How to elegantly stop endless loop ransomware popups

“For the most part, malware on the Mac just isn’t the problem it is for Windows PC users,” BohemianBoomer writes. “There is, however, a notorious malware scam floating around the web and here’s a way to stop it.”

“It’s happened to me twice. Once when I accidentally typed in Ookla’s speedtest.net URL but used .com instead (don’t do that) which attracted a crazy JavaScript popup malware incident in Safari. That caused the popup window to go into an endless loop which was difficult to get out of,” BohemianBoomer writes. “Maybe you’ve seen the popup message which says your Mac is infected with blah blah blah, and there’s a phone number to call to get assistance to remove the malware.”

“I can only imagine how many tens of thousands or more Mac users have stumbled upon that little annoyance,” BohemianBoomer writes. “Here’s how to beat it. It’s a free Safari browser extension for your Mac called ScamZapper.”

More info in the full article here.

MacDailyNews Take: Another way to get out of those endless loops, of course, is much more brutish, but it works: Force Quit Safari.

32 Comments

  1. I’ve gotten this twice. Force Quitting works – but usually on reopen – Safari opens the last windows open in Safari – and you start the loop again. Being very fast with Command W and Leave this page works – but the sure fire way I found by need-

    my dad called me up as I’m tech support. I logged into his computer and no matter how fast I was I couldn’t get him out. So I went to user/library/Safari and deleted every of History and Last.plist. Re-opened Safari and all was fine.

    The scam works because as I was trying to solve this for dad – he was just let’s call the number! I AGAIN SCOLDED HIM OF SCAMS OF THE INTERNET.

    So the older users of the internet are the targets. And I bet they pay these criminals.

    Ad blockers don’t work. Have those. These are rare scams but becoming more so. Holding hostage from legitimate websites too.

    1. “Force Quitting works – but usually on reopen – Safari opens the last windows open in Safari – and you start the loop again”

      Which is why you should have Safari preferences set to “always open in a blank page”. Puts the Kibosh to this entire scenario.

    1. Turning off Java Script in Safari works but messes up legit websites. I FINALLY killed my adware–after hours of various fixes that didn’t work–with Adwaremedic.

      http://www.adwaremedic.com/index.php

      The normal fixes of clearing internet caches, changing the DNS, deleting launchdaemons, even deleting Java itself(!) did not work! Didn’t realize that Java Script in Safari does not need Java installed on your Mac.

      1. No, I mean I turned off JavaScript, was able to close the dialog box, reload the page and it didn’t pop up. Closed the problem page, then turned JavaScript back on.

        1. In our situation, these ads were popping up on just about every webpage–Amazon, any search results from any search engine, my daughter’s official university website, etc., etc. so turning off Java Script worked–until you turned it back on and so many websites rely on Java to work properly–even Duck-Duck-Go.

  2. After force-quitting Safari, restart Safari while pressing the Shift key to launch an empty browser window instead of the problem page from the last session.

    1. Exactly. That’s what’s required to work around getting hammered over and over by these evil web pages. How the hell JavaScript (ECMAScript) is allowed to lock you into a web page is beyond my comprehension. This code requires blocking at the browser level. DO YOU HEAR ME APPLE?

        1. I’ve had great experiences with some people at Apple and occasionally lousy with others. The Mac security gestalt to which I contribute, has had success getting through to them regarding XProtect. But they’ve ignored us about such problems as the Masque Attack. They did their best to ignore my complaints about changes in Yosemite during beta testing. (IOW: Not my fault!). They have at long last coordinated the release of their security updates and the release of corresponding documentation. I was on them about that for a couple years and they finally caught on.

          IOW: Sometime the cat herd pays attention, sometimes not.

            1. Thankfully, I’m constantly in tongue-in-cheek mode or I’d break down and cry. As I’ve said about troll trampling, if you’re not having fun, you’re doing it wrong. IOW: There’s no need to take me THAT seriously.

      1. Please, Derek, can the both of us apply for a position at Apple? You know all this stuff and I am sick and tired of not knowing why Apple is doing some of what it is doing. My Mac apps behaving differently from the iOS apps, the latter being simpler in approach but seemingly understanding what a user wants better. Why does my iPhone understand Exchange so much better than my Mail app? Ad infinitum. A company with so much power and yet it seems powerless to truly change the business it has been in for so long. New areas? They thrive! Existing areas? Like novices at times…..Seen the Apple Watch yesterday, it is incredible!

        1. Communication within a business is a constant challenge. Pestering Apple about it, IMHO and experience, has helped them to focus on their problems.

          My very favorite example of worthless communication is the case of the Shoebox application from Kodak, long since extinct. Two versions were released, one for Mac and one for Windows. What the applications created was a database of a user’s digital images. As such, there is no reason on the planet the two platform databases could not have been entirely compatible. But they were not. Cross platform customers endlessly complained. It turned out that each of the platform versions was coded by two programmers sitting in cubicles across the aisle from one another. It could not have been easier for them to collaborate on the database system. Instead, they each created their own with no compatibility or translatability.
          *Face Palm*Face Plant*
          😲😲

  3. I’ve been using ScamZapper all year. It’s a bit odd in that it is NOT just a Safari extension. It also runs its own process in the background. Therefore, it requires an actual installer and its own update installer. It does NOT update from inside Safari.

    I’ve had good communication with the developer and good results from the extension. I even turned in a SCAM site set up to force people to buy crap related to the latest Ron Paul TV FUD advertisement. You visit and you’re NOT ALLOWED TO LEAVE. *evil laugh* Fsck you Ron Paul! – – If you’re using ScamZapper, and Safari won’t allow you to go to the latest Ron Paul FUD scam page, you can thank me. 🙂 That’s the whole point of this extension/app. Users can warn off others from getting scammed.

  4. You can also try this… Click to close annoying popup window, and then immediately (almost at the same time as click), press Cmd-W on keyboard (the close window/tab keyboard shortcut). If you time it right, that scam window will close before the popup can reappear.

  5. Cmd-W works, but having to press it quickly can inadvertently close other windows/tabs you may want to keep open. Force quit Safari and then immediately after opening it, spam Cmd-. (Command and the period key) over and over. This forces the page in the foreground to stop loading before it even starts. Then you can safely close the affected window/tab.

  6. Was at my Sister’s house today and she got that on the iPhone’s screen trying to log in to Netflix.
    Here is what I did- it worked fine.

    Turned the iPhone off.
    Rebooted the iPhone and cleared the cache.

    Bada-bing!

  7. Just curious, but couldn’t you go to Activity Monitor and just kill the onerous Safari process? Or, specifically, type “Safari” in the Activity Monitor search window and you get a list of the Safari processes. You can see specific web pages at that point and take action.

  8. Mal Advertizing 2

    When a pop-up window appears warning of a VIRUS and instructs you to click OK on the dialog box. DO NOT CLICK OK!!!!!!!

    Press Command w to close window.

    If that doesn’t work Force Quit Safari.

    In any case after Safari has quit, hold the shift key down and reopen. This will keep Safari from being redirected back to the site.

    If you don’t already have it installed:

    Download – Adware Medic and run to find and delete offending adware.

    http://www.adwaremedic.com/index.php

    Removing Ad Malware With Adware Medic

    You’ve got a Mac and, from what you’ve heard, there’s no evil that can touch you.

    No viruses.

    A Mac App Store with guaranteed clean applications.

    No worries whatsoever.

    And then…your favorite web browser suddenly seems to have a mind of its own; taking you places you have no interest in going and warning you of evils on your Mac that don’t actually exist.

    Over the last several months I’ve had several people report that their computers have been hijacked. This hijacking takes a variety of forms, but most often it’s an inescapable barrage of ads or warnings of impending doom. In many cases these result in pop-up windows loading that can’t be closed or navigated past. The screen shot in the upper right and the one below were taken from a client’s computer in such a state:

    This kind of browser hijacking attempts to create fear about an existing or impending problem on your computer and then offers a solution that consists of calling a toll-free number to get that problem resolved. At worst this is a phishing attempt or ransomware and at best it’s an attempt to sell you software of dubious value that is supposed to “remove” the software causing the problem. In every case it’s a pain in the arse.

    (For an in-depth look at how these scams work, check out Lenny Zeltser’s excellent Conversation With a Tech Support Scammer, which includes audio of conversations he had with “tech support” when calling one of these toll free numbers.)

    Avoiding adware and malware is pretty simple:

    Make sure your Mac’s Security & Privacy settings (System Preferences > Security & Privacy) are set to Allow apps downloaded from the Mac App Store or the Mac App Store and identified developers. Anywhere should NOT be selected.

    To help avoid the installation of some adware and malware, make sure your security settings are anything but “Anywhere.”

    Don’t install software when you’re unsure of its origin. I know this seems obvious but, when you see a warning about software downloaded from the Internet, don’t open it unless you know what it is.

    If you see a message stating that something you’re opening was downloaded from the Internet and you’re not certain you’ve intentionally downloaded it, click Show Web Page before you open it.

    Avoid sketchy sites for downloading software.
    App developer’s site? Check!
    Mac App Store? Check!
    Softonic? Download.com? Fred’s Undeniably Adware Free File Downloads? Nope, nope, nope!
    Avoid other equally sketchy sites, such as torrent hosting services and… oh… you know you know what I’m talking about…
    Adware Medic
    If you find that your Mac has been hijacked by Adware, not to worry, we’ve got a fix for you. The Safe Mac’s Adware Medic. (The Safe Mac also has an excellent website and Twitter feed if you want the latest, up-to-date info on Mac Adware, Malware, and security concerns.)

    One click in Adware Medic can cure all that ails you.

    Using the app is as simple as it gets.

    Download Adware Medic.
    Open the Adware Medic disk image and drag the app to your Applications folder. Then Open Adware Medic. You should see a message stating that this is an app you’ve just downloaded from the Internet. Go ahead and click Open if it appears, but if you don’t see the message, head on over to System Preferences, open Security & Privacy and change the setting to “Mac App Store and identified developers.”
    Adware Medic is Donationware, which, as the donationware window states, makes the app free for as long as you want it to be. But if it solves your Adware issues, send some cash their way. Seriously!
    Click the “Scan for Adware” button.
    Follow any further instructions you see after the scan is complete.
    Adware Medic can usually remove adware without requiring a restart of your Mac, but in some cases a restart will be required to fully remove any adware that was installed.

    If Adware Medic doesn’t resolve everything that ails your Mac, you can take additional steps to resolve these issues. In many cases these fixes may be as simple as avoiding certain websites, changing your browser’s home page and search settings, or looking at removing browser extensions you may have installed.

    Instructions for Ad-Injection Software Removal from Apple Support below:

    Ad-injection software is advertising-supported software that can come from third-party download sites. Software that you download from such sites may have been customized to install both the software you want and the ad-injection software. If your Mac has ad-injection software installed, you might see pop-up windows, ads, and graphics while surfing the web, even if “Block pop-up windows” is selected in Safari preferences. Ad-injection software might also change your homepage and preferred search engine.
    Check Safari settings and extensions
    Go to Safari > Preferences, then follow these steps:
    1. Click the General icon and make sure that the Homepage field contains the website you want.
    2. Click the Search icon and make sure that the search engine setting shows your preferred search engine. Some versions of Safari have this setting in the General pane instead.
    3. Click the Extensions icon. If you don’t want an extension or don’t know what it does, select the extension from the list and click Uninstall. These are examples of ad-injection extensions, but there are others:
    • Amazon Shopping Assistant by Spigot Inc.
    • Ebay Shopping Assistant by Spigot Inc.
    • Searchme by Spigot, Inc.
    • Slick Savings by Spigot Inc.
    • GoPhoto.It
    • Omnibar
    Remove certain ad-injection software
    Use this “Go to Folder” method to find and remove each item listed in the sections below, one item at a time:
    1. Drag to select an entire line in the lists below, starting with /System/Library/Frameworks/v.framework, for example.
    2. Choose Edit > Copy.
    3. Open a Finder window, then choose View > As Columns.
    4. Choose Go > Go to Folder.
    5. Choose Edit > Paste to paste the line you copied into the text field.
    6. Press Return.
    • If the item is on your Mac, a window opens with the item you searched for already selected. Drag only that item to the Trash. If you’re asked to enter a password, enter your administrator password.
    • If the item is not on your Mac, you’ll see a message that the folder can’t be found. Continue to the next item in the list.
    Remove Downlite, VSearch, Conduit, Trovi, MyBrand, Search Protect
    Use Go to Folder to find and remove each of these items:
    /System/Library/Frameworks/v.framework
    /System/Library/Frameworks/VSearch.framework
    /Library/PrivilegedHelperTools/Jack
    /Library/InputManagers/CTLoader/
    /Library/Application Support/Conduit/
    ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
    ~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
    /Applications/SearchProtect.app
    After you remove the items above, restart your Mac. Then choose Finder > Empty Trash to permanently remove them.
    Remove Genieo, InstallMac
    First follow these steps to stop the Genieo or InstallMac processes, if they’re running. Be sure to restart your Mac when instructed.
    1. Open Activity Monitor.
    You can use Spotlight (Command-Space) to search for “Activity Monitor,” then choose Activity Monitor from the search results.
    2. In the Activity Monitor window, click the CPU tab, then click Process Name at the top of that column to sort the list alphabetically.
    3. Look for the process “Genieo.” Select it, then click the Force Quit button (x) in the upper-left corner of the window.
    4. Look for the process “InstallMac.” Select it, then click the Force Quit button.
    5. Quit Activity Monitor.
    6. Use Go to Folder to find and remove /private/etc/launchd.conf.
    Restart your Mac
    Use Go to Folder to find and remove each of these items:
    /Applications/Genieo
    /Applications/InstallMac
    /Applications/Uninstall Genieo
    /Applications/Uninstall IM Completer.app
    /usr/lib/libgenkit.dylib
    /usr/lib/libgenkitsa.dylib
    /usr/lib/libimckit.dylib
    /usr/lib/libimckitsa.dylib
    /Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
    ~/Library/Application Support/Genieo/
    ~/Library/Application Support/com.genieoinnovation.Installer/
    Restart your Mac
    Now find and remove /Library/Frameworks/GenieoExtra.framework.
    Restart your Mac
    Choose Finder > Empty Trash to permanently remove the items.
    Optionally remove other adware files
    You don’t need to remove these files to disable the adware. If you do remove them, first remove the other files listed in the sections above. Use the same Go to Folder method to find and remove each item.
    /Library/LaunchAgents/com.genieo.completer.update.plist
    /Library/LaunchAgents/com.genieo.engine.plist
    /Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
    /Library/LaunchAgents/com.genieoinnovation.macextension.plist
    /Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
    /Library/LaunchDaemons/Jack.plist
    ~/Conduit/
    ~/Trovi/
    ~/Library/Caches/com.Conduit.takeOverSearchAssetsMac
    ~/Library/Caches/com.VSearch.bulk.installer
    ~/Library/Caches/com.VSearch.VSinstaller
    ~/Library/LaunchAgents/com.genieo.completer.download.plist
    ~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
    ~/Library/LaunchAgents/com.genieo.completer.update.plist
    ~/Library/Preferences/com.genieo.global.settings.plist.lockfile
    ~/Library/Preferences/com.geneio.settings.plist.lockfile
    ~/Library/Preferences/com.geneio.global.settings.plist
    ~/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState
    ~/Library/Saved Application State/com.VSearch.bulk.installer.savedstate
    Go to the /Library/LaunchAgents/ folder and look for a file named com.*.agent.plist. The asterisk (*) could be any word, including “Apple.” Example: com.midnight.agent.plist. Move the file to the Trash.
    Go to the /Library/LaunchDaemons/ folder and look for a file named com.*.daemon.plist and a file named com.*.helper.plist. The asterisk (*) could be any word, but it will be the same word used in the LaunchAgents folder, above. Example: com.midnight.daemon.plist and com.midnight.helper.plist. Move the files to the Trash.
    Go to the /Library/Application Support/ folder and look for a file name that is the same word used in the LaunchAgents and LaunchDaemons folders, above. Example: midnight. Move the file to the Trash.
    Restart your Mac, then choose Finder > Empty Trash to permanently remove the items.
    Source: Apple Inc.

    🖖😀⌚️

  9. I had this earlier today as a matter of fact. You have certain viruses on your computer, blah, blah. I didn’t try taking myself off the network but I did end up force quitting Safari a few times, once before it had loaded everything from the last session. When I opened again, Safari asked if I wanted to restore the windows from the session I hadn’t fully loaded before. Of course I said hell no. Nothing I had open was anything I can’t use history to get back to without the ransomware.
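
The wildcard check at the end of the Apple Support steps quoted in comment 8 (find `com.*.agent.plist`, then look for the same word in LaunchDaemons and Application Support), as an added shell example that is not part of the original page or Apple's instructions. It only lists what it finds and deletes nothing; the `ROOT` variable and the function names are assumptions, there so the check can be pointed at a test directory.

```shell
#!/bin/sh
# Added example: read-only audit for the com.<word>.agent/daemon/helper set.
# ROOT is an assumption for testing; leave it empty to scan the real /Library.

# Print <word> for every Library/LaunchAgents/com.<word>.agent.plist.
candidate_words() {
    root="$1"
    for agent in "$root"/Library/LaunchAgents/com.*.agent.plist; do
        [ -e "$agent" ] || continue        # the glob matched nothing
        word=${agent##*/com.}              # drop directory and "com."
        word=${word%.agent.plist}          # drop the fixed suffix
        case "$word" in
            *.*|"") continue ;;            # the steps describe a single word
        esac
        printf '%s\n' "$word"
    done
}

# For one word, print each companion item that exists on disk.
companions() {
    root="$1"; word="$2"
    for rel in "Library/LaunchDaemons/com.$word.daemon.plist" \
               "Library/LaunchDaemons/com.$word.helper.plist" \
               "Library/Application Support/$word"; do
        if [ -e "$root/$rel" ]; then printf '/%s\n' "$rel"; fi
    done
}

# Print "<word> <count>" per candidate, then the companion paths, indented.
# A count of 0 means only the agent file exists, so the name alone is weak
# evidence; a count of 2 or 3 matches the pattern the steps describe.
scan() {
    root="${1:-}"
    candidate_words "$root" | while IFS= read -r word; do
        found=$(companions "$root" "$word")
        if [ -n "$found" ]; then
            count=$(printf '%s\n' "$found" | wc -l | tr -d ' ')
        else
            count=0
        fi
        printf '%s %s\n' "$word" "$count"
        if [ -n "$found" ]; then printf '%s\n' "$found" | sed 's/^/  /'; fi
    done
}

scan "${ROOT:-}"
```

Review each reported word by hand before moving anything to the Trash, since legitimate software can also install a `com.<word>.agent.plist`.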
