
mixbuilder application and safari extension???

I was working on my computer when all of a sudden a window opens indicating something was installed and I was to click ok. However, the cursor was locked up and I had to shut down my computer. There was also something about a Safari extension called MixBuilder. When I restarted the computer, I found an extension in Safari and an application installed called MixBuilder. I deleted both. Has anyone else run into this?

MacBook Pro 15", macOS 10.14

Posted on Apr 23, 2019 2:45 PM

Question marked as Best reply

Posted on May 10, 2019 2:04 PM

Original poster here. It has been over 2 weeks since my incident with mixbuilder, and I thought that I would report that simply trashing the application and uninstalling the safari extension seems to have been sufficient in removing this intruder from my computer. (The other stuff I did at the suggestion of repliers was after the fact.) There have been no further incidents. I have no idea where it came from (I try to be very sensible about what websites I visit and what emails I open, and sometimes use "private windows" in Safari, but otherwise make no extraordinary efforts to guard against intruders beyond the regularly recommended Apple routines). It would be nice to know how it got on my computer, just to satisfy my curiosity. And it has certainly been an experience being involved in the discovery of a new malware/intruder/whatever-it-is.


Apr 24, 2019 10:53 AM in response to sarahfromranchos

1. There is adware installed on your Mac.

   Run the latest release of Malwarebytes for Mac to remove malware/adware installed on your Mac.

   For instructions: Install Malwarebytes for Mac / Uninstall Malwarebytes for Mac

   Click the “Scan Now” button. Once done, quit Malwarebytes for Mac.

   Repeat the scan a couple of times.

   Restart the computer and relaunch Safari holding the Shift key down.

2. Uninstall unknown extensions: Safari > Preferences > Extensions

https://support.apple.com/guide/safari/use-safari-extensions-sfri32508/mac

Apr 24, 2019 9:39 AM in response to CR-C

Two things:

  1. To remove the Safari extension, open Safari. Upper left corner of screen, click on Safari, then in the drop-down menu click on Preferences. In the window that opens, click on the Extensions tab, click on the MixBuilder extension on the left, click on Uninstall under the description on the right.
  2. To remove the application, go to the Application Folder in a Finder window, find MixBuilder, click once to highlight, then click on the task drop-down menu (the little gear near the top right of the window), select Move to Trash.


That is all I have done so far. I have not yet tried Dominic 23's suggestion. Maybe you should wait before doing anything.

Apr 24, 2019 10:07 AM in response to sarahfromranchos

I had the same issue. I was watching a YouTube video and the next thing you know my computer had installed this Safari extension and my computer froze. I forced a shutdown and then turned my computer back on. I immediately uninstalled the program, but I am concerned because it seems that this extension has access to all my passwords. I am very worried that my personal information has been compromised. Apple, please help.

May 13, 2019 6:41 AM in response to elHw

Does anyone have "ExpertFirstExtension.app" on their computer, know what it is, why it is...any info at all???

I found no further reference or extension of "mixbuilder" on my computer after using Malwarebytes.app. HOWEVER...

I continue to question the presence of "ExpertFirstExtension.app" appearing in my app folder as of Jan 8th 2019. I did not download it, and am the only user on this computer.

This morning I checked my Safari extensions, and found an extension for "ExpertFirstExtension 1.0".

I don't know what it is, and am quite suspicious as its icon is the same as "mixbuilder" and it is now starting to behave like mixbuilder, by adding the extension I did not approve.

I searched the internet for any info on this app, and found NOTHING AT ALL, which feeds my suspicion.

The only reason I have not deleted it is that I am not sure the app isn't an intended part of the Mojave OS system, or some important item.

I ran Malwarebytes.app, which reports NO problem.

Info on this possible intruder is appreciated.

Apr 24, 2019 1:32 AM in response to sarahfromranchos

This is the first time I read about this extension MixBuilder.

It would be very helpful if you post an EtreCheck report.

EtreCheck is a system diagnostic test.


Download EtreCheck, run it to see if there is any adware installed or not.

https://etrecheck.com/maspro

Click “Click to download” button.

Open Downloads folder, click on it to open, and then select “Open”.

“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.

Click “Share Report” button in the toolbar, select “Copy report”.

Paste the report when you reply if you wish.

Note: This is a diagnostic test.

If 5000 words limit applies:

Split the report into two parts and post as two separate posts.

Apr 24, 2019 10:28 AM in response to dominic23

I have selected portions of the report that might be related. Will take several posts. Comments?



EtreCheck version: 5.2 (5C006)


Report generated: 2019-04-24 11:03:28


Download EtreCheck from https://etrecheck.com


Runtime: 2:49


Performance: Excellent




Problem: Other problem


Description: 


safari extension and corresponding application installed automatically


without permission (MixBuilder)




Major Issues:


    Anything that appears on this list needs immediate attention. 




    Battery failure - Your battery is reporting that it needs to be serviced.


    Adware - Adware detected.




Minor Issues:


    These issues do not need immediate attention but they may indicate future problems or opportunities for improvement. 




    High battery cycle count - Your battery may be losing capacity.


    Apps crashing - There have been numerous app crashes.


    Clean up - There are orphan files that could be removed.


    Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.


    32-bit Apps - This machine has 32-bits apps will not work after macOS 10.14 “Mojave”.


    Limited drive access - More information may be available with Full Drive Access.




Hardware Information:


    MacBook Pro (Retina, 15-inch, Mid 2012)


    MacBook Pro Model: MacBookPro10,1


    1 2.3 GHz Intel Core i7 (i7-3615QM) CPU: 4-core


    8 GB RAM - Not upgradeable


        BANK 0/DIMM0 - 4 GB DDR3 1600  ok


        BANK 1/DIMM0 - 4 GB DDR3 1600  ok


    Battery: Health = Service Battery - Cycle count = 895




Network:


    Interface en0: AirPort


        802.11 a/b/g/n


    Interface Bluetooth-Modem: Bluetooth DUN


    Interface en4: Bluetooth PAN


    Interface bridge0: Thunderbolt Bridge


    Interface fw0: Thunderbolt FireWire


    Interface en3: USB Ethernet


    Interface en6: iPad


    Interface en5: iPhone




System Software:


    macOS Mojave 10.14.4 (18E226) 


    Time since boot: About a day




Security:


    Gatekeeper: Enabled


    System Integrity Protection: Enabled




Adware:


    Launchd: /Library/LaunchDaemons/com.HermesLookupDaemon.plist


        Reason: Adware pattern match


        Executable: /Library/Application Support/com.HermesLookupDaemon/HermesLookup r


    Launchd: ~/Library/LaunchAgents/com.HermesLookup.plist


        Reason: Adware pattern match


        Executable: ~/Library/Application Support/com.HermesLookup/HermesLookup r




Unsigned Files:


    Launchd: ~/Library/LaunchAgents/com.adobe.ARM.***.plist


        Executable: /Applications/Adobe Reader 9/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper


        Details: Close match found in the whitelist - probably OK




    Launchd: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist


        Executable: /Library/PrivilegedHelperTools/com.microsoft.office.licensing.helper


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.dtv.vgconnect.uninstall.plist


        Executable: /bin/sh -c /tmp/vgconnect.DTV/condUninstall.sh

Apr 24, 2019 10:29 AM in response to dominic23

2nd set of report


 Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchAgents/com.oracle.java.Java-Updater.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.nds.pcshow.plist


        Executable: /bin/sh -c $HOME/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/Resources/launch.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.nds.pcshow.uninstall.plist


        Executable: /bin/sh -c /tmp/vgconnect/condUninstall.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.dtv.vgconnect.plist


        Executable: /bin/sh -c $HOME/Library/NDSPCShowServer.DTV/NDSPCShowServer.DTV.bundle/Contents/Resources/launch.sh


        Details: Exact match found in the whitelist - probably OK




32-bit Applications:


    37 32-bit apps




Kernel Extensions:


    /System/Library/Extensions


        [Not Loaded] NovatelWireless3G.kext (v3.0.2 (003))


        [Not Loaded] NovatelWirelessFilter.kext (v2.0.6)


        [Not Loaded] SierraSupport.kext (1.4.11)


        [Not Loaded] SierraSwitch.kext (1.2.2)


        [Not Loaded] SierraSwitchKicker.kext (1.0.0)


        [Not Loaded] SMSIWirelessModem.kext (3.2.6)




    /System/Library/Extensions/NovatelWireless3G.kext/Contents/Plugins


        [Not Loaded] NovatelWireless3GData.kext (v3.0.2 (003))




    /System/Library/Extensions/SMSIWirelessModem.kext/Contents/PlugIns


        [Not Loaded] SMSIWirelessCDC.kext (3.2.6)


        [Not Loaded] SMSIWirelessSerial.kext (3.2.6)




System Launch Agents:


    [Not Loaded] 16 Apple tasks


    [Loaded] 156 Apple tasks


    [Running] 129 Apple tasks




System Launch Daemons:


    [Not Loaded] 36 Apple tasks


    [Loaded] 181 Apple tasks


    [Running] 120 Apple tasks




Launch Agents:


    [Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2019-04-17)


    [Not Loaded] com.oracle.java.Java-Updater.plist (? 48864dc8 - installed 2018-12-15)




Launch Daemons:


    [Loaded] com.HermesLookupDaemon.plist (Adware - installed 2019-01-14)


    [Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2019-03-26)


    [Not Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2019-03-21)


    [Loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2019-04-17)


    [Loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e - installed 2011-03-10)


    [Not Loaded] com.oracle.java.Helper-Tool.plist (? e3fefdd2 - installed 2018-12-15)




User Launch Agents:


    [Loaded] com.HermesLookup.plist (Adware - installed 2018-12-17)


    [Loaded] com.adobe.ARM.***.plist (? 0 - installed 2017-08-16)


    [Loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2018-03-16)

Apr 24, 2019 10:32 AM in response to dominic23

3rd set of report



  [Loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2019-02-13)


    [Running] com.dtv.vgconnect.plist (? 0 - installed 2019-03-21)


    [Loaded] com.dtv.vgconnect.uninstall.plist (? 0 - installed 2019-03-21)


    [Running] com.hp.devicemonitor.plist (HP Inc. - installed 2019-04-23)


    [Loaded] com.logmein.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2018-03-16)


    [Running] com.nds.pcshow.plist (? 0 - installed 2019-03-21)


    [Loaded] com.nds.pcshow.uninstall.plist (? 0 - installed 2019-03-21)


    [Not Loaded] jp.co.canon.Inkjet_Extended_Survey_Agent.plist (? 0 - installed 2009-08-30)




User Login Items:


    Dropbox.app (Dropbox, Inc. - installed 2019-04-05)


        (Application - /Applications/Dropbox.app)




Internet Plug-ins:


    WebVideoPlugin: 3.0.5.26 (? - installed 2016-12-22)


    o1dbrowserplugin: 5.41.3.0 (? - installed 2015-12-15)


    Flip4Mac WMV Plugin: 2.3.8.1 (? - installed 2011-01-13)


    Silverlight: 5.1.41212.0 (? - installed 2016-06-13)


    FlashPlayer-10.6: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    Flash Player: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    iPhotoPhotocast: 7.0 (Apple - installed 2010-03-31)


    googletalkbrowserplugin: 5.41.3.0 (? - installed 2015-12-11)


    SharePointBrowserPlugin: 14.7.7 (? - installed 2019-01-27)


    AdobePDFViewer: 9.5.5 (? - installed 2017-08-16)


    GarminGpsControl: 4.0.4.0 Release (? - installed 2012-11-02)


    EPPEX Plugin: 3.0.5.0 (? - installed 2009-07-29)


    JavaAppletPlugin: Java 8 Update 201 build 09 (? - installed 2019-03-22)




User Internet Plug-ins:


    OctoshapeWeb: 1.0 (? - installed 2015-01-30)




Audio Plug-ins:


    AppleTimeSyncAudioClock: 1.0 (Apple - installed 2019-04-03)


    BluetoothAudioPlugIn: 6.0.11 (Apple - installed 2019-04-03)


    AirPlay: 2.0 (Apple - installed 2019-04-03)


    AppleAVBAudio: 740.1 (Apple - installed 2019-04-03)


    BridgeAudioSP: 5.39 (Apple - installed 2019-04-03)


    iSightAudio: 7.7.3 (Apple - installed 2019-04-03)




3rd Party Preference Panes:


    Flash Player (installed 2019-03-26)


    Flip4Mac WMV (installed 2011-01-13)


    Java (installed 2019-03-22)


    MacFUSE (installed 2010-09-10)




Software Installs (past 30 days):


    Install Date Name (Version)


    2019-03-29 Numbers (6.0)


    2019-03-29 Pages (8.0)


    2019-04-03 Keynote (9.0)


    2019-04-09 Adobe Flash Player (32.0.0.171)


    2019-04-17 Microsoft AutoUpdate (4.10.19041401)


    2019-04-19 XProtectPlistConfigData (2102)


    2019-04-19 Gatekeeper Configuration Data (165)




Clean up:


    ~/Library/LaunchAgents/jp.co.canon.Inkjet_Extended_Survey_Agent.plist


        /Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/Resources/Canon_Inkjet_Extended_Survey_Agent


        Executable not found






Diagnostics Information (past 7 days):


    2019-04-24 10:57:59 NDSPCShowServer Crash (160 times)


        Executable: /Users/***/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/MacOS/NDSPCShowServer


        Details: 


            ~/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/MacOS/libDrm


            Singleton.1.22.0..dylib


            terminating with uncaught exception of type nds::vgk::util::VgkUtilExc


            eption


            abort() called






    2019-04-24 09:06:09 syspolicyd CPU


        Executable: /usr/libexec/syspolicyd




    2019-04-23 16:33:44 backupd CPU (2 times)


        Executable: /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd




    2019-04-23 15:09:33 MixBuilder.app Hang


        Executable: /Applications/MixBuilder.app
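
Added example, not part of any post in this thread: the EtreCheck report above lists launchd jobs flagged as adware (com.HermesLookup, com.HermesLookupDaemon) and one job whose executable is missing, which are things trashing an app from /Applications does not touch. This Python script audits the standard launchd directories for both conditions; the watchlist names come from the thread, while the `demo()` plists and paths are constructed samples.

```python
import plistlib
import tempfile
from pathlib import Path

# Names mentioned in this thread (EtreCheck "Adware" section and the posts).
WATCHLIST = ("hermeslookup", "mixbuilder", "expertfirstextension")
# Standard launchd job directories on macOS.
LAUNCHD_DIRS = ("/Library/LaunchDaemons", "/Library/LaunchAgents",
                "~/Library/LaunchAgents")


def audit(dirs=LAUNCHD_DIRS, watchlist=WATCHLIST):
    """Return one finding per launchd plist that matches the watchlist,
    points at a missing executable, or cannot be parsed."""
    findings = []
    for d in dirs:
        for path in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
            except Exception as exc:  # damaged plists are reported, not skipped
                findings.append({"plist": str(path), "argv": [],
                                 "reasons": [f"unreadable: {exc}"]})
                continue
            argv = [str(a) for a in job.get("ProgramArguments") or []]
            exe = str(job.get("Program") or (argv[0] if argv else ""))
            text = " ".join([path.name, str(job.get("Label", "")), exe, *argv])
            reasons = [f"name match: {w}" for w in watchlist if w in text.lower()]
            if exe and not Path(exe).exists():
                reasons.append("executable not found")
            if reasons:
                findings.append({"plist": str(path), "argv": argv or [exe],
                                 "reasons": reasons})
    return findings


def demo():
    """Run the audit over constructed sample jobs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        agents = root / "LaunchAgents"
        agents.mkdir()
        present = root / "HermesLookup"   # constructed stand-in for the binary
        present.write_text("")
        updater = root / "updater"        # constructed benign job target
        updater.write_text("")
        samples = {
            "com.HermesLookup.plist": [str(present), "r"],
            "com.example.updater.plist": [str(updater), "-bgcheck"],
            "com.example.orphan.plist": [str(root / "gone"), "--run"],
        }
        for name, argv in samples.items():
            with (agents / name).open("wb") as fh:
                plistlib.dump({"Label": name[:-6], "ProgramArguments": argv}, fh)
        (agents / "broken.plist").write_bytes(b"not a plist")
        return [(Path(f["plist"]).name, f["reasons"]) for f in audit([agents])]


if __name__ == "__main__":
    for finding in audit():
        print(finding["plist"], finding["argv"], "; ".join(finding["reasons"]))
```

A name match is only a lead for review, not a verdict; the job's plist and the executable it points at both need to be removed for the persistence entry to be gone.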

Apr 24, 2019 9:01 PM in response to sarahfromranchos

FYI: I opened an email, subject title (Domain Service) Final notice. I opened the email, and then the cursor froze up etc. Here is the header of the email:


Return-Path: <****>

Delivered-To: ****

From info@nckiwebdesign.gdn Wed Apr 24 15:46:19 2019

Return-Path: <****>

Delivered-To: ****

Received: (qmail 25490 invoked by uid 89); 24 Apr 2019 15:46:19 -0000

Received: by simscan 1.2.0 ppid: 25466, pid: 25472, t: 1.2462s

    scanners: attach: 1.2.0 clamav: 0.96.5/m: spam: 3.1.4

X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on 

    qsmtp001.serverphase.com

X-Spam-Level: 

X-Spam-Status: No, score=-4.6 required=10.0 tests=DATE_IN_PAST_24_48,

    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,MIME_HTML_ONLY,UNPARSEABLE_RELAY,

    USER_IN_WHITELIST_TO autolearn=disabled version=3.1.4

Received: from unknown (HELO mail.bbsar.org) (42.231.163.42)

    by qsmtp001.serverphase.com with SMTP; 24 Apr 2019 15:46:18 -0000

Received-SPF: pass (qsmtp001.serverphase.com: SPF record at nckiwebdesign.gdn designates 42.231.163.42 as permitted sender)

dkim-signature:v=1; c=relaxed/relaxed; h=to:subject:message-id:date:from:reply-to:mime-version:list-unsubscribe:content-type:content-transfer-encoding;

    d=nckiwebdesign.gdn; s=default; a=rsa-sha256;

    bh=Byi8ptHQuJHoBg1F1BJPgQYTO8fRaPbsJxRP7chCW18=;

    b=E2XXtj5+kjoZ0oFPvjyJF3AQ2deuwERKAMtSdS/3gMl5Gm0YiUlRELTFlyxJNtySe

    18W7CepIN7lu6hkG64WHLNtCoweCK94/n+evjpHGhsA206ScFeBZVNGDPR/T8ZVYtDM

    CmVZCS9t0gaEVC1OCQq//uzbnKfNBzNldu+xuM8=;

Received: from ([127.0.0.1]) with MailEnable ESMTP; Wed, 24 Apr 2019 08:46:07 -0700

To: ****

Subject: malletshop.com Final Notice

Message-ID: <cbde887c4543a41bd9ef9f33f86632ea@px021.nckiwebdesign.gdn>

Return-Path: ****

Date: Tue, 23 Apr 2019 05:42:43 -0400

From: "Domain Service" ****

Reply-To: ****

MIME-Version: 1.0

X-Mailer-LID: 35

List-Unsubscribe: <http://px021.nckiwebdesign.gdn/em/unsubscribe.php?M=1048030&C=4f700bc45ebcb1cc139e0c3550bb2f54&L=35&N=29>

X-Mailer-RecptId: 1048030

X-Mailer-SID: 29

X-Mailer-Sent-By: 1

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: 8bit

X-ME-Bayesian: 0.000000

     


[Emails Edited by Moderator]

Apr 25, 2019 12:36 AM in response to sarahfromranchos

This happened to me this morning. Last night I quit all apps and shut down. Turned on this morning and EXACTLY the same thing happened. I sent the Mixbuilder app to the trash and cleared my Safari history. But all my extensions have disappeared - including 1Password. This is extremely worrying. I did not download anything from the web. Is this the first instance of a true Mac virus?

Apr 25, 2019 1:47 AM in response to Captain Slocum

To add to what I have written above, after I had sent the Mixbuilder app to the trash and discovered all my Safari extensions were gone, I reinstalled my 1Password extension, but when I tried to reinstall my Todoist extension, the extensions page just says "open". It won't let me re-install it.


Any ideas how I can reinstall it?


I suspect this is the first couple of days of this malware and it is going to be a huge thing. An application that installs itself on a Mac and logs all the passwords you enter online (how many people check their extensions in preferences every time they use Safari) is a very serious piece of malware, unprecedented, in my experience, on a Mac.


I hope Apple are taking this very seriously and don't try to cover it up. How do we make Apple aware of it?



Apr 25, 2019 5:35 PM in response to sarahfromranchos

To users who are having this MaxBuilder issue:


Please try these suggestions.

Quoting treed:

“1) Open Malwarebytes

2) In the right-hand pane of the Malwarebytes window, find a label that says "Protection updates". Next to that will be a blue link reading "Current". Click that to force an update... it should change to say "Checking," "Downloading," etc.

3) Start a scan

4) Remove anything that is detected

5) Switch to the Quarantine tab in the Malwarebytes app

6) Click the Clear Quarantine button

7) Restart your computer


Also, note that if you're using a Premium subscription in the latest version of Malwarebytes for Mac, the App Block feature will prevent the MaxBuilder app - and any other apps by the same developer - from running.”


Credit: Thomas Reed, Malwarebytes for Mac.


For instructions: Install Malwarebytes for Mac / Uninstall Malwarebytes for Mac

