
Question: oneclickrev adware malware

I seem to have some kind of adware or malware affecting Safari. On most websites when I click any regular plain text or empty space, I get a tab opened with a website called oneclickrev. com /oneclickrev

https://www.reddit.com/r/antivirus/comments/72lllc/oneclickrevcom_adwarebrowser_hijacker/

The tab closes by itself before it's loaded.

Around the same time this started happening, websites have started to automatically reload showing the message "this webpage was reloaded because a problem occurred"


Anyone having this same issue who has found a fix?

(Clearing History and Cache has not helped)

MacBook Air, macOS High Sierra (10.13.1)


Nov 16, 2017 2:51 PM in response to ridahupo

Fixes for Adware and Pop-ups


  1. Malwarebytes
  2. DetectX 2.11
  3. Remove adware that displays pop-up ads and graphics on your Mac
  4. Stop pop-up ads and adware in Safari - Apple Support


Fixing Safari from Popups

[The following comes from user stevejobsfan0123. I have made minor changes to adapt to this presentation.]


Fix Some Browser Pop-ups That Take Over Safari


Common pop-ups include a message saying the government has seized your computer and you must pay to have it released (often called "Moneypak"), or a phony message saying that your computer has been infected, and you need to call a tech support number (sometimes claiming to be Apple) to get it resolved. First, understand that these pop-ups are not caused by a virus and your computer has not been affected. This "hijack" is limited to your web browser. Also, understand that these messages are scams, so do not pay any money, call the listed number, or provide any personal information. This article will outline the solution to dismiss the pop-up.


Quit Safari


Usually, these pop-ups will not go away by either clicking "OK" or "Cancel." Furthermore, several menus in the menu bar may become disabled and show in gray, including the option to quit Safari. You will likely have to force quit Safari. To do this, press Command + option + ESC, select Safari, and press Force Quit.


Relaunch Safari


If you relaunch Safari, the page will reopen. To prevent this from happening, hold down the 'Shift' key while opening Safari. This will prevent windows from the last time Safari was running from reopening.


This will not work in all cases. The shift key must be held at the right time, and in some cases, even if done correctly, the window reappears. In these circumstances, after force quitting Safari, turn off Wi-Fi or disconnect Ethernet, depending on how you connect to the Internet. Then relaunch Safari normally. It will try to reload the malicious web page, but without a connection, it won't be able to. Navigate away from that page by entering a different URL, i.e. www.apple.com, and trying to load it. Now you can reconnect to the Internet, and the page you entered will appear rather than the malicious one.


Nov 16, 2017 4:01 PM in response to ridahupo

You can try my free tool


Adware Removal Pro for Mac



<Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.>


Nov 16, 2017 5:29 PM in response to ridahupo

If the above doesn't work, try running this program in your normal account, then copy and paste the output in a reply. The program was created by etresoft, a frequent contributor. Please use copy and paste as screen shots can be hard to read. On the screen with Options, please open Options and check the bottom 2 boxes before running. Click “Share Report” button in the toolbar, select “Copy Report” and then paste into a reply. This will show what is running on your computer. No personal information is shown.

Etrecheck – System Information


Nov 16, 2017 5:38 PM in response to infosee

I wouldn't trust software from a company whose lead page states everything it claims to be able to remove as being a virus, when there are no viruses in the Mac OS.


MacKeeper is not a virus. It's just truly awful software and literally lies about the threats it claims need to be cleaned up. The other three are adware.


And why does everyone think they need to tack the word "Pro" onto a product name that has no other version? Saying "Pro" means you also have a less capable, non-pro version. Or maybe an even better Enterprise version.


Nov 16, 2017 7:00 PM in response to ridahupo

You may have got some adware. If you don't want to download 3rd party apps to check, you can run some simple searches from the Terminal as described below.


1. Open the Terminal.app (it's in /Applications/Utilities/ folder).


2. Triple click anywhere in the block of code below, then copy and paste the block into the Terminal window. The code will ask for an admin password, and create a small text file on your Desktop called 'Adware_Search.txt'. It'll take a few seconds to complete.


3. When the Terminal prompt returns, open the file, copy and paste the text into a post here so we can check whether the contents are legit or not.



w=`id -un`; r="s@$w@[redacted]@g"; f="/Users/"$w"/Desktop/adware_search.txt"; ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ /Users/Shared | sed "$r" >> "$f"; printf "\n\n/etc:\n" >> "$f";ls -alF /etc/*.sh 2>/dev/null >> "$f"; printf "\n\n# osacript processes:\n" >> "$f"; ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}' | sed "$r" >> "$f"; printf "\n\n# User launchd:\n" >> "$f"; launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Root launchd:\n" >> "$f"; sudo launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Find rec_script.sh:\n" >> "$f"; sudo find /Library ~/Library -name "*rec_script.sh*" | sed "$r" >> "$f"; sudo -K



A full explanation of the code can be found on my blogpost here:


http://applehelpwriter.com/2017/07/23/terminal-tricks-for-defeating-adware/



Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.
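
For whoever reviews a pasted report, the sketch below (an added example, not part of the original post or the linked blog) condenses the sections of adware_search.txt into one line per item. The function names `triage_report` and `sample_report` are hypothetical and the sample report is constructed; the script only reformats the report and makes no judgement about which items are legitimate.

```shell
#!/bin/sh
# Added example (not from the original post). triage_report and sample_report
# are hypothetical helper names; the report text below is constructed.
triage_report() {   # reads a report (file argument or stdin), prints "section<TAB>item"
  awk '
    /^# osa[a-z]* processes:/ { sec = "osascript"; next }   # spelled "osacript" in the posted one-liner
    /^# User launchd:/        { sec = "user-launchd"; next }
    /^# Root launchd:/        { sec = "root-launchd"; next }
    /^# Find rec_script/      { sec = "rec_script"; next }
    /^\/etc:$/                { sec = "etc"; next }
    (sec == "" || sec == "dir") && /^\/.*:$/ { sec = "dir"; dir = $0; sub(/\/?:$/, "", dir); next }
    NF == 0 || $1 == "total"  { next }                      # blank lines and ls totals
    { item = $NF; sub(/[*@]$/, "", item) }                  # drop the ls -F type suffix
    sec == "dir" && item !~ /^\.\.?\/$/ && item !~ /^com\.apple\./ { print "file\t" dir "/" item }
    sec == "etc"              { print "etc\t" item }
    sec == "osascript" && $1 ~ /^[0-9]+$/ { print "osascript\tppid=" $1 " pid=" $2 }
    sec ~ /launchd$/ && NF >= 3 && $3 != "Label" { print sec "\t" $3 }
    sec == "rec_script"       { print "rec_script\t" $0 }
  ' "$@"
}

sample_report() {   # constructed sample in the layout the one-liner writes
  cat <<'EOF'
/Library/LaunchAgents/:
total 16
drwxr-xr-x   4 root  wheel  128 Nov 10 10:00 ./
drwxr-xr-x  60 root  wheel 1920 Nov 10 10:00 ../
-rw-r--r--   1 root  wheel  512 Nov 10 10:00 com.apple.example.plist
-rw-r--r--   1 root  wheel  512 Nov 10 10:00 com.example.updater.plist

/etc:
-rwxr-xr-x  1 root  wheel  120 Nov 10 10:00 /etc/example.sh*

# osacript processes:
410 422

# User launchd:
PID Status Label
-   0      com.example.updater

# Root launchd:
PID Status Label

# Find rec_script.sh:
/Library/Application Support/example/rec_script.sh
EOF
}

sample_report | triage_report
```

On a real report, pass the file instead: `triage_report ~/Desktop/adware_search.txt`.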


Nov 16, 2017 7:34 PM in response to PN2

User uploaded file


I understand that adware removal/scanning tools need to access many files & folders in the User Home folder & beyond; and that developers may well have a professional interest in user habits… but I still can't really see what business they have in looking at what the user has been searching for in the App Store.


Maybe softwater, or another developer, can comment on whether or not that's a normal thing to do.


Nov 16, 2017 8:14 PM in response to softwater

In what respect is this different from or better than using Malwarebytes or DetectX to locate and remove adware?


Suggesting that a user perform such Terminal tricks will be baffling but to a few. I skimmed your blog article, which was interesting, but not intended for novices.



Nov 16, 2017 8:33 PM in response to Kappy

How'd you figure that?


The code is there displayed for everyone to see. It's transparent. Even if the user can't read it, at least they can have some confidence from that transparency. Those that can read it around here (such as yourself, I believe) would be quick to jump all over it if it wasn't anything other than what it says it is.


The output of that block of code is also transparent, redacts the user's name and can be shared here for all to benefit (assuming that there's some bad actors in there). When people download DetectX or MBAM to solve their problems, everyone else is left in the dark about what the problem was.


As for your 'not for the novice' comment, I don't understand that either. The instructions are nothing other than a few cut and pastes.


Disclaimer: I'm the developer of DetectX.


Nov 16, 2017 8:56 PM in response to softwater

But one cannot use it without making a copy, then pasting it into the Terminal. The code is itself gibberish to the unwashed. A user can have no more confidence in the code than in a complete application that is using the same code put together with a GUI wrapper. Just because I can see all the instructions in a block of code doesn't necessarily mean I understand it. For a non-programmer, it's just a foreign language. Without knowing me you have already assumed I will understand your code. But I'm not a Unix expert. I can figure out some of it but not all of it. I would trust using it only because I know you. Oh, and yes, I knew you wrote DetectX and its Swift companion or replacement. I know your coding abilities because I know you from another forum we share in common but isn't mentionable. 🙂


I spend a lot of time on the forums helping the many hapless users who are in trouble. Trust me when I tell you they just want the computer to work again, and they don't care about not knowing what the problem was. They want to know how to fix it.


Nov 16, 2017 9:20 PM in response to Kappy

All true, but I think you're misunderstanding, or arguing something that isn't an issue.


First, I posted the code above as an additional suggestion, not the only one. So the user can choose what suits them best. I think it's better to let people have more options than less.


Second, whether you personally understand the code isn't the point; the point is it's transparent and CAN be examined and verified by somebody else. Trust in its author is not required. That's not true of any app bundle people download. You've no idea what else is included in that app, or whether it's been hijacked on the way (see recent attacks on Transmission and Handbrake, for example).


Third, there's a lot of people advertising their 'adware removal' apps on here now. Some, one of which has been posted in this thread, I have real issues with. Others are notorious for false positives. How is the user to know which of these to trust? I've tried to post something that attempts to increase the knowledge of the community and give power to the user.


Unfortunately, even old hands like you seem to think there's something wrong with that. I find that disheartening. So, since we're all trigger happy about downloading 3rd party apps on ASC nowadays (wasn't always so), here's a link to mine (posted as a path, again for transparency reasons):


https://sqwarq.com/detectx/detectx-swift-beta/


Disclaimer: this post contains links to my own website from which I may derive some form of compensation. My website does not contain 3rd party ads. This disclaimer is required by ASC Terms of Use whenever linking to one's own site or product.
