AnrBjotk

macrumors regular
Original poster
Jul 4, 2010
So, a few weeks ago, a download started appearing whenever I entered certain sites (subscene, ultimateguotar.com etc). I.e. this is a malware download that I did not request. I found an old post on an appleforums that said you could block the hosting site, but I can't figure out how to block the correct site.
(I tried asking on the apple forum, but for some reason I get an error message whenever trying to post there these days).

When the download popup appears it says it's from a site called "cas.critero.Xom" (but with .com). I tried blocking that site, but to no avail. The user on apple.com added a block to the site's name, then /delivery, but I have no idea really....

So how do I stop this? I know it's not dangerous as long as I don't download it, but it's really frustrating since I visited these sites daily...

Help... Purdy please.
 
Malwarebytes is widely used, both on Mac (relatively new) and on Windows (this version has existed for many years.)
It's a safe and valuable tool.
 
Cheers for the 2nd opinion. Again, no offense. Just seemed strange since the user was brand new and other sites spoke of blocking the url. I'll try it then.
 
Little Snitch, or GlimmerBlocker.
 
They are good tools but how useful is the data they show for a non-IT savvy person?

Heey!... Did you just insult me? :p

I managed to "treat the symptom" by using "block site". It blocks the download, but it still pings each time it blocks it, which is equally annoying.
 
Little Snitch will pop up a window saying this site is blocked, or Safari cannot find the site, or something. If you write a blocking rule for GlimmerBlocker, it simply does not load the site, silently ignores it. GlimmerBlocker is an http proxy, so it works on any browser or other program using the http protocol. You can disable it (or re-enable it) for individual network interfaces.
 
Thanks. Maybe I'll try that instead. It wasn't clear what exactly Glimmerblocker did when you first mentioned it.
Any idea how it came about? And why on certain sites? Besides subscene, the sites are all scouts honour sites....

Though this entire debacle did make me concerned for the various "add-ons" firefox has running. Some of them seem very speculative. Though I'm afraid to remove them lest I rue the consequences.
Also, Malwarebyte found a whole list of unsavory characters on my mac, none of which ever created any issues...
 
Hey, nothing wrong with needing IT help ;)

Glad your workaround fixed it anyway.

Well, well, well... that didn't last long. Once I restarted my mac, the "block site" doesn't block the site anymore. The filter is still active, as it were, but it just doesn't block it. Guess I'll have to try glimmerblocker.

Could you kindly tell this novice how on earth I block this awful site with glimmerblocker? In these matters I'm legally retarded. I tried just adding the site to a subscription, but it apparently needs to be .xml or summar or other....
 
You create your own new subscription, really add-on set of rules. You should read the GlimmerBlocker documentation, such as it is, and look at the stock subscriptions that come with the program to get an idea of how the syntax works. You can use regular expressions and wildcards in your rules, which helps. Here is a screen shot of the single rule set I have created. It's not much, the stock subscriptions do pretty much what I want (don't forget to update those subscriptions occasionally):
Blocker.jpg

Read the docs. Putting the wildcard at different places in the URL has different results. It's pretty easy, really.
 
Thanks for this. Sadly, I'm discovering I'm somewhat retarded, 'cause I can't figure it out. Where is this "documentation" btw? On the website? Can't even find that. I'm hopeless ;)
Did I get it right, though? I added my own filter. Then added a new "rule" and inserted the url in the first box "host is". I couldn't add the "https://" so it was just the name "example.one.com".
Let me know if I messed up here...
 
Do a Google search for glimmerblocker, and you should have no trouble locating the web site. It's only one page, but there is a lot of information there. There is no formal "manual" or anything like that, though. Mostly just examples and explanations of some basic syntax and actions.
 
I'm sorry, but I've tried reading the text on the site, but I still don't get how it works. It's all too academic for me. Filters this, share filter that, codes and preferences. But nothing how to block an actual site, step by step.
If you know how to do it, could you just tell me? It just needs to block this one site...
 
Please... :(
 
Just to clarify - you said "Also, Malwarebyte found a whole list of unsavory characters on my mac, none of which ever created any issues..." Does this mean that you did NOT let MalwareBytes remove the list of "unsavoury characters"?
Also are you sure the site is cas.critero as in your first message and not cas.criteo? cas.criteo is a well known malware site. If you have misspelled the name, then obviously any blocking is not going to work.
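
An added illustration of the point raised above (not part of any poster's message, and not GlimmerBlocker's or Little Snitch's own rule syntax): a small Python checker for host-based block rules, showing that a rule with a misspelled host never matches and that such rules compare the host only, not the scheme or path. The function names and the sample URL are assumptions made for this example.

```python
from difflib import get_close_matches
from urllib.parse import urlsplit


def host_of(value):
    """Return the lower-case host from a URL or a bare host name."""
    value = value.strip()
    if "//" not in value:
        value = "//" + value  # let urlsplit treat a bare name as a host
    return (urlsplit(value).hostname or "").rstrip(".").lower()


def rule_matches(rule, host):
    """Exact host match, or '*.example.com' for a domain and its subdomains."""
    rule = rule.strip().lower()
    if rule.startswith("*."):
        base = rule[2:]
        return host == base or host.endswith("." + base)
    return host_of(rule) == host


def check(rules, url):
    """Say whether any rule blocks url, and flag rules that look like typos."""
    host = host_of(url)
    hits = [r for r in rules if rule_matches(r, host)]
    exact = [host_of(r) for r in rules if not r.startswith("*.")]
    # Only look for near misses when nothing matched at all.
    near = [] if hits else get_close_matches(host, exact, n=3, cutoff=0.85)
    return {"host": host, "blocked": bool(hits), "matched": hits, "near_miss": near}


# Constructed request URL: host and /delivery come from the thread,
# the rest of the path is made up for the example.
SEEN = "https://cas.criteo.com/delivery/sample"

if __name__ == "__main__":
    print(check(["cas.critero.com"], SEEN))         # misspelled rule: not blocked
    print(check(["https://cas.criteo.com"], SEEN))  # scheme is ignored
    print(check(["*.criteo.com"], SEEN))            # wildcard covers subdomains
```

A non-empty `near_miss` list means a rule is within a character or two of the host actually being requested, which is the usual sign of a typo in the rule.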
 
I let malwarebyte remove all suspicious elements and ran another search.

And I did make sure to spell the url correctly, I may have misspelled it here.

The strange thing is "blocksite" sometimes blocks it, other times not... and now I get two popups instead of one... So I'm really keen on getting glimmerblocker to solve the issue!
 
Can you post the EXACT full url of the popups? Cut and paste so you make sure they are right?
 
Don't try to block the pop-up sites. That's just covering up the problem without solving it.

You say that the problem happens when you visit certain sites. This may mean it's a problem with those specific sites.

It could also be a problem with a hacked network. If the problem happens with every device on your network, and goes away when you're on a different network, your network hardware has been hacked.

If neither of these things is true, and Malwarebytes Anti-Malware for Mac didn't solve the problem, open up Malwarebytes Anti-Malware and choose Contact Support from the Help menu.
 
Ok. It's: https://cas.criteo.com (I can't copy and paste from the pop-up box...But I took a screen capture and this is exactly the address)

The problem is only with firefox. Not with Safari etc... What does that mean?
 
If it's only happening with Firefox, that means it's likely to be a bad Firefox extension. Can you post a list of your Firefox extensions? You can easily get that list by choosing Take System Snapshot from the Scanner menu in Malwarebytes Anti-Malware for Mac. You could just copy the section on Firefox extensions and paste it here.
 
Yes. Great. Like I posted some of them seem suspicious, but I have no idea which are necessary and which are not anymore..
I have no idea what you mean by taking a system snapshot through Malwarebytes as clicking on scan only scanned the computer again with no option of taking a screen capture.

But here is a list with names of extensions:

OpenH264 video codec (Cisco)
Widevine Content Decryption Module Google
Adobe Acrobat NPAPI
Default Browser Helper
DivX Plus Web Player
DivX VOD Helper
Flip4Mac
Google Talk
iPhotoPhotocast
MIG Contents Plugin
PDF Browser Plugin
QuickTime Plug-in
Shockwave Flash
Shocker for Director
Silverlight
 
You've got to use the Scanner menu, in the menu bar at the top of the screen.

In any case, though, I can't say that I can identify any of those right away as suspicious, but that doesn't mean that they're all good either. Open Firefox and choose Add-Ons from the Tools menu, then click the Extensions item on the left side of the window. In the list of extensions, try disabling them one at a time (making sure to restart Firefox each time), then browse for a while and see if the problem is gone. When the problem goes away, you'll know the last extension you removed was the bad one.

Also, I usually recommend using as few browser extensions as possible, preferably 5 or less. Every browser extension you have installed is a potential security vulnerability waiting to happen in your browser.
 