MacKeeper pop-up

urcomputech

I've cleaned my share of MacKeeper-infested Macs, but I've never come across a variant like this one. No matter what I do, it keeps returning. I've been telling my client that it is relatively benign, but I'm beginning to doubt myself. To save some time, I've already tried everything listed on this page:
https://www.imore.com/removing-mackeeper-your-mac
Not to mention, I've already tried both Malwarebytes and DetectX. Both claim to have found and cleaned the malware, only for it to return after a short time. The pop-ups tend to appear only while using Safari, and yes, I've checked extensions. I'd love some suggestions or links.
Here's an image of the pop-up:
upload_2018-5-10_23-14-11.png
 
Is it being restored from a Time Machine backup?
Usually MBytes destroys it, but it's unusual to keep coming back.
Have you tried scanning with Bitdefender's free Mac Scanner?
Have you scanned the Time Machine backup source, like the ext drive or wherever the TMB's are stored?
Might pay to uninstall all the extensions from Safari (and other browsers) to see if it continues.
 

I'll check Time Machine, but I'm curious how it could self-restore from there?
I'll also check out Bitdefender... Thank you for the tips, Barcelona.
 
What application has the focus when you see that pop-up? I.e., look in the top left of the screen and you'll see the Apple logo; next to that it will say Finder or Safari or Word or whatever program is running.
 
Safari seems to be the culprit. I've removed all extensions, cleared the cache, scanned with Malwarebytes plus DetectX - all to no joy. I'm scheduled to continue to work on it later this afternoon; I will then try some of the previous suggestions. Thank you, timeshifter.
 
It looks like a web pop-up ad, maybe not an actual executable running on the machine. Wonder about your homepage setting in Safari or if you're going to a site that causes that. Would also check your DNS settings. One reputable site I frequent had issues with their ad network injecting some similar questionable ads.
 
There was an executable removed/quarantined according to both Malwarebytes and DetectX, but that did not keep pop-ups from returning. I agree that it is a browser-generated issue at this point, but trying to pinpoint the exact site/source within the browser environment has so far been elusive.
It is likely though that I may be making progress thanks to some great suggestions from this thread, including checking the DNS. Thank you again.
 
Not sure what you mean .... restore from TM backup perhaps?

Oh gods.... Friday. I can't even type properly. I would not restore from a TM backup, in case that thing is lingering somewhere. But maybe just certain files. It's up to you. I don't know if you had any luck getting rid of it or not since I wrote that.

But yes, check the DNS for sure.
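
Added example, not part of any post in this thread: a small shell check for the DNS suggestion above, listing the resolvers macOS reports via `scutil --dns` and flagging any that are not on an allowlist. `TRUSTED_DNS` and the function names are hypothetical, and the sample output is constructed.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that macOS is using but you do not expect.
# TRUSTED_DNS is a hypothetical variable name; set it to the resolvers the
# client's router or ISP should be handing out.

# Constructed sample of `scutil --dns` output (203.0.113.53 is a made-up
# documentation address standing in for an unexpected resolver).
sample_scutil_output() {
    cat <<'EOF'
DNS configuration

resolver #1
  search domain[0] : lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  if_index : 6 (en0)
  flags    : Request A records

DNS configuration (for scoped queries)

resolver #1
  nameserver[0] : 192.168.1.1
  if_index : 6 (en0)
EOF
}

# Read `scutil --dns` output on stdin, print each resolver address once.
resolvers_from_scutil() {
    awk '/^[ \t]*nameserver\[[0-9]+\]/ { print $NF }' | sort -u
}

# Read addresses on stdin, print those missing from the space-separated
# allowlist passed as $1.
unexpected_resolvers() {
    allow=" $1 "
    while IFS= read -r ip; do
        case "$allow" in
            *" $ip "*) ;;                 # expected resolver
            *) printf '%s\n' "$ip" ;;     # not on the allowlist
        esac
    done
}

# On a Mac, audit the live configuration; elsewhere this is skipped.
if command -v scutil >/dev/null 2>&1; then
    scutil --dns | resolvers_from_scutil |
        unexpected_resolvers "${TRUSTED_DNS:-192.168.1.1}"
fi
```

Any address it prints is worth comparing against the router's DHCP settings and the DNS servers configured for the active network service in System Preferences.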
 

Did you do a reset of Safari? The reason I mentioned browser resets is I've had similar situations. Ran tools, did things. After the browser is launched the popup shows up, sometimes can take a while.

All the steps here - https://www.macissues.com/2015/06/22/how-to-fully-reset-safari-on-your-mac/
 
It looks like timeshifter called it - it was an infected site (webmail.earthlink.net) my client frequently logs into. He may have installed the executable that I later removed with Malwarebytes/DetectX from the link this popup provides, but the site still generated the same "infection" notices. At the moment, no exe's detected plus no pop-ups, as long as he stays logged out of the site. Later today, I will configure his machine to use the Mac mail client.
Thank you all for your inputs!
 

Thank you, Mark, for your suggestion of resetting the browser. I went through the steps but later found the popups returned. The reset instructions were so thorough, though, that it forced me to realize that it could not have been his machine that was infected. I'm pretty sure I'll be returning to these instructions in the future, so thank you.
 

That URL is the standard webmail URL for Earthlink, which I have used often over the years. It may be possible Earthlink may have had a poisoned iFrame or the EU clicked on an embedded email link. I've had an Earthlink email address for close to 25 years and have only had one problem. Back then the password was very simple and got hacked, I'm guessing, some 10 years ago. Got a phone call from them that they shut down the account until I contacted them.
 

Yes, first time I've had issues related to the Earthlink site, except for the occasional complaint about pushing unnecessary AV on clients. It does look like the site and webmail portal are out of date, in my opinion. I speak as a former employee of Earthlink; worked there during the good old dial-up days. Thank you again, Mark, for your input.
 