Apple Event: May 7th at 7 am PT
I was working on my computer when all of a sudden a window opens indicating something was installed and I was to click ok. However, the cursor was locked up and I had to shut down my computer. There was also something about a Safari extension called MixBuilder. When I restarted the computer, I found an extension in Safari and an application installed called MixBuilder. I deleted both. Has anyone else run into this?
MacBook Pro 15", macOS 10.14
Original poster here. It has been over 2 weeks since my incident with mixbuilder, and I thought that I would report that simply trashing the application and uninstalling the safari extension seems to have been sufficient in removing this intruder from my computer. (The other stuff I did at the suggestion of repliers was after the fact.) There have been no further incidents. I have no idea where it came from (I try to be very sensible about what websites I visit and what emails I open, and sometimes use "private windows" in Safari, but otherwise make no extraordinary efforts to guard against intruders beyond the regularly recommended Apple routines). It would be nice to know how it got on my computer, just to satisfy my curiosity. And it has certainly been an experience being involved in the discovery of a new malware/intruder/whatever-it-is.
You really should download and run Malwarebytes and report the findings, but it's not really required to post or upload to their Forum.
Forum membership is open to all that register.
That said, they do now have a copy of the MixBuilder.app now from one of the other participants here for evaluation and we'll let you know what they have to say.
Yes, I uploaded the copy of MixBuilder to malwarebytes and they say they have added it to their database. If you already have Malwarebytes, make sure you update it to the latest version before scanning. They suggest you scan, send to quarantine, delete quarantine and then restart. It seems to have worked as far as I can tell.
FYI, to send the copy to Malwarebytes I had to drag it out of the trash, zip it, then put it back in the trash - a few seconds. Doing this was enough to start Mixbuilder automatically reinstalling itself, adding it's extension to safari again and removing my existing extensions again!
I too experienced the same download, cursor freeze up, need to restart my computer, Safari launching with my normal extensions missing/deactivated. I immediately looked into Safari prefs, found my extensions deactivated and the mixbuilder extension activated. As this was not what I had in mind, I unchecked mixbuilder and rechecked my usual extensions. Once that was done I wanted to see if my extensions functioned as usual, signed into the main application for the first extension, and was asked to change my password. I checked that I was in the appropriate application and not some fabricated look alike. Once secure that that was my site, I changed the password. I then went to apple.support, in search for chat help on my Safar problemi. The chat helper invited me to download a malware app. and run it. (This was a free trial). I did as asked, and within 5 minutes or so, had the culprit mixbuilder with addition 6 or 7 items quarantined, with option to see what they were, and then to delete. They are no longer residing on my computer, and I am again a happy camper. Thank you APPLE-CHAT Support.
A strange coincidence in my application folder is another app called "ExpertFirstExtension.app" which has the very same icon as mixbuilder. I have not yet ruled out whether these two are related in some fashion. They are similar in their limit of Internet information.
The malware app I was invited to try is called "Malwarebytes.app". It instantly found mixbuilder, and additional items, but did not call into quarantine or question "ExpertFirstExtension". If anyone knows what "ExpertFirstExtension" is or does, please leave a note.
Can you tell us what you mean by "popping up"? Screenshot, perhaps?
Also, we are still looking for the source of this thing, so if you know when it started and can tell us from your browser history what site it came from that would be awesome.
How can you tell where it came from by looking at browser history? What do you look for?
I should mention that since I removed the application (moved to trash) and the extension (clicked uninstall in Safari preferences/extensions), I have had no further occurrences. (I also removed the 2 pieces of adware identified by EtreCheck.)
Further edit: I just looked at my history. Just in time because I have my settings to clear after 1 week and therefore had no history beyond the day mix builder manifested. That day there were no strange websites, only legitimate ones (such as the website of one of our utilities).
Download EtreCheck, run it to see if there is any adware installed or not.
Click “Click to download” button,
Open Downloads folder, click on it to open, and then select ”Open”.
“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.
Click “Share Report” button in the toolbar, select “Copy report” .
Paste the report when you reply if you wish.
Note: This is a diagnostic test.
If 5000 words limit applies:
Split the report into two parts and post as two separate posts.
Please don't remove the malware yet.
I encountered it yesterday and I removed the mix builder app. I'll have to look for the Safari extension.
I also used Malwarebytes to identify other adware that downloaded to my MacBook Air. Used the free version, not premium.
To elHw: I'm not an expert by any means, so you can take this for what it's worth. But I'm going to make a suggestion. Try starting a new discussion with ExpertFirstExtension prominent in the title. When people search the problem, they are more likely to find your question. That's what I did. You might also do a search at the malwarebytes website. If it is something new, they may not know about it yet.
Same thing happened to my computer this morning. Could you please tell me how you deleted the Safari extension and MixBuilder? I am not very computer literate. Thanks!
Sarahfromranchos I have the same issue! Have you tried what Dominic 23 suggested and did it work?
It can only read passwords and personal information you entered into web sites. It can't access your computer to get all of your passwords.
Yeah, same thing here. I didn't reboot however, I was able to unlock my cursor by holding esc and shift. I deleted both too.
If anybody here still have the app and / or Safari extension, will you please upload it here so it can be analyzed:
Malwarebytes https://forums.malwarebytes.com/forum/193-newest-mac-threats/
If you could post step by step instructions for uploading the extension, it would be helpful.
Best.
Instructions can be found as a pinned article at the top of that forum.
mixbuilder application and safari extension???
