After no problems for years on my Mac+, quarantine after quarantine...

[Summertime]

Malwarebytes is quarantining malware after malware after malware on my map -- sudden problem... How do I fix what is going on?  Latest (today at 2:31pm) labeled lgfehfbnofiffladdnocgfcbimealokp...14  -- so many others with same or different letters. Any suggestions as to how to fix -- what does this mean?

[Summertime]

On my Mac+

 

[alvarnell]

Mac+ were built from 1987-1990 and operated on System 3.0 thru 7.5.5, so surely that isn't what you have. But it really doesn't matter what Mac you have as Malwarebytes works the same way on all Macs running a recent version of macOS.

What does matter is an exact description of what is being Quarantined, both the path to the file as well as the name of the infection. All that appears in the "Scan" tab of your Malwarebytes application window at the time that they have been identified. If the list is too long just take a screen shot of that window (Command-4, then hit the space bar and click on the window) and post it back here.

the file name you posted is incomplete, so I cannot say for certain, but it might be a Chrome browser extension. Again the Scan window will tell us. If you no longer have that information then at least tell us what you see in the Quarantine folder, if you haven't cleared that.

[Summertime]

Not sure what you are asking for -  i more file quarantined tonight - there is nothing in the 'scan report" - page is empty.  I have quite a full quarantine folder - not cleared - here it is ---

These are all files from April 2019

cpgoblgcfemdmaolmfhpoifikehgbjbf

cpgoblgcfemdmaolmfhpoifikehgbjbf_2_

cpgoblgcfemdmaolmfhpoifikehgbjbf_3_

cpgoblgcfemdmaolmfhpoifikehgbjbf_4_

lfkbihkpdpilfajoiaboelfbefhbnpjg

lgfehfbnofiffladdncogfobimealokp

lgfehfbnofiffladdncogfobimealokp_2_

lgfehfbnofiffladdncogfobimealokp_3_

lgfehfbnofiffladdncogfobimealokp_4_

lgfehfbnofiffladdncogfobimealokp_5_

lgfehfbnofiffladdncogfobimealokp_6_

lgfehfbnofiffladdncogfobimealokp_7_

lgfehfbnofiffladdncogfobimealokp_8_

lgfehfbnofiffladdncogfobimealokp_9_

lgfehfbnofiffladdncogfobimealokp_10_

lgfehfbnofiffladdncogfobimealokp_11_

lgfehfbnofiffladdncogfobimealokp_12_

lgfehfbnofiffladdncogfobimealokp_13_

lgfehfbnofiffladdncogfobimealokp_14_

lgfehfbnofiffladdncogfobimealokp_15_

naedfjpkboljpmbmdnfnibcndmmgdnen

pcmniihfmagioiohkgpenobechoemjpk

The latest, deleted today at 9:26 pm, is lgfehfbnofiffladdncogfobimealokp_15_

If you open it - the following comes up: 50.158.15.10208_0

And if you open the file - you get subfiles:

_locales

_metadata

config

icons

js

libs

manifest.json

The "manifest.jdon says -

 "background": {
      "scripts": [ "libs/PartnerId.js", "js/chrome.js", "js/util.js", "js/templateParser.js", "js/ajax.js", "js/ul.js", "js/dlpHelper.js", "js/dlp.js", "js/logger.js", "js/storageUtils.js", "js/background.js", "js/index.js", "js/content_script.js", "js/urlUtils.js", "js/settingsOverridesUtils.js", "js/internationalSearchUtils.js" ]
   },
   "chrome_settings_overrides": {
      "search_provider": {
         "encoding": "UTF-8",
         "favicon_url": "http://ak.imgfarm.com/images/vicinio/232530392/16x16_1471446408681.ico",
         "is_default": true,
         "keyword": "askweb",
         "name": "Ask Web Search",
         "search_url": "https://search.tb.ask.com/search/GGmain.jhtml?searchfor={searchTerms}&enableSearch=true&rdrct=no&redirect=CPC",
         "suggest_url": "https://ss.search.ask.com/ss?li=ff&sstype=prefix&limit=10&hl=en&q={searchTerms}&enableSearch=true&rdrct=no"
      }
   },
   "content_scripts": [ {
      "all_frames": true,
      "js": [ "js/logger.js", "js/chrome.js", "js/util.js", "js/content_script.js" ],
      "matches": [ "https://ext.dl.tb.ask.com/blank.jhtml" ],
      "run_at": "document_end"
   }, {
      "all_frames": false,
      "js": [ "js/logger.js", "js/chrome.js", "js/util.js", "js/extension_detect.js" ],
      "matches": [ "*://*.ask.com/*" ],
      "run_at": "document_start"
   } ],
   "default_locale": "en",
   "description": "__MSG_marketingDescription__",
   "homepage_url": "http://ext.ask.com/index.jhtml",
   "icons": {
      "128": "icons/icon128.png",
      "16": "icons/icon19on.png",
      "48": "icons/icon48.png"
   },
   "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwEsv59eceZ+SEdMG4SZ2/YykUW3PLXmxKxjxTAqO9THc6Bu0llvPX/glPUz/SKpZfhuj9BzhrH1GLNClmg0qunw1BwvPYiDYrPMZGAqda2Js+4uA+2tdZfgXPmB/ontq3Rs8AOPfUDVMy0/M0hcotUYEhSsS4QaN7MCNc+XH0s9rfXgygLeUFHuNPVE5Thm370ZHTStPNFycUYfTd0q5zRiJQVfcBqCe3HQhen9IbPFnOQ71dsQoQtCoqa5DpBGzBEeMSiUc3Mrcxmx0lMoxT00dOevymxyo0AMHEOE2TPqCBe34AiT7GAEvlxrQhULUWzdMS5DpbOY6b4JuJmjS9wIDAQAB",
   "manifest_version": 2,
   "name": "__MSG_productName__",
   "permissions": [ "alarms", "contextMenus", "tabs", "storage", "activeTab", "webNavigation", "webRequestBlocking", "webRequest", "\u003Call_urls>", "management", "history", "downloads", "cookies" ],
   "update_url": "https://clients2.google.com/service/update2/crx",
   "version": "50.158.15.10208",
   "web_accessible_resources": [  ]
}
 

Is this helpful?

Thanks!

Summertime

[Summertime]

I have a MacbookPro (15-inch late 2016) . Clearly I am an amateur at this....

[alvarnell]

That tells me that you are using Google's Chrome browser that has had at one time all of the following extensions installed:

• Search Manager *
• InboxAce
• Search Extension by Ask *
• From Doc to Pdf Toolbar
• ProPDFConverter

So got to the right end of the Address bar where you see 3 vertical dots and click, then select "More Tools" and finally "Extensions" as shown here.

 

If you see any of the listed extension then click the "Remove" button to get rid of them along with any other that you don't recognize having installed.

Clearly something has been reinstalling the two that I annotated with an asterisk "*" so this is probably not going to be enough. If any of these keep coming back then take a look at the pinned article at the top of this forum, paying particular attention to the topic "Nuke Chrome":

 

Edited May 3, 2019 by alvarnell

[adas]

Hi @Summertime,

We can turn off the sync feature on chrome

refer to the below article on how to turn off sync function.

https://support.google.com/chrome/answer/185277?co=GENIE.Platform%3DDesktop&hl=en-GB

Then delete the extension manually

• open chrome 
• click on setting / three dots > more tools > extensions OR type chrome://extensions/ in address bar
• delete the unwanted extensions

After that run a scan and clear quarantine