
Safari hijack?


Michael P.
Member
 
Join Date: Oct 2007
Location: Dallas
 
Old 2008-10-27, 19:23

The name says it all.

For some reason, Safari will occasionally--especially through Google links--redirect to some horrible malware installation page that tries to install Windows software on my Mac (something called "Antivirus 2009"). That's obviously not going to work; however, it has somehow managed to insinuate itself into Safari to the point where it does it a couple of times a day. This has been happening since Saturday, coincidentally the same day that I allowed someone else to use my computer.

Now, I've googled around, I've looked in the official Apple forums, and all I've seen is people insisting that this couldn't possibly happen--much like the luminaries in the Royal Academy of Science who denied that meteors existed because "rocks do not fall from the sky." Clearly it's happening to me. I would like to make it stop. Does anyone have any idea what I need to do? I'm relatively new to the Mac. Since it probably matters, I'm using a late 2007 MacBook Pro, 2.2 C2D with 4 GB of RAM (not that it should matter for this). I'm running 10.5.5 and Safari 3.1.2 (5525.20.1).

Any help would be much appreciated.
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
Old 2008-10-27, 19:33

In Safari preferences, check if the "Download Safe Files" is checked, and if so, clear it. That's one bad default and may be the cause (though I don't think it'd randomly install Windows software....)

(Speaking of which, I *think* it could be the website itself that's feeding you the crap, not Safari... maybe someone more knowledgeable can verify that?)
Michael P.
Member
 
Join Date: Oct 2007
Location: Dallas
 
Old 2008-10-27, 19:38

Yeah, that's kind of what I was thinking. I think the website is getting in the way. Maybe it has something to do with DNS entries? I am a little fuzzy on what those are, but I've seen references to them in discussions of this sort of thing. I've no idea how to check for changes/restore them in Safari, though.
Michael P.
Member
 
Join Date: Oct 2007
Location: Dallas
 
Old 2008-10-27, 20:06

It seems to come up when I try to open Google links. It also seizes control of the browser, and I can neither shut down the computer nor force-quit the program until I click cancel--at which point it maxes the window and starts running some pseudo-WinXP virus scan.

Also, it's running as JavaScript, at least partly, I guess. I turned off JavaScript, and clicked on the Google link (a real link), and it redirected to DO NOT CLICK http://premiumlivescan.com/2009/1/fr....php?id=880147 (DO NOT CLICK), but couldn't load the page.
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
Old 2008-10-27, 20:14

Wheee!

That was fun!

Not.


So, yes, it's definitely the website that's pushing crappy JavaScript on you. Everything else seems to be working as expected - that is, Safari didn't go ahead and install it; I got a dialog asking if I really wanted to download it, which I cancelled. It did a wonky thing to the tab, which I've never seen before.

But the answer is that it's not Safari being hijacked. If you turn off JavaScript, the website just straight up won't work at all.

So in conclusion, don't visit the website. (Especially *not* ones linked on the right sidebar on Google, or the top highlighted hits. They're usually screwy. As long as you confine yourself to the ten hits listed, you will be fine.)
Michael P.
Member
 
Join Date: Oct 2007
Location: Dallas
 
Old 2008-10-27, 20:23

Thanks for the help.

I'm still confused, though. Even with JavaScript off, it's still redirecting to that site when I try to open what is, to the best of my knowledge, a safe site. And it doesn't do it every time either, but only intermittently. It's just not doing the whole nine yards, but only the redirect without all the bells and whistles.
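Added example, not part of the thread: a redirect that still fires with JavaScript disabled typically comes from the HTTP response itself (a 3xx status or a Refresh header) or from a meta refresh tag in the markup, none of which need script. This Python sketch classifies constructed sample responses by mechanism; the hosts, the samples and the function name `classify_redirect` are illustrative assumptions.

```python
import re

# Constructed sample responses (not captured traffic); hosts are placeholders.
TARGET = "http://landing.example.net/scan"
SAMPLES = {
    "http_3xx": f"HTTP/1.1 302 Found\r\nLocation: {TARGET}\r\n\r\n",
    "refresh_header": f"HTTP/1.1 200 OK\r\nRefresh: 0; url={TARGET}\r\n\r\n<html></html>",
    "meta_refresh": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    f'<html><head><META HTTP-EQUIV="refresh" content="0;URL={TARGET}"></head></html>',
    "script": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
              f"<html><script>window.location.href = '{TARGET}';</script></html>",
    "plain": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body>news</body></html>",
}

META_RE = re.compile(r"<meta[^>]+http-equiv\s*=\s*['\"]?refresh\b[^>]*>", re.I)
URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\">\s;]+)", re.I)
SCRIPT_RE = re.compile(
    r"location(?:\.href)?\s*=\s*['\"]([^'\"]+)"
    r"|location\.(?:replace|assign)\(\s*['\"]([^'\"]+)", re.I)

def classify_redirect(raw):
    """Return (mechanism, target, needs_javascript) for one raw HTTP response."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Server-side mechanisms: these still redirect with JavaScript disabled.
    if 300 <= status < 400 and "location" in headers:
        return ("http-3xx", headers["location"], False)
    if "refresh" in headers:
        m = URL_RE.search(headers["refresh"])
        return ("refresh-header", m.group(1) if m else None, False)
    meta = META_RE.search(body)
    if meta:
        m = URL_RE.search(meta.group(0))
        return ("meta-refresh", m.group(1) if m else None, False)
    # Script-driven navigation: only fires when JavaScript is enabled.
    m = SCRIPT_RE.search(body)
    if m:
        return ("script", m.group(1) or m.group(2), True)
    return ("none", None, False)

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify_redirect(raw))
```
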
Paranoid666au
Senior Member
 
Join Date: Jul 2004
Location: Sydney, Australia
 
Old 2008-10-27, 22:20

If it were me I'd be doing everything to kill this. Empty cache, delete cookies, delete history, delete databases, set cookies to never, reset Safari. Is that overkill?
Banana
is the next Chiquita
 
Join Date: Feb 2005
 
Old 2008-10-27, 22:23

Well, it wouldn't hurt to reset Safari and clear out cache every once in a while. The problem, however, lies with the said website, and nothing you can do is going to make it any less of a delinquent.
Mugge
Thunderbolt, fuck yeah!
 
Join Date: Jan 2005
Location: Denmark
 
Old 2008-10-28, 02:23

The most annoying thing is when they use JavaScript ads on other sites. I've seen this happen on a couple of larger sites. Including a newspaper. That's always good cause to send them a fiery email with a couple of screenshots.

Wouldn't OpenDNS' filtering tool help prevent this? Alternatively Firefox has an add-on called NoScript that can block these bastards.
scratt
Sabre Toothed Squirrel
 
Join Date: Jul 2004
Location: M-F: Thailand Weekends : F1 2010 - Various Tracks!
Old 2008-10-28, 02:30

Submit it to Digg and ask people to DoS it.
See how long they keep it up.
rob05au
Member
 
Join Date: May 2005
Location: Australia
Old 2008-10-28, 04:14

The site belongs to the following

Shestakov Yuriy alexeyvas@safe-mail.net +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy,MSK,RU 102422


Domain Name: premiumlivescan.com
Record last updated at 2008-10-24 12:30:55
Record created on 2008/10/24
Record expired on 2009/10/24


Domain servers in listed order:
ns1.freefastdns.com ns2.freefastdns.com

Administrator:
name: Shestakov Yuriy
Email: alexeyvas@safe-mail.net tel: +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy
MSK,
RU
zipcode: 102422

Technical Contactor:
name: Shestakov Yuriy
Email: alexeyvas@safe-mail.net tel: +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy
MSK,
RU
zipcode: 102422

Billing Contactor:
name: Shestakov Yuriy
Email: alexeyvas@safe-mail.net tel: +7.9218839910
Shestakov Yuriy
Lenina 21 16
Mirniy
MSK,
RU
zipcode: 102422


Registration Service Provider:
name: Shestakov Yuriy
tel: +7.9218839910
fax: +7.9218839910
web:


It is a front for a hacker/s
All times are GMT -5. The time now is 18:28.

