eshop.macsales.com/upgrades/mac-mini-mid-2010-2.4-ghz

     

    With more RAM and an SSD, your machine could run the latest OS with ease.

  • by blick,

    blick, Sep 22, 2016 9:00 AM, in response to BDAqua
    Level 1 (12 points)
    Desktops

    I guess it's possible I DID have browsing problems with only 2gb of RAM.....but I've never had more RAM so I probably wouldn't have noticed it as being different ...it would have just been "normal" to me. So that's what I mean. (Perhaps in the 5-6 years since I bought this MacMini browsing has slowed, but until this adware problem showed up this weekend with such a vengeance, it was barely noticeable to me.)

     

    Bear with me here. Is it possible that adding RAM will stop the adware and those occasional (but increasingly frequent) phony ransomware popups/popunders/popovers or whatever is the right term for a webpage being replaced by an ad (not just hidden or covered, but literally replacing the page I was on)?

     

    As I've noted in my continued responses, I can find NO unexpected, non-Apple system software, extensions, or launch agents/daemons, or any of the other signs of an adware infestation on my computer, following the detailed procedures shown here. To the best of my ability to examine the contents of my hard drive, there is nothing installed that I don't recognize or that is identified in the procedures as "bad".
