Browser hijacker

I made a mistake and hijacked Safari. The option to change my landing page, where this appears, is greyed out. I was hoping the new OS would somehow clear out this bug but it didn't. None of the fixes suggested online sorted me out. So I can't use Safary anymore.


[Link Edited by Moderator]


iMac Line (2012 and Later)

Posted on Oct 9, 2019 8:20 AM

Reply

Similar questions

69 replies

Oct 13, 2019 10:28 AM in response to macjack

Here's something I've been holding off on. Safari works as expected in your test user. You could upgrade your test user to an Admin account and move the content of your present user account into the new Admin, with the exception of your Library folder. Here's how to do that:


  • In System Preferences > User & Groups Make Admin Select “Allow user to administer this computer.”
  • Move the contents of the folders (not the folders themselves i.e. Desktop/Downloads/Documents/etc) in your present account into Users/Shared with the exception of Library.
  • From Users/Shared then move them into your new Admin Account

(Some applications may open as new and there may some items you want to selectively retrieve from your old user Library)

  • Test for several days, if all is well after that you can delete the old admin.




Oct 21, 2019 10:55 PM in response to TheLittles

Me again. Sorry to say that even though we've hardly used Safari, I see this morning that "SafeFinderforMac" has hijacked the browser again. Just for interest's sake, some details. The home page preference was greyed again but with the usual Google URL in it. I looked again for the plist I deleted last time (recommended here and it worked) I found it again. The path was:

Macintosh HD > Library > Managed Preferences > myfullname. In there were two files called com.apple.Safari.plist and complete.plist. I'm attaching screen shots. After deleting the entire folder the home page preference was no longer greyed out and I could change it. So the only remaining question, I suppose, is how this thing managed to claw its way back onto my system?

Oct 22, 2019 7:23 AM in response to pvdlugt

“How” is easy. You, or someone with access to your login.

How it persists? Interesting, but we’re remote and have no access to your system to dig into what has been added.

And malware adapts, and is re-coded to make this detection more difficult, and is increasingly infection-unique.

Assuming MalwareBytes does not locate this...

Back up. Back up again. Build a bootable installer Wipe this system. Do not copy over applications.

Somebody has installed some application that persists this, some launch script, some login script, etc.

https://www.myantispyware.com/2018/10/22/how-to-remove-homesweeklies-com-chrome-firefox-safari/

I would not install any add-on anti-malware other than MalwareBytes. There are a lot of sketchy removal tools.

Oct 10, 2019 5:52 AM in response to pvdlugt

Arrgh! That should have worked. OK replace the folder on your Desktop to the same location. Now, try starting up in Safe Mode:

Use safe mode to isolate issues with your Mac - Apple Support

If it works as expected in Safe Mode, then go to System Preferences > Users & Groups > Login Items and use the (-) button to delete them. (You can always add them back with the (+) button) then restart normally.

Oct 10, 2019 7:57 AM in response to pvdlugt

Something in your user account is preventing it from working correctly.

If you want to give up, I can understand that. If you want to try one more thing thing, Etrecheck  is a diagnostic tool that's very useful to us in finding problems. It will create a snapshot of your Mac. After it runs post the log file here. It will contain no personal information. Allowing full drive access will improve the quality of the report.


To post the log file click on share report and use the Page icon in your reply window.

Oct 10, 2019 12:33 PM in response to pvdlugt

Get complete and current backups before the following, in the off chance something goes wrong with a command here, or some other sequence listed in this thread. Always have backups.


There are several missing or corrupted apps. TeamViewer, chmod BPF (usually libpcap or Wireshark, a network packet-capture-related tool, presumably), MalwareBytes itself. This does not bode well...


I’d hope that enabling full drive access on EtreCheck would also show it and so too should the System Preferences mentioned earlier, but on the off chance this has been buried more deeply (somehow), launch Terminal.app and issue the following one-line command and press return, and then specifying your admin password when prompted:


sudo profiles -P


This command will display all configuration profiles present, if any. Profiles can be used to override settings.


Unlikely to help, but should also be harmless:

diskutil resetUserPermissions / `id -u`

Note those are back-ticks, and not apostrophes.


Unless you really need it, I’d remove Flash Player. The removal tool is a download at the Adobe web site. Fake Flash players have been an ongoing problem, and Flash itself has had security problems.

Oct 13, 2019 5:51 AM in response to pvdlugt

I found instructions for removing homeweeklies:

https://www.pcrisk.com/removal-guides/13902-homesweeklies-com-redirect-mac

Do NOT download any so-called "cleaners". Use the manual removal instructions.

Also instructions from Malwaretips (which says Malwarebytes should remove it. You may need to reinstall it to remove it.)

https://malwaretips.com/blogs/remove-homesweeklies-com/



Oct 13, 2019 11:40 PM in response to pvdlugt

Perhaps move the Preferences first to the desktop - to be sure! Later you may delete them.


In Users/Library/Preferences are some Safari Preferences:


com.apple.Safari.SafeBrowsing.plist
com.apple.Safari.SandboxBroker.plist
com.apple.Safari.plist
com.apple.SafariBookmarksSyncAgent.plist
com.apple.SafariCloudHistoryPushAgent.plist


I would start with com.apple.Safari.plist


Hope this helps


marek


Oct 10, 2019 10:49 AM in response to pvdlugt

DElete these files & Restart...


/Library/LaunchDaemons/com.teamviewer.teamviewer_service.plist


/Library/LaunchDaemons/com.malwarebytes.mbam.rtprotection.daemon.plist


/Library/LaunchAgents/com.teamviewer.teamviewer.plist


/Library/LaunchDaemons/org.tcpdump.chmod_bpf.plist


/Library/LaunchAgents/com.teamviewer.teamviewer_desktop.plist


/Library/LaunchAgents/com.malwarebytes.mbam.frontend.agent.plist


Do another etrecheck report after restart.

Oct 10, 2019 12:19 PM in response to pvdlugt

Don't worry about anyone's time. As user-to-user volunteers, we wouldn't be here if we didn't have the time to devote to helping others.


So GOG is out. But we do know something in your normal user account is locking Safari's settings. The problem is finding it. And that isn't turning out to be easy. An EtreCheck report normally uncovers anything suspicious since the OS itself reports all running processes.


I have no other ideas a the moment. You've already run MalwareBytes for Mac, and we've gone through the EtreCheck report.

Oct 13, 2019 10:33 AM in response to macjack

Something here is not what it pretends, most likely. If the reset permissions was done, and if no user and no system profiles are present, and if no Safari extensions, then one of the other apps installed here is probably not what it claims to be. Whether that other app is bootleg, or is itself patched. Seemingly the last EtreCheck posted was not showing full access, either. I’m left with validating the digital signature for each app present, and that’s a slog.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Browser hijacker

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.