Looking for OS X/Linux/network infection help [Solved/Closed]

nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 7, 2015 at 08:32 PM - Latest reply: smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen
- Jan 23, 2015 at 08:36 PM
Hello,

smed79 over in the EasyList forums sent me here for assistance. I do not know Kioskea's view regarding ad-blockers, so, if Kioskea is negative toward them, I will confine future posts strictly to this thread's title.

While testing Adblock Plus on Safari, I encountered a site, Newser.com, that displays some ads (mostly MacKeeper banners and AdSupply page-unders) through the adblocker. All adblockers in all browsers I've tested in all OS's I've tested and on all networks and machines I've tested, actually. That includes Firefox, Chrome, and Ubuntu Linux. For more detail please see the thread at: http://forums.lanik.us/viewtopic.php?f=62&t=20215&sid=4e50f8080f08ddccf88660c9cb0123a3

I followed smed79's and fanboy's advice for cleaning my machines, as well as the malware and adware removal guides over at thesafemac.com. I cannot find anything on my machines. Apparently, they do not see the ads that I do, nor similar ones, so, presumably, something is up with my systems, no matter how unlikely that may seem to me. (I've been at this computer thing, digging into them since 1984, so I thought I could figure something like this out. Apparently not.)

Without further input, I don't know what else to say, other than help! I've been dealing with this for more than 10 days now, and I feel I cannot trust my systems until I know what is (or isn't) going on. Can someone else, with known clean machines, at least check the newser.com site for what I describe over at the EasyList forums (above link) and see if the same thing occurs?

Thanks for any help,
Shawn


See more 

20 replies

kieferschild 2428 Posts Sunday October 5, 2008Registration dateModeratorStatus September 21, 2018 Last seen - Jan 7, 2015 at 08:44 PM
0
Thank you
Hello Shawn,

the likeliness of your Mac being infected is very slim.

i've just visited the website on my Windows laptop and I too go an advert in the bottom right corner.

This is nothing to worry about. The cookies on your Mac will tell the site that you're on a Macbook and it will give you Mac related adverts to try and boost their sales.

Obviously, what you seem to be saying is that you're using Adblocker on several web browsers and it is still occuring - Am i correct?

And just to clarify - Are you trying to stop the advert from popping up?

Also, have you checked your applications to ensure you've got no adware programs installed?

I've tried this website in IE with no adblocker and i can tell you that there are A LOT of adverts on that website.


**UPDATE

I've been doing some testing and find that if you use Firefox and run the latest version of Adblocker Plus with YesScript and you blacklist newser.com, that annoying slide in advert does NOT appear.

https://addons.mozilla.org/en-us/seamonkey/addon/yesscript/

If at first you don't succeed; call it version 1.0
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 7, 2015 at 09:39 PM
Thanks for checking!

You are correct, whichever adblocking software I use in/with whichever browser, I still see the ads I referenced. I checked Newser without any adblocking, and, I agree, it is a mess! Prime example of the need for adblocking, not to mention questioning the quality of "news" on such a site.

I get similar page-unders and banners in a fresh download of Ubuntu Linux running on a flash drive with only Adblock Plus added on to Firefox. Safari in OS X, sans any non-Apple software installed in the OS, with only Adblock Plus added, does the same thing. I actively avoid any adware-based software and have been unable to find any malware or adware on my machines.

Though I find almost all ads as presented today extremely annoying (and a turnoff for me in regard to the sites pushing them and the companies advertising), mostly, I wanted to report them to the EasyList maintainers, so that they could consider updating their lists to include AdSupply ads that currently get through their lists. However, they seem insistent that it isn't the lists, but my machines being infected with something, instead.

I'll give your YesScript suggestion a try.

** UPDATE

YesCript in Firefox blocked the floating banner. For Safari users, JavaScript Blocker (similar to NoScript) works. At the moment, Adblock Plus still lets the floating banners through. Blocking javascript also works with the page-under windows on Newser.com, as is, Adblock Plus after updating the filters a few minutes ago. ABP is also blocking the page-unders in the AdSupply's demos on their corporate site. So it looks like they're getting the filters updated.
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen > nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 7, 2015 at 10:53 PM
*YesScript in Firefox...

*Too late to edit: I spoke too soon: using ABP without YesScript in Firefox or JavaScript Blocker in Safari, clearing browser website data brought the page-under windows back.
smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 13, 2015 at 04:12 PM
I wanted to report them to the EasyList maintainers, so that they could consider updating their lists to include AdSupply ads that currently get through their lists. However, they seem insistent that it isn't the lists, but my machines being infected with something, instead. 


@nwahs

AdSupply ads is already blocked by ||adsupply.com^$third-party found on Easylist.

I told you I have no ads no floating banner ! how to explain ?

screenshot:

1: http://img110.xooimage.com/files/e/9/f/capture-d-cran---...22-08-48-4973bd5.png

2: http://img110.xooimage.com/files/6/8/5/capture-d-cran---...22-09-10-4973bde.png

3: http://img110.xooimage.com/files/0/d/7/capture-d-cran---...22-09-36-4973be5.png

4: http://img110.xooimage.com/files/e/e/5/capture-d-cran---...22-09-52-4973bed.png

?
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen > smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 13, 2015 at 10:05 PM
smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 13, 2015 at 04:19 PM
0
Thank you
Do not install MacKeeper https://discussions.apple.com/docs/DOC-3691
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 13, 2015 at 09:49 PM
I see, per your user profile, that you run linux. See my post below for a screenshot, from Ubuntu 14.10, of the adsupplyads.com page-under and floating banner on newser.com.
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 13, 2015 at 09:04 PM
0
Thank you
smed_79,

Thanks for your input, and for your time with this issue and with EasyList in general.

I understand that you are not seeing the ads on newser.com. However, that does not mean that others don't see them. kefierschild, above, has stated that he sees a floating banner on newser.com in Windows, though I do not know his system setup. I see them in OS X and in Ubuntu Linux.

I have checked my systems extensively, and, as far as is possible to know, I do not have any adware installed on them. I do not install any ad-supported programs, and I only install known, trustable software from known, trustable sources. I do not have MacKeeper installed on my computers, and I've known about that mess of a program for many years and would never install it or any software like it. Besides, why would MacKeeper keep advertising for itself if I already had it installed (no sarcasm intended)? And, to my knowledge, MacKeeper and the various advertising engines out there cannot be installed in linux.

At the moment, the MacBook Air I am typing this on only has installed on it Apple software, Firefox (d/l'd from Mozilla), and f.lux (d/l'd from the developer). The MacBook Pro I've checked Newser.com with, additionally, has Google Chrome (direct from Google) on it. Only well-known, trusted, ad-free extensions have been installed in the browsers, and during testing of this issue, only Adblock Plus is active. The linux install I've tested with is installed on a flash drive and cannot modify itself on the drive. I have to install ABP fresh each time I use it.

The screenshots below are from newser.com today, in OS X and the current Ubuntu linux distro. ABP and filters are up-do-date, the following running: EasyList, Malware Domains, Fanboy's Social Blocking List, EasyPrivacy, and "Allow some non-intrusive advertising unticked" (thus, blocked). Looking closely at the OS X screenshot, Adblock Plus has even blocked 4 elements on the adsupplyads.com page-under, but did not block the page-under itself. Bear in mind when checking newser.com, the page-unders and floating banners do not necessarily re-appear once they've displayed, unless site preferences are cleared and the site is browsed some more.



nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 14, 2015 at 12:13 AM
0
Thank you
smed_79,

Here's one additional screenshot, this one in OpenSuse 13.2 GNOME edition. This one, ABP and EasyList just installed, only the EasyList filter set active and non-obtrusive advertising allowed (stock install of ABP). As you can see in the linux screenshots, either the ad images for the floating banners are failing to load, or ABP/EasyList is catching those particular images and leaving the floating banner box; however, the particular OS X (MacKeeper) ad image loads through the EasyList filters. The adsupplyads.com page-under loads successfully through ABP/EasyList, triggered by random newser.com pages (but, again, only newser.com pages), regardless of computer, OS, or network used.

I don't know how it may be that you do not see the ads on newser.com, but I am able to reproduce them readily from various machines and OS's. Maybe they are location-specific? I'm in the U.S., and keiferschild is in the U.K. Perhaps the ads do not display to countries where English is not an official or dominant language, as it does seem to be a U.S.-based and -oriented site?

I don't see at all how these ads on newser.com could possibly be from adware/malware... OS X, Windows, Ubuntu, OpenSuse... If you have not done so, please go take a look at the demos on AdSupply's corporate website. You can see both of these sorts of ads demonstrated there (scroll down the page a bit).

smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 14, 2015 at 07:52 PM
0
Thank you
Hi nwahs,
1. run an OS on a flash drive for exemple Ubuntu Linux without any Adblock installed.
2. edit your hosts file (DNS settings) requires superuser permissions.
#
sudo gedit /etc/hosts
and replace by http://sharetext.org/awDs
(add an empty line at the end of file)
save the file and try to browse Newser.com

about location: i have try from my location (ALGERIA), using VPN with an ip adresse from France an Canada and browse Newser more then one hours and i cant see ads.

My Adblock Plus Subscriptions:
Liste AR+Liste FR+EasyList
EasyPrivacy
Fanboy's Annoyances
https://adblockplus.org/fr/subscriptions

Greasemonkey :
Anti-Adblock Killer | Reek https://monkeyguts.com/code.php?id=351
AdsBypasser https://monkeyguts.com/code.php?id=351
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 15, 2015 at 12:12 AM
The hosts file alone catches everything but a few small direct-link ad images. None of the ad elements from my screenshots appear. Same in OS X. Using Adblock Plus, too, removes those few ads that get through the hosts list.

I'd think that the ads would display in Canada since they do in the U.K. Do you see the mess of ads without ABP and the hosts file?
smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 15, 2015 at 01:13 AM
1. try to change your ip adresse using this free vpn nlfreevpn, FrozenWay or AnonymoX and visite Newser.com to see if this ads have relation with your location.

to check you ip adsress > http://eth0.me/

2. if you still show ad from on Newser.com (without my hosts) via Adblock plus settings (icon) add this rule to your custom filter :

||feljack.com^

Screeshot: http://i.imgbox.com/as5SQRdZ.png
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 15, 2015 at 02:17 AM
Without your hosts file, Adblock Plus (Firefox and Safari) with that custom filter rule added blocks the ads that appear in my screenshots.
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 15, 2015 at 01:59 AM
0
Thank you
I gave the AnonymoX extension a quick test. Set to the U.K., the ads that bypass Adblock Plus did change region.

smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 15, 2015 at 06:34 PM
0
Thank you
I can reproduce now : http://forums.lanik.us/viewtopic.php?f=62&t=20215&start=15#p65594
sorry and thank you for insisting to solve this problem.
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 15, 2015 at 06:42 PM
...and thank you for keeping on with me, even when you weren't able to see it! :)

Your AnonymoX suggestion was excellent.

I'll mark this thread solved.
smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 16, 2015 at 09:56 AM
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen > smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 16, 2015 at 03:37 PM
Got it. Works. Done! :)
nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen > smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen - Jan 21, 2015 at 07:27 PM
@smed_79:

If you're still listening here, it's back (but the floating banner box remains empty). Using AnonymoX, I also tested the UK (same thing), as well as the Netherlands (page-under ads, but no floating banner box appeared). I filed reports and posted the links on the EasyList thread I started previously.
smed_79 1304 Posts Saturday September 20, 2008Registration dateContributorStatus March 16, 2017 Last seen > nwahs 13 Posts Wednesday January 7, 2015Registration date January 21, 2015 Last seen - Jan 23, 2015 at 08:36 PM
Thank you for your contribution.