Posted By: Rain Do I have Malware? - 03/26/20 03:13 PM
I use a MacBook Pro 2013 running 10.12.
About a month ago I opened a link on an email that I believed was a FlashPlayer update from Adobe. When I examined the sent from address it was from "adobes systems.com" (with a double s).
My Mac has started to behave strangely over the past 3-4 weeks. Initially it wouldn't send or receive emails (then they started to drip through slowly); this is still occurring.
Now I find that I can't change my default search engine in Safari. I use Bing, but now it says Bing in the preferences but goes to Yahoo and won't let me change it. If I go to, say, "google.co.uk" and perform a search, the result page comes up as Yahoo.
The machine is getting a bit sluggish and doesn't seem to want to load pages very quickly.
I believe that this may be Malware.........any thoughts? (and if it is what should I do)
Thanks
Posted By: Ira L Re: Do I have Malware? - 03/26/20 03:32 PM
Start by running some sort of malware/virus checker. If you don't have one, download and run in free mode MalwareBytes.
Posted By: jchuzi Re: Do I have Malware? - 03/26/20 03:34 PM
Download, install, and run MalwareBytes. It may pick something up. You can also try Scam Zapper as well as Virus Barrier (at App Store).

When the dust settles, either ditch Flash or download only directly from Adobe.
Posted By: joemikeb Re: Do I have Malware? - 03/26/20 03:40 PM
A cardinal anti-malware rule is never install updates or upgrades from links in emails. If you believe the update may be valid, navigate directly to the publisher's web site in your browser and download the latest version from there.

At this point you are going to need help in determining whether or not your MBP is infected and if so with what. There are any number of anti-malware products on the market and you can take your pick. The one I use is MalwareBytes, which you can download and use free for 14 days.

P.S. After I posted I saw Jon and Ira got in while I was thinking. At least we all had the same recommendation for MalwareBytes.
Posted By: Rain Re: Do I have Malware? - 03/26/20 05:37 PM
Thanks for the swift replies everyone. So I have downloaded and used Malwarebytes which reported 6 items quarantined.
After a restart the email is back working fine again, but the search engine in Safari is stuck firmly on Yahoo........... but says Bing.
Any further thoughts?
Posted By: jchuzi Re: Do I have Malware? - 03/26/20 05:51 PM
A stab in the dark: delete any Yahoo and/or Bing cookies. You could also clear Safari caches by pressing Command-Control-E. Restart Safari and see if that worked. (The downside of clearing caches is that site icons will have been reset to generic, but they will regenerate as you revisit those sites.)
Posted By: artie505 Re: Do I have Malware? - 03/26/20 06:00 PM
Originally Posted By: Rain
...the search engine in Safari is stuck firmly on Yahoo........... but says Bing.

What do you see at Safari > Prefs > Websites > Search engine:?
Posted By: jchuzi Re: Do I have Malware? - 03/26/20 06:09 PM
Artie:

In Safari 13.1, I don't see "Search engine" listed in Safari > Preferences > Websites but I do see "Search engine" in Safari > Preferences > Search
Posted By: artie505 Re: Do I have Malware? - 03/26/20 06:19 PM
I spaced out there, Jon. You're correct: Safari > Prefs > Search > Search engine:

Thanks.
Posted By: Rain Re: Do I have Malware? - 03/26/20 07:51 PM
Hi, thanks for the suggestions. I have deleted two Bing & two Yahoo cookies and cleared the cache. Still no change.
Safari-prefs-search; still says Bing and stays on Bing when I try to change it.
Posted By: artie505 Re: Do I have Malware? - 03/27/20 12:38 AM
I looked through Safari's entire configuration and couldn't find a single file that sounded like a likely candidate, so more or less for the heck of it, try quitting Safari, moving Yourhomefolder/Library/Preferences/com.apple.Safari.plist to your desktop, restarting your Mac, and launching Safari to see what happens. Safari will create a new file, and if your issue is corrected, you can trash the one on your desktop, and if not, you can move it back and overwrite the newly created one. (I'll concede in advance that I'm not terribly optimistic about this, but it can't hurt and may actually turn the trick.)
Posted By: Rain Re: Do I have Malware? - 03/27/20 06:16 AM
Thanks for the new idea. I have tried it but no change...............looks like I'm stuck in Yahoo hell!
Posted By: artie505 Re: Do I have Malware? - 03/27/20 06:57 AM
I took a more focused look and found the file that changes when I change search engines.

Try the exact same procedure with Yourhomefolder/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist (Be sure to quit, move, restart, launch, and with a bit of luck it'll be your answer.)

Other prefs will be affected if you wind up trashing that file, so I suggest that you check all of yours afterwards.
Posted By: Rain Re: Do I have Malware? - 03/27/20 03:38 PM
Ok I have followed the pathway you suggest and I have a slight difference.
Where you have: containers/com.apple.safari
I have: containers/com.apple.Safari.CacheDeleteExtension

Also where you have Preferences/com.apple.Safari.plist
I have: com.apple.Safari.CacheDeleteExtension.LSSharedFileList.plist

Should I continue?
Posted By: artie505 Re: Do I have Malware? - 03/27/20 09:12 PM
Safari in Sierra is a different beast than Safari in Catalina, but luckily I've still got a High Sierra installation, and its Safari appears to be the same as yours.

That said, ignore my previous suggestion and try the procedure with: YourShortUserName/Library/Cookies/com.apple.Safari.SearchHelper.binarycookies

It's the most likely culprit I could find.
Posted By: joemikeb Re: Do I have Malware? - 03/27/20 10:21 PM
Artie, you were right the first time: the search engine setting is in ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist
or at least that is the case on my system running MacOS 10.15.4.

Why the directory structure to get to that is so baroque I have no idea.

Posted By: artie505 Re: Do I have Malware? - 03/27/20 11:17 PM
That's the Catalina file that changed when I changed my search engine pref, but it doesn't exist in either Rain's Sierra or my High Sierra.

Nor have I been able to locate its exact equivalent. The last file I fingered exists in both High Sierra and Catalina, but its contents may differ between the two.
Posted By: joemikeb Re: Do I have Malware? - 03/27/20 11:42 PM
After numerous unsuccessful attempts using ⌘F (Finder) and Spotlight, I switched to Find Any File and searched for content containing DuckDuckGo (my chosen search engine) and a file name ending in .plist which turned up several files. I then opened the suspects in Xcode to confirm it was the file I was looking for.

That technique should work in almost any version of MacOS. If Xcode isn't available to verify it is the correct file TextEdit should work.
Posted By: artie505 Re: Do I have Malware? - 03/27/20 11:53 PM
Find Any File is my go to. (I haven't even got a Spotlight icon in my menu bar!)

I already tried your search and wasn't successful, but I tried without booting into High Sierra. I'm going to boot into it later and report back. Changing my search engine pref will hopefully flag a file with an in-your-face modification date, same as it enabled me to identify the correct Catalina file.

Since TextWrangler bit the dust I use BBEdit (Basic) for examining files.
Posted By: artie505 Re: Do I have Malware? - 03/28/20 06:16 AM
I. AM. TRULY. BEAT!!!

I booted into High Sierra, changed my search engine pref time after time after time, and searched with Find Any File after each change, and not a single search, either by name, file content, or last modified date identified whatever changed along with my pref.

¯\_(ツ)_/¯


Update: Found it!

Well, maybe.

The only file in High Sierra that changes as I change my search engine pref is /Users/artie/Library/Preferences/.GlobalPreferences.plist. Note the dot. I originally missed the file because I was filtering out invisibles.

Code:
	<key>NSPreferredWebServices</key>
	<dict>
		<key>NSWebServicesProviderWebSearch</key>
		<dict>
			<key>NSDefaultDisplayName</key>
			<string>DuckDuckGo</string>
			<key>NSProviderIdentifier</key>
			<string>com.duckduckgo</string>
		</dict>
	</dict>

I'm confused, though, by the info being stored in two places in Catalina, i.e. the file I previously identified AND this new one.

The file in question seems to be the repository for an awful lot of prefs, so I hesitate to tell Rain to delete it.

I've got no idea where to go from here.
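
Added example, not part of artie505's post or of the original thread: a read-only way to see which web search provider the NSPreferredWebServices key records, without moving or deleting the plist. The function names, the embedded sample file and the identifier com.example.search are constructed for illustration; the key names and the DuckDuckGo values are the ones shown in the post above.

```python
import os
import plistlib
from xml.parsers.expat import ExpatError

# Constructed sample: a minimal plist holding only the key quoted in the post above.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>NSPreferredWebServices</key>
	<dict>
		<key>NSWebServicesProviderWebSearch</key>
		<dict>
			<key>NSDefaultDisplayName</key>
			<string>DuckDuckGo</string>
			<key>NSProviderIdentifier</key>
			<string>com.duckduckgo</string>
		</dict>
	</dict>
</dict>
</plist>
"""

def web_search_provider(plist_bytes):
    """Return (display name, identifier) of the recorded provider, or None."""
    try:
        prefs = plistlib.loads(plist_bytes)  # handles both XML and binary plists
    except (plistlib.InvalidFileException, ExpatError):
        return None
    services = prefs.get("NSPreferredWebServices") if isinstance(prefs, dict) else None
    search = services.get("NSWebServicesProviderWebSearch") if isinstance(services, dict) else None
    if not isinstance(search, dict):
        return None
    return search.get("NSDefaultDisplayName"), search.get("NSProviderIdentifier")

def check_search_pref(plist_bytes, expected_identifier):
    """Compare the recorded provider with the one the user believes is selected."""
    found = web_search_provider(plist_bytes)
    if found is None:
        return "no web search provider recorded"
    name, ident = found
    if ident == expected_identifier:
        return f"ok: {name} ({ident})"
    return f"mismatch: file records {name} ({ident}), expected {expected_identifier}"

if __name__ == "__main__":
    # Read the real file if it exists (macOS); otherwise fall back to the sample.
    path = os.path.expanduser("~/Library/Preferences/.GlobalPreferences.plist")
    data = open(path, "rb").read() if os.path.exists(path) else SAMPLE_XML
    print(check_search_pref(data, "com.duckduckgo"))
```

An "ok" result only says the stored preference matches what the user picked, so a search that still lands elsewhere is being redirected by something other than this key.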
Posted By: Rain Re: Do I have Malware? - 03/28/20 08:14 AM
Hi Guys, I have tried the cookies suggestion and no luck.
Posted By: artie505 Re: Do I have Malware? - 03/28/20 08:29 AM
Totally not surprised. :(

My previous post kinda sums up the situation from my point of view, but joemike may be able to help. (A "defaults write" command may be the way to go, but composing it is beyond my capability.)
Posted By: Rain Re: Do I have Malware? - 03/28/20 09:17 AM
Well I really appreciate your efforts, and at least my email is working again.
Thanks
Posted By: artie505 Re: Do I have Malware? - 03/28/20 09:24 AM
I've been meaning to ask if there's a particular reason that you're stuck in Sierra, because if you upgrade to just High Sierra your Safari will be updated to a later version, which may make your problem easier to deal with.
Posted By: Rain Re: Do I have Malware? - 03/28/20 04:25 PM
Mainly because I have quite old kit and applications, which seem to falter after each upgrade, and to keep a bit of consistency over the 3 machines in our household.

Thanks again.
Posted By: artie505 Re: Do I have Malware? - 03/28/20 06:19 PM
I can't argue with that, so I'll suggest that you run, or, as the case may be, rerun the macOS Sierra 10.12.6 Combo Update. It affects Safari and may be your answer.
Posted By: artie505 Re: Do I have Malware? - 03/29/20 02:01 AM
Afterthought: I wonder if it was a situation like yours that prompted Apple to create a dedicated search engine plist?
Posted By: Rain Re: Do I have Malware? - 03/29/20 07:08 AM
Ok, thanks Artie
Posted By: ROBG_1mperi0n Re: Do I have Malware? - 03/01/21 12:01 AM
greeting


sorry, pics of this file https://i.imgur.com/S3QQl7c.png


I'm interested in whether this file is a virus or malware because I also came across it so I can ask if you know

nothing download from weird sites only from verified if anyone can tell me I would be grateful

or it's just part of the safari file


thank you
Posted By: artie505 Re: Do I have Malware? - 03/01/21 12:40 AM
Hi, and welcome to FineTunedMac. :)

I can't see your screenshot, so maybe try posting it again at imgur.com.

To post a screenshot or other type of image...
  1. Go to https://imgur.com/upload.
  2. Either drag your image into the window or browse for it.
  3. Click on "Copy" in the next window to copy your image's URL to your clipboard.
  4. Create a link using FTM's "Create a link..." tag...5th icon from the right.


You may have to create an account, but at the least, you'll have to disable any content blockers.
Posted By: ROBG_1mperi0n Re: Do I have Malware? - 03/01/21 01:40 AM
generally me tho don't see pics what to sent
Posted By: artie505 Re: Do I have Malware? - 03/01/21 01:55 AM
Reposting your screenshot worked.

I've got 4 instances of that file in my Big Sur installation, all of them being system files that shouldn't be messed with.

Your file is not a problem.
Posted By: ROBG_1mperi0n Re: Do I have Malware? - 03/01/21 01:57 AM
ok thnx
© FineTunedMac