Do I have Malware?
#53803 03/26/20 03:13 PM
Joined: Jul 2011
Rain Offline OP

I use a MacBook Pro 2013 running 10.12.
About a month ago I opened a link in an email that I believed was a Flash Player update from Adobe. When I examined the sent-from address, it was from "adobes systems.com" (with a double s).
My Mac has started to behave strangely over the past 3-4 weeks: initially it wouldn't send or receive emails (then they started to drip through slowly), and this is still occurring.
Now I find that I can't change my default search engine in Safari. I use Bing, but now it says Bing in the preferences but goes to Yahoo and won't let me change it. If I go to, say, "google.co.uk" and perform a search, the result page comes up as Yahoo.
The machine is getting a bit sluggish and doesn't seem to want to load pages very quickly.
I believe that this may be malware... any thoughts? (And if it is, what should I do?)
Thanks

Re: Do I have Malware?
Rain #53804 03/26/20 03:32 PM
Joined: Aug 2009
Likes: 8
Offline

Start by running some sort of malware/virus checker. If you don't have one, download Malwarebytes and run it in free mode.


On a Mac since 1984.
Currently: 24" M1 iMac, M2 Pro Mac mini with 27" BenQ monitor, M2 Macbook Air, MacOS 14.x; iPhones, iPods (yes, still) and iPads.
Re: Do I have Malware?
Rain #53805 03/26/20 03:34 PM
Joined: Aug 2009
Likes: 7
Online

Download, install, and run Malwarebytes. It may pick something up. You can also try Scam Zapper as well as Virus Barrier (at the App Store).

When the dust settles, either ditch Flash or download only directly from Adobe.


Jon

macOS 11.7.10, iMac Retina 5K 27-inch, late 2014, 3.5 GHz Intel Core i5, 1 TB fusion drive, 16 GB RAM, Epson SureColor P600, Photoshop CC, Lightroom CC, MS Office 365
Re: Do I have Malware?
Rain #53806 03/26/20 03:40 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline

A cardinal anti-malware rule is never to install updates or upgrades from links in emails. If you believe the update may be valid, navigate directly to the publisher's website in your browser and download the latest version from there.

At this point you are going to need help in determining whether or not your MBP is infected and, if so, with what. There are any number of anti-malware products on the market and you can take your pick. The one I use is Malwarebytes, which you can download and use free for 14 days.

P.S. After I posted I saw Jon and Ira got in while I was thinking. At least we all had the same recommendation for Malwarebytes.

Last edited by joemikeb; 03/26/20 03:44 PM. Reason: P.S.

If we knew what it was we were doing, it wouldn't be called research, would it?

— Albert Einstein
Re: Do I have Malware?
Rain #53810 03/26/20 05:37 PM
Joined: Jul 2011
Rain Offline OP

Thanks for the swift replies, everyone. So I have downloaded and used Malwarebytes, which reported 6 items quarantined.
After a restart the email is back working fine again, but the search engine in Safari is stuck firmly on Yahoo... but says Bing.
Any further thoughts?

Re: Do I have Malware?
Rain #53811 03/26/20 05:51 PM
Joined: Aug 2009
Likes: 7
Online

A stab in the dark: delete any Yahoo and/or Bing cookies. You could also clear Safari caches by pressing Command-Control-E. Restart Safari and see if that worked. (The downside of clearing caches is that site icons will have been reset to generic, but they will regenerate as you revisit those sites.)

Last edited by jchuzi; 03/26/20 05:52 PM.

Re: Do I have Malware?
Rain #53812 03/26/20 06:00 PM
Joined: Aug 2009
Likes: 15
Online

Originally Posted By: Rain
...the search engine in Safari is stuck firmly on Yahoo........... but says Bing.

What do you see at Safari > Prefs > Websites > Search engine:?


The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
Re: Do I have Malware?
artie505 #53813 03/26/20 06:09 PM
Joined: Aug 2009
Likes: 7
Online

Artie:

In Safari 13.1, I don't see "Search engine" listed in Safari > Preferences > Websites but I do see "Search engine" in Safari > Preferences > Search


Re: Do I have Malware?
jchuzi #53814 03/26/20 06:19 PM
Joined: Aug 2009
Likes: 15
Online

I spaced out there, Jon. You're correct: Safari > Prefs > Search > Search engine:

Thanks.


Re: Do I have Malware?
artie505 #53815 03/26/20 07:51 PM
Joined: Jul 2011
Rain Offline OP

Hi, thanks for the suggestions. I have deleted two Bing and two Yahoo cookies and cleared the cache. Still no change.
Safari > Prefs > Search still says Bing and stays on Bing when I try to change it.

Re: Do I have Malware?
Rain #53816 03/27/20 12:38 AM
Joined: Aug 2009
Likes: 15
Online

I looked through Safari's entire configuration and couldn't find a single file that sounded like a likely candidate, so more or less for the heck of it, try quitting Safari, moving Yourhomefolder/Library/Preferences/com.apple.Safari.plist to your desktop, restarting your Mac, and launching Safari to see what happens. Safari will create a new file, and if your issue is corrected, you can trash the one on your desktop, and if not, you can move it back and overwrite the newly created one. (I'll concede in advance that I'm not terribly optimistic about this, but it can't hurt and may actually turn the trick.)


Re: Do I have Malware?
artie505 #53817 03/27/20 06:16 AM
Joined: Jul 2011
Rain Offline OP

Thanks for the new idea. I have tried it but no change... looks like I'm stuck in Yahoo hell!

Re: Do I have Malware?
Rain #53818 03/27/20 06:57 AM
Joined: Aug 2009
Likes: 15
Online

I took a more focused look and found the file that changes when I change search engines.

Try the exact same procedure with Yourhomefolder/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist (Be sure to quit, move, restart, launch, and with a bit of luck it'll be your answer.)

Other prefs will be affected if you wind up trashing that file, so I suggest that you check all of yours afterwards.


Re: Do I have Malware?
artie505 #53823 03/27/20 03:38 PM
Joined: Jul 2011
Rain Offline OP

OK, I have followed the pathway you suggest, and I have a slight difference.
Where you have: containers/com.apple.safari
I have: containers/com.apple.Safari.CacheDeleteExtension

Also where you have Preferences/com.apple.Safari.plist
I have: com.apple.Safari.CacheDeleteExtension.LSSharedFileList.plist

Should I continue?

Re: Do I have Malware?
Rain #53832 03/27/20 09:12 PM
Joined: Aug 2009
Likes: 15
Online

Safari in Sierra is a different beast than Safari in Catalina, but luckily I've still got a High Sierra installation, and its Safari appears to be the same as yours.

That said, ignore my previous suggestion and try the procedure with: YourShortUserName/Library/Cookies/com.apple.Safari.SearchHelper.binarycookies

It's the most likely culprit I could find.


Re: Do I have Malware?
artie505 #53833 03/27/20 10:21 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline

Artie, you were right the first time: the search engine setting is in ~/Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist,
or at least that is the case on my system running macOS 10.15.4.

Why the directory structure to get to that is so baroque I have no idea.



Re: Do I have Malware?
joemikeb #53834 03/27/20 11:17 PM
Joined: Aug 2009
Likes: 15
Online

That's the Catalina file that changed when I changed my search engine pref, but it doesn't exist in either Rain's Sierra or my High Sierra.

Nor have I been able to locate its exact equivalent. The last file I fingered exists in both High Sierra and Catalina, but its contents may differ between the two.


Re: Do I have Malware?
artie505 #53836 03/27/20 11:42 PM
Joined: Aug 2009
Likes: 16
Moderator
Offline

After numerous unsuccessful attempts using ⌘F (Finder) and Spotlight, I switched to Find Any File and searched for content containing DuckDuckGo (my chosen search engine) and a file name ending in .plist which turned up several files. I then opened the suspects in Xcode to confirm it was the file I was looking for.

That technique should work in almost any version of macOS. If Xcode isn't available to verify it is the correct file, TextEdit should work.


Re: Do I have Malware?
joemikeb #53837 03/27/20 11:53 PM
Joined: Aug 2009
Likes: 15
Online

Find Any File is my go-to. (I haven't even got a Spotlight icon in my menu bar!)

I already tried your search and wasn't successful, but I tried without booting into High Sierra. I'm going to boot into it later and report back. Changing my search engine pref will hopefully flag a file with an in-your-face modification date, same as it enabled me to identify the correct Catalina file.

Since TextWrangler bit the dust I use BBEdit (Basic) for examining files.


Re: Do I have Malware?
artie505 #53838 03/28/20 06:16 AM
Joined: Aug 2009
Likes: 15
Online

I. AM. TRULY. BEAT!!!

I booted into High Sierra, changed my search engine pref time after time after time, and searched with Find Any File after each change, and not a single search, either by name, file content, or last modified date identified whatever changed along with my pref.

¯\_(ツ)_/¯


Update: Found it!

Well, maybe.

The only file in High Sierra that changes as I change my search engine pref is /Users/artie/Library/Preferences/.GlobalPreferences.plist. Note the dot. I originally missed the file because I was filtering out invisibles.

Code:
<key>NSPreferredWebServices</key>
	<dict>
		<key>NSWebServicesProviderWebSearch</key>
		<dict>
			<key>NSDefaultDisplayName</key>
			<string>DuckDuckGo</string>
			<key>NSProviderIdentifier</key>
			<string>com.duckduckgo</string>
		</dict>
	</dict>

I'm confused, though, by the info being stored in two places in Catalina, i.e. the file I previously identified AND this new one.

The file in question seems to be the repository for an awful lot of prefs, so I hesitate to tell Rain to delete it.

I've got no idea where to go from here.

Last edited by artie505; 03/28/20 07:33 AM. Reason: Update

The new Great Equalizer is the SEND button.

In Memory of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire
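As an added example (not code from this thread, from Apple, or from any tool named in it), the Python script below automates the two things worked out above: joemikeb's technique of searching every .plist under a Library folder for one whose contents mention the search engine's name, without skipping dot-files the way a Finder search that filters invisibles does, and reading the NSPreferredWebServices entry artie505 found in .GlobalPreferences.plist. It runs against a constructed throwaway directory tree rather than a real home folder. The provider identifiers other than com.duckduckgo (com.yahoo, com.bing), the EXPECTED_PROVIDER value and every file name except .GlobalPreferences.plist are assumptions made for the example.

```python
"""Locate and inspect the plist that stores the macOS default web search
provider. Added example with constructed sample data; not from the thread."""
import os
import plistlib
import shutil
import tempfile

# Assumed: the provider the user actually wants (Rain wanted Bing).
# com.bing is a sample identifier modelled on the com.duckduckgo entry
# quoted in the thread; only that one comes from the page.
EXPECTED_PROVIDER = "com.bing"


def _contains_string(value, needle):
    """Recursively look for `needle` inside any string value of a parsed plist."""
    if isinstance(value, str):
        return needle in value
    if isinstance(value, dict):
        return any(_contains_string(v, needle) for v in value.values())
    if isinstance(value, list):
        return any(_contains_string(v, needle) for v in value)
    return False


def find_plists_containing(root, needle):
    """Walk `root` (os.walk does NOT hide dot-files, unlike a Finder search that
    filters invisibles) and return every readable .plist that mentions needle."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.endswith(".plist"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:  # plistlib reads XML and binary plists
                    data = plistlib.load(fh)
            except (plistlib.InvalidFileException, OSError, ValueError):
                continue  # unreadable or not really a plist: skip, don't crash
            if _contains_string(data, needle):
                hits.append(path)
    return sorted(hits)


def get_search_provider(plist_path):
    """Return (display name, provider identifier) from the
    NSPreferredWebServices / NSWebServicesProviderWebSearch entry, or None."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    entry = data.get("NSPreferredWebServices", {}).get("NSWebServicesProviderWebSearch")
    if not entry:
        return None
    return entry.get("NSDefaultDisplayName"), entry.get("NSProviderIdentifier")


def provider_matches(plist_path, expected=EXPECTED_PROVIDER):
    """True when the stored provider identifier is the one the user expects."""
    found = get_search_provider(plist_path)
    return found is not None and found[1] == expected


def set_search_provider(plist_path, display_name, identifier):
    """Keep a .bak copy (the thread's 'move it to the desktop' step, done as a
    copy) and rewrite only the web search provider entry."""
    shutil.copy2(plist_path, plist_path + ".bak")
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    data.setdefault("NSPreferredWebServices", {})["NSWebServicesProviderWebSearch"] = {
        "NSDefaultDisplayName": display_name,
        "NSProviderIdentifier": identifier,
    }
    with open(plist_path, "wb") as fh:
        plistlib.dump(data, fh)


def build_sample_tree():
    """Create a throwaway Library-like tree holding a .GlobalPreferences.plist
    that points searches at Yahoo (constructed data mimicking Rain's symptom)
    plus a decoy plist that must not be reported."""
    root = tempfile.mkdtemp(prefix="fakelib_")
    prefs = os.path.join(root, "Preferences")
    os.makedirs(prefs)
    hijacked = {
        "NSPreferredWebServices": {
            "NSWebServicesProviderWebSearch": {
                "NSDefaultDisplayName": "Yahoo",      # where searches really go
                "NSProviderIdentifier": "com.yahoo",  # constructed sample value
            }
        },
        "AppleLanguages": ["en-GB"],  # unrelated pref sharing the file
    }
    with open(os.path.join(prefs, ".GlobalPreferences.plist"), "wb") as fh:
        plistlib.dump(hijacked, fh, fmt=plistlib.FMT_BINARY)  # binary, like the real one
    with open(os.path.join(prefs, "com.example.decoy.plist"), "wb") as fh:
        plistlib.dump({"LastOpened": "none"}, fh)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path in find_plists_containing(root, "Yahoo"):
        state = "ok" if provider_matches(path) else "MISMATCH"
        print(path, get_search_provider(path), state)
```

Pointing find_plists_containing at a real ~/Library only makes sense with Safari quit, since macOS caches preferences through cfprefsd and a file edited behind its back can be written over again; the same key can be read the supported way with `defaults read -g NSPreferredWebServices`. The script writes a .bak copy before changing anything, so the original can be put back exactly as the thread's move-aside procedure allows.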
Re: Do I have Malware?
artie505 #53839 03/28/20 08:14 AM
Joined: Jul 2011
Rain Offline OP

Hi Guys, I have tried the cookies suggestion and no luck.

Re: Do I have Malware?
Rain #53840 03/28/20 08:29 AM
Joined: Aug 2009
Likes: 15
Online

Totally not surprised.

My previous post kinda sums up the situation from my point of view, but joemike may be able to help. (A "defaults write" command may be the way to go, but composing it is beyond my capability.)


Re: Do I have Malware?
artie505 #53841 03/28/20 09:17 AM
Joined: Jul 2011
Rain Offline OP

Well I really appreciate your efforts, and at least my email is working again.
Thanks

Re: Do I have Malware?
Rain #53842 03/28/20 09:24 AM
Joined: Aug 2009
Likes: 15
Online

I've been meaning to ask if there's a particular reason that you're stuck in Sierra, because if you upgrade to just High Sierra your Safari will be updated to a later version, which may make your problem easier to deal with.


Re: Do I have Malware?
artie505 #53847 03/28/20 04:25 PM
Joined: Jul 2011
Rain Offline OP

Mainly because I have quite old kit and applications, which seem to falter after each upgrade, and to keep a bit of consistency over the 3 machines in our household.

Thanks again.
