Play Search Now... MB doesn't see it.


I have a couple machines that are infected with Play Search Now adware. Malwarebytes doesn't see it. It affects Safari, Chrome and Firefox. Safari did show an extension called "PlaySearchNow 1.0" and removing it did nothing. All browsers still start up with the Play Search Now page.

What I find particularly concerning is that searching the net for "PlaySearchNow.safariextz" turns up only a few hits, and none of them talk about manual removal.

There appear to be a few variations on this; some of them also come along with a ~/Library/Application Support/guid/guid.app payload that is somehow involved, or could be another bit of adware.

On one computer, the extension is present, but it hasn't taken over loading the Play Search Now page at launch. I somehow suspect that uninstalling the plugin in Safari Preferences actually makes it dig its claws in deeper.

It does not appear to be a Crossrider variation; I don't see any profiles in Terminal, and no profile icon in System Preferences.

Where should I go next? 

Link to post
Share on other sites

If you have a copy of that PlaySearchNow extension, we would love to see it. Can you post it over on this forum?

https://forums.malwarebytes.com/forum/193-newest-mac-threats/

Also, if you have a copy of that ~/Library/Application Support/guid/ folder, that would be good. Are you seeing something like a launch agent or daemon that is loading a process inside that folder?

One note: fortunately, Safari extensions really can't make any changes on the file system, so uninstalling it can't result in any new files being created.

Link to post
Share on other sites

In my haste to clean up the machines, I may have killed off all copies of that extension. I will search other machines and see if I can find anyone else with it.

What I did keep was a copy of the bookmarks file of the problematic machine. It had a bookmark in it that somehow would ALWAYS load. Rather than just toss the bookmarks file of Safari, I edited out that bookmark with a text editor, and after that, Safari stopped loading the page automatically (even though Google was set as the home page!).

I didn't think of it until now, but maybe it is a Reading List item that somehow loads at browser launch.

I will post that file in the forum mentioned, and see if I can find that browser extension too.

The section chopped out was:

        <dict>
            <key>Children</key>
            <array>
                <dict>
                    <key>ReadingListNonSync</key>
                    <dict>
                        <key>neverFetchMetadata</key>
                        <false/>
                    </dict>
                    <key>URIDictionary</key>
                    <dict>
                        <key>title</key>
                        <string>PlaySearchNow</string>
                    </dict>
                    <key>URLString</key>
                    <string>http://www.homesweeklies.com/homepage/7070/1035/00559/185/United States/US/04342136/F18D8D2D-D7D2-5DA3-B371-BC8455E61C36</string>
                    <key>WebBookmarkType</key>
                    <string>WebBookmarkTypeLeaf</string>
                    <key>WebBookmarkUUID</key>
                    <string>D48F874C-2E51-4056-85B1-4C08B1677592</string>
                </dict>
            </array>
            <key>Title</key>
            <string>new Page</string>
            <key>WebBookmarkType</key>
            <string>WebBookmarkTypeList</string>
            <key>WebBookmarkUUID</key>
            <string>330CC905-AF2C-4E4D-B3FF-A2EC79F57447</string>
        </dict>

 

 

Link to post
Share on other sites
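
For anyone auditing another machine for the same kind of entry, here is an added example (not posted by anyone in this thread, and not Malwarebytes code) that walks a Safari bookmarks plist and lists every leaf matching a search term, with its folder and whether it carries Reading List keys. The embedded sample is constructed to mirror the excerpt above and its URL is a placeholder; run it on a copy of `Bookmarks.plist`, not the live file.

```python
import plistlib
import sys

LEAF, LIST = "WebBookmarkTypeLeaf", "WebBookmarkTypeList"

def _leaf(title, url, **extra):
    return {"WebBookmarkType": LEAF, "URLString": url,
            "URIDictionary": {"title": title}, **extra}

def _folder(title, children):
    return {"WebBookmarkType": LIST, "Title": title, "Children": children}

# Constructed sample shaped like the excerpt above; the URL is a placeholder.
SAMPLE = plistlib.dumps(_folder("", [
    _folder("BookmarksBar", [_leaf("Apple", "https://www.apple.com/")]),
    _folder("new Page", [_leaf(
        "PlaySearchNow", "http://adware.example/homepage/placeholder",
        ReadingListNonSync={"neverFetchMetadata": False})]),
]))

def walk(node, path=()):
    """Yield (folder path, title, URL, has Reading List keys) per leaf."""
    if node.get("WebBookmarkType") == LEAF:
        title = node.get("URIDictionary", {}).get("title", "")
        reading_list = any(k.startswith("ReadingList") for k in node)
        yield "/".join(path), title, node.get("URLString", ""), reading_list
    name = node.get("Title", "")
    for child in node.get("Children", []):
        yield from walk(child, path + (name,) if name else path)

def find(plist_bytes, needle):
    """Return leaves whose title or URL contains needle (case-insensitive)."""
    needle = needle.lower()
    root = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    return [e for e in walk(root)
            if needle in e[1].lower() or needle in e[2].lower()]

if __name__ == "__main__":
    # Usage: script.py [copy-of-Bookmarks.plist] [search term]
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    term = sys.argv[2] if len(sys.argv) > 2 else "playsearchnow"
    for folder, title, url, reading_list in find(data, term):
        print(f"{folder!r} | {title!r} | {url} | reading-list keys: {reading_list}")
```

Passing an empty search term lists every bookmark, which helps when the injected entry uses a different title.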
