Blocking .php download/malware

Discussion in 'macOS' started by AnrBjotk, Jul 12, 2016.

  1. AnrBjotk macrumors member

    Joined:
    Jul 4, 2010
    #1
    So, a few weeks ago, a download started appearing whenever I entered certain sites (subscene, ultimateguotar.com etc). I.e. this is a malware download that I did not request. I found an old post on an appleforums that said you could block the hosting site, but I can't figure out how to block the correct site.
    (I tried asking on the apple forum, but for some reason I get an error message whenever trying to post there these days).

    When the download popup appears it says it's from a site called "cas.critero.Xom" (but with .com). I tried blocking that site, but to no avail. The user on apple.com added a block to the site's name, then /delivery, but I have no idea really....

    So how do I stop this? I know it's not dangerous as long as I don't download it, but it's really frustrating since I visited these sites daily...

    Help... Purdy please.
     
  2. chrfr macrumors 603

    Joined:
    Jul 11, 2009
    #2
    Malwarebytes is widely used, both on Mac (relatively new) and on Windows (this version has existed for many years.)
    It's a safe and valuable tool.
     
  3. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #3
    Cheers for the 2nd opinion. Again, no offense. Just seemed strange since the user was brand new and other sites spoke of blocking the url. I'll try it then.
     
  4. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #4
    Little Snitch, or GlimmerBlocker.
     
  5. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #5
    Malwarebytes did not remove the issue... What else can I do?
     
  6. komatsu macrumors 6502

    Joined:
    Sep 19, 2010
    #6
    They are good tools but how useful is the data they show for a non-IT savvy person?
     
  7. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #7
    Heey!... Did you just insult me? :p

    I managed to "treat the symptom" by using "block site". It blocks the download, but it still pings each time it blocks it, which is equally annoying.
     
  8. komatsu macrumors 6502

    Joined:
    Sep 19, 2010
    #8
    Hey, nothing wrong with needing IT help ;)

    Glad your workaround fixed it anyway.
     
  9. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #9
    Little Snitch will pop up a window saying this site is blocked, or Safari cannot find the site, or something. If you write a blocking rule for GlimmerBlocker, it simply does not load the site, silently ignores it. GlimmerBlocker is an http proxy, so it works on any browser or other program using the http protocol. You can disable it (or re-enable it) for individual network interfaces.
     
  10. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #10
    Thanks. Maybe I'll try that instead. It wasn't clear what exactly Glimmerblocker did when you first mentioned it.
    Any idea how it came about? And why on certain sites? Besides subscene, the sites are all scouts honour sites....

    Though this entire debacle did make me concerned for the various "add-ons" Firefox has running. Some of them seem very speculative. Though I'm afraid to remove them lest I rue the consequences.
    Also, Malwarebyte found a whole list of unsavory characters on my mac, none of which ever created any issues...
     
  11. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #11
    Well, well, well... that didn't last long. Once I restarted my mac, the "block site" doesn't block the site anymore. The filter is still active, as it were, but it just doesn't block it. Guess I'll have to try glimmerblocker.
    --- Post Merged, Jul 19, 2016 ---
    Could you kindly tell this novice how on earth I block this awful site with glimmerblocker? In these matters I'm legally retarded. I tried just adding the site to a subscription, but it apparently needs to be .xml or summar or other....
     
  12. komatsu macrumors 6502

    Joined:
    Sep 19, 2010
  13. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #13

    You create your own new subscription, really an add-on set of rules. You should read the GlimmerBlocker documentation, such as it is, and look at the stock subscriptions that come with the program to get an idea of how the syntax works. You can use regular expressions and wildcards in your rules, which helps. Here is a screen shot of the single rule set I have created. It's not much, the stock subscriptions do pretty much what I want (don't forget to update those subscriptions occasionally):
    Blocker.jpg
    Read the docs. Putting the wildcard at different places in the URL has different results. It's pretty easy, really.
     
  14. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #14
    Thanks for this. Sadly, I'm discovering I'm somewhat retarded, 'cause I can't figure it out. Where is this "documentation" btw? On the website? Can't even find that. I'm hopeless ;)
    Did I get it right, though? I added my own filter. Then added a new "rule" and inserted the url in the first box "host is". I couldn't add the "https://" so it was just the name "example.one.com".
    Let me know if I messed up here...
     
  15. HenryAZ macrumors 6502

    HenryAZ

    Joined:
    Jan 9, 2010
    Location:
    South Congress AZ
    #15

    Do a Google search for glimmerblocker, and you should have no trouble locating the web site. It's only one page, but there is a lot of information there. There is no formal "manual" or anything like that, though. Mostly just examples and explanations of some basic syntax and actions.
     
  16. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #16
    I'm sorry, but I've tried reading the text on the site, but I still don't get how it works. It's all too academic for me. Filters this, share filter that, codes and preferences. But nothing on how to block an actual site, step by step.
    If you know how to do it, could you just tell me? It just needs to block this one site...
     
  17. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #17
    Please... :(
     
  18. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #18
    Just to clarify - you said "Also, Malwarebyte found a whole list of unsavory characters on my mac, none of which ever created any issues..." Does this mean that you did NOT let MalwareBytes remove the list of "unsavoury characters"?
    --- Post Merged, Aug 1, 2016 ---
    Also are you sure the site is cas.critero as in your first message and not cas.criteo? cas.criteo is a well known malware site. If you have misspelled the name, then obviously any blocking is not going to work.
     
  19. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #19
    I let Malwarebytes remove all suspicious elements and ran another search.

    And I did make sure to spell the url correctly, I may have misspelled it here.

    The strange thing is "blocksite" sometimes blocks it, other times not... and now I get two popups instead of one... So I'm really keen on getting glimmerblocker to solve the issue!
     
  20. JohnDS macrumors 65816

    Joined:
    Oct 25, 2015
    #20
    Can you post the EXACT full url of the popups? Cut and paste so you make sure they are right?
     
  21. thomasareed macrumors member

    thomasareed

    Joined:
    Aug 24, 2015
    #21
    Don't try to block the pop-up sites. That's just covering up the problem without solving it.

    You say that the problem happens when you visit certain sites. This may mean it's a problem with those specific sites.

    It could also be a problem with a hacked network. If the problem happens with every device on your network, and goes away when you're on a different network, your network hardware has been hacked.

    If neither of these things is true, and Malwarebytes Anti-Malware for Mac didn't solve the problem, open up Malwarebytes Anti-Malware and choose Contact Support from the Help menu.
     
  22. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #22
    Ok. It's: https://cas.criteo.com (I can't copy and paste from the pop-up box...But I took a screen capture and this is exactly the address)

    The problem is only with firefox. Not with Safari etc... What does that mean?
     
  23. thomasareed macrumors member

    thomasareed

    Joined:
    Aug 24, 2015
    #23
    If it's only happening with Firefox, that means it's likely to be a bad Firefox extension. Can you post a list of your Firefox extensions? You can easily get that list by choosing Take System Snapshot from the Scanner menu in Malwarebytes Anti-Malware for Mac. You could just copy the section on Firefox extensions and paste it here.
     
  24. AnrBjotk thread starter macrumors member

    Joined:
    Jul 4, 2010
    #24
    Yes. Great. Like I posted some of them seem suspicious, but I have no idea which are necessary and which are not anymore..
    I have no idea what you mean by taking a system snapshot through Malwarebytes as clicking on scan only scanned the computer again with no option of taking a screen capture.

    But here is a list with names of extensions:

    OpenH264 video codec (Cisco)
    Widevine Content Decryption Module Google
    Adobe Acrobat NPAPI
    Default Browser Helper
    DivX Plus Web Player
    DivX VOD Helper
    Flip4Mac
    Google Talk
    iPhotoPhotocast
    MIG Contents Plugin
    PDF Browser Plugin
    QuickTime Plug-in
    Shockwave Flash
    Shocker for Director
    Silverlight
     
  25. thomasareed macrumors member

    thomasareed

    Joined:
    Aug 24, 2015
    #25
    You've got to use the Scanner menu, in the menu bar at the top of the screen.

    In any case, though, I can't say that I can identify any of those right away as suspicious, but that doesn't mean that they're all good either. Open Firefox and choose Add-Ons from the Tools menu, then click the Extensions item on the left side of the window. In the list of extensions, try disabling them one at a time (making sure to restart Firefox each time), then browse for a while and see if the problem is gone. When the problem goes away, you'll know the last extension you removed was the bad one.

    Also, I usually recommend using as few browser extensions as possible, preferably 5 or less. Every browser extension you have installed is a potential security vulnerability waiting to happen in your browser.
     
