DavidVC

So would one possible remedy have been to simply delete the "bad" Hosts file and let the computer re-create it by itself?

Sorry to bring back an old topic but we just faced this issue on a Mac today. No matter what we did, searches were running on Yahoo and not the search engine set in the prefs. Interestingly, if the search engine was set to something other than Google, it would work! I was pulling my hair out and took a stab at something I read online in some searches that suggested it was a bad "hosts" file. I found a page which claimed to have the right Hosts file syntax so I made one and replaced the Hosts file, sure enough, that worked! I wonder if some of you wizards here can explain this and/or post the right contents of a clean Hosts file. Thank you.

A customer of mine is supposedly dropping off an infected Mac with the Safari home page issue on Thursday. Hopefully I can solve it, and if I do I will document my steps a bit better this time...

I worked it out once but I was getting desperate and just went thermonuclear in the library. I had a second one come up but the customer has vanished. I want very much to see it again in the hopes of doing a much more surgical repair.

I've got another! Another customer I work with has this same thing and my tricks from before have NOT solved Safari. I removed profiles but I didn't have the same items in Accessibility. At this point I'm unable to change the Safari home page on this customer's computer. Thomas - if you want to see it, I can arrange...still trying to pull things out of the System and Library.

So I did eventually solve my issues but I decided to go thermonuclear. I was able to determine that whatever had Chrome hostage was in the user's library folder. When I created a new user, Chrome worked normally. Armed with that, I went through the User->Library folder and I removed anything Chrome or Google. Rebooted and it was back to normal. Sadly I think we will see this again, and when I do I'll take better notes of what I remove. Special thanks to Thomas Reed who is just an amazing dude and huge help to the Mac Community.

Hello Thomas, once again thank you for your help. Unfortunately that does not work. I followed your advice to the letter and the URL does not change. To add something else, which again points me to believe it's still somewhere in the system, Chrome also can not be properly reset. In Settings to advanced I've chosen the Reset Settings option and even doing that, the new tab page will open up the weknow.ac! This has got to be somewhere deeper in the system. Remember, in Safari I've trashed Safari prefs and even the Safari folder in the library and it still has weknow.ac. Any more advise would be greatly appreciated. Thank you, David

Thomas, you're always so kind to reply quickly. I'm with you on this, what's new however is the inability to change the home page despite removing all the profiles. I removed them which allowed entry into the URL field but it just keeps going back to the bad address regardless of what is typed and clicking the "set to current page" button does the same thing, weknow.ac. I visited terminal and typed sudo profiles list which returned a response that the were no profiles installed. Yet, typing a URL into the homepage section of the Safari General Prefs will not stick. Something else is at play. Is this new or something broken in my user's OS? I'm not sure but something is getting in the way without profiles. Any additional thoughts? Thank you... David

Hello Folks, I may have come upon a new threat (or variant on an existing threat). A customer of mine just yesterday downloaded some Malware and had a web page called weknow.ac taking over home page duties. Malwarebytes was run and removed 11 threats BUT the home page (of course) was not changed. When I tried to change it in Safari, I could not even click into the box where the URL was located. That was fixed by removing two nasty "profiles" that appeared in System Prefs. Ok, a restart later and now I can get into the URL box however when I finish typing and leave the box, the URL reverts back to the weknow.ac address! I've gone as deep as I usually do to resolve this. I've tried removing the entire Safari folder in Library, I've killed Safari Prefs, nothing changes the home page. It will always be this bad one. Anyone have any ideas how to resolve this? I appreciate any help you can offer. David

My customer said Malwarebytes did scan when in Safe mode (and found nothing) so for the moment, I think we are good to go. If items are found that it can not remove, I'd just do it manually so thank you for your help and I look forward to 1.2.5 when it's released. DM

Hello again Thomas, Since we are doing this in safe mode, I've passed the directions onto my customer and asked them to let me know. He replied with the following: I followed the instructions, malwarebytes cannot install the helper tool now, i can scan w/out the helper tool, no problems found, but every time i open it it wants to get password to install the helper tool and closes when i put in the password and click install. so it seems that if it found something i would not be able actuate any activity to deal with it. next? I'm not sure he is right that if it did find something it couldn't resolve it. I suppose if the Safe Boot works, that would be an acceptable workaround to whatever other issues exist on this particular Mac. I don't know what the helper tool does to know if it's important. Please advise. Thank you, DM

Hello Thomas, Wow, the man himself, thank you for helping me. Unfortunately no luck however on this first try. I followed your directions to the letter. I did the reboot before attempting to make it work, I also downloaded a fresh copy of Malwarebytes. It did the exact same thing, I see the prompt for password with Malwarebytes open in the background but as soon as I authenticate, it just flashes off the screen. Here is the console log: 10/19/16 10:32:33.631 AM diagnosticd[125]: error evaluating process info - pid: 462, puniqueid: 46210/19/16 10:32:33.661 AM com.apple.xpc.launchd[1]: (com.apple.ReportCrash[467]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash10/19/16 10:32:34.318 AM ReportCrash[467]: Saved crash report for Malwarebytes Anti-Malware[462] version 1.2.4 (1.2.4.584) to /Users/evb/Library/Logs/DiagnosticReports/Malwarebytes Anti-Malware_2016-10-19-103234_13-MacBook-Pro-Retina.crash10/19/16 10:32:34.322 AM ReportCrash[467]: Removing excessive log: file:///Users/evb/Library/Logs/DiagnosticReports/Malwarebytes%20Anti-Malware_2016-10-13-101609_13-MacBook-Pro-Retina.crash10/19/16 10:32:41.415 AM com.apple.xpc.launchd[1]: (com.iskysoft.TunesOverWatchDemo[468]) Service could not initialize: 15G1004: xpcproxy + 12684 [1462][F7717708-ACF7-307D-B04E-998DFC36598F]: 0xd10/19/16 10:32:41.416 AM com.apple.xpc.launchd[1]: (com.iskysoft.TunesOverWatchDemo) Service only ran for 0 seconds. Pushing respawn out by 10 seconds.10/19/16 10:32:51.422 AM com.apple.xpc.launchd[1]: (com.iskysoft.TunesOverWatchDemo[469]) Service could not initialize: 15G1004: xpcproxy + 12684 [1462][F7717708-ACF7-307D-B04E-998DFC36598F]: 0xd If you have any thoughts I'd be happy to try them. Again, thank you for your help and thank you for this wonderful tool! DM

First off, I LOVE Malwarebytes for Mac! It's predecessor, Adwaremedic, was also amazing. I recommend this software to everyone. One of my customers is having a problem and I can't resolve it. He when he launches Malwarebytes, it flashes on the screen for a second and goes away. There is no error, it is just gone. I tried removing all the prefs and some support files I found in the System library, I trashed the App and downloaded a fresh copy of the latest version (1.2.4) but the same error happens. After I did all that I did see the popup allowing the software so it was up for more than a second but once I agreed, it just went away. I did check console and this is what I found: 10/17/16 4:25:56.501 PM authd[139]: server[622]: Failed to update rule com.malwarebytes.HelperTool.InstallTool10/17/16 4:25:56.503 PM com.apple.xpc.launchd[1]: (com.malwarebytes.antimalware.234592[622]) Service exited due to signal: Abort trap: 610/17/16 4:25:56.502 PM diagnosticd[132]: error evaluating process info - pid: 622, puniqueid: 62210/17/16 4:25:56.532 PM com.apple.xpc.launchd[1]: (com.apple.ReportCrash[623]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.ReportCrash10/17/16 4:25:56.876 PM ReportCrash[623]: Saved crash report for Malwarebytes Anti-Malware[622] version 1.2.4 (1.2.4.584) to /Users/evb/Library/Logs/DiagnosticReports/Malwarebytes Anti-Malware_2016-10-17-162556_13-MacBook-Pro-Retina.crash Got any ideas? Thank you! DM