I was working on my computer when all of a sudden a window opens indicating something was installed and I was to click ok. However, the cursor was locked up and I had to shut down my computer. There was also something about a Safari extension called MixBuilder. When I restarted the computer, I found an extension in Safari and an application installed called MixBuilder. I deleted both. Has anyone else run into this?
MacBook Pro 15", macOS 10.14
I too experienced the same download, cursor freeze up, need to restart my computer, Safari launching with my normal extensions missing/deactivated. I immediately looked into Safari prefs, found my extensions deactivated and the mixbuilder extension activated. As this was not what I had in mind, I unchecked mixbuilder and rechecked my usual extensions. Once that was done I wanted to see if my extensions functioned as usual, signed into the main application for the first extension, and was asked to change my password. I checked that I was in the appropriate application and not some fabricated look alike. Once secure that that was my site, I changed the password. I then went to apple.support, in search for chat help on my Safar problemi. The chat helper invited me to download a malware app. and run it. (This was a free trial). I did as asked, and within 5 minutes or so, had the culprit mixbuilder with addition 6 or 7 items quarantined, with option to see what they were, and then to delete. They are no longer residing on my computer, and I am again a happy camper. Thank you APPLE-CHAT Support.
A strange coincidence in my application folder is another app called "ExpertFirstExtension.app" which has the very same icon as mixbuilder. I have not yet ruled out whether these two are related in some fashion. They are similar in their limit of Internet information.
The malware app I was invited to try is called "Malwarebytes.app". It instantly found mixbuilder, and additional items, but did not call into quarantine or question "ExpertFirstExtension". If anyone knows what "ExpertFirstExtension" is or does, please leave a note.
I too experienced the same download, cursor freeze up, need to restart my computer, Safari launching with my normal extensions missing/deactivated. I immediately looked into Safari prefs, found my extensions deactivated and the mixbuilder extension activated. As this was not what I had in mind, I unchecked mixbuilder and rechecked my usual extensions. Once that was done I wanted to see if my extensions functioned as usual, signed into the main application for the first extension, and was asked to change my password. I checked that I was in the appropriate application and not some fabricated look alike. Once secure that that was my site, I changed the password. I then went to apple.support, in search for chat help on my Safar problemi. The chat helper invited me to download a malware app. and run it. (This was a free trial). I did as asked, and within 5 minutes or so, had the culprit mixbuilder with addition 6 or 7 items quarantined, with option to see what they were, and then to delete. They are no longer residing on my computer, and I am again a happy camper. Thank you APPLE-CHAT Support.
A strange coincidence in my application folder is another app called "ExpertFirstExtension.app" which has the very same icon as mixbuilder. I have not yet ruled out whether these two are related in some fashion. They are similar in their limit of Internet information.
The malware app I was invited to try is called "Malwarebytes.app". It instantly found mixbuilder, and additional items, but did not call into quarantine or question "ExpertFirstExtension". If anyone knows what "ExpertFirstExtension" is or does, please leave a note.
This is the first time I read about this extension MixBuilder.
It would be very helpful if you post an EtreCheck report.
EtreCheck is a system diagnostic test.
Download EtreCheck, run it to see if there is any adware installed or not.
Click “Click to download” button,
Open Downloads folder, click on it to open, and then select ”Open”.
“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.
Click “Share Report” button in the toolbar, select “Copy report” .
Paste the report when you reply if you wish.
Note: This is a diagnostic test.
If 5000 words limit applies:
Split the report into two parts and post as two separate posts.
Yes, I uploaded the copy of MixBuilder to malwarebytes and they say they have added it to their database. If you already have Malwarebytes, make sure you update it to the latest version before scanning. They suggest you scan, send to quarantine, delete quarantine and then restart. It seems to have worked as far as I can tell.
FYI, to send the copy to Malwarebytes I had to drag it out of the trash, zip it, then put it back in the trash - a few seconds. Doing this was enough to start Mixbuilder automatically reinstalling itself, adding it's extension to safari again and removing my existing extensions again!
Download EtreCheck, run it to see if there is any adware installed or not.
Click “Click to download” button,
Open Downloads folder, click on it to open, and then select ”Open”.
“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.
Click “Share Report” button in the toolbar, select “Copy report” .
Paste the report when you reply if you wish.
Note: This is a diagnostic test.
If 5000 words limit applies:
Split the report into two parts and post as two separate posts.
Please don't remove the malware yet.
I have selected portions of the report that might be related. Will take several posts. Comments?
EtreCheck version: 5.2 (5C006)
Report generated: 2019-04-24 11:03:28
Download EtreCheck from https://etrecheck.com
Runtime: 2:49
Performance: Excellent
Problem: Other problem
Description:
safari extension and corresponding application installed automatically
without permission (MixBuilder)
Major Issues:
Anything that appears on this list needs immediate attention.
Battery failure - Your battery is reporting that it needs to be serviced.
Adware - Adware detected.
Minor Issues:
These issues do not need immediate attention but they may indicate future problems or opportunities for improvement.
High battery cycle count - Your battery may be losing capacity.
Apps crashing - There have been numerous app crashes.
Clean up - There are orphan files that could be removed.
Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.
32-bit Apps - This machine has 32-bits apps will not work after macOS 10.14 “Mojave”.
Limited drive access - More information may be available with Full Drive Access.
Hardware Information:
MacBook Pro (Retina, 15-inch, Mid 2012)
MacBook Pro Model: MacBookPro10,1
1 2.3 GHz Intel Core i7 (i7-3615QM) CPU: 4-core
8 GB RAM - Not upgradeable
BANK 0/DIMM0 - 4 GB DDR3 1600 ok
BANK 1/DIMM0 - 4 GB DDR3 1600 ok
Battery: Health = Service Battery - Cycle count = 895
Network:
Interface en0: AirPort
802.11 a/b/g/n
Interface Bluetooth-Modem: Bluetooth DUN
Interface en4: Bluetooth PAN
Interface bridge0: Thunderbolt Bridge
Interface fw0: Thunderbolt FireWire
Interface en3: USB Ethernet
Interface en6: iPad
Interface en5: iPhone
System Software:
macOS Mojave 10.14.4 (18E226)
Time since boot: About a day
Security:
Gatekeeper: Enabled
System Integrity Protection: Enabled
Adware:
Launchd: /Library/LaunchDaemons/com.HermesLookupDaemon.plist
Reason: Adware pattern match
Executable: /Library/Application Support/com.HermesLookupDaemon/HermesLookup r
Launchd: ~/Library/LaunchAgents/com.HermesLookup.plist
Reason: Adware pattern match
Executable: ~/Library/Application Support/com.HermesLookup/HermesLookup r
Unsigned Files:
Launchd: ~/Library/LaunchAgents/com.adobe.ARM.***.plist
Executable: /Applications/Adobe Reader 9/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper
Details: Close match found in the whitelist - probably OK
Launchd: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist
Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck
Details: Exact match found in the whitelist - probably OK
Launchd: /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist
Executable: /Library/PrivilegedHelperTools/com.microsoft.office.licensing.helper
Details: Exact match found in the whitelist - probably OK
Launchd: ~/Library/LaunchAgents/com.dtv.vgconnect.uninstall.plist
Executable: /bin/sh -c /tmp/vgconnect.DTV/condUninstall.sh
Yep. Saw that.
I decided to go with EtreCheck instead to remove the adware (as recommended by Eric Root).
This cleans things up a bit (it looks like I wasn't in bad shape), BUT it doesn't explain what MixBuilder is and why it so visibly downloaded & installed itself on my computer.
You really should download and run Malwarebytes and report the findings, but it's not really required to post or upload to their Forum.
Forum membership is open to all that register.
That said, they do now have a copy of the MixBuilder.app now from one of the other participants here for evaluation and we'll let you know what they have to say.
I encountered it yesterday and I removed the mix builder app. I'll have to look for the Safari extension.
I also used Malwarebytes to identify other adware that downloaded to my MacBook Air. Used the free version, not premium.
Two things:
That is all I have done so far. I have not yet tried Dominic 23's suggestion. Maybe you should wait before doing anything.
Original poster here. It has been over 2 weeks since my incident with mixbuilder, and I thought that I would report that simply trashing the application and uninstalling the safari extension seems to have been sufficient in removing this intruder from my computer. (The other stuff I did at the suggestion of repliers was after the fact.) There have been no further incidents. I have no idea where it came from (I try to be very sensible about what websites I visit and what emails I open, and sometimes use "private windows" in Safari, but otherwise make no extraordinary efforts to guard against intruders beyond the regularly recommended Apple routines). It would be nice to know how it got on my computer, just to satisfy my curiosity. And it has certainly been an experience being involved in the discovery of a new malware/intruder/whatever-it-is.
Can you tell us what you mean by "popping up"? Screenshot, perhaps?
Also, we are still looking for the source of this thing, so if you know when it started and can tell us from your browser history what site it came from that would be awesome.
Instructions can be found as a pinned article at the top of that forum.
It can only read passwords and personal information you entered into web sites. It can't access your computer to get all of your passwords.
Yeah, same thing here. I didn't reboot however, I was able to unlock my cursor by holding esc and shift. I deleted both too.
I had the same issue. I was watching a YouTube video and the next thing you now my computer had installed this safari extension and my computer froze. I forced a shutdown and then turned my computer back on. I immediately uninstalled the program, but I am concerned because it seems that this extension has access to all my passwords. I am very worried that my personal information has been compromised. Apple, please help
mixbuilder application and safari extension???
