dmoran442

Chill Tab Malware

Recommended Posts

On 10/12/2017 at 11:47 PM, MellyKM said:

Hello, 

I don't remember where I read this but I did it and it worked.

I restarted my macbook, and ran the malwarebytes immediately. It found 3 things :

/Library/Application Support/Agent/

/Library/LaunchAgents/com.Sambara.plist

/Library/LaunchAgents/macsearch.plist

and I clicked on delete...

The pop-ups stopped ever since then...this was maybe a week ago. and the Chill-tab in my extensions did not reappear...I hope it helps..

Screen Shot 2017-10-09 at 1.07.14 PM.png

This solved it for me with one adjustment:

I had no Sambara.plist. However, there was another file with the same "added on" date as macsearch.plist in the Library/LaunchAgents directory, so I deleted that too and i've had no pop-ups since :)

 

Share this post


Link to post
Share on other sites

created an account because i cant get rid of this ####. here are 8 files that i managed to delete from library/launchagents, library/(forgot the name), and users/shared/ safarisetter :

(2) very long file names and the safari setter virus:

     a_F440F599 .... Unix E file

     a_F440F599 .... Folder

          SafariExtInstall .... Application file

(5) random other files found :

     App_457D34... .tar.gz .... GZip archive file

     com.unterminable.wd.plist .... property list file

     macsearch .... Unix E file

     macsearch.plist .... property list file

     SafariSetter.safariextz .... Safari extension file

 

The firs 3 keep repopulating in the Users/Shared/ folder location, which opens Safari and runs chill tab's home page. Pop ups occasionally occur. Once I delete the repopulating files its ok but have not found a permanent solution yet. :/

Share this post


Link to post
Share on other sites
10 hours ago, displayNameyo said:

here are 8 files that i managed to delete from library/launchagents, library/(forgot the name), and users/shared/ safarisetter :

Some of those are things that Malwarebytes for Mac should detect, and others look like temporary files that will not cause any issues and will eventually be removed by macOS automatically. What version of Malwarebytes do you have installed?

Share this post


Link to post
Share on other sites
Posted (edited)

3.1, I scanned and it didnt seem to find any for some reason. 

After deleting the files a few times over it hasn't come back. 

Edited by displayNameyo
Update

Share this post


Link to post
Share on other sites
On 12/19/2017 at 3:37 PM, gammakid said:

This solved it for me with one adjustment:

I had no Sambara.plist. However, there was another file with the same "added on" date as macsearch.plist in the Library/LaunchAgents directory, so I deleted that too and i've had no pop-ups since :)

 

Great news !!! :D

Share this post


Link to post
Share on other sites

I got the chill-tab today. Malwarebytes didn't initially pick it up, but after a terrifying restart (where the usual loading icon was replaced with 5 glitchy ones), I ran another scan, which detected some problem files. 

After that, I still manually checked through my files and found a file in Users/Shared called sf.plist that appeared at the same time as I'd accidentally downloaded the malware. 

I deleted it, and then manually changed my search engine back to google and deleted the chill tab search engine. 

Seems to by chill (get it?) now, hopefully doesn't come back. 

Share this post


Link to post
Share on other sites

cont. 

 

I also file in Library/Launch agents that appeared today at the same time (2:30) of my accidental download called com.preacquired.qg.plist

opening it up, I found it called to some other files in my computer that similarly appeared at 2:30. 

<string>/Users/_____/Library/preacquired.qg/preacquired.qg.app/Contents/MacOS/preacquired.qg</string>

also, just in library I found a lonesome file called 'instance' also from 2:30 and a folder called 'ApplicationaContents' which contains two text files 'instance' (another one) and 'uba', which call to 'preacquired.qg' and 'http://i.swiftinstaller.top/c/ci?tm=1&id=' respectively. 

 

one last thing. 

This malware seems to have forced an installation of mackeeper...thoughts?

Edited by munchie
forgot to mention something

Share this post


Link to post
Share on other sites
Quote

Does malwarebytes need to be premium?

In order to remove this issue, no, but to prevent it from ever happening, yes.

Edited by alvarnell

Share this post


Link to post
Share on other sites

I just got hit with Chill Tab today, and I've literally tried everything recommended on this thread. I created an account just so I can continue this.

I have managed to stop the adds from popping up in safari, but not firefox after downloading Malwarebytes.

I re-installed firefox after deleting it to see if that would help change anything since safari stopped showing popups, but nope still there.

I deleted all the files that people have mentioned but still nothing.

I'm on mac OS sierra

Edited by thisisromel

Share this post


Link to post
Share on other sites

Some general advice for folks posting on this topic:

  1. Make sure you are using the latest version of Malwarebytes for Mac, downloaded from here, and not any previous version:
  2. Scan with Malwarebytes for Mac, remove anything detected, and restart the computer
  3. Review your browser settings, and fix them if necessary:
  4. If you have done all this and you're still seeing requests to install Chill Tab that are appearing on their own, not in response to something you're trying to install, please submit a support ticket here:
    • https://support.malwarebytes.com/community/consumer/pages/contact-us
    • Be sure to select Malwarebytes for Mac as the product
    • Run the Get System Profile script that is attached to this message and attach the file it creates to your support request
    • Do not post the output of that script directly here, as it may contain information that you don't want made public; this is why I ask that you submit via a support ticket instead.

Get System Profile.zip

Share this post


Link to post
Share on other sites

I'm so damn grateful to Malwarebytes -- created this account just to thank you people. 

Got the "chill tab" thing exploding some days ago -- almost thought the mac was gonna burn. But got Malwarebytes up n' running, and for now (some hours) its back to good normal. Have to say that thing was sooo bad though, that I worry its still in there somewhere...

A note on where I think I got it: Downloaded what seemed to be a free adobe (or might have been office). Opened the installer the usual way -- everything looking normal. Then, once adobe or office or whatever it was was installed, these things exploded with the extensions-issue in the browser, non-responding apps and in general almost non-usable software all over.

Edited by Patrizio

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.