
oneclickrev adware malware

I seem to have some kind of adware or malware affecting Safari. On most websites when I click any regular plain text or empty space, I get a tab opened with a website called oneclickrev. com /oneclickrev

https://www.reddit.com/r/antivirus/comments/72lllc/oneclickrevcom_adwarebrowser_hijacker/

The tab closes by itself before it's loaded.

Around the same time this started happening, websites have started to automatically reload showing the message "this webpage was reloaded because a problem occurred"


Anyone having this same issue who has found a fix?

(Clearing History and Cache has not helped)

MacBook Air, macOS High Sierra (10.13.1)

Posted on Nov 16, 2017 2:39 PM

17 replies

Nov 16, 2017 2:51 PM in response to ridahupo

Fixes for Adware and Pop-ups


  1. Malwarebytes
  2. DetectX 2.11
  3. Remove adware that displays pop-up ads and graphics on your Mac
  4. Stop pop-up ads and adware in Safari - Apple Support


Fixing Safari from Popups

[The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.]


Fix Some Browser Pop-ups That Take Over Safari


Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also, understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.


Quit Safari


Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + ESC, select Safari, and press Force Quit.


Relaunch Safari


If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.


This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious web page, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.

Nov 16, 2017 7:34 PM in response to PN2

User uploaded file


I understand that adware removal/scanning tools need to access many files & folders in the User Home folder & beyond; and that developers may well have a professional interest in user habits… but I still can't really see what business they have in looking at what the user has been searching for in the App Store.


Maybe softwater, or another developer, can comment on whether or not that's a normal thing to do.

Nov 17, 2017 7:16 AM in response to PN2

...& I wouldn't trust software from a website that uses unrelated photographs next to the names of those who made glowing comments about it.

Haha! Sorry, I (finally) see what you meant. I hadn't noticed that until I scrolled all the way down.


User uploaded file


All three pretty obviously use stock photography for the "happy users".

Nov 16, 2017 5:29 PM in response to ridahupo

If the above doesn't work, try running this program in your normal account, then copy and paste the output in a reply. The program was created by etresoft, a frequent contributor. Please use copy and paste as screen shots can be hard to read. On the screen with Options, please open Options and check the bottom 2 boxes before running. Click “Share Report” button in the toolbar, select “Copy Report” and then paste into a reply. This will show what is running on your computer. No personal information is shown.

Etrecheck – System Information

Nov 16, 2017 5:38 PM in response to infosee

I wouldn't trust software from a company whose lead page states everything it claims to be able to remove as being a virus, when there are no viruses in the Mac OS.


MacKeeper is not a virus. It's just truly awful software and literally lies about the threats it claims need to be cleaned up. The other three are adware.


And why does everyone think they need to tack the word "Pro" onto a product name that has no other version? Saying "Pro" means you also have a less capable, non-pro version. Or maybe an even better Enterprise version.

Nov 16, 2017 7:00 PM in response to ridahupo

You may have got some adware. If you don't want to download 3rd party apps to check, you can run some simple searches from the Terminal as described below.


1. Open the Terminal.app (it's in /Applications/Utilities/ folder).


2. Triple click anywhere in the block of code below, copy and paste the block into the Terminal window. The code will ask for an admin password, and create a small text file on your Desktop called 'Adware_Search.txt'. It'll take a few seconds to complete.


3. When the Terminal prompt returns, open the file, copy and paste the text into a post here so we can check whether the contents are legit or not.



w=`id -un`; r="s@$w@[redacted]@g"; f="/Users/"$w"/Desktop/adware_search.txt"; ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ /Users/Shared | sed "$r" >> "$f"; printf "\n\n/etc:\n" >> "$f";ls -alF /etc/*.sh 2>/dev/null >> "$f"; printf "\n\n# osascript processes:\n" >> "$f"; ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}' | sed "$r" >> "$f"; printf "\n\n# User launchd:\n" >> "$f"; launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Root launchd:\n" >> "$f"; sudo launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Find rec_script.sh:\n" >> "$f"; sudo find /Library ~/Library -name "*rec_script.sh*" | sed "$r" >> "$f"; sudo -K



A full explanation of the code can be found on my blogpost here:


http://applehelpwriter.com/2017/07/23/terminal-tricks-for-defeating-adware/



Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.
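
A follow-up to the listing the one-liner above produces, as an added example that is not part of the original post or its author's code: it reads each launchd plist in the same Launch* folders and shows the label and command the job would run, with the user name redacted the same way. It assumes Python 3 is installed; the review hints are assumptions drawn from what the one-liner searches for.

```python
import getpass
import glob
import os
import plistlib

# Folders whose contents the one-liner above lists with `ls`.
LAUNCH_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
               "~/Library/LaunchAgents"]
# Review hints taken from what the one-liner searches for. They are
# assumptions for this example, not verdicts that a job is adware.
HINTS = ("/Users/Shared", ".sh", "osascript")


def job_command(plist_path):
    """Return (label, argv) for a launchd plist, or None if unreadable."""
    try:
        with open(plist_path, "rb") as fh:
            job = plistlib.load(fh)  # reads XML and binary plists
        argv = job.get("ProgramArguments") or [job.get("Program", "")]
        return str(job.get("Label", "")), [str(a) for a in argv]
    except Exception:
        return None


def triage(dirs=LAUNCH_DIRS, user=None):
    """List what each launchd job would run, with the user name redacted."""
    user = user or getpass.getuser()
    rows = []
    for d in dirs:
        pattern = os.path.join(os.path.expanduser(d), "*.plist")
        for path in sorted(glob.glob(pattern)):
            parsed = job_command(path)
            label, argv = parsed if parsed else ("?", ["<unreadable plist>"])
            command = " ".join(argv)
            hints = [h for h in HINTS if h in command]
            if not label.startswith("com.apple."):
                hints.insert(0, "non-Apple label")
            line = f"{path}\t{label}\t{command}".replace(user, "[redacted]")
            rows.append((line, hints))
    return rows


if __name__ == "__main__":
    for line, hints in triage():
        print(line, "<-- review: " + ", ".join(hints) if hints else "")
```

A label is chosen by whoever wrote the plist, so a `com.apple.` prefix is not proof of origin; the command column is the part to read.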

Nov 16, 2017 8:33 PM in response to Kappy

How'd you figure that?


The code is there displayed for everyone to see. It's transparent. Even if the user can't read it, at least they can have some confidence from that transparency. Those that can read it around here (such as yourself, I believe) would be quick to jump all over it if it wasn't anything other than what it says it is.


The output of that block of code is also transparent, redacts the user's name and can be shared here for all to benefit (assuming that there's some bad actors in there). When people download DetectX or MBAM to solve their problems, everyone else is left in the dark about what the problem was.


As for your 'not for the novice' comment, I don't understand that either. The instructions are nothing other than a few cut and pastes.


Disclaimer: I'm the developer of DetectX.

Nov 16, 2017 8:56 PM in response to softwater

But one cannot use it without making a copy, then pasting it into the Terminal. The code is itself gibberish to the unwashed. A user can have no more confidence in the code than in a complete application that is using the same code put together with a GUI wrapper. Just because I can see all the instructions in a block of code doesn't necessarily mean I understand it. For a non-programmer, it's just a foreign language. Without knowing me you have already assumed I will understand your code. But I'm not a Unix expert. I can figure out some of it but not all of it. I would trust using it only because I know you. Oh, and yes, I knew you wrote DetectX and its Swift companion or replacement. I know your coding abilities because I know you from another forum we share in common but isn't mentionable. 🙂


I spend a lot of time on the forums helping the many hapless users who are in trouble. Trust me when I tell you they just want the computer to work again, and they don't care about not knowing what the problem was. They want to know how to fix it.

Nov 16, 2017 9:20 PM in response to Kappy

All true, but I think you're misunderstanding, or arguing something that isn't an issue.


First, I posted the code above as an additional suggestion, not the only one. So the user can choose what suits them best. I think it's better to let people have more options than less.


Second, whether you personally understand the code isn't the point; the point is it's transparent and CAN be examined and verified by somebody else. Trust in its author is not required. That's not true of any app bundle people download. You've no idea what else is included in that app, or whether it's been hijacked on the way (see recent attacks on Transmission and Handbrake, for example).


Third, there's a lot of people advertising their 'adware removal' apps on here now. Some, one of which has been posted in this thread, I have real issues with. Others are notorious for false positives. How is the user to know which of these to trust? I've tried to post something that attempts to increase the knowledge of the community and give power to the user.


Unfortunately, even old hands like you seem to think there's something wrong with that. I find that disheartening. So, since we're all trigger happy about downloading 3rd party apps on ASC nowadays (wasn't always so), here's a link to mine (posted as a path, again for transparency reasons):


https://sqwarq.com/detectx/detectx-swift-beta/


Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.

Nov 17, 2017 4:58 AM in response to PN2

And what does that have to do with AV software from a company that gives you the very large impression they don't know what a virus is?


Not a single thing on the site the owner calls a virus (and that's everything, by the way), is a virus. It sure doesn't instill any trust in me that the vendor has any idea what they're talking about.


If a mechanic had picture after picture of car engines on their site and kept calling them a transmission, would you use his or her services? Unlikely.


In a like manner, you couldn't possibly get me to use AV software from a company that doesn't know the difference between a virus, worm, Trojan, adware, social engineering, or in the case of MacKeeper (which is none of these things), is just plain fraudulent software. It certainly isn't a "virus".
