Distressed

Ok, thank you!

Hi, again, alvarnell -- I followed your suggestion to scan with Intego's VirusBarrier (nothing found). Now I am wondering - I left Intego installed, and it is set to do a daily scan. But I still have MalwareBytes Premium installed, with Real Time Protection turned on, and it also does daily scans (at a different time of day). Is this okay? I don't think Intego VirusBarrier (free version) offers real-time protection - am I right? Thank you!

Ok, thanks very much for your help!

Thank you for introducing me to Intego. I ran it, and nothing was detected. If I was, perhaps, never truly infected - if it was a script from the pdf file that opened those browser tabs - then can I skip resetting all the passwords I've used in the several day I opened that pdf file? Or could the illicit program have learned my passwords? I have a few passwords I remember (the important ones: Apple, email, Amazon, etc) - I hate to have to reset those. The rest are BitWarden gibberish, so even tho it's annoying to have to reset them, it's no big deal. I did do online shopping at a few sites on the day(s) I was "infected" - maybe I should at least change those? Oh - and maybe I should change my BitWarden Master Password?? I don't think I will send the email to SpamCop - it came from a legitimate email that had been hacked. SpamCop says they only want you to report unsolicited, bulk email. Thank you again!

1) I ran DetectX Swift "Search"- no problems found. This was run AFTER I had already cleared the Safari and Firefox browser caches. (Safari was the browser that was obviously affected, with unwanted, suspicious tabs opening.) Since DetectX Swift found no problems, does that mean I can feel confident I am clean? Or does anyone here think I need to do anything else? (I may try running BitDefender, if there's a Mac version.) 2) I'm also curious to know why Malwarebytes Premium did not detect this problem, or prevent it. It was running at the time the problem occurred. (And RTProtectionDaemon seems to use about 25% of my CPU, so I'd like to think it's doing something!) 3) I also ran the DetectX Swift "Profile" component - some of the things that are in the Launch folders are a little baffling to me... but not apparently not malware. I'm not techie enough to know if I ought to try to eliminate some of these things. But since they are not malware, this is probably not the appropriate place to ask about them -- although I would be interested to know if anyone thinks Zoho Assist, which can allow you unattended remote access to your computer, is a risk. I installed it before a recent trip, and I know that I still have it running, but I believe I have it set to block access - I'm not 100% positive, but the "Profile" report does show file sharing, remote management, remote login, etc, all OFF. Thanks very much!

Oops, sorry forgot to attach! Pls see below. The reason I'm saying it might be related to iMovie is what I've read here: https://eclecticlight.co/2021/03/06/you-may-notice-something-odd-with-the-latest-version-of-imovie/ https://forums.macrumors.com/threads/weird-new-profiles-section-in-settings.2287201/ I think I am going to try running DetectX Swift, though I've never used it before...

After doing a bit more reading, I think it's benign. Probably okay to either remove or leave. I think I may have I updated iMovie recently (I think I did that in response to a prompt from System Pref's>Software Update), so maybe that's when it was installed, although I'm not sure why it has today's date under "Received".

PS - I read this https://support.malwarebytes.com/hc/en-us/articles/360046436593 and checked my Mac mini's profiles. I found a profile (see attached screenshot). Suspicious because it says "received" with today's date, Oct 6 (although I first opened the suspicious email w/ attachment on Oct 3). For what it's worth, it says "verified". I have not used iMovie recently. I am going to remove it...

Hi - I am running a Mac mini, on MacOS Catalina 10.15.7. Very stupidly, a few days ago, I opened an email from our pet's vet that should have been suspicious because we hadn't had a recent appointment - it had a pdf attachment - said it was an invoice. I use webmail (Fastmail) - I tried to open the attachment, but couldn't read it in Firefox, my usual browser. So then I stupidly tried to open it in Safari (which is what I generally do when Firefox won't display or work a page properly, possibly due to my browser settings/addons). I couldn't read the pdf in Safari, either. But later I noticed that there were suspicious tabs open in Safari that I had not opened - several for an online dating site; two for some sort of gambling(?) site. I ran an on-demand scan with Malwarebytes Premium - nothing found. I think I then closed Safari, re-opened it and cleared all history, closed it and reopened (not 100% sure of the sequence). It seems okay now. And I rebooted my Mac. What else should I do? Why didn't MalwareBytes find this problem? Do I have to change all my passwords (that would be nearly impossible) - or just the ones I may have used in the last several days? Or are they all likely fine? I have used web email, but since I choose to remain logged in, I haven't entered those credentials. But I have logged into several shopping sites, etc. (I will probably consider upgrading to Monterey, at this point - I've been reluctant because of losing the ability to make clone-able backups as a backup strategy.) Thank you. By the way, I still have the suspicious email on my computer... if that is useful.

Thanks!

Where do I find it now? will I still be notified when there's a reply?

ok, sorry - and thanks!

Sorry - I don't know how to find the IP address of the page, but the URL is https://nordpass.com/zh/download/macos/, and the screenshot is attached. Thanks! I'm sure it's a false positive.

Thanks again, plb4333, for this very useful list. I am learning to use ScriptSafe. It seems easier than NoScript. I find it a bit confusing, but I start with allowing the top domain temporarily, and then take it step-wise from there, allowing as little as possible, and avoiding the things that seem to be 3rd party ad-related domains. I've also gone back to using WOT to label my search results -- not a perfect system, but it still makes me feel safer. I also have installed #s 2,3,5, and 6 from your list. Haven't had time to research #4 and #7. And thank you for your explanation of VPNs. I installed Windscribe on my mac and my iphone. I haven't really used it much yet -- I don't get on public wifi, I just use my cell data if I'm checking email -- but I also encouraged a family member to install it while traveling. (If you have a free acct (2GB), you don't even have to give an email address, but I decided to go for Pro for the month when this travel is happening.)

I posted back on Mar 29th that I was having a problem where DreamWeaver was opening my text files, instead of TextEdit. I followed your advice, Alvarnell, and used “get info” in Finder to change the default file opener for all such files, but it didn’t stick. I did a few things to flush caches, like powering off and unplugging, resetting NVRAM, and restarting in Safe Mode. Then I used Onyx, as suggested in the article you linked to, to repair the LaunchServices database. This seemed to work — but only for a few wks. A couple of days ago, the problem recurred - text files trying to open with DW, and DW icons attached to all textfiles in Finder window. I found these recent threads, where people are having similar problems with Illustrator trying to open their jpg (and other) files. Like me, they tried changing the default file opener, and also repairing the LaunchServices database, but were unable to achieve a lasting fix. There seems to be an ongoing argument among these people (and those trying to advise them) about whether the fault lies with Adobe, or the El Capitan OS. And some people seem to be having a similar (?) problem they think is due to the Firefox Quantum 58 or 59 browser. If you are interested, check these threads: https://forums.adobe.com/thread/2405260 https://forums.adobe.com/thread/2412747?start=40&tstart=0 https://forums.macrumors.com/threads/something-keeps-changing-my-open-with-defaults.2103071/ https://bugzilla.mozilla.org/show_bug.cgi?id=1437281#c23 (a solution is proposed — but seems to involve a downgrade in security) My resets/Onyx repair provided relief for awhile. And yesterday, even just changing the default file opener in Finder seems to have worked for now. But if there’s a permanent solution, I would like to know about it. And mostly, I would like to feel sure there isn’t something fishy going on. (I had another clean scan today with MalwareBytes, so hopefully there's not.)