blick

Q: R-ad-somware--is there a remedy?

"R-ad-somware" is my play-on-words for ransomware, due to recent events. I regularly peruse and participate in a web forum hosted by Zetaboards, and lately (past few days) the host redirects the active forum to ads that have only one active button--the "download" or "Install" button--with an inactive "cancel" or "later" button visible on screen. At first I could close the page/window/tab--there was no navigating "back" to the original page, but closing the page worked (meaning you had to reopen and log back into the forum in order to continue where you left off).

 

Today the ad that hijacked the page was for that darned MacKeeper, and as stated above, there was no choice but to download and install MacKeeper. I know all about MacKeeper and won't ever click any link to that malware distributor or basically any "ad" that appears on any webpage I visit, or in my email, etc. But, not only did MacKeeper's page prevent me from navigating back to my previous page/forum or closing that window, it disabled Chrome so I ended up having to force-quit to escape. It was like ransom-ware without a demand to call a phone number to "fix" the problem, or to download the "software fix" and pay hundreds of $$ for the privilege. The "ransom" in this case appears to be downloading MacKeeper and having your search engines hijacked as well as whatever else evil that criminal organization intends for your computer.

 

I don't have a "user account" with Zetaboards so I can't even report it to them. I also followed the steps to check and clear any malware/adware that might have been surreptitiously installed on my computer in the background...and my computer is clear of junk.

 

Is there any way to keep garbage on a web host's servers from hijacking your browser? (Short of outright quitting the forum that's affected and never visiting it again, that is?)

 

I am removing Chrome from my computer because it has serious problems-"flash plug-in" crashes constantly--and is no longer supported for my OS (10.6.8). I'm using Safari for the first time in two years because it has caused me headaches in past years....but Firefox and Chrome are unsuitable any more.

Mac mini, Mac OS X (10.6.8), core duo

Posted on Sep 19, 2016 1:39 PM

  • by etresoft,

    etresoft Sep 19, 2016 1:44 PM in response to blick
    Level 7 (29,228 points)
    Mac OS X

    Hello blick,

    On 10.6.8, your options are limited. Many web sites won't work in that old version of Safari. Installing the latest Chrome or Firefox is something that I would normally suggest. Newer versions of OS X/Safari prevent the pop-ups from completely hijacking your web browser.

     

    You might try ScamZapper (https://sites.google.com/site/appleclubfhs/downloads/scamzapper-info) which was developed by another top contributor here at Apple Support Communities.

  • by ChitlinsCC,

    ChitlinsCC Sep 19, 2016 2:00 PM in response to blick
    Level 5 (7,778 points)
    Notebooks

    I have effectively killed all "MacKeeper" (and many like it) popOVER/UNDERs for a couple of years by using Firefox in conjunction with the add-on P.U.K a rude PopUp/Under Killer :: Add-ons for Firefox

    I had some discussion with THE "... another top contributor here at Apple Support Communities" about this.
    His Safari - ScamZapper - Apple Club is easy to use - P.U.K. is maintained by you - also EASY - in a comma delimited list in the add-ons "Options" dialog. You simply add up to 30 characters in a particular URL to block the "page" from ever being seen.

  • by blick,

    blick Sep 20, 2016 9:32 AM in response to ChitlinsCC
    Level 1 (8 points)
    Desktops

    Thanks for the quick replies. I will try ScamZapper first, since I'm using Safari currently. But, today another problem has arisen and it's affecting my ebay account. It's apparently a known adware issue called "stags.bluekai.com" and Safari is catching it, but every time I navigate to another page (auction, search list, etc) I get the Safari warning that I have to "cancel" or "Continue" before I can do anything else, even if I move to a different tabbed site. (I "cancel" each time.)

     

    I googled "stags.blueakai" and found several windows-based procedures to find and eliminate the adware (a cursory search of my hard-drive yesterday before I ran into stags.bluekai.com didn't find any evidence of that or any other known adware (I've had to do this before.....and followed a procedure to eradicate MacKeeper earlier this year that was posted here .))

     

    The malware information on the stags.bluekai adware indicates it is one of those hidden installers that comes with a downloaded application. I haven't downloaded any applications or even any other downloads except photos from my phone, emailed to myself so I could get them on my computer without having to hook up the phone and then go through iPhoto to select the few pics I need out of hundreds on the phone. I deliberately avoid "questionable" websites....most of my web browsing is to commercial sites in business for decades that I've been to many times with no issues.

     

    Is it possible that even without 'taking the bait' on any of the adware hijacks, adware has still been installed on my box without my knowledge? Are you guys familiar with this "stags.bluekai.com" issue? Is there a Mac-oriented cleaning solution for this?

     

    TIA

  • by ChitlinsCC,

    ChitlinsCC Sep 20, 2016 10:07 AM in response to blick
    Level 5 (7,778 points)
    Notebooks

    To be sure about anything being "installed" without your consent (unlikely), download and run Malwarebytes | Free Anti-Malware Detection & Removal Software for Apple Macintosh Computers

     

    To add to your arsenal, download (and run after MWB) http://etrecheck.com/#download (written by our friend participating in this thread etresoft)

  • by blick,

    blick Sep 20, 2016 11:06 AM in response to ChitlinsCC
    Level 1 (8 points)
    Desktops

    Malwarebytes says the OS requirements are 10.8 (and above, presumably). I'm on 10.6.8. Checking out etrecheck now.

  • by stevejobsfan0123,

    stevejobsfan0123 Sep 20, 2016 11:12 AM in response to blick
    Level 8 (43,767 points)
    iPhone

    Unfortunately I don't think EtreCheck will remove adware for you either. etresoft can confirm, but I believe that it will not remove any files unless you have a Time Machine backup, and EtreCheck is not able to check the Time Machine status in 10.6.8.

     

    You might try the steps listed here: http://www.thesafemac.com/arg-identification/.

  • by etresoft,

    etresoft Sep 20, 2016 12:02 PM in response to stevejobsfan0123
    Level 7 (29,228 points)
    Mac OS X

    stevejobsfan0123 wrote:

     

    Unfortunately I don't think EtreCheck will remove adware for you either. etresoft can confirm, but I believe that it will not remove any files unless you have a Time Machine backup, and EtreCheck is not able to check the Time Machine status in 10.6.8.

    Hello stevejobsfan0123,

    There is "special dispensation" for people running older OS versions. Instead of the Time Machine check, it asks the user to confirm that they really, really do have a backup. Then it will allow them to delete files.

  • by stevejobsfan0123,

    stevejobsfan0123 Sep 20, 2016 12:04 PM in response to etresoft
    Level 8 (43,767 points)
    iPhone

    Ah, good to know.

  • by blick,

    blick Sep 20, 2016 12:48 PM in response to stevejobsfan0123
    Level 1 (8 points)
    Desktops

    To you and everyone else who has helped with this problem, thank you very much. It is looking more and more like the issue is on the servers hosting ebay and the one web forum (Swifty's Garage) I regularly visit. I installed ScamZapper but the ads that are taking control of my browsers (Chrome and Safari both victims) are not ransomware in the original sense....ScamZapper says I shouldn't use it to report "ads" because it's not an adware remover, and I have a system in place for manually checking all the places on my hard drive where adware and its cousins are typically installed (according to the "adware removal" instructions, such as the page linked above which I just read through). I still haven't downloaded etrecheck, so I will try that since I do have "clean" backups (I even cleaned my backups earlier this year using a procedure like that suggested above...and found some of the malfeasants hiding in a couple of those backups....eliminated thankfully through some tedious digging according to the instructions.)

     

    I have reported the problem on Swifty's to the site's owner, but he's using (and has been for years) a 'free' web hosting site which was the first place I started getting hijacking ads just this weekend--the first event listed the source as that hosting site (Zetaboards, as noted in my first question in this thread). (I've been a member at Swifty's for more than 2 years with no problems until Sunday.)

     

    I searched google for the adware issue and an old (2013) user support request to ebay was one result, so ebay has been aware of the issue since at least then, but the ebay problem didn't begin until I stopped using Chrome yesterday and switched to Safari.

     

    I'm still very frustrated and I have no idea what else to do. (I guess I could download Firefox again....but I stopped using it when certain websites (Photobucket, in particular) became unusable in Firefox but still worked in Chrome and Safari.) Photobucket is a part of my whole daily existence....and directly related to my use of Swifty's....so I need both to work without problems......I really hope I don't need to buy a new computer because of this.

  • by John Lockwood,

    John Lockwood Sep 21, 2016 3:32 AM in response to blick
    Level 6 (9,314 points)
    Servers Enterprise

    I use ScamZapper for Safari but it still does not block many ransomware popups.

     

    I find using Firefox with AdBlocker Plus far more effective.

  • by ChitlinsCC,

    ChitlinsCC Sep 21, 2016 8:57 AM in response to blick
    Level 5 (7,778 points)
    Notebooks

    ...(Chrome and Safari both victims)... [later = Firefox too]

    As a test, I have poked around there with Firefox, AdBlock Ultimate OFF for that site - AND - PUK installed withOUT having added any URL strings to the blacklist = NO PopUP/OVER/UNDER ads or pages = smooth sailing

     

    If my testing is indeed scientific method of replicating your actions (as best I can), it seems to indicate that you DO in fact have something ON your Mac

     

    Our two VERY smart friends may find my conclusion false (I hope so for your sake)

  • by ChitlinsCC,

    ChitlinsCC Sep 21, 2016 9:06 AM in response to John Lockwood
    Level 5 (7,778 points)
    Notebooks

    Give P.U.K a rude PopUp/Under Killer :: Add-ons for Firefox a try - even with it going, I still get ransomware pop-ups occasionally because any countermeasure requires prior knowledge of the URL one is blocking!

    AdBlockers may have "characteristics" criteria - the ad's source is not local to the website or somesuch, etc.

    When you get one, add some part of the URL of the resulting page to the comma delimited blacklist in the add-on options
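
The comma-delimited URL blacklist described in the post above, sketched as an added example that is not part of the original thread and is not P.U.K.'s own code. The 30-character limit and substring matching follow the thread's description; the function names, hostnames and URLs are constructed for illustration. It also flags entries broad enough to hit pages the user wants to keep.

```javascript
// Added illustration, not P.U.K.'s source code. The entry format (comma-delimited,
// at most 30 characters, matched as a URL substring) follows the thread's description;
// all hostnames and URLs below are constructed samples.
const MAX_ENTRY_LEN = 30;

// Split the raw option string into usable entries; over-long ones are reported, not used.
function parseBlocklist(raw) {
  const accepted = [];
  const rejected = [];
  for (const part of raw.split(",")) {
    const entry = part.trim().toLowerCase();
    if (entry === "") continue;                 // tolerate "a,,b" and trailing commas
    if (entry.length > MAX_ENTRY_LEN) { rejected.push(entry); continue; }
    if (!accepted.includes(entry)) accepted.push(entry);
  }
  return { accepted, rejected };
}

// Return the first entry contained in the URL, or null when nothing matches.
function matchBlocklist(url, entries) {
  const haystack = url.toLowerCase();
  for (const entry of entries) {
    if (haystack.includes(entry)) return entry;
  }
  return null;
}

// Entries that also hit pages the user wants to keep are too broad to be safe.
function overbroadEntries(entries, wantedUrls) {
  return entries.filter((e) => wantedUrls.some((u) => u.toLowerCase().includes(e)));
}

const RAW = "fake-cleaner.example, /lp/install-now?, forum, " +
            "a-very-long-tracking-path-segment-over-thirty-chars";
const WANTED = ["https://garage-forum.example/index/", "https://photos.example/albums"];

const { accepted, rejected } = parseBlocklist(RAW);
const tooBroad = overbroadEntries(accepted, WANTED);
const usable = accepted.filter((e) => !tooBroad.includes(e));

// A previously seen pop-up host is caught; a host never added to the list is not.
console.log(matchBlocklist("https://cdn.fake-cleaner.example/lp/x", usable));
console.log(matchBlocklist("https://new-host.example/offer", usable));
console.log("too broad:", tooBroad, "rejected:", rejected);
```
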

  • by stevejobsfan0123,

    stevejobsfan0123 Sep 21, 2016 9:07 AM in response to John Lockwood
    Level 8 (43,767 points)
    iPhone

    John Lockwood wrote:

     

    I use ScamZapper for Safari but it still does not block many ransomware popups.

     

    I find using Firefox with AdBlocker Plus far more effective.

    There appears to be some confusion about what a "ransom" pop-up is.

     

    These are examples:

    [two images]

    Ransom pop-ups demand that you call the attacker in order to release your browser. Hopefully by now most people know how to get rid of them on their own but it is still a nuisance. AdBlock Plus will do nothing to stop this. ScamZapper does.

     

    By contrast, what you call "ransomware popups" are simple advertisements, and are not displayed in a JavaScript alert window (they may have a one-time "download now!" message or something like that but they only display once and do not lock the browser). Adblock Plus will stop ads, ScamZapper does not.

  • by John Lockwood,

    John Lockwood Sep 21, 2016 9:13 AM in response to stevejobsfan0123
    Level 6 (9,314 points)
    Servers Enterprise

    No, I am aware of the difference. If I visit a site I suspect is going to use a ransomware message as previously experienced in Safari, and go to the same site in Firefox equipped with ABP, then in Firefox it is blocked: I see a new window or tab try opening, be blank and then close, all presumably by ABP. In Safari, if not blocked by ScamZapper, then I get hijacked and have to force-quit Safari.
