Hi,

So I've started having some weird re-directs and pop-ups on my MacBook Pro. They all seem to be centered around something called "chill tab". Something happened and suddenly my preferred search engine was changed in Chrome and Safari. Ran Malwarebytes and it seemed to resolve the issue with Chrome, but Safari will randomly start now with a pop-up window that says "Scanning for Browser updates" and then a new window that says "Your Browser is Up to date" as well as opening the extensions manager with the alert that chill tab extension is trying to be installed. Ran Malwarebytes again and it found nothing, ran Bitdefender and nothing.


Update on this, I downloaded Little Snitch Network Monitor and had it open when the Safari pop-up happened again. What it caught trying to make a connection was labeled as "macsearch" "hkijingy.me" "updates.ijnewhb.com" and "cdn.macapproduct.com". I have no idea what is happening but I'm kinda freaked out.


I've been scouring my computer in application support, caches, and the shared user folder deleting anything involving safariextinstall, macsearch, linkury, etc. Can someone please just tell me how worried I should be about what this is doing to my computer/with my information?


I assume you realize it's the weekend and I would guess several staff members are receiving from last week's conference in Las Vegas, so you're not likely to get any Company feedback until Monday.

In the meanwhile, here are some other ideas to try: Terminal tricks for defeating adware.

Everything you have posted points to adware. Not sure what is leading you to believe any of your information is at risk here.


I saw your support ticket and answered there... looks like you have a new variant of VSearch. This is malware that is solely focused on pushing ads and search engine redirects. You are not the direct victim, only a machine for generating views, so that they can get paid by the advertisers and search engines.

Malwarebytes should actually detect that variant at this point, but I'd still like to see a copy of the file I requested via the support system.


I'm having this same problem with a sudden appearance of Safariextinstall. I'd like to know if there's a solution out there. I noticed that its activity is based around an executable file appearing in the Shared user account which then leads to other things happening, culminating in the attempt to install an extension in Safari. The temporary solution I've come up with is to make the Shared user account read only, but I'd love to know if there is a permanent solution out there to remove it once and for all.

 

Thanks,


I'm guessing that by "Shared user account" you are referring to /Users/Shared/ which is actually a directory (folder), not really an account. If so, by restricting it read only you are making it more difficult or impossible for anti-malware software to be able to quarantine or delete any infected files found there. I understand that it may prevent selected malware from using that location, but it is commonly used by legitimate programs to store files that need to be accessed by all user accounts, so you should not consider that a long term, permanent solution.

If you are following some sort of guidance from others on this issue, it would help us all if you could provide a link to it.

3 hours ago, alvarnell said:

I'm guessing that by "Shared user account" you are referring to /Users/Shared/ which is actually a directory (folder), not really an account. If so, by restricting it read only you are making it more difficult or impossible for anti-malware software to be able to quarantine or delete any infected files found there. I understand that it may prevent selected malware from using that location, but it is commonly used by legitimate programs to store files that need to be accessed by all user accounts, so you should not consider that a long term, permanent solution.

If you are following some sort of guidance from others on this issue, it would help us all if you could provide a link to it.

Thanks for your feedback. Yes, I am talking about /Users/Shared/. No, I don't consider it a long term solution. It is just something I came up with as a way to "stick a finger in a hole in the dike" as it were, until a proper solution could be found. I think I've already run into a couple of quirky things happening with new installations.

Do you have any ideas about how I can rid my system of this? I would be most grateful for any solution you can offer. 

Edited by JoeBoggs


No, it's not anything I've run across so it might be something new and since there's already a support ticket on this one we need to let the staff weigh in on why it's not being handled.

On 8/18/2017 at 0:44 AM, JoeBoggs said:

I'm having this same problem with a sudden appearance of Safariextinstall.

I just sent you a private message to ask for more information.


I'm having the same issue; however, I may have fixed it using EtreCheck.

There are two main paths that are being used to produce the Safari extension application. This path is: library/ApplicationSupport/Agent/Macsearch

In this folder there is a lot of junk to delete and it seems to be producing the Safari extension in a separate folder.

The separate folder is located under users/shared and you will find a folder there with multiple Safari extensions individually produced on a timed basis.

I'm not sure if this has fully fixed it but I found Malwarebytes didn't pick up anything.

To be honest I've never had anything so aggressive on a Mac before.

 

 

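An added example, not part of the thread and not Malwarebytes' or EtreCheck's own method: a read-only Terminal check that lists items whose names contain the strings posters reported (safariextinstall, macsearch, linkury) in the locations they named, plus executable files in /Users/Shared. The function names, the search depth, and reading the quoted "library" path as both the user and the system Library are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage. It lists candidates and deletes nothing.
# Name fragments taken from the posts in this thread.
PATTERNS="safariextinstall macsearch linkury"

# scan_adware_artifacts ROOT...
# Prints "<pattern><TAB><path>" for every file or folder whose name contains
# one of the fragments (case-insensitive). Missing roots are skipped.
scan_adware_artifacts() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        for pat in $PATTERNS; do
            # -maxdepth 4 is an assumed limit to keep the scan quick.
            find "$root" -maxdepth 4 -iname "*${pat}*" 2>/dev/null |
            while IFS= read -r path; do
                printf '%s\t%s\n' "$pat" "$path"
            done
        done
    done
}

# list_shared_executables DIR
# Regular files with the owner-execute bit set, at most two levels down.
# One poster saw an executable appear in /Users/Shared before each pop-up.
list_shared_executables() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 2 -type f -perm -100 2>/dev/null
}

# Locations named in the thread: Application Support, Caches, /Users/Shared.
scan_adware_artifacts \
    "$HOME/Library/Application Support" \
    "/Library/Application Support" \
    "$HOME/Library/Caches" \
    "/Users/Shared"
list_shared_executables "/Users/Shared"
```

Legitimate software also stores files in /Users/Shared, so the executable listing is a list of things to inspect, not a verdict.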

That is a file that Malwarebytes already should detect, and has detected for some time. What version of the software are you using?


I currently don't have Malwarebytes installed as I am testing a variety of software, but I can tell you that I ran the Malwarebytes test one week ago on the latest version then and it didn't pick up anything. I've had the adware issue for around a month now.


Well, without more information, I can't tell you what went wrong... but we've been detecting that file since mid-July, and it's definitely responsible for the Chill-Tab issue. If it wasn't detected, something must have been wrong on your end. Perhaps something blocked the download of protection updates.


I have just reinstalled Malwarebytes to test again.

The Version number is: 3.0.2.422

Nothing was detected however that may be because of the method used in the previous post.


Yes, if you've already removed that file, and the corresponding folder in Application Support, using some other method, there won't be anything left to detect.


Has anyone found a solution to this problem? I removed all files EtreCheck suggested but I am still getting Chilltab extension popping up. I can't get rid of it.

1 hour ago, Duvall2417 said:

Has anyone found a solution to this problem? I removed all files EtreCheck suggested but I am still getting Chilltab extension popping up. I can't get rid of it.

Have you already scanned with Malwarebytes? If not, do so now:

https://malwarebytes.com/mac

If so, and it didn't detect anything, please send me a direct message so I can get more information.


Same issue on my girlfriend's computer. Malwarebytes won't detect it. The folders Edmundostudios mentioned are, I believe, causing issues. I changed permissions (so only I can write to it) on the shared folder and removed all the garbage from it. This is hyper aggressive. Waiting to see if it's actually gone now.

