
Something not particularly dangerous (?) is annoying the heck out of me


license...@gmail.com

Apr 8, 2017, 11:37:16 AM
Does anyone know what it means when whatever I am working on suddenly stops and my screen transfers to Chrome, and a new tab opens at https://www.tamgrt.com/RT with MISSING PIXEL ID in courier on the page?

(This is nothing to do with TripAdvisor which I never use)

Jolly Roger

Apr 8, 2017, 12:21:50 PM
What OS version are you running? It's possible you've installed some
software that came bundled with adware. Run MalwareBytes and get rid of
anything it identifies. And in the future, be more careful about what
you download and where you download it. Use safe computing practices
(including keeping your system up to date, and refraining from
downloading software from untrustworthy sources) and this won't happen.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

license...@gmail.com

Apr 8, 2017, 11:32:08 PM
Is this likely? I never download software unless it comes from Apple or vmware

Jolly Roger

Apr 8, 2017, 11:38:44 PM
On 2017-04-09, license...@gmail.com <license...@gmail.com> wrote:
> Is this likely? I never download software unless it comes from Apple or vmware

Is there some reason you *don't* wish to run MalwareBytes to see for
yourself if your system has adware on it?

license...@gmail.com

Apr 8, 2017, 11:56:42 PM
Sorry for any misunderstanding, I am running 10.11.6 and I did run malwarebytes, which found two innocuous looking threats. Let's see if the innocuous looking tamgrt page stops coming up

Thanks again

David Empson

Apr 8, 2017, 11:59:15 PM
<license...@gmail.com> wrote:

> Is this likely? I never download software unless it comes from Apple or vmware

You don't necessarily need to have "downloaded" software. Some malicious
adware can infect your browser (or other parts of your computer) merely
by visiting a malicious or compromised web site, or if a web site
displays ads from a compromised ad server. If the software versions you
were running at the time were vulnerable, you could be infected.

It could also come in by another method such as email, e.g. by opening
an attachment (MS Word or PDF), or even just displaying a maliciously
crafted image file.

As JR said, run MalwareBytes to check.

--
David Empson
dem...@actrix.gen.nz

Jolly Roger

Apr 9, 2017, 12:02:28 AM
> Sorry for any misunderstanding, I am running 10.11.6 and I did run
> malwarebytes, which found two innocuous looking threats.

I'm curious: What specifically did it find?

license...@gmail.com

Apr 9, 2017, 8:43:17 AM
I didn't note them down but does Malwarebytes keep a log? I must have started using it irregularly a few years ago so it would be interesting to see what it has ever found and whether malware comes back

Lewis

Apr 9, 2017, 10:42:16 AM
In message <eksh0s...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
> On 2017-04-08, license...@gmail.com <license...@gmail.com> wrote:
>>
>> Does anyone know what it means when whatever I am working on suddenly
>> stops and my screen transfers to Chrome, and a new tab opens at
>> https://www.tamgrt.com/RT with MISSING PIXEL ID in courier on the
>> page?
>>
>> (This is nothing to do with TripAdvisor which I never use)

Well, that *IS* related to Trip Advisor, so whether you use it or not,
something on your system is using it.

Have you tried checking Chrome for addons? Setting Safari as your
default browser?

> What OS version are you running? It's possible you've installed some
> software that came bundled with adware. Run MalwareBytes and get rid of
> anything it identifies. And in the future, be more careful about what
> you download and where you download it. Use safe computing practices
> (including keeping your system up to date, and refraining from
> downloading software from untrustworthy sources) and this won't happen.

Good advice in general, but I don't think Trip Advisor is a malware
site.

Registrant Email: hostm...@tripadvisor.com

--
I don't need no stinking taglines.

Jolly Roger

Apr 9, 2017, 11:26:15 AM
The log file is here:

~/Library/Application Support/Malwarebytes/log.txt

You can access it from within MalwareBytes by choosing Scanner > Open
Log File from the menu bar.

Jolly Roger

Apr 9, 2017, 11:27:45 AM
I didn't say it was a malware site; and he can have adware installed
without Trip Advisor being a malware site.

Lewis

Apr 9, 2017, 2:31:39 PM
In message <ekv27e...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
> On 2017-04-09, Lewis <g.k...@gmail.com.dontsendmecopies> wrote:
>> In message <eksh0s...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
>>
>>> What OS version are you running? It's possible you've installed some
>>> software that came bundled with adware. Run MalwareBytes and get rid of
>>> anything it identifies. And in the future, be more careful about what
>>> you download and where you download it. Use safe computing practices
>>> (including keeping your system up to date, and refraining from
>>> downloading software from untrustworthy sources) and this won't happen.
>>
>> Good advice in general, but I don't think Trip Advisor is a malware
>> site.

> I didn't say it was a malware site; and he can have adware installed
> without Trip Advisor being a malware site.

It would be weird for malware to be sending him to a trip advisor
domain.


--
When cheese gets its picture taken, what does it say?

Jolly Roger

Apr 9, 2017, 3:36:20 PM
On 2017-04-09, Lewis <g.k...@gmail.com.dontsendmecopies> wrote:
> In message <ekv27e...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
>> On 2017-04-09, Lewis <g.k...@gmail.com.dontsendmecopies> wrote:
>>> In message <eksh0s...@mid.individual.net> Jolly Roger <jolly...@pobox.com> wrote:
>>>
>>>> What OS version are you running? It's possible you've installed some
>>>> software that came bundled with adware. Run MalwareBytes and get rid of
>>>> anything it identifies. And in the future, be more careful about what
>>>> you download and where you download it. Use safe computing practices
>>>> (including keeping your system up to date, and refraining from
>>>> downloading software from untrustworthy sources) and this won't happen.
>>>
>>> Good advice in general, but I don't think Trip Advisor is a malware
>>> site.
>
>> I didn't say it was a malware site; and he can have adware installed
>> without Trip Advisor being a malware site.
>
> It would be weird for malware to be sending him to a trip advisor
> domain.

Adware that sends someone to a site that advertises hotels and so on?
Say it isn't so! : D

license...@gmail.com

Apr 10, 2017, 8:21:10 AM
Thanks guys, the log shows Adware.Crossrider :invoking something called ShoppyTool
and PUP.JDIBackup which seems to invoke ZipCloud.exe.

(Both of these feature in past scans as well)

Jolly Roger

Apr 10, 2017, 9:33:12 AM
Those were installed along with some other piece of software you
installed on your Mac. In order to avoid such adware in the future, you
need to be more vigilant in ensuring that you never download software
from untrusted sources.

There are untrusted third-party download web sites that are well known
to inject adware into downloads: CNET Downloads, VersionTracker,
MacUpdate, and so on. If you use one of those sites to download software
to install on your computer, you are asking for trouble. If you want to
install a legitimate piece of Mac software, you should avoid such
third-party sites and instead go directly to the software maker's web
site to download their software.

For instance let's say you want to download HandBrake, a popular video
encoding tool from MacUpdate.com. Rather than downloading it from
MacUpdate, you should do a web search for "handbrake" to find that the
official Handbrake site is at https://handbrake.fr, then go there and
download it from there instead.

Another source for Mac malware is any web site that displays a pop-up
message asking you to download and install "Flash" or any web site that
tells you your computer is supposedly insecure and that you need to
download software from the web site to protect yourself (often under the
name MacKeeper, but it could be named just about anything). Web sites
cannot scan your computer directly, which means such messages are bogus
and are only trying to use fear to trick you into downloading and
installing malware. Don't fall for that trick. A legitimate web site
will not tell you your computer is infected. And again you should never
download software from random untrusted sources.

I would also recommend you remove Adobe Flash completely from your
computer and avoid clicking any web notice that insists you install
Flash, since often that web site will bundle malware or adware with that
download. Also, more often than not, Flash is completely unnecessary.
For instance, let's say you've completely removed Flash from your
computer. You visit a web site to watch a video, and the video shows a
banner that says you need Flash installed to watch it. Rather than
installing Flash, you can set your web browser's User Agent string to
any iOS string, and nine times out of ten, the video will play without
issue. This is because the overwhelming majority of web sites are coded
to use Flash when they detect a computer (Mac, Windows) is viewing it,
and use HTML5 when they detect a mobile device (iOS, Android) is viewing
it. With Safari, there is built-in functionality to allow you to change
your User Agent string (go to Safari Preferences > Advanced and enable
"Show Develop menu", then choose Develop > User Agent from the menu
bar). Instructions are different for other browsers:

<http://osxdaily.com/2013/01/16/change-user-agent-chrome-safari-firefox/>

Finally, if you encounter a web site that you absolutely must view that
won't work with an iOS User Agent string (which, again, is extremely
rare), and you want to install Adobe Flash again, go directly to the
trusted source, which is Adobe's web site, to download it:

<https://get.adobe.com/flashplayer/>

license...@gmail.com

Apr 10, 2017, 1:22:20 PM
Thanks for that. I didn't know that, for example, cnet wasn't a trusted source. But in any event I wouldn't dream of clicking on a link to download any supposed helper or accelerator when trying to download a utility which, itself, I might need

But I would LOVE to find some alternative to either flash or anything to do with Adobe. I don't believe that their hundred megabyte updates with convoluted multilayered install procedures are ever necessary or trustworthy.

What exactly can I use instead of flash to play (eg) the live radio on bbc.co.uk in (eg) EPIC please?

Jolly Roger

Apr 10, 2017, 2:16:15 PM
Have you tried doing what I suggested (changing the User Agent to an iOS
string) with bbc.co.uk?

license...@gmail.com

Apr 11, 2017, 9:55:49 AM

> Have you tried doing what I suggested (changing the User Agent to an iOS
> string) with bbc.co.uk?


Please excuse my want of expertise but I have a MBP and a Vaio running linux off which I would like to remove flash and I wouldn't know where even to start changing the User Agent to an iOS string?

nospam

Apr 11, 2017, 10:26:43 AM
In article <423e58cb-c7e9-4990...@googlegroups.com>,
<license...@gmail.com> wrote:

> > Have you tried doing what I suggested (changing the User Agent to an iOS
> > string) with bbc.co.uk?
>
> Please excuse my want of expertise but I have a MBP and a Vaio running linux
> off which I would like to remove flash

uninstalling on mac/windows:
<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-mac-os.html>
<https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html>

flash is no longer supported on linux at all, so either you still have
a horribly outdated version (*very* bad) or it's not there at all
(good).

> and I wouldn't know where even to start
> changing the User Agent to an iOS string?

that depends on the browser.

<http://osxdaily.com/2013/01/16/change-user-agent-chrome-safari-firefox/>

Jolly Roger

Apr 11, 2017, 10:41:54 AM
<license...@gmail.com> wrote:
>
>> Have you tried doing what I suggested (changing the User Agent to an iOS
>> string) with bbc.co.uk?
>
>
> Please excuse my want of expertise but I have a MBP and a Vaio running
> linux off which I would like to remove flash

<http://lmgtfy.com/?q=uninstall+flash+mac>

> and I wouldn't know where even to start changing the User Agent to an iOS string?

*sigh*...

I already told you how to do that just a couple posts back in this thread.
Here's what I wrote:

---

For instance, let's say you've completely removed Flash from your
computer. You visit a web site to watch a video, and the video shows a
banner that says you need Flash installed to watch it. Rather than
installing Flash, you can set your web browser's User Agent string to
any iOS string, and nine times out of ten, the video will play without
issue. This is because the overwhelming majority of web sites are coded
to use Flash when they detect a computer (Mac, Windows) is viewing it,
and use HTML5 when they detect a mobile device (iOS, Android) is viewing
it. With Safari, there is built-in functionality to allow you to change
your User Agent string (go to Safari Preferences > Advanced and enable
"Show Develop menu", then choose Develop > User Agent from the menu
bar). Instructions are different for other browsers:

<http://osxdaily.com/2013/01/16/change-user-agent-chrome-safari-firefox/>

license...@gmail.com

Apr 11, 2017, 1:52:40 PM
> then choose Develop > User Agent from the menu
> bar). Instructions are different for other browsers:


It wasn't that I wasn't listening, I just didn't understand what to do at the last stage.

Is default flash? So I need to switch to safari 10.1?

Jolly Roger

Apr 11, 2017, 4:01:31 PM
No, like I said:

"Rather than installing Flash, you can set your web browser's User Agent
string to any iOS string, and nine times out of ten, the video will play
without issue."

So when you encounter a web page that claims Flash is required to watch
a video, do this:

1. Go to Safari Preferences > Advanced.
2. Enable the "Show Develop menu" option.
3. From the Safari menu bar, choose Develop > User Agent > Safari - iOS
10 - iPhone (or any other entry with "iOS" in the name).

More often than not, the page will reload and the video will play
without Flash.

The only reason most of these sites claim Flash is required is because
the developer wrote the page in such a way that the code assumes if
you are viewing the page on a computer you will have Flash installed,
and that same code assumes that if you are viewing the page on a mobile
device (like an iOS device) you will *not* have Flash installed; so the
page uses HTML5 instead. Despite these assumptions, the fact is if you
don't have Flash installed you can view videos with HTML5 *regardless*
of whether you are on a computer or a mobile device. Manually changing
the User Agent to an iOS string simply fools the web page into thinking
you are viewing it on a mobile device so that the silly assumption is
met and the video plays with HTML5 rather than Flash. ; )

Lewis

Apr 12, 2017, 4:25:53 AM
In message <a0aee3c2-71d7-4b3e...@googlegroups.com> license...@gmail.com <license...@gmail.com> wrote:
> Thanks for that. I didn't know that, for example, cnet wasn't a trusted
> source. But in any event I wouldn't dream of clicking on a link to
> download any supposed helper or accelerator when trying to download a
> utility which, itself, I might need

> But I would LOVE to find some alternative to either flash or anything
> to do with Adobe. I don't believe that their hundred megabyte updates
> with convoluted multilayered install procedures are ever necessary or
> trustworthy.

The alternative to Flash is to not install it.

> What exactly can I use instead of flash to play (eg) the live radio on bbc.co.uk in (eg) EPIC please?

BBC sites are super aggressive about lying about requiring Flash. The
simplest way around it is to tell the BBC you are on an iPad.

--
She'd always tried to face towards the light. But the harder you stared into
the brightness the harsher it burned into you until, at last, the temptation
picked you up and bid you turn around to see how long, rich, strong and dark,
streaming away behind you, your shadow had become- --Carpe Jugulum

license...@gmail.com

Apr 12, 2017, 2:36:05 PM
Well, that was absolutely disastrous.

I did what you said and it immediately screwed up my opengmail page, at first telling me that I am not using an iphone instead of displaying my email

then when I tried to undo the damage and revert the user agent back to DEFAULT, it went into my gmail but with some catastrophic wholly text-based page where I can't figure out what is going on

Any idea how I can undo the damage please?

Jolly Roger

Apr 12, 2017, 9:35:53 PM
You're very confused. There is no "damage" to undo.

The User Agent menu command only changes the user agent for the
*current* browser window/tab - no other browser windows/tabs are
affected. And as soon as you switch back to the default User Agent or
close that window/tab, the User Agent is back to normal.

The typical use case, as I described, is:

1. You try to view a video on a web page.
2. The video claims it requires Flash.
3. You set the User Agent to any iOS string.
4. The page reloads and you can play the video.

None of that has *anything* to do with GMail. I'm not sure what you are
referring to as an "opengmail page". It could be you mean the standard
http://gmail.com page, or I suppose it could be something else. I see a
stand-alone application called OpenGMail here, but I doubt this is what
you are talking about since it's not something you would access in a web
browser:

<https://sourceforge.net/projects/opengmail/>

I'll just assume you meant http://gmail.com. In that case, it sounds
like you purposefully went to the GMail web site in the same tab that
you had previously set to an iOS User Agent string. Indeed, if you do
that, the GMail web site assumes you are using an iOS device (since
that's what the iOS User Agent string told it) and displays a page that
asks you to instead use the native iOS GMail app:

<https://i.imgur.com/vx4t0LL.png>

All you have to do is close that window/tab and open GMail in another
one.

BTW, there's really no need to use a web browser to access GMail on a
Mac since the built-in Apple Mail application supports GMail just fine,
allowing you to access your GMail with the same app you use to access
all your other mail. ; )

license...@gmail.com

Apr 21, 2017, 2:51:30 PM

I was indeed very confused but it all worked out OK in the end. Thanks for your kind attentions

Now I have one more symptom. And it is consistent so I thought I should report it here.

Every single time I swipe panes to the right and get to the pane on the far left, and I try to use the calculator, when I hit any second key on the pad, the pane switches to a browser (chrome) and that tamgrt.com/rt page opens.

Jolly Roger

Apr 21, 2017, 7:21:49 PM
On 2017-04-21, license...@gmail.com <license...@gmail.com>
wrote:
Note: You never answered my initial question of what version macOS you
are running. Can you please tell us now?

It's hard to tell for sure what you are referring to when you say you
"swipe panes to the right to get to the pane on the far left, and try to
use the calculator".

Are you referring to using track pad gestures to view Dashboard to use
the calculator widget?:

<https://support.apple.com/en-us/HT201738>

Or are you perhaps referring to the calculator widget in the
Notification Center?:

<http://notebooks.com/2015/05/24/how-to-put-a-calculator-in-the-mac-notifications-center/>

Or are you referring to something else?

At any rate, whenever a web browser is being invoked sporadically
without your permission, the first suspect is adware. So I have to
wonder if you still have remnants of adware on your system, or if you've
been re-infected since the last time you ran MalwareBytes.

If you run MalwareBytes again, please post the contents of the log here.
Instructions for viewing the log are higher up in this thread, since we
previously discussed it.

One final question: Do you have Chrome set as your default browser? If
you clicked the links above, did they open in Chrome, or another
browser?

license...@gmail.com

Apr 22, 2017, 12:07:19 PM
I am running 10.12.4, def browser is chrome and yes, my description IS the way to get to the dashboard, - on my computer at any rate.

Malwarebytes reports

2017-04-22 11:57:37 : Scanning with signatures version 184 (2017-4-18)
2017-04-22 11:58:20 : Adware.Crossrider : /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-22 11:58:36 : PUP.JDIBackup : /Users/LicensedToQuill/ZipCloud.exe
2017-04-22 11:58:44 : *** Scan time: 0d 00:01:06 ***
2017-04-22 11:58:44 : ------ Scan Ended ------
2017-04-22 12:04:21 : Removing detected threats...
2017-04-22 12:04:21 : Removing Item: /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-22 12:04:21 : Removing Item: /Users/LicensedToQuill/ZipCloud.exe
2017-04-22 12:04:21 : ---- Threat Removal Complete ----

(The problem is unaffected)
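
Added example (not part of the thread, and not Malwarebytes' own code): a small Python parser for the log format shown in the post above, which groups entries into scans and lists items that were detected again after an earlier scan had removed them. The first scan in the sample is constructed for illustration; only the 2017-04-22 entries are taken from the post.

```python
import re
from collections import defaultdict

# Each log entry is "<YYYY-MM-DD HH:MM:SS> : <message>", as in the post above.
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) : (.*)$")
# Detection entries look like "<Category.Name> : <absolute path>".
DETECTION_RE = re.compile(r"^([A-Za-z]+\.[\w.]+) : (/.+)$")
REMOVAL_RE = re.compile(r"^Removing Item: (/.+)$")

# First scan (2017-04-08) is CONSTRUCTED sample data; second scan is from the post.
SAMPLE_LOG = """\
2017-04-08 23:40:02 : Scanning with signatures version 000 (constructed)
2017-04-08 23:40:45 : Adware.Crossrider : /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-08 23:41:01 : PUP.JDIBackup : /Users/LicensedToQuill/ZipCloud.exe
2017-04-08 23:41:09 : ------ Scan Ended ------
2017-04-08 23:45:30 : Removing Item: /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-08 23:45:30 : Removing Item: /Users/LicensedToQuill/ZipCloud.exe
2017-04-22 11:57:37 : Scanning with signatures version 184 (2017-4-18)
2017-04-22 11:58:20 : Adware.Crossrider : /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-22 11:58:36 : PUP.JDIBackup : /Users/LicensedToQuill/ZipCloud.exe
2017-04-22 11:58:44 : *** Scan time: 0d 00:01:06 ***
2017-04-22 11:58:44 : ------ Scan Ended ------
2017-04-22 12:04:21 : Removing detected threats...
2017-04-22 12:04:21 : Removing Item: /Users/LicensedToQuill/Library/Application Support/.ShoppyTool
2017-04-22 12:04:21 : Removing Item: /Users/LicensedToQuill/ZipCloud.exe
2017-04-22 12:04:21 : ---- Threat Removal Complete ----
"""


def parse_scans(text):
    """Split the log into scans, each with its detections and removed paths."""
    scans = []
    current = None
    for raw in text.splitlines():
        entry = ENTRY_RE.match(raw.strip())
        if not entry:
            continue  # skip blank or malformed lines
        timestamp, message = entry.groups()
        if message.startswith("Scanning with signatures"):
            current = {"started": timestamp, "detections": [], "removed": set()}
            scans.append(current)
            continue
        if current is None:
            continue  # entries before the first scan header are ignored
        detection = DETECTION_RE.match(message)
        if detection:
            current["detections"].append((detection.group(1), detection.group(2)))
            continue
        removal = REMOVAL_RE.match(message)
        if removal:
            current["removed"].add(removal.group(1))
    return scans


def recurring_after_removal(scans):
    """Map (name, path) -> scan start times where the item reappeared
    after an earlier scan had already removed that path."""
    removed_before = set()
    recurrences = defaultdict(list)
    for scan in scans:
        for name, path in scan["detections"]:
            if path in removed_before:
                recurrences[(name, path)].append(scan["started"])
        removed_before |= scan["removed"]
    return dict(recurrences)


if __name__ == "__main__":
    for (name, path), times in recurring_after_removal(parse_scans(SAMPLE_LOG)).items():
        print(f"{name} came back at {path} in scan(s) started {', '.join(times)}")
```

An item that reappears at the same path after removal means something still on the system is restoring it, or it has been installed again since the earlier scan.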

Jolly Roger

Apr 22, 2017, 1:43:21 PM
As I suspected, this shows you have three different adware packages
installed:

* Crossrider
* ZipCloud
* ShoppyTool

All of these can cause your browser to spy on you by gathering
information about you and your computer - especially your web browsing
habits - and deliver a variety of intrusive advertisements.

Crossrider was installed because you downloaded a video recording or
streaming app (fake Flash updates, etc), a download-manager, or a PDF
creator app which came with the adware bundled with its installer.

Likewise, ZipCloud is installed when an untrustworthy web site displays
a pop-up message telling you that you need to install a fake Flash
update, and you go ahead and follow the instructions to install it. The
installer you download in such a case has the ZipCloud install bundled
with it. It's also associated with Yahoo Search extension and
MacKeeper, both of which you should always avoid.

Like the others, ShoppyTool is bundled with installers that you are
tricked into installing thinking they are legitimate when you have
actually obtained them from untrustworthy sources.

Again, you should always refrain from installing anything in the future
unless you know for *certain* it was downloaded from a *trusted* source.

You should always ignore any web site that tells you out of the blue
that you need to download any piece of software, or that your computer
has a virus, or that your computer needs security software. And if you
are ever unsure whether a site or source is trustworthy, you should
*not* trust it by default. As the saying goes: Just Say No ™. ; )

Again, many software repository web sites are known to bundle adware
with installers downloaded from them, and should be avoided, including
these and possibly others:

* CNET Downloads
* VersionTracker
* MacUpdate
* Softonic

If you want to download a piece of software listed on such a site, you
should instead download the installer from the actual software
developer's web site. For instance, if you wanted to download Pixelmator
that is listed on MacUpdate.com, you should download it only from the
developer's website at http://www.pixelmator.com.

Obviously MalwareBytes is unable to completely remove these from your
system. So you'll need to remove them manually instead. The link below
is to a fairly comprehensive step-by-step guide showing how to remove
all vestiges of adware or unwanted software from your system. Be sure to
follow each step in the process thoroughly before moving on to the next.
If you get stuck at a certain spot, reply to this post asking for
assistance.

<http://www.thesafemac.com/arg-identification/>

Once you have gone through the whole process, reboot your computer and
then run MalwareBytes once more (make sure you are running the absolute
latest version first) to see if it reports anything new in the log.

If it does report anything, you've apparently missed something along the
way, or you've again downloaded and installed some untrustworthy piece
of software.

nicksmit...@gmail.com

May 15, 2019, 6:42:44 AM
On Saturday, April 8, 2017 at 4:37:16 PM UTC+1, license...@gmail.com wrote:
> Does anyone know what it means when whatever I am working on suddenly stops and my screen transfers to Chrome, and a new tab opens at https://www.tamgrt.com/RT with MISSING PIXEL ID in courier on the page?
>
> (This is nothing to do with TripAdvisor which I never use)

This is a Trip Advisor tracking pixel, records sales from their partners. If you clicked something on TA or someone sent you a link from there, may be lingering. Don't think anything malicious with it