brian163

Members, Posts: 4, Reputation: 0 Neutral
  1. I would also find it useful if the release notes (https://support.malwarebytes.com/community/mac, right column) actually covered all of the sub-release changes and not just the .x revisions which started happening around Dec. 2018. 🙁
  2. Apologies for the delay.
     .plist file: https://virustotal.com/en/file/a370c47da00b57d60cdc0b9c8e57bc9cda8c76aca9273a08a23c3f57d0eda635/analysis/1481295580/
     App Policy folder: https://virustotal.com/en/file/e535bb183066c7da0013ef0ccc9cd0796410c2f319644aa815d71669d16b8545/analysis/1481295802/
     I also ran an analysis of the package installer that I thought could have been involved and it came up clean. Also looked through the installer package files myself. So that lead is dead. I have a repository of over 500 installers and as I said I update frequently. So unfortunately I see no way of identifying the source. But at least this new code could be identified and included in your removal processes once validated. Brian
  3. Thomas, thanks for the response. I did keep the files and am willing to share. As someone with Info Sec experience my goal is to help improve any product that can help others. I'm just having a particularly hectic week and will do so as soon as possible. I too would love to know. I put a lot of effort into keeping my computer applications (as well as my OS) up to date. But that of course doesn't mean that everything I've installed over the years is as reputable (or has remained reputable) as I once thought it was. I took the clearly optimistic approach of examining the time stamps of the related files/directories and compared them to the OS software installation log (under System Report) in an attempt to identify a particular install. Unfortunately, it was not going to be that easy. However, the fact that the outbound connection was something new leads me to believe it was a fairly recent install or update. So the log does provide some context and I now have a particular suspect. I just want to run a few tests before I point fingers publicly at a potential culprit. For now I'll just say it's a branch of a "free and open" media player that Malwarebytes has blogged about in the past. ;-) I'll follow up as soon as I can.
  4. LittleSnitch (3rd party firewall) prompted me on an outbound connection from an application I didn't recognize in ~/Library/Application Support/AppPolicy/AppBox. It was attempting to connect to www. unionsoftwareonline. com. Doing some digging, this site appeared to be associated with the PUP/Adware "AppMonitor". I ran a Malwarebytes scan and it detected three components related to Adware.Spigot:
     2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml
     2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon
     2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist
     However, it did not identify or offer to remove the directory or binary I noted above. Using LaunchControl (a GUI for examining your launchd configuration), I identified a User Agent was installed (/Users/xxx/Library/LaunchAgents/com.appbox.AppBox.plist) with the following parameters:
     /Users/xxx/Library/Application Support/AppPolicy/AppBox" -i -c <6 digit number> -isn <string of digits and letters separated by dashes>
     I know malware can download and install other components. But I believe Malwarebytes should try to clean them up as well... Is this a known or possibly new variant/component of Adware.Spigot? I tried searching the Malwarebytes Labs Threat Center. But I couldn't even get a hit on "Adware.Spigot" or "Spigot" and that is clearly something it identifies. (Is there a searchable compendium of all threats that Malwarebytes identifies? Sorry, new around here...) I unloaded the launchd agent and disabled it but held onto the binary for the moment in case it is of use for further analysis.
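The post above works with two artefacts: the scanner's log lines and the launchd agent plist that the scanner missed. The script below is an added example (not code from the poster, Malwarebytes or LaunchControl) of how an analyst can triage both offline: it parses `timestamp : ThreatName : path` lines, extracts label, program and arguments from a LaunchAgent with the standard-library `plistlib`, flags the traits the post calls out (binary under `Application Support`, starts at login, kept alive), and checks whether the agent's program path is covered by any detection path. The sample log and plist are constructed here to mirror the post; the `-c` and `-isn` values are placeholders, and the `RunAtLoad`/`KeepAlive` keys are assumed, since the post does not quote the full plist.

```python
"""Triage a Malwarebytes-style scan log and a launchd LaunchAgent plist.

Sample inputs are constructed for this example; they mirror the shape of
what the forum post describes rather than reproducing real files.
"""
import plistlib
import re
from typing import Dict, List

# Constructed sample: the three detections quoted in the post, one per line.
SAMPLE_SCAN_LOG = """\
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/Firefox/Profiles/6kxmn62h.default/searchplugins/YahooEngine.xml
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/Application Support/AppCommon
2016-11-29 16:43:56 : Adware.Spigot : /Users/xxx/Library/LaunchAgents/com.unionsoftwareonline.AppMonitor.plist
"""

# Constructed sample LaunchAgent: label and program path come from the post;
# the -c / -isn values are placeholders and RunAtLoad/KeepAlive are assumed.
SAMPLE_AGENT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.appbox.AppBox</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Users/xxx/Library/Application Support/AppPolicy/AppBox</string>
        <string>-i</string>
        <string>-c</string><string>000000</string>
        <string>-isn</string><string>PLACEHOLDER-ID</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# "YYYY-MM-DD HH:MM:SS : ThreatName : /path (may contain spaces)"
SCAN_LINE = re.compile(r"^(\S+ \S+) : (\S+) : (.+)$")


def parse_scan_log(text: str) -> List[Dict[str, str]]:
    """Turn scan-log lines into {time, threat, path} records; skip junk lines."""
    records = []
    for line in text.splitlines():
        m = SCAN_LINE.match(line.strip())
        if m:
            records.append({"time": m.group(1), "threat": m.group(2), "path": m.group(3)})
    return records


def paths_by_threat(records: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Group detected paths under their threat name for a quick overview."""
    grouped: Dict[str, List[str]] = {}
    for rec in records:
        grouped.setdefault(rec["threat"], []).append(rec["path"])
    return grouped


def triage_launch_agent(plist_bytes: bytes) -> Dict[str, object]:
    """Extract label, program, arguments and a list of reasons to look closer."""
    data = plistlib.loads(plist_bytes)
    args = list(data.get("ProgramArguments") or [])
    # launchd accepts either a Program key or the first ProgramArguments entry.
    program = data.get("Program") or (args[0] if args else "")
    reasons = []
    if "/Library/Application Support/" in program:
        reasons.append("program lives under Application Support, not inside an app bundle")
    if data.get("RunAtLoad"):
        reasons.append("RunAtLoad: launched at every login")
    if data.get("KeepAlive"):
        reasons.append("KeepAlive: relaunched by launchd if it exits")
    return {
        "label": data.get("Label", ""),
        "program": program,
        "args": args[1:],
        "reasons": reasons,
    }


def program_covered_by_detections(program: str, records: List[Dict[str, str]]) -> bool:
    """True if the agent's binary equals, or sits below, any detected path."""
    for rec in records:
        detected = rec["path"].rstrip("/")
        if program == detected or program.startswith(detected + "/"):
            return True
    return False


if __name__ == "__main__":
    recs = parse_scan_log(SAMPLE_SCAN_LOG)
    for threat, paths in paths_by_threat(recs).items():
        print(threat, "->", len(paths), "items")
    agent = triage_launch_agent(SAMPLE_AGENT_PLIST)
    print(agent["label"], agent["program"], agent["args"])
    for reason in agent["reasons"]:
        print("  -", reason)
    print("covered by scan:", program_covered_by_detections(agent["program"], recs))
```

Run on the constructed samples, the last line reports that the AppBox binary is not under any detected path, which is exactly the gap the post describes: the scanner removed the sibling `AppCommon` folder and the AppMonitor agent but left the agent that actually launches the binary. On a real machine you would feed it the plists from `~/Library/LaunchAgents` and the scanner's own log instead of the inline samples.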