mixbuilder application and safari extension???

I was working on my computer when all of a sudden a window opens indicating something was installed and I was to click ok. However, the cursor was locked up and I had to shut down my computer. There was also something about a Safari extension called MixBuilder. When I restarted the computer, I found an extension in Safari and an application installed called MixBuilder. I deleted both. Has anyone else run into this?

MacBook Pro 15", macOS 10.14

Posted on Apr 23, 2019 2:45 PM

Question marked as Top-ranking reply

Posted on Apr 27, 2019 7:16 PM

I too experienced the same download, cursor freeze up, need to restart my computer, Safari launching with my normal extensions missing/deactivated. I immediately looked into Safari prefs, found my extensions deactivated and the mixbuilder extension activated. As this was not what I had in mind, I unchecked mixbuilder and rechecked my usual extensions. Once that was done I wanted to see if my extensions functioned as usual, signed into the main application for the first extension, and was asked to change my password. I checked that I was in the appropriate application and not some fabricated look-alike. Once secure that that was my site, I changed the password. I then went to apple.support, in search of chat help on my Safari problem. The chat helper invited me to download a malware app and run it. (This was a free trial). I did as asked, and within 5 minutes or so, had the culprit mixbuilder with an additional 6 or 7 items quarantined, with the option to see what they were, and then to delete. They are no longer residing on my computer, and I am again a happy camper. Thank you APPLE-CHAT Support.

A strange coincidence in my application folder is another app called "ExpertFirstExtension.app" which has the very same icon as mixbuilder. I have not yet ruled out whether these two are related in some fashion. They are similar in their limit of Internet information.

The malware app I was invited to try is called "Malwarebytes.app". It instantly found mixbuilder, and additional items, but did not call into quarantine or question "ExpertFirstExtension". If anyone knows what "ExpertFirstExtension" is or does, please leave a note.

33 replies

Apr 24, 2019 9:01 PM in response to sarahfromranchos

FYI: I opened an email, Subject title (Domain Service) Final notice. I opened the email, and then the cursor froze up etc. Here is the header of the email:


Return-Path: <****>

Delivered-To: ****

From info@nckiwebdesign.gdn Wed Apr 24 15:46:19 2019

Return-Path: <****>

Delivered-To: ****

Received: (qmail 25490 invoked by uid 89); 24 Apr 2019 15:46:19 -0000

Received: by simscan 1.2.0 ppid: 25466, pid: 25472, t: 1.2462s

    scanners: attach: 1.2.0 clamav: 0.96.5/m: spam: 3.1.4

X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on 

    qsmtp001.serverphase.com

X-Spam-Level: 

X-Spam-Status: No, score=-4.6 required=10.0 tests=DATE_IN_PAST_24_48,

    HTML_MESSAGE,HTML_TAG_EXIST_TBODY,MIME_HTML_ONLY,UNPARSEABLE_RELAY,

    USER_IN_WHITELIST_TO autolearn=disabled version=3.1.4

Received: from unknown (HELO mail.bbsar.org) (42.231.163.42)

    by qsmtp001.serverphase.com with SMTP; 24 Apr 2019 15:46:18 -0000

Received-SPF: pass (qsmtp001.serverphase.com: SPF record at nckiwebdesign.gdn designates 42.231.163.42 as permitted sender)

dkim-signature:v=1; c=relaxed/relaxed; h=to:subject:message-id:date:from:reply-to:mime-version:list-unsubscribe:content-type:content-transfer-encoding;

    d=nckiwebdesign.gdn; s=default; a=rsa-sha256;

    bh=Byi8ptHQuJHoBg1F1BJPgQYTO8fRaPbsJxRP7chCW18=;

    b=E2XXtj5+kjoZ0oFPvjyJF3AQ2deuwERKAMtSdS/3gMl5Gm0YiUlRELTFlyxJNtySe

    18W7CepIN7lu6hkG64WHLNtCoweCK94/n+evjpHGhsA206ScFeBZVNGDPR/T8ZVYtDM

    CmVZCS9t0gaEVC1OCQq//uzbnKfNBzNldu+xuM8=;

Received: from ([127.0.0.1]) with MailEnable ESMTP; Wed, 24 Apr 2019 08:46:07 -0700

To: ****

Subject: malletshop.com Final Notice

Message-ID: <cbde887c4543a41bd9ef9f33f86632ea@px021.nckiwebdesign.gdn>

Return-Path: ****

Date: Tue, 23 Apr 2019 05:42:43 -0400

From: "Domain Service" ****

Reply-To: ****

MIME-Version: 1.0

X-Mailer-LID: 35

List-Unsubscribe: <http://px021.nckiwebdesign.gdn/em/unsubscribe.php?M=1048030&C=4f700bc45ebcb1cc139e0c3550bb2f54&L=35&N=29>

X-Mailer-RecptId: 1048030

X-Mailer-SID: 29

X-Mailer-Sent-By: 1

Content-Type: text/html; charset="UTF-8"

Content-Transfer-Encoding: 8bit

X-ME-Bayesian: 0.000000

     


[Emails Edited by Moderator]
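The header quoted in the post above can be read mechanically. The following is an added example, not part of the original post: it compares what the message claims (Date, Subject) with what the receiving server recorded (Received, Received-SPF). The function names and the last-two-labels domain comparison are assumptions of this example; the sample is built from header lines in the post.

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: selected header lines from the post above; addresses the
# moderator redacted stay as "****".
SAMPLE = """\
Received: from unknown (HELO mail.bbsar.org) (42.231.163.42)
    by qsmtp001.serverphase.com with SMTP; 24 Apr 2019 15:46:18 -0000
Received-SPF: pass (qsmtp001.serverphase.com: SPF record at nckiwebdesign.gdn designates 42.231.163.42 as permitted sender)
Subject: malletshop.com Final Notice
Date: Tue, 23 Apr 2019 05:42:43 -0400
From: "Domain Service" ****

"""

def _utc(dt):
    # parsedate_to_datetime returns a naive datetime for a "-0000" zone.
    return dt.replace(tzinfo=timezone.utc) if dt.tzinfo is None else dt.astimezone(timezone.utc)

def _site(host):
    # Assumption: the last two labels identify the owner. Good enough for this
    # sample; real code should consult the Public Suffix List.
    return ".".join(host.lower().strip(".").split(".")[-2:])

def triage(raw):
    """Compare what the message claims with what the receiving server recorded."""
    msg = message_from_string(raw)
    received = " ".join(msg["Received"].split())   # unfold continuation lines
    spf = " ".join(msg["Received-SPF"].split())
    sent = _utc(parsedate_to_datetime(msg["Date"]))
    seen = _utc(parsedate_to_datetime(received.rsplit(";", 1)[1].strip()))
    helo = re.search(r"\(HELO ([^)\s]+)\)", received).group(1)
    spf_domain = re.search(r"SPF record at (\S+) designates", spf).group(1)
    named = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", msg["Subject"], re.I)
    return {
        "spf_result": spf.split()[0],
        "spf_domain": spf_domain,
        # Gap between the claimed send time and actual receipt.
        "date_lag_hours": round((seen - sent).total_seconds() / 3600, 1),
        # Does the connecting host's HELO name belong to the SPF-checked domain?
        "helo_matches_spf_domain": _site(helo) == _site(spf_domain),
        # Is the domain named in the Subject the one that actually sent the mail?
        "subject_domain_matches_sender": bool(named)
        and _site(named.group(0)) == _site(spf_domain),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

The SPF "pass" here only says that 42.231.163.42 is allowed to send for nckiwebdesign.gdn; it says nothing about the domain named in the Subject, and the lag figure is the same condition the DATE_IN_PAST_24_48 test in X-Spam-Status records.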

Apr 30, 2019 6:20 AM in response to MadMacs0

How can you tell where it came from by looking at browser history? What do you look for?


I should mention that since I removed the application (moved to trash) and the extension (clicked uninstall in Safari preferences/extensions), I have had no further occurrences. (I also removed the 2 pieces of adware identified by EtreCheck.)


Further edit: I just looked at my history. Just in time because I have my settings to clear after 1 week and therefore had no history beyond the day mix builder manifested. That day there were no strange websites, only legitimate ones (such as the website of one of our utilities).

May 13, 2019 6:41 AM in response to elHw

Does anyone have "ExpertFirstExtension.app" on their computer, know what it is, why it is...any info at all???

I found no further reference or extension of "mixbuilder" on my computer after using Malwarebytes.app. HOWEVER...

I continue to question the presence of "ExpertFirstExtension.app" appearing in my app folder as of Jan 8th 2019. I did not download it, and am the only user on this computer.

This morning I checked my Safari extensions, and found an extension for "ExpertFirstExtension 1.0".

I don't know what it is, and am quite suspicious as its icon is the same as "mixbuilder" and it is now starting to behave like mixbuilder, by adding the extension I did not approve.

I searched the internet for any info on this app, and found NOTHING AT ALL, which feeds my suspicion.

The only reason I have not deleted it is that I am not sure the app isn't an intended part of the Mojave OS system, or some important item.

I ran Malwarebytes.app, which reports NO problem.

Info on this possible intruder is appreciated.

Apr 24, 2019 10:29 AM in response to dominic23

2nd set of report


 Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchAgents/com.oracle.java.Java-Updater.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.nds.pcshow.plist


        Executable: /bin/sh -c $HOME/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/Resources/launch.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist


        Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.nds.pcshow.uninstall.plist


        Executable: /bin/sh -c /tmp/vgconnect/condUninstall.sh


        Details: Exact match found in the whitelist - probably OK




    Launchd: ~/Library/LaunchAgents/com.dtv.vgconnect.plist


        Executable: /bin/sh -c $HOME/Library/NDSPCShowServer.DTV/NDSPCShowServer.DTV.bundle/Contents/Resources/launch.sh


        Details: Exact match found in the whitelist - probably OK




32-bit Applications:


    37 32-bit apps




Kernel Extensions:


    /System/Library/Extensions


        [Not Loaded] NovatelWireless3G.kext (v3.0.2 (003))


        [Not Loaded] NovatelWirelessFilter.kext (v2.0.6)


        [Not Loaded] SierraSupport.kext (1.4.11)


        [Not Loaded] SierraSwitch.kext (1.2.2)


        [Not Loaded] SierraSwitchKicker.kext (1.0.0)


        [Not Loaded] SMSIWirelessModem.kext (3.2.6)




    /System/Library/Extensions/NovatelWireless3G.kext/Contents/Plugins


        [Not Loaded] NovatelWireless3GData.kext (v3.0.2 (003))




    /System/Library/Extensions/SMSIWirelessModem.kext/Contents/PlugIns


        [Not Loaded] SMSIWirelessCDC.kext (3.2.6)


        [Not Loaded] SMSIWirelessSerial.kext (3.2.6)




System Launch Agents:


    [Not Loaded] 16 Apple tasks


    [Loaded] 156 Apple tasks


    [Running] 129 Apple tasks




System Launch Daemons:


    [Not Loaded] 36 Apple tasks


    [Loaded] 181 Apple tasks


    [Running] 120 Apple tasks




Launch Agents:


    [Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2019-04-17)


    [Not Loaded] com.oracle.java.Java-Updater.plist (? 48864dc8 - installed 2018-12-15)




Launch Daemons:


    [Loaded] com.HermesLookupDaemon.plist (Adware - installed 2019-01-14)


    [Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2019-03-26)


    [Not Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2019-03-21)


    [Loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2019-04-01)


    [Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2019-04-17)


    [Loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e - installed 2011-03-10)


    [Not Loaded] com.oracle.java.Helper-Tool.plist (? e3fefdd2 - installed 2018-12-15)




User Launch Agents:


    [Loaded] com.HermesLookup.plist (Adware - installed 2018-12-17)


    [Loaded] com.adobe.ARM.***.plist (? 0 - installed 2017-08-16)


    [Loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2018-03-16)

Apr 24, 2019 10:32 AM in response to dominic23

3rd set of report



  [Loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2019-02-13)


    [Running] com.dtv.vgconnect.plist (? 0 - installed 2019-03-21)


    [Loaded] com.dtv.vgconnect.uninstall.plist (? 0 - installed 2019-03-21)


    [Running] com.hp.devicemonitor.plist (HP Inc. - installed 2019-04-23)


    [Loaded] com.logmein.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2018-03-16)


    [Running] com.nds.pcshow.plist (? 0 - installed 2019-03-21)


    [Loaded] com.nds.pcshow.uninstall.plist (? 0 - installed 2019-03-21)


    [Not Loaded] jp.co.canon.Inkjet_Extended_Survey_Agent.plist (? 0 - installed 2009-08-30)




User Login Items:


    Dropbox.app (Dropbox, Inc. - installed 2019-04-05)


        (Application - /Applications/Dropbox.app)




Internet Plug-ins:


    WebVideoPlugin: 3.0.5.26 (? - installed 2016-12-22)


    o1dbrowserplugin: 5.41.3.0 (? - installed 2015-12-15)


    Flip4Mac WMV Plugin: 2.3.8.1 (? - installed 2011-01-13)


    Silverlight: 5.1.41212.0 (? - installed 2016-06-13)


    FlashPlayer-10.6: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    Flash Player: 32.0.0.171 (Adobe Systems, Inc. - installed 2019-04-09)


    iPhotoPhotocast: 7.0 (Apple - installed 2010-03-31)


    googletalkbrowserplugin: 5.41.3.0 (? - installed 2015-12-11)


    SharePointBrowserPlugin: 14.7.7 (? - installed 2019-01-27)


    AdobePDFViewer: 9.5.5 (? - installed 2017-08-16)


    GarminGpsControl: 4.0.4.0 Release (? - installed 2012-11-02)


    EPPEX Plugin: 3.0.5.0 (? - installed 2009-07-29)


    JavaAppletPlugin: Java 8 Update 201 build 09 (? - installed 2019-03-22)




User Internet Plug-ins:


    OctoshapeWeb: 1.0 (? - installed 2015-01-30)




Audio Plug-ins:


    AppleTimeSyncAudioClock: 1.0 (Apple - installed 2019-04-03)


    BluetoothAudioPlugIn: 6.0.11 (Apple - installed 2019-04-03)


    AirPlay: 2.0 (Apple - installed 2019-04-03)


    AppleAVBAudio: 740.1 (Apple - installed 2019-04-03)


    BridgeAudioSP: 5.39 (Apple - installed 2019-04-03)


    iSightAudio: 7.7.3 (Apple - installed 2019-04-03)




3rd Party Preference Panes:


    Flash Player (installed 2019-03-26)


    Flip4Mac WMV (installed 2011-01-13)


    Java (installed 2019-03-22)


    MacFUSE (installed 2010-09-10)




Software Installs (past 30 days):


    Install Date Name (Version)


    2019-03-29 Numbers (6.0)


    2019-03-29 Pages (8.0)


    2019-04-03 Keynote (9.0)


    2019-04-09 Adobe Flash Player (32.0.0.171)


    2019-04-17 Microsoft AutoUpdate (4.10.19041401)


    2019-04-19 XProtectPlistConfigData (2102)


    2019-04-19 Gatekeeper Configuration Data (165)




Clean up:


    ~/Library/LaunchAgents/jp.co.canon.Inkjet_Extended_Survey_Agent.plist


        /Applications/Canon Utilities/Inkjet Extended Survey Program/Inkjet Extended Survey Program.app/Contents/Resources/Canon_Inkjet_Extended_Survey_Agent


        Executable not found






Diagnostics Information (past 7 days):


    2019-04-24 10:57:59 NDSPCShowServer Crash (160 times)


        Executable: /Users/***/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/MacOS/NDSPCShowServer


        Details: 


            ~/Library/NDSPCShowServer/NDSPCShowServer.bundle/Contents/MacOS/libDrmSingleton.1.22.0..dylib


            terminating with uncaught exception of type nds::vgk::util::VgkUtilException


            abort() called






    2019-04-24 09:06:09 syspolicyd CPU


        Executable: /usr/libexec/syspolicyd




    2019-04-23 16:33:44 backupd CPU (2 times)


        Executable: /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd




    2019-04-23 15:09:33 MixBuilder.app Hang


        Executable: /Applications/MixBuilder.app
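A way to pull the entries worth a second look out of a report like the one posted above, shown as an added example that is not part of the original posts. It sorts launchd entries by the label in parentheses and by whether the job is active. Treating a leading "?" as "signer not identified" is an assumption of this example, and such entries are only candidates to check (the first part of the report lists several of them as whitelist matches).

```python
import re

# Constructed sample: entries copied from the report sections quoted in this
# thread, trimmed to a few lines per section.
SAMPLE = """\
Launch Daemons:
    [Loaded] com.HermesLookupDaemon.plist (Adware - installed 2019-01-14)
    [Loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2019-04-01)
    [Not Loaded] com.oracle.java.Helper-Tool.plist (? e3fefdd2 - installed 2018-12-15)
User Launch Agents:
    [Loaded] com.HermesLookup.plist (Adware - installed 2018-12-17)
    [Running] com.nds.pcshow.plist (? 0 - installed 2019-03-21)
    [Not Loaded] jp.co.canon.Inkjet_Extended_Survey_Agent.plist (? 0 - installed 2009-08-30)
"""

ENTRY = re.compile(
    r"^\s*\[(?P<state>Loaded|Not Loaded|Running)\]\s+(?P<plist>\S+\.plist)"
    r"\s+\((?P<signer>.+) - installed (?P<date>\d{4}-\d{2}-\d{2})\)\s*$")
SECTION = re.compile(r"^(?P<name>[A-Za-z ]*Launch (?:Agents|Daemons)):\s*$")

def review(report):
    """Return sorted (priority, section, state, plist, installed) tuples.

    Priority 1: labelled Adware and active     2: labelled Adware, not loaded
    Priority 3: "?" signer and active          4: "?" signer, not loaded
    Entries with a named signer are skipped.
    """
    section, hits = None, []
    for line in report.splitlines():
        header = SECTION.match(line)
        if header:
            section = header["name"]      # remember which list we are in
            continue
        m = ENTRY.match(line)
        if not m:
            continue                      # summary lines such as "156 Apple tasks"
        active = m["state"] != "Not Loaded"
        if m["signer"] == "Adware":
            prio = 1 if active else 2
        elif m["signer"].startswith("?"):
            prio = 3 if active else 4
        else:
            continue
        hits.append((prio, section, m["state"], m["plist"], m["date"]))
    return sorted(hits)

if __name__ == "__main__":
    for hit in review(SAMPLE):
        print(*hit, sep="  ")
```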

Apr 24, 2019 10:53 AM in response to sarahfromranchos

1. There is adware installed on your Mac.

     Run the latest release of Malwarebytes for Mac to remove malware/adware installed on your Mac.

     For instructions: Install Malwarebytes for Mac | Uninstall Malwarebytes for Mac

     Click the “Scan Now” button. Once done, quit Malwarebytes for Mac.

     Repeat the scan a couple of times.

     Restart the computer and relaunch Safari holding the shift key down.


2. Uninstall unknown extensions:  Safari > Preferences > Extensions

https://support.apple.com/guide/safari/use-safari-extensions-sfri32508/mac

Apr 25, 2019 12:36 AM in response to sarahfromranchos

This happened to me this morning. Last night I quit all apps and shut down. Turned on this morning and EXACTLY the same thing happened. I sent the Mixbuilder app to the trash and cleared my Safari history. But all my extensions have disappeared - including 1Password. This is extremely worrying. I did not download anything from the web. Is this the first instance of a true Mac virus?

Apr 25, 2019 1:47 AM in response to Captain Slocum

To add to what I have written above, after I had sent the Mixbuilder app to the trash and discovered all my Safari extensions were gone, I reinstalled my 1Password extension, but when I tried to reinstall my Todoist extension, the extensions page just says "open". It won't let me re-install it.


Any ideas how I can reinstall it?


I suspect this is the first couple of days of this malware and it is going to be a huge thing. An application that installs itself on a Mac and logs all your passwords you enter online (how many people check their extensions in preferences every time they use Safari) is a very serious piece of malware, unprecedented, in my experience, on a Mac.


I hope Apple are taking this very seriously and don't try to cover it up. How do we make Apple aware of it?



Apr 25, 2019 5:35 PM in response to sarahfromranchos

To users who are having this MixBuilder issue:


Please try these suggestions.

Quoting treed:

“1) Open Malwarebytes

2) In the right-hand pane of the Malwarebytes window, find a label that says "Protection updates". Next to that will be a blue link reading "Current". Click that to force an update... it should change to say "Checking," "Downloading," etc.

3) Start a scan

4) Remove anything that is detected

5) Switch to the Quarantine tab in the Malwarebytes app

6) Click the Clear Quarantine button

7) Restart your computer

Also, note that if you're using a Premium subscription in the latest version of Malwarebytes for Mac, the App Block feature will prevent the MixBuilder app - and any other apps by the same developer - from running.”


Credit: Thomas Reed, Malwarebytes for Mac.


For instructions: Install Malwarebytes for Mac | Uninstall Malwarebytes for Mac


May 13, 2019 9:46 AM in response to elHw

To elHw: I'm not an expert by any means, so you can take this for what it's worth. But I'm going to make a suggestion. Try starting a new discussion with ExpertFirstExtension prominent in the title. When people search the problem, they are more likely to find your question. That's what I did. You might also do a search at the malwarebytes website. If it is something new, they may not know about it yet.
