iMac OS 10.13.4 & !MacKeeper

I implemented iMac OS 10.13.4. With it apparently came MacKeeper. It is a continual pop up. It has inhibited me from making some transactions on Earthlink. I called Earthlink, and they have received similar calls, and due to the weekend timing, have yet to resolve the problem. Hard to believe that MacKeeper somehow became embedded in OS10.13.4, but something obviously made it easier for MacKeeper to get into our systems. How do I get rid of them once and for all?

iMac, Mac OS X (10.0.x), OS10.13.4

Posted on May 13, 2018 3:39 PM

Posted on May 13, 2018 3:45 PM

It wasn’t. You will never find such junk in any download obtained from Apple. I presume that’s where you got the 10.3.4 update from?


You may have fallen for the “your Flash is out of date” bunk from a website. If you did, and installed whatever downloaded from that site, then you likely installed adware. The turds at MacKeeper buy copious amounts of ad space to inflict people with through adware.


Adware can also come from garbage sites like softonic.com and downloads.com. Yes, the software you’re downloading to try is real, but much of what you get from these sites also installs adware with it.


Download and run Malwarebytes for Mac. It will locate whatever adware is on your Mac and offer to remove it.


Malwarebytes for Mac—Mac Antivirus Replacement | Malwarebytes

24 replies

May 22, 2018 6:57 AM in response to res259

Your screenshot and the lengthy URL show that the adware, or whatever is installed, isn't just showing ads, but is redirecting you to the MacKeeper site.


I have been to one or two sites that legitimately told me I needed to update Flash. By that, I mean the popup didn't try to get me to download something from them. The text simply informed me to go to adobe.com to get the update. Here is Adobe's Flash page:


Adobe Flash Player Install for all versions


Earthlink's remark doesn't really mean much. Yes, it's a known issue because most folks already know adware is a major problem.


Please download and run EtreCheck. Post the output here. All personal data is automatically redacted. What it shows users here is the processes that are running. From there we can see what, or if any adware and other junk is installed.


It's also possible your router has been compromised. Follow the instructions for your router to view its built-in web pages so you can go through its settings. Many routers have remote access turned on. If a hacker happens across your router and manages to get by the password settings, they can add as many redirects as they want. Meaning, your Mac can be as clean as a whistle, but you still get bludgeoned with ads because the Mac itself is not the source.


On my CenturyLink router, those settings are under Advanced Setup > Remote Management.


I have Remote GUI and Remote Telnet disabled.

May 22, 2018 5:54 AM in response to res259

They further stated that while they do market through affiliates, they don't condone this level of intrusion. They know they have problems with some of their marketers and are working to clean that up.

They've been using this lame excuse for years. The "affiliates" have no control over the onslaught of ads Kromtech pours out every day. The ads exist because they want them to, and pay for them to be shown.

What is really strange is that I tried blocking the mackeeper URL by restricting it on my router, and it STILL comes through.

That's because the ads don't come directly from the MacKeeper site. There are numerous ad servers around the globe. Their business is taking in ads and charging however much every time a business' ad is shown. The ad server people would pay someone like me to allow a link on my web site that their server would feed ads to. What you see would not be in my control. Why would I want it there? Revenue. I would be paid a small portion of their ad fees every time an ad is displayed. A bit more if somebody clicks on one.


So, what does that mean? It means any number of sites who want to make extra money allow ads to be displayed on their site. MacKeeper buys a tremendous amount of ad time (more of their ads in rotation than other advertisers). If not directly on a site, where you see far more of them is if you have adware installed.

I have updated flash before, but it's always appeared to be a legit link and update.

Which leads to this part of your post. What "legit" link? The one and only place to get Flash - EVER - is directly from Adobe. Any popup you get from a site that says you need to update Flash and downloads something from that site is not going to be Flash. It will be adware.


Malwarebytes can't catch everything. Newer junk needs to be found by them and added to their database so it can be recognized and removed. This is getting harder to do as this junk has massively proliferated.

May 22, 2018 6:59 AM in response to Kurt Lang

Hi Kurt. This is very helpful. I probably have above-average knowledge about security and networking but am by no means an expert.


Some questions/thoughts. Overall, I agree about Mackeeper. It's a bit hard to articulate what I was trying to say about them. On the one hand, they rely on this totally abusive, annoying, advertising strategy. Then they scurry around trying to help when people get annoyed. Seems that they're trying to walk right up to the line, but not step over. I don't really get it. Usually, if you follow a scorched-earth strategy it's because you're getting back more than it's costing you and you don't worry about the fallout.


With respect to blocking with my router: I understand that it's being injected by an "affiliate" with the blessing of whoever maintains the page, but in this case, maybe pop up is not the right term, because the mackeeper ad fills the entire window, and a new URL appears in the URL field. That's the URL I'm blocking (well the first part of it is what I'm blocking; it's REALLY long) so how is the browser going there if I've restricted it on the router?


Here is one of the actual URLs and a screen capture of the full-window ad


***************


It seems to hang up a bit more with the filter in place, at least if I try to enter the url into my browser window or click on the hypertext link, but more often than not, it eventually loads.


As for the flash updates, I guess now I'm questioning myself. I'm having to think hard as to whether or not the notifications I've gotten have been system based (that is pushed by the Flash program) or prompted by a web site I'm on. I can tell you that I've always got what appeared to be a valid adobe window on install, and it finishes by taking me to the adobe page. I suppose this could be spoofed. Yes? But I will also say that I'm not having problems with lots of random ad pop ups or things like that. Just Mackeeper, and it only appears to be through earthlink.


Is the most likely scenario here that this is someone using their page as a route in?


For what it's worth, I did a support chat with earthlink, and the rep told me it's a known issue they're working on.


I appreciate your input.

[Link Edited by Host]

May 23, 2018 5:33 AM in response to bmichna2

Just a quick update . . . just to be clear, we've all been talking about pop ups, but at least in my case, what I've really been seeing is a complete re-direct of the browser window to a new, Mackeeper page. Is this what others are seeing?


I spoke with earthlink yesterday. They said it's a known issue and that they were working on it. I actually did not have any problems yesterday for the first time in a couple of weeks. Today it was back again. I just spoke with them once more and they said that it had been fixed on some of their servers but not all, so perhaps it depends upon which server you end up coming in on.


Curious to know what others are experiencing.


By the way, I don't use these forums much; can anyone tell me how to edit an entry? I am able to do it for some time after I post, but then the option seems to disappear. Is there a time limit or something?

May 22, 2018 3:18 AM in response to bmichna2

Hi. I'm having the same problem but on 10.9.5! I think it only traces to earthlink, but I'm having a bit of trouble telling. I actually spoke with someone from Kromtech in Germany (mackeeper's parent company). They've been amazingly responsive, and I can't quite square the way they behave on a personal level with their business practices. It's a bit schizophrenic.


They say they have a tool on their website to block the ads for 30 days which they say is currently not working and they're trying to fix. They think it will take until their next business quarter. They further stated that while they do market through affiliates, they don't condone this level of intrusion. They know they have problems with some of their marketers and are working to clean that up. I'm not making excuses for them to be clear; just reporting what I was told.


I have tried everything to address this and can't figure out a solution. What is really strange is that I tried blocking the mackeeper URL by restricting it on my router, and it STILL comes through.


I run a very lean system and short of MS Office and Malwarebytes, really don't have any third party plug-ins, extensions, programs, etc.


I have updated flash before, but it's always appeared to be a legit link and update. And again, I can't find any suspicious files.


Malwarebytes finds no threats, and I'm working with them to find out why, but wondering if the push is actually coming through Earthlink's page.


There is another thread on this here . . . How do we combine these?


Re: Gawdawful mackeeper popups!


Thoughts anyone?

May 22, 2018 7:34 AM in response to Kurt Lang

That's what I thought. So back to one of my earlier questions. How is this possible if I've blacklisted them on my router? I double checked to be sure and Remote GUI and Remote Telnet are disabled, plus I have a particularly strong password. Also, other user accounts on the machine aren't having trouble . . . though I haven't navigated them to earthlink. AND this is the only ad I've been getting. I'd think I'd be getting deluged with that sort of breach.


Again, it's been a while. My recollection is that I've only responded to the kind of prompts you describe regarding Flash, though it was a bit odd. I went into System Preferences and checked the update parameters. I usually demand a prompt to allow updates, but it was set for Always allow. Maybe changed by a recent update? I set it back, but will certainly be doubly careful of prompts. I can say that I've never installed with anything other than an adobe installer. At least not to my knowledge.


Nothing personal, but I've been strongly warned against running any system profiles except when working directly with Apple. I'm sure it's fine, but under the current circumstances, I'm not sure I want to contradict the wisdom of the folks I'm currently consulting with.


I've been through most if not all of my folders: launch agents, launch daemons, frameworks, scripts, caches, cookies, extensions and plug-ins of which I have none, and I can't find a thing.


I will say that after several weeks, the problem seems to have quieted. Let me watch it a bit more and see where I'm at, but I am curious to know what you think about the router's willingness to ignore the URL restriction.


Moreover, I got a note from apple saying they'd removed my link because it wasn't relevant to the original question. Any idea how that would be the case? Seems pretty on-point to me. The discussion is about Mackeeper pop ups taking over Safari, and I posted a link to the site that the pop ups are located on. Am I missing something here Apple?

May 22, 2018 8:15 AM in response to Kurt Lang

Got it on most all including the link. That makes sense.


If I am very responsive when prompted to update, do you think it's ok to leave Flash as is? Also, I always get flash, java and javascript a bit muddled in my head in that I know they are all different, but I think some folks feel one of them opens you up to security issues. Am I right? I think Flash is a desirable, almost necessary, enhancement, but I have a little trouble keeping up.


With respect to the router. I get that it's not a remote access issue, but if it's not, and I've blacklisted them but they're still getting through, what does it tell us? How is that even possible?


Let me circle back with the security expert I consult, and I'll think about downloading Etre. In the meantime, the problem seems to have quieted, and earthlink did say they were addressing it internally. Is it POSSIBLE that this has nothing to do with my system and that the vulnerability simply was resident on the earthlink page?

May 22, 2018 8:43 AM in response to res259

If I am very responsive when prompted to update, do you think it's ok to leave Flash as is?

As long as you open its preference pane every week to check for updates, you should be able to keep on top of things pretty easily. Having it update itself is just easier as you don't have to pay attention to it.

Also, I always get flash, java and javascript a bit muddled in my head in that I know they are all different, but I think some folks feel one of them opens you up to security issues.

Flash and Shockwave are used to run web animations and other items that were written in their respective authoring apps. Shockwave is already pretty well dead (if not completely), and Adobe has announced that Flash will be killed off December 1st, 2020. It's always being attacked for exploits since it can give hackers a way into your system. Its impending death is mainly due to HTML5, which allows videos to play in your browser without the need for any type of plugin.


Java is also a nearly dead technology in browsers. I do have it installed since I have a few Java apps on my computer that won't run without it. But, I have it disabled in my browser. There is almost nothing you need Java enabled for on the web anymore. It is also being constantly patched against exploits that may allow hackers to access your system through your browser when it is enabled for use in one. That's how the now long dead Flashback worked. If you visited an infected site, and had Java enabled in your browser, your Mac would be immediately infected. Not because the OS was vulnerable, but because Flashback used a flaw in Java to get on your system.


Despite the similar name, JavaScript has nothing to do with Java. It is used for all kinds of normal web functions. Such as rollovers. Move to the top of this page and scrub your mouse across the words in the black bar. Notice how they change color when you're over one. That's a rollover in action. You see these all the time. Such as mousing over an image and having it change to something else without clicking on it.


The only "exploit", so to speak, with JavaScript is the many scam sites that make it appear you are stuck there with dire fake alerts that your Mac is infected and to call a 1-800 number now, now, NOW!!! Sometimes also with a loud annoying beep to make you jump and make the message appear more urgent. The catch is that you can click on the button to close the popup, but nothing seems to happen. That is also JavaScript because it is used to call the popup in the first place. When you click the button to close the popup, it contains a JavaScript "do on close" command to run one more JavaScript action. And that is to display the same popup. All to give you the appearance you're stuck.


It's actually near impossible to do any damage with JavaScript. I don't think you can do it at all.


As for Earthlink, yes, it's entirely possible the exploit is on their end and all Earthlink users are seeing unwanted ads and redirects.

May 22, 2018 9:04 AM in response to Kurt Lang

This is INCREDIBLY helpful; thanks so much for the wonderful overview! Now if I can just get it to stick!


I don't go into Java weekly, but it's set to "Notify me to install updates". My understanding is that, on that setting, it will routinely check, then prompt me if necessary. Am I correct about that? If not, I'll reset to allow. I'm not THAT diligent.


I'm currently up to date for MY system; the caveat being that I am still on 10.9.5 because of a project I need it for. Not great, I know, but I'm upgrading as soon as I'm done . . . though I like it; it's nice and stable and I've come to like the UI better.


I think I have Java turned off. Am I correct that you disable by going System Prefs > Java > Security: Deselect "Enable Java content for browser and Web Start applications", then select the radio button for "Very High" security? I can't find any options locally in my browser prefs. Only JavaScript options.


My working theory at this point is that it is on Earthlink's end, though as mentioned, let me watch it a bit and consider the script you suggested if things go south again.


It still vexes me however that the router is allowing the redirect. Am I right that that SHOULDN'T be possible under my current circumstances? Any thoughts how that might be?

May 22, 2018 10:01 AM in response to res259

Now if I can just get it to stick!

The older I get, the less things want to stick. 😀

I don't go into Java weekly, but it's set to "Notify me to install updates". My understanding is that, on that setting, it will routinely check, then prompt me if necessary. Am I correct about that? If not, I'll reset to allow. I'm not THAT diligent.

I have Java set to check automatically. When there is an update, a popup appears on the screen. Trouble is, it may happen when you're using your browser. Then you can't be sure if Java created the message, or it's a fake popup the site is trying to get you to respond to. When I see those, I shut the browser down. If the message disappears with it, you know it was a fake popup. If it's still there, it's legitimate. Even so, I still close the message and go to the Java preference pane to ensure it is calling for an update, and then run it from there.

I'm currently up to date for MY system; the caveat being that I am still on 10.9.5 because of a project I need it for. Not great, I know, but I'm upgrading as soon as I'm done . . . though I like it; it's nice and stable and I've come to like the UI better.

The main problem with that is Safari. I think Apple is still releasing security updates for Yosemite, but I'm not sure. When they stop (and I think they relegate updates to the current OS and two back), then Safari and the OS are open to any exploits that show up later. Worse, they won't be fixed. Something to be aware of.


When iOS 7 introduced the flatter GUI, you knew it would only be a matter of time before the Mac OS went the same way, which it did in El Capitan. It looked odd at first, but it only took me about three or four days to get used to it. After a couple of weeks, I didn't even pay attention to the change. In fact, the older design now looks outdated to me.

I can't find any options locally in my browser prefs. Only JavaScript options.

Correct. All Java controls are in its preference pane. Where you have the security level set is irrelevant if you have it turned off for your browsers, per this check box:


Really, Java should be off at all times. If you have a particular site you use where it must be on, turn it on only for that session. When you're done using that site, turn it back off. If it's a bank you deal with that demands you use Java in order to do online transactions, they are a bank that is totally, almost criminally devoid of brain matter. Requiring the use of such a known security Swiss Cheese plugin as Java means you should move all of your assets to another bank - immediately.


As far as Java apps on your computer (such as the ROES software I have to use to send client images out for prints), they're no more dangerous than any other app run directly from your Mac. Either it has malicious code intentionally written into the app, or it doesn't. No app, or even the OS is completely safe from a disgruntled employee. Though bigger companies like Apple, Adobe, etc. have engineers who look over all new and reworked code for errors. Part of that job is also to look for things that aren't supposed to be there so it never leaves the building.

It still vexes me however that the router is allowing the redirect. Am I right that that SHOULDN'T be possible under my current circumstances? Any thoughts how that might be?

I don't know what your router allows for blocking, but it could be the URL itself. Let's say you blocked the very long URL you had posted earlier. They do that on purpose. To get by such blocking attempts, those long strings are constantly changed so they don't match your lists. That's one possibility, anyway.

May 22, 2018 10:18 AM in response to Kurt Lang

I'm sorry. I bungled that a bit. I meant to say that I have FLASH set to notify me to install updates rather than install them without my knowledge. I assume Flash makes that notification in a timely manner however, so I'm not on outdated software for any appreciable amount of time . . . assuming I respond when prompted.


Java is set to notify me automatically, and I do have that box unchecked in the preferences pane.


You are right; I am no longer getting Safari updates for my version which is a problem. I'm thinking of making a copy of 10.9.5 onto an external drive and just booting from that when I eventually get around to this project. Then I could update. Just not sure if that strategy is valid. Any reason you can think of it would be a problem?


With the router, I only blocked "getmackeeper.site". That's all my router would allow. That's been common to each pop up which is why I cannot for the life of me figure out what's going on. Could the fact that the redirect was coming through the already-loaded earthlink page have any bearing on the matter? I just can't figure it out.


I did some tests turning on and off the block. Sometimes it DOES work or at least slows it to the point where it will leave my current page, and sit thinking for a long time before loading the other. Other times it doesn't seem to go through, but it's all spotty.

May 22, 2018 10:45 AM in response to res259

I'm sorry. I bungled that a bit. I meant to say that I have FLASH set to notify me to install updates…

Ah. Yes, we covered that earlier. No problem to leave it that way as long as you look for updates at least once a week. I prefer to let it update itself.


If Safari gets too far behind in security updates, that still isn't much of an issue as long as you stick with known, safe sites. But it's also very easy to get redirected by a malicious site, or even a known good site that has been hacked (and the owner hasn't cleaned it up yet). In the meantime, you could use Firefox if you would prefer to stay in Yosemite. The main issue there is that security for the OS itself won't be updated.

With the router, I only blocked "getmackeeper.site". That's all my router would allow. That's been common to each pop up which is why I cannot for the life of me figure out what's going on. Could the fact that the redirect was coming through the already-loaded earthlink page have any bearing on the matter? I just can't figure it out.

I'm afraid I can't guess on that one. Your link is no longer here of course, but was that the first part of the URL? If so, does the router allow wildcards? That is, putting in something like:


getmackeeper.site*


So no matter what follows "site", it would count as a match.

I did some tests turning on and off the block. Sometimes it DOES work or at least slows it to the point where it will leave my current page, and sit thinking for a long time before loading the other. Other times it doesn't seem to go through, but it's all spotty.

Partial success is often more aggravating than none at all.
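The two replies above (the long redirect URL that keeps changing, and the router wildcard suggestion) come down to which string the block is compared against. The following added Python example, not from the thread, checks constructed sample redirect URLs against an exact-URL block, against a router-style wildcard applied to the full URL versus the hostname, and against a registered-domain match; getmackeeper.site is the host named in the thread, and every URL below is a constructed sample.

```python
"""Exact-URL vs wildcard vs registered-domain blocking (added example).

Shows why blocking one long URL fails once its path or query changes,
why a wildcard such as 'getmackeeper.site*' fails when applied to the
full URL (the scheme comes first) and over-matches look-alike hosts when
applied to the hostname, and how matching the registered domain plus its
subdomains catches every variant without those problems.
"""
import fnmatch
from urllib.parse import urlsplit

# Constructed sample redirects: same host, constantly changing tail,
# one subdomain variant, and one decoy host that merely starts with the name.
SAMPLE_REDIRECTS = [
    "http://getmackeeper.site/landing?aff=12345&sid=abcdef0123",
    "http://getmackeeper.site/landing?aff=12345&sid=ffeedd9988",
    "https://promo.getmackeeper.site/v2/?c=9f8e7d6c",
    "http://getmackeeper.site.example/decoy",
]
BLOCKED_DOMAIN = "getmackeeper.site"


def host_of(url: str) -> str:
    """Lowercase hostname of a URL (no scheme, port, path or query)."""
    host = urlsplit(url).hostname
    return host.lower() if host else ""


def blocked_by_exact_url(url: str, blocked_urls) -> bool:
    """The strategy that fails: only a byte-identical URL matches."""
    return url in set(blocked_urls)


def wildcard_matches(url: str, pattern: str, against_host: bool = True) -> bool:
    """Router-style glob. Against the full URL 'getmackeeper.site*' never
    matches because the URL starts with 'http'; against the hostname it
    matches, but also matches 'getmackeeper.site.example'."""
    subject = host_of(url) if against_host else url
    return fnmatch.fnmatchcase(subject, pattern)


def matches_domain(url: str, blocked_domain: str) -> bool:
    """True if the host is blocked_domain itself or any subdomain of it.
    This is the check a hostname/DNS-based blocklist should implement."""
    host = host_of(url)
    blocked = blocked_domain.lower().strip(".")
    return host == blocked or host.endswith("." + blocked)


def classify(urls, blocked_domain: str, exact_blocklist):
    """Per-URL verdict under each strategy, for side-by-side comparison."""
    return [
        {
            "url": u,
            "exact_url": blocked_by_exact_url(u, exact_blocklist),
            "glob_on_url": wildcard_matches(u, blocked_domain + "*", False),
            "glob_on_host": wildcard_matches(u, blocked_domain + "*", True),
            "domain": matches_domain(u, blocked_domain),
        }
        for u in urls
    ]


if __name__ == "__main__":
    # Block only the first observed URL, as a router with no wildcards would.
    for row in classify(SAMPLE_REDIRECTS, BLOCKED_DOMAIN, [SAMPLE_REDIRECTS[0]]):
        print(row)
```

The first sample URL is the only one an exact-URL block catches; the domain check blocks all three real variants and leaves the look-alike decoy host alone.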
