Your VERY disconcerting website



I have tried to reset my password several times over the course of several days. I gave up. You sent me an email to my original email address to reset my password and the email included NOT the email of the account I wanted to reset, but rather a newer email that I had not yet verified. YIKES! Is this how a security software company really works? I tried to contact you but cannot find a place to send you an email or fill in a form. The only place I found keeps freezing up so I can't send the original malware concern and I have to post this publicly here. How do I get my original account back?!

And BTW, your program is not picking up ANY of the malware that has taken over my Mac. That's what I was originally writing about!

 


  • Staff

I moved this topic over to the Mac Malware Removal forum, as it wasn't really appropriate for where it was posted.

I'm not sure that I understand about the password issue. Where are you trying to reset a password?

For the Mac issue, can you describe what specifically you are seeing that you believe is due to malware?


48 minutes ago, treed said:

I moved this topic over to the Mac Malware Removal forum, as it wasn't really appropriate for where it was posted.

I'm not sure that I understand about the password issue. Where are you trying to reset a password?

 

For the Mac issue, can you describe what specifically you are seeing that you believe is due to malware?

I have tried to log in several times to your site. Your site did not accept my original password using a Gmail email. I tried to reset it and when it asked for my email address, to send me the reset, the message I received was that the account was already in use by someone else. Then, I created another account using a Yahoo email address I have. I created a password. I logged out to try to log in and it said either my email or my password was incorrect. I asked to reset THAT password. I was then sent a reset email to the ORIGINAL Gmail email address rather than the newest Yahoo address. The email was sent to Gmail; the wording, however, said that the reset was for my Yahoo account. The reset would not work. Maybe it's not immediate and I was trying too quickly to log in? So I just tried AGAIN to log in and had to reset my password yet again.
The REAL issue is that my computer has been overtaken by "Safe Finder" - my computer is infected by Safe Finder. In Safari my homepage is greyed out. I have manually walked through all the options for removing it in Safari and Chrome (and I have not even dared to open Firefox), including emptying the cache, deleting history, deleting cookies, resetting to default, emptying trash, and restarting Safari holding the shift key. I have downloaded Malwarebytes and now have 16 .plists in quarantine. Please help. Nothing is working to rid me of this. I have included screenshots supporting the fact that I have no extensions to remove, the greyed out homepage click ads, Safe Finder is NOT in my applications and it's not in my user/login files.

This is the text that keeps getting quarantined and removed. There are 23 right now. sisinfo_23.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>isExist</key>
    <string>YES</string>
</dict>
</plist>

Here is what the original Safari plist looked like. I have since removed it.

bplist00“_SafariHomepageModifiableXHomePageQ1_xhttp://www.homesweeklies.com/homepage/8080/1391/00549/195/United States/US/08688437/B15F64C9-8034-5AF5-8166-454FCB4D6009 (13Æ

Nothing on the computer works as it did. I have deleted and reinstalled Chrome - that seemed to help with a browser. Safari still cannot work correctly.

Maybe I need a new plan of action. Apple seems unable to assist me so far. I have a tech person who has to check with her supervisor after each question I pose. I have sent several files where I see the malware hiding. Malwarebytes is not picking it up. It does pick up one file (I included previously here). 

EtreCheck found nothing either, although my homepage in Safari was hijacked and greyed out.

I have walked through the getting-rid-of-malware processes I have found here and on many other sites - a few times.

I tried to RESTORE Safari from TimeMachine from the day before all this started, but I am unable to restore any of the Apple products. 

Safari is still unable to allow for resetting the homepage, although I must have deleted one of the plists because now it does not have the "homesweeklies.com" as the greyed out homepage. 

I have found suspect files in Launch Agents, Launch Daemons and several plists which I sent to Apple. See the attached screenshot - the highlighted files are from about the time the issue started - I was messing with my weather widget that is not working in Mojave so I downloaded some stuff to try and fix it.

I uninstalled and reinstalled Chrome - I can now at least open with about:blank and get a blank page.

When I restarted my computer, I got 143 items dumped onto the desktop seemingly copied from Trash, Dropbox, Google Drive. I assume that's because the Apple rep had me rename and move my plists to the desktop. Just a guess on my part.

I am wondering if I have to wipe my system clean and then hope that time machine can reinstall from the day before all this occurred. Does this look like the only thing that will help?

Thanks.

Screen Shot 2019-03-31 at 9.50.49 PM.jpg
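
Added example, not part of the original posts and not Malwarebytes code: a small read-only triage script for the kind of preference files described in the post above, which parses XML or binary plists and reports the two key names visible in the quoted Safari dump. The host list is built from the two homepage hosts quoted in this thread; the function names and the sample files are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from urllib.parse import urlparse
from xml.parsers.expat import ExpatError
# Hosts quoted in this thread as the forced Safari homepage.
HIJACK_HOSTS = ("homesweeklies.com", "safefinderformac.com")

def is_hijack_url(value):
    """True if value is a URL whose host is, or sits under, a listed host."""
    host = (urlparse(value).hostname or "") if isinstance(value, str) else ""
    return any(host == h or host.endswith("." + h) for h in HIJACK_HOSTS)

def scan_plist(path):
    """Return findings for one plist file; XML vs binary is auto-detected."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except (ValueError, ExpatError, OSError) as exc:
        return [f"unparseable: {type(exc).__name__}"]
    if not isinstance(data, dict):
        return []
    findings = []
    if is_hijack_url(data.get("HomePage")):
        findings.append("HomePage points at a listed host")
    # Key name copied from the dump in the thread; it is reported, not interpreted.
    if "SafariHomepageModifiable" in data:
        findings.append("SafariHomepageModifiable key present")
    return findings

def scan_dir(directory):
    """Map file name -> findings for each *.plist that has any finding."""
    scanned = {p.name: scan_plist(p) for p in sorted(Path(directory).glob("*.plist"))}
    return {name: found for name, found in scanned.items() if found}

def demo():
    """Scan constructed sample plists (not files recovered from the poster's Mac)."""
    bad = {"SafariHomepageModifiable": "1", "HomePage": "http://www.homesweeklies.com/homepage/"}
    samples = [("hijacked.plist", bad, plistlib.FMT_BINARY),
               ("sisinfo_23.plist", {"isExist": "YES"}, plistlib.FMT_XML),
               ("clean.plist", {"HomePage": "https://www.apple.com/"}, plistlib.FMT_XML)]
    with tempfile.TemporaryDirectory() as tmp:
        for name, body, fmt in samples:
            Path(tmp, name).write_bytes(plistlib.dumps(body, fmt=fmt))
        Path(tmp, "broken.plist").write_bytes(b"not a plist")
        return scan_dir(tmp)

if __name__ == "__main__":
    print(demo())
```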


  • Staff

I'm still not sure I understand what you're referring to about the account. Is this an account on these forums, or an account at my.malwarebytes.com?

If it's an account on the forum, it looks like you are using two different accounts here. You have posted just now from an account using a GMail address, which was created on Sunday, and at the top of this thread with a Yahoo account created today. Neither has any posting history outside this thread, as far as I can see. Without more information, I can't say what you saw. You may have already been logged in to the GMail account when trying to reset the password.

For the malware issue, the first thing I'd like you to be aware of is that many of the symptoms you're referring to are effects caused by changes to browser or system settings by adware, and they can persist even after the adware has been removed. Malwarebytes for Mac will not attempt to change your browser settings - and, in fact, cannot change your browser settings in the case of Safari, due to changes Apple has made to Safari for security purposes. Adware uses hacks to change Safari settings that would not be okay for us to use.

Here's what I'd like you to do first:

  1. Open Malwarebytes
  2. Start a scan
  3. When the scan is complete, remove anything that was detected
  4. Go to the Quarantine tab in the Malwarebytes app and click Clear Quarantine
  5. Restart your computer

Next, you will need to fix your browser, and possibly system, settings. For that, see the following post:

https://forums.malwarebytes.com/topic/236261-how-to-remove-weknow-malware-and-others/

If that does not solve the problem, send me a direct message here, and I will work with you to gather some information from your Mac to see what might be going on.


Thanks for this -- I have already done ALL the suggestions you listed. I agree that adware has gotten into places that are deep down (my words, not yours) - I am still unable to change the homepage of Safari, for example. I "nuked" Chrome and all Google - which meant that my Google Drive has been re-loading for the past 24 hours because I removed all the library/google files. My applications take up to 30 seconds to simply open or to even open a pulldown menu. Photos program gets stuck opening, Excel keeps freezing... and the list goes on and on.

From your site,
If Safari's home page is stuck

In Safari, choose Preferences from the Safari menu.
In the window that opens, click the General icon (if necessary)
Enter your desired home page in the "Homepage" field, but DO NOT press return!
At the top of the window, click any of the other icons (eg, Tabs, AutoFill, etc).
You may see a prompt asking for confirmation for changing the home page. If so, confirm.
Switch back to the General page and check to make sure the home page has been changed.

None of this worked because I cannot type anything into the field.  


One more thing... This is the "homepage" that Safari opens in  
 

http://search.safefinderformac.com/?aid=80801391&affid=kW6XPeyJhSUQiOjUxMDQsImciOiJVUyIsInBpZCI6IlJWWjgwODAxMzkxIiwidWlkIjoiMDg2ODg0MzciLCJiSUQiOiIxOTUiLCJ1dWlkIjoiQjE1RjY0QzktODAzNC01QUY1LTgxNjYtNDU0RkNCNEQ2MDA5IiwiaWlkIjoiMDA1NDkifQDHHIF1fCN4pSV6jc1SIf

 

Edited by AdvancedSetup
Removed live hyperlink

As requested you need to DM @treed. To do that, hover over his icon in a posting above and click on "Message." He'll give you instructions on how to gather the additional information he needs to help you fix that.


From the ASC posting I see that the OP has been having several other issues which AppleCare has been unable to help him solve and has decided to wipe his system clean and use Time Machine to reinstall from the day before all this occurred. That may preclude getting to the bottom of what appears to be a new safefinder variant.


1 hour ago, alvarnell said:

From the ASC posting I see that the OP has been having several other issues which AppleCare has been unable to help him solve and has decided to wipe his system clean and use Time Machine to reinstall from the day before all this occurred. That may preclude getting to the bottom of what appears to be a new safefinder variant.

I DM’d treed with specifics and hopefully something good will come of the analysis I sent. It’s been a week that I have been crippled by this virus/malware and am growing tired of not having safe access to my computer. But knowing that I might be able to contribute to a cure is exciting enough for me to wait another day or two 🙂 
