
Chill Tab Malware



Hi,

So I've started having some weird re-directs and pop-ups on my MacBook Pro. They all seem to be centered around something called "chill tab". Something happened and suddenly my preferred search engine was changed in Chrome and Safari. Ran Malwarebytes and it seemed to resolve the issue with Chrome, but Safari will randomly start now with a pop-up window that says "Scanning for Browser updates" and then a new window that says "Your Browser is Up to date" as well as opening the extensions manager with the alert that chill tab extension is trying to be installed. Ran Malwarebytes again and it found nothing, ran Bitdefender and nothing.


Update on this, I downloaded Little Snitch Network Monitor and had it open when the Safari pop-up happened again. What it caught trying to make a connection was labeled as "macsearch" "hkijingy.me" "updates.ijnewhb.com" and "cdn.macapproduct.com". I have no idea what is happening but I'm kinda freaked out.


I've been scouring my computer in application support, caches, and the shared user folder deleting anything involving safariextinstall, macsearch, linkury, etc. Can someone please just tell me how worried I should be about what this is doing to my computer/with my information?


I assume you realize it's the weekend and I would guess several staff members are receiving from last week's conference in Las Vegas, so you're not likely to get any Company feedback until Monday.

In the meanwhile, here are some other ideas to try: Terminal tricks for defeating adware.

Everything you have posted points to adware. Not sure what is leading you to believe any of your information is at risk here.


  • Staff

I saw your support ticket and answered there... looks like you have a new variant of VSearch. This is malware that is solely focused on pushing ads and search engine redirects. You are not the direct victim, only a machine for generating views, so that they can get paid by the advertisers and search engines.

Malwarebytes should actually detect that variant at this point, but I'd still like to see a copy of the file I requested via the support system.


  • 3 weeks later...

I'm having this same problem with a sudden appearance of Safariextinstall. I'd like to know if there's a solution out there. I noticed that its activity is based around an executable file appearing in the Shared user account which then leads to other things happening culminating in the attempt to install an extension in Safari. The temporary solution I've come up with is to make the Shared user account read only, but I'd love to know if there is a permanent solution out there to remove it once and for all.

 

Thanks,


I'm guessing that by "Shared user account" you are referring to /Users/Shared/ which is actually a directory (folder), not really an account. If so, by restricting it read only you are making it more difficult or impossible for anti-malware software to be able to quarantine or delete any infected files found there. I understand that it may prevent selected malware from using that location, but it is commonly used by legitimate programs to store files that need to be accessed by all user accounts, so you should not consider that a long term, permanent solution.

If you are following some sort of guidance from others on this issue, it would help us all if you could provide a link to it.


3 hours ago, alvarnell said:

I'm guessing that by "Shared user account" you are referring to /Users/Shared/ which is actually a directory (folder), not really an account. If so, by restricting it read only you are making it more difficult or impossible for anti-malware software to be able to quarantine or delete any infected files found there. I understand that it may prevent selected malware from using that location, but it is commonly used by legitimate programs to store files that need to be accessed by all user accounts, so you should not consider that a long term, permanent solution.

If you are following some sort of guidance from others on this issue, it would help us all if you could provide a link to it.

Thanks for your feedback. Yes, I am talking about /Users/Shared/. No, I don't consider it a long term solution. It is just something I came up with as a way to "stick a finger in a hole in the dike" as it were, until a proper solution could be found. I think I've already run into a couple of quirky things happening with new installations.

Do you have any ideas about how I can rid my system of this? I would be most grateful for any solution you can offer. 


No, it's not anything I've run across so it might be something new and since there's already a support ticket on this one we need to let the staff weigh in on why it's not being handled.


  • 2 weeks later...

I'm having the same issue; however, I may have fixed it using EtreCheck.

There are two main paths that are being used to produce the safari extension application. This path is: library/ApplicationSupport/Agent/Macsearch

In this folder there is a lot of junk to delete and it seems to be producing the Safari extension in a separate folder.

The separate folder is located under users/shared and you will find a folder there with multiple Safari extensions individually produced on a timed basis.

I'm not sure if this has fully fixed it but I found Malwarebytes didn't pick up anything.

To be honest I've never had anything so aggressive on a Mac before.

 

 

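The checks posters describe in this thread (looking through Application Support and /Users/Shared for safariextinstall, macsearch and linkury items, and watching for the hosts Little Snitch reported) can be run read-only before deciding what to remove. The script below is an added example, not part of any post and not Malwarebytes tooling; the function names, the `chill*tab` name pattern and the one-hostname-per-line input file are assumptions.

```shell
#!/bin/sh
# Added example: read-only triage for names and hosts reported in this thread.
# Nothing is deleted or modified; it only prints what it finds.

# Hosts quoted in the Little Snitch post above.
THREAD_HOSTS="hkijingy.me updates.ijnewhb.com cdn.macapproduct.com"

# scan_names DIR [DIR...]
# Lists files and folders whose names contain the strings posters reported
# (safariextinstall, macsearch, linkury) or a "chill tab" variant
# (assumed pattern), matched case-insensitively.
scan_names() {
    for root in "$@"; do
        [ -d "$root" ] || continue   # skip locations that do not exist
        find "$root" \( -iname '*safariextinstall*' -o -iname '*macsearch*' \
            -o -iname '*linkury*' -o -iname '*chill*tab*' \) -print 2>/dev/null
    done | sort -u
}

# match_hosts FILE
# FILE holds one hostname per line (an assumed format, not Little Snitch's
# own export). Prints each hostname that equals, or is a subdomain of,
# one of THREAD_HOSTS.
match_hosts() {
    while IFS= read -r host || [ -n "$host" ]; do
        host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]' | tr -d ' \r')
        for bad in $THREAD_HOSTS; do
            case "$host" in
                "$bad"|*".$bad") printf '%s\n' "$host" ;;
            esac
        done
    done < "$1"
}

# Typical use from Terminal (directories are the ones posters mention):
#   scan_names "$HOME/Library/Application Support" /Users/Shared
#   match_hosts ~/Desktop/hosts-seen.txt
```

Anything it lists is a candidate for review or for sending to support, not proof of infection on its own.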

  • Staff

Well, without more information, I can't tell you what went wrong... but we've been detecting that file since mid-July, and it's definitely responsible for the Chill-Tab issue. If it wasn't detected, something must have been wrong on your end. Perhaps something blocked the download of protection updates.


  • 2 weeks later...
  • Staff
1 hour ago, Duvall2417 said:

Has anyone found a solution to this problem? I removed all files EtreCheck suggested but I am still getting Chilltab extension popping up. I can't get rid of it.

Have you already scanned with Malwarebytes? If not, do so now:

https://malwarebytes.com/mac

If so, and it didn't detect anything, please send me a direct message so I can get more information.
