How do I get the Rival Gaming malware off my mac?
ClamX didn't get rid of it, and SOPHOS doesn't seem to work either.
iMac (27-inch Late 2009), Mac OS X (10.7.5)
mick mcart wrote:
ClamX didn't get rid of it, and SOPHOS doesn't seem to work either.
That's because it's not really malware, just a scheme to redirect your searches to the Rival Gaming site.
What browser is giving you the problem?
If it's not Malware or a Virus, how do I get it to stop? It's happening on Safari and Firefox.
mick mcart wrote:
It's happening on Safari and Firefox.
Try this with Firefox. If it works we can try to figure out how to fix Safari in a similar manner.
On Firefox:
- Type “about:config” in the URL box and do the following:
- Type “Keyword.url” in the search box. Right-click it and reset it.
- Type “browser.search.defaultengine” in the search box. Right-click it and reset it.
mick mcart wrote:
ClamX didn't get rid of it, and SOPHOS doesn't seem to work either.
A few additional questions in order to try and figure out why this has happened to you.
Did ClamXav find anything when you ran it? If so, please share the exact file and infection names.
I'm guessing that some action you take in the browser ends up taking you to the rivalgaming.com site. Is it when you are searching for something; asking for a specific site (by entering the URL/using a bookmark/clicking an e-mail link); or clicking a link on another site?
Have you been asked to install some software to view a video (e.g. a Codec) recently?
How long has this been going on?
My wife went to Rivalgaming.com after finding it while searching for game sites through google. After she went to the site she clicked on one of the games and that's when the trouble began. I'm going to try to get a screen shot so you can see what's happening.
It started two weeks ago. No video has been involved.
ClamXav didn't find anything either.
mick mcart wrote:
My wife went to Rivalgaming.com after finding it while searching for game sites through google. After she went to the site she clicked on one of the games and that's when the trouble began. I'm going to try to get a screen shot so you can see what's happening.
It started two weeks ago.
So are we talking about an on-line game that is played on the browser without need to download anything?
ClamXav didn't find anything either.
Good, I didn't think it would, but at least it rules out several other possibilities.
Here is a screen shot of what's on Safari:
...
The highlighted "Christian Artist" link is not one I created. Rival Gaming placed it there. This is happening on every website I visit.
Looks like a simple Pop-Up to me. You should be able to dismiss it with the red button in the upper left hand corner and perhaps prevent them completely by choosing "Block Pop-Up Windows" from the Safari menu or in Safari Preferences->Security->Web content: check the box for "Block pop-up windows". Either should stop them.
What I don't know for sure is exactly how they are able to provide this on a persistent basis if you don't have another window or tab open to the Rival Gaming site. I suppose they may be able to do it with a cookie, but I just haven't heard of that before.
I would encourage you to do a reset by choosing Reset Safari from the Safari menu, then checking the boxes for everything you feel comfortable deleting, especially cache and cookies. I would not clear saved names and passwords or AutoFill form text if you use those features a lot.
I checked the "Block pop-up windows", and reset everything in Safari except autofill and saved names and passwords. The problem still exists. I've rebooted the computer a couple of times after doing these things and the problem still exists. I'm baffled.
Might try using OpenDNS, which is patched against redirects that might be the cause.
In System Preferences>Network>Advanced>DNS, enter
208.67.222.222
208.67.220.220
for the interface you are using, e.g. Airport or Ethernet. Make sure they are entered above any other numbers. They will be used in that order. Then go to
http://www.opendns.com/welcome/
to be sure it's working.
My wife went to Rivalgaming.com after finding it while searching for game sites through google. After she went to the site she clicked on one of the games and that's when the trouble began. I'm going to try to get a screen shot so you can see what's happening.
It started two weeks ago. No video has been involved.
"No video has been involved" would seem to rule out a Flash cookie having been accepted, but it still might have been through allowing Flash to load and there might now be an "evercookie."
See the following for my procedure, as edited for clarity and with added screenshots by Kurt Lang, for setting up to remove and prevent Flash cookies (Local Shared Objects).
https://discussions.apple.com/thread/4221814?answerId=19349393022#19349393022
Or, for Firefox, get the Add-on Better Privacy.
WZZZ wrote:
Might try using OpenDNS, which is patched against redirects that might be the cause.
In System Preferences>Network>Advanced>DNS, enter
208.67.222.222
208.67.220.220
for the interface you are using, e.g. Airport or Ethernet. Make sure they are entered above any other numbers. They will be used in that order. Then go to
http://www.opendns.com/welcome/
to be sure it's working.
Good morning WZZZ. You took the words right out of my mouth ;-)
🙂 Evercookie a possibility, you think?
mick mcart wrote:
The problem still exists.
If it's not too late can you tell us what was showing as your DNS settings? If you have never changed it before it should have been settings provided by your ISP, but I'm wondering if there's a new way to change that which could then insert these pop-ups. Or maybe Rival Gaming is paying your ISP to insert them.
WZZZ wrote:
Evercookie a possibility, you think?
Anything is possible at this point. I haven't been seeing much of this since the DNSChanger folks went out of business. There have been short-lived attempts at changing the hosts file and instances of ISPs making money on the side by inserting ads at the top of browser pages, but the only thing that comes close to anything like this is the assertion by some MacKeeper users that they were getting pop-ups after removing the app. I never really saw the evidence of this (lots of users who never had it installed get MacKeeper ads all the time) and if ZeoBIT was doing something like this (they never admitted to it) I don't believe we ever figured out the mechanism.
By evercookie I assume you are talking about the fiasco over Flash cookies being used as a cross-site tracking method. I can understand how Rival Gaming could have easily dropped one when the site was visited, but I'm not sure I understand how they could use that to deliver the pop-up. I wonder if it's a true pop-up window (that can be moved around the screen) or just a Flash window overlaying the page itself?
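The two system-level causes raised in this thread, changed DNS servers and added hosts-file entries, can be checked from Terminal. The script below is an added example, not something posted by any participant; `EXPECTED_DNS`, the function names and the list of stock hosts entries are assumptions to adjust for your own network.

```shell
#!/bin/sh
# Added example: audit DNS resolvers and hosts-file overrides on a Mac.

# Resolvers considered expected (assumption): the OpenDNS addresses from the
# thread. Add your ISP's or router's resolver addresses here.
EXPECTED_DNS="208.67.222.222 208.67.220.220"

# Read resolver addresses on stdin, print each one not in EXPECTED_DNS.
unexpected_dns() {
    while read -r ip || [ -n "$ip" ]; do
        [ -z "$ip" ] && continue
        case " $EXPECTED_DNS " in
            *" $ip "*) ;;                    # known resolver, say nothing
            *) printf '%s\n' "$ip" ;;        # anything else is worth a look
        esac
    done
}

# Print hosts-file lines that are not the stock OS X entries (assumed list).
# $1 = path to a hosts file
hosts_overrides() {
    awk '
        { sub(/#.*/, "") }                   # drop comments
        NF < 2 { next }                      # skip blank lines
        NF == 2 && $2 == "localhost" &&
            ($1 == "127.0.0.1" || $1 == "::1" || $1 == "fe80::1%lo0") { next }
        NF == 2 && $1 == "255.255.255.255" && $2 == "broadcasthost" { next }
        { print }                            # a name pinned to an address
    ' "$1"
}

# Live check; runs only where the macOS networksetup tool is present.
if command -v networksetup >/dev/null 2>&1; then
    networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
    while IFS= read -r svc; do
        # Keep only address lines; the "no DNS servers set" message is dropped.
        bad=$(networksetup -getdnsservers "$svc" |
              grep -E '^[0-9a-fA-F:.]+$' | unexpected_dns)
        if [ -n "$bad" ]; then
            printf 'Unexpected DNS on "%s": %s\n' "$svc" "$(echo $bad)"
        fi
    done
    hosts_overrides /etc/hosts
fi
```

No output means every manually set resolver is on the expected list and the hosts file holds only the stock entries; resolvers handed out by the router over DHCP do not appear in `networksetup -getdnsservers`.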
I'll give this a try when I get home from work. Thanks! I'll let you know what happens tomorrow.
May I just throw a couple of thoughts out there? You have cleaned your history, you have reset your browsers and emptied your cache, and this issue is still happening.
There is a product called CCleaner in the App Store which you may want to run for safety (in case it is browser related). Only have the browser areas checked when you start your analyze and then clean up (the app has given some people strange results at times when more than their browser areas were cleaned up).
There is a product called iAntivirus, owned by Norton, which may be of some value in this situation as an additional "av/malware" resolution.
But more importantly,
have you created an additional new account, to see if the problem is related to your user account or is system based?