presidio_studios

Q: BEWARE: Malwarebytes Anti Malware for Mac my negative experience

wondering if anyone else has had a similar experience.

 

We had an iMac that was infected with trovi.   We downloaded Malwarebytes Anti Malware for Mac, and ran it.  It said it removed infections.  I also manually killed the Firefox profile that seems to have originated the trovi problem.  A couple of hours later, that iMac still seems to be fine.

 

 

However, I have a macbook pro that has NEVER given me any trouble with malware etc, but since it cleaned up the iMac, I decided to download and run it on my MBP.

 

Bad move, it scanned and said it found nothing. Then literally a couple minutes later I went to Amazon.com using Chrome. Chrome auto downloaded an "f.txt" file twice. (I visit Amazon multiple times weekly on multiple computers and have never had this occur before.)

 

This HAS NEVER HAPPENED BEFORE my installation of Malwarebytes Anti Malware for Mac.

 

Users beware.  I wish I had never run this on my trusty MBP.

 

Here is the contents of that f.txt file:

 

if (!window.mraid) {document.write('\x3cdiv class="GoogleActiveViewClass" ' +'id="DfaVisibilityIdentifier_2369268652"\x3e');}document.write('\x3ca target\x3d\x22_blank\x22 href\x3d\x22https://adclick.g.doubleclick.net/pcs/click?xai\x3dAKAOjss7PheHqAB7iyuXKepEytlnJ h-hrZ2z8iHvk1Opi2LtQFQNEhJXnSIeZhVUtLl8gQp3UmH-Akjd5thz6Zo6hRxQqdP6E9rjz1xOUeLm2 6X_bVHyiNyLBO1DdlP6lnk2iaeCQeDUUvfpgb7GxzhIpyfu52AP-xR8\x26amp;sig\x3dCg0ArKJSzA xH4_lL0Bne\x26amp;adurl\x3dhttp://adclick.g.doubleclick.net/aclk%3Fsa%3DL%26ai%3 DB4d-dKf__VbviAe78wAHJ1JiQBO7jqewHAAAAEAEgADgAWJbTsIf3AWDJtuyNgKXUEYIBF2NhLXB1Yi 05Njc3NzgwNzIzNDk0NjY2sgEOd3d3LmFtYXpvbi5jb226AQlnZnBfaW1hZ2XIAQnaARZodHRwOi8vd3 d3LmFtYXpvbi5jb20vmAK6DsACAuACAOoCEzQyMTUvYW16bi51cy5zci5hcHP4AoHSHpAD4AOYA-ADqA MB4AQBkAYBoAYf2AcA%26num%3D0%26cid%3D5Ghcfk5bgq1dGVgapo16rW95%26sig%3DAOD64_2RmE 9o3H6Lebfyuq1gKgYgOsdZ4Q%26client%3Dca-pub-9677780723494666%26adurl%3Dhttp://www .amazon.com/Enhanced-Business-Rewards-American-Express/dp/B007Y7FT3A/ref%253Dsr_ 1_1%253Fs%253Dfinancial%2526ie%253DUTF8%2526qid%253D1430342818%2526sr%253D1-1%25 26keywords%253Dgold\x22\x3e\x3cimg src\x3d\x22https://s0.2mdn.net/viewad/4853148/BGR_Convert_CutCosts_160x600.jpg\x22 alt\x3d\x22Advertisement\x22 border\x3d\x220\x22 width\x3d\x22160\x22 height\x3d\x22600\x22\x3e\x3c/a\x3e');if (!window.mraid) {document.write('\x3c/div\x3e');}if (!window.mraid) {(function() {var avDiv = document.getElementById("DfaVisibilityIdentifier_2369268652");if (avDiv) {avDiv['_avi_'] = 'BP4k7Kf__Vbu5J4rewQGE97bgBgAAAAAQATgByAEC4AQCiAWjzJoEoAY-';avDiv['_avihost_'] = 'pagead2.googlesyndication.com';avDiv['_avm_'] = 'lp\x3d1\x26la\x3d0\x26';}var glidar = document.createElement('script');glidar.type = 'text/javascript';glidar.async = true;glidar.src = '//pagead2.googlesyndication.com/pagead/js/lidar.js';var s = document.getElementsByTagName('script')[0];s.parentNode.insertBefore(glidar, s);})();} else {document.write('\x3cimg 
src="//pagead2.googlesyndication.com/activeview?id=lidar2&avi=BP4k7Kf__Vbu5J4re wQGE97bgBgAAAAAQATgByAEC4AQCiAWjzJoEoAY-&r=w" style="display:none;"\x3e\x3c/img\x3e');}document.write('\x3cimg src\x3d\x22https://tag.researchnow.com/t/beacon?pr\x3d7041\x26amp;ca\x3d8824355\x26amp;pl\x 3d119481594\x26amp;cr\x3d65067172\x26amp;si\x3d1004072\x26amp;adn\x3d3\x26amp;tt \x3d3\x26amp;a\x3d1\x26amp;ord\x3d2369268652\x22 height\x3d\x221\x22 width\x3d\x221\x22 border\x3d\x220\x22\x3e\x3cimg src\x3d\x22https://aexp.demdex.net/event?d_event\x3dimp\x26amp;d_bu\x3dopenacq\x26amp;d_src \x3d1458\x26amp;d_creative\x3d65067172\x26amp;d_site\x3d1004072\x26amp;d_adgroup \x3d292385704\x26amp;d_placement\x3d119481594\x26amp;d_campaign\x3d8824355\x26am p;d_cb\x3d2369268652\x22 height\x3d\x221\x22 width\x3d\x221\x22 border\x3d\x220\x22\x3e\x3cscript type\x3d\x22text/javascript\x22 src\x3d\x22https://c.betrad.com/surly.js?;ad_wxh\x3d160x600;coid\x3d273;nid\x3d41718;ecaid\ x3d8824355;\x22\x3e\x3c/script\x3e');(function(){var f=function(a,c,b){return a.call.apply(a.bind,arguments)},g=function(a,c,b){if(!a)throw Error();if(2<arguments.length){var d=Array.prototype.slice.call(arguments,2);return function(){var b=Array.prototype.slice.call(arguments);Array.prototype.unshift.apply(b,d);retu rn a.apply(c,b)}}return function(){return a.apply(c,arguments)}},k=function(a,c,b){k=Function.prototype.bind&&-1!=Functio n.prototype.bind.toString().indexOf("native code")?f:g;return k.apply(null,arguments)};var l=document,m=window;var n=function(a){return{visible:1,hidden:2,prerender:3,preview:4}[a.webkitVisibili tyState||a.mozVisibilityState||a.visibilityState||""]||0},p=function(a){var c;a.mozVisibilityState?c="mozvisibilitychange":a.webkitVisibilityState?c="webki tvisibilitychange":a.visibilityState&&(c="visibilitychange");return c};var r=function(){this.g=l;this.j=m;this.i=!1;this.h=[];this.m={};if(3==n(this.g)){v ar a=k(this.o,this);this.n=a;var 
c=this.g,b=p(this.g);c.addEventListener?c.addEventListener(b,a,!1):c.attachEven t&&c.attachEvent("on"+b,a)}else q(this)};r.p=function(){return r.l?r.l:r.l=new r};var s=/^([^:]+:\/\/[^/]+)/m,t=/^\d*,(.+)$/m,q=function(a){if(!a.i){a.i=!0;for(var c=0;c<a.h.length;++c)a.k.apply(a,a.h[c]);a.h=[]}};r.prototype.q=function(a,c){v ar b=c.target.t();(b=t.exec(b))&&(this.m[a]=b[1])};r.prototype.k=function(a,c){var b;if(b=this.s)i:{try{var d=s.exec(this.j.location.href),e=s.exec(a);if(d&&e&&d[1]==e[1]&&c){var h=k(this.q,this,c);this.s(a,h);b=!0;break i}}catch(y){}b=!1}b||(b=this.j,b.google_image_requests||(b.google_image_request s=[]),d=b.document.createElement("img"),d.src=a,b.google_image_requests.push(d)) };r.prototype.o=function(){if(3!=n(this.g)){q(this);var a=this.g,c=p(this.g),b=this.n;a.removeEventListener?a.removeEventListener(c,b,! 1):a.detachEvent&&a.detachEvent("on"+c,b)}};var u=function(a,c){var b=/(google|doubleclick).*\/pagead\/adview/.test(a),d=r.p(),e=a;if(b){b="&vis="+ n(d.g);c&&(b+="&ve=1");var h=e.indexOf("&adurl"),e=-1==h?e+b:e.substring(0,h)+b+e.substring(h)}d.i?d.k(e,c ):d.h.push([e,c])},v=["pdib"],w=this;v[0]in w||!w.execScript||w.execScript("var "+v[0]);for(var x;v.length&&(x=v.shift());)v.length||void 0===u?w=w[x]?w[x]:w[x]={}:w[x]=u;})();pdib("https://googleads4.g.doubleclick.net/pcs/view?xai\x3dAKAOjss7PheHqAB7iyuXKepEytl nJh-hrZ2z8iHvk1Opi2LtQFQNEhJXnSIeZhVUtLl8gQp3UmH-Akjd5thz6Zo6hRxQqdP6E9rjz1xOUeL m26X_bVHyiNyLBO1DdlP6lnk2iaeCQeDUUvfpgb7GxzhIpyfu52AP-xR8\x26sig\x3dCg0ArKJSzE1W H0wUYnN5EAE\x26adurl\x3d");(function() {if (!window.GoogleTyFxhY || typeof window.GoogleTyFxhY.push !== 'function') {window.GoogleTyFxhY = [];}window.GoogleTyFxhY.push({'_scs_': 'BbpbTKf__Vbu5J4rewQGE97bgBgAAAAA4AeAEAg','_bgu_': 'https://pagead2.googlesyndication.com/bg/hx8mdhyQUK4h_2x42snZXJpmRUZUZi8RHrvewsE 1QDU.js','_bgp_': '1FdDO7la4MxV1Jo7PiN7D3yDzNJ15yrqJSq2SE0jgE5QYU2tQMZejwO4CLLqj9EecXLEbZOydF5D66 
AToME0BUtvQECiXO+2M8FyF4ANcFNBpOnGJgefXmfHm+tgS32OhEujvNtdk62nopGtiMs0RPxWCAwhal 8sd9Onku5CKGP0tM8Ul59l1WA8TSYvT2hNaasRS+clxFRrM0Dv8ddOL8zAj2hAmWGJ9GL/Xss678rl0h T4nxyFHExW6+ynJmTCPXu5lavN6BXk5rGfQzHNXbvKlcH48HoMur3rEJG6k2w8G3Xluo4U1iGhNkgofF qY9WQ91ONyu4VvCNh892BSjKkR+JqK7YcW4vp1nwOCxigx46ICeBm6EuMk0mTURnBSUNibOKolQNveQ3 nuZGP3g5CKF2029YIdl8oaHQ5yxyhqGCO1t9m9b+NAiw1Tn3SydkBTA7UD3VOi16jLc9MT+NUE6ELFA5 WsvQXGa9pTMsINWPWQJH2VJgjtuDkLD88Bwes6r2xYWGF8d2C3yeLmtzig/+b0rdwBgnpRqKpxKlXRZj ZlPaszjk3pXJW/fi3UCNUqO8b0lMfQ/9mlgcZz1KvOen+bnhgz95a5588j4xnaxQ78VcUdw3PyManJhN fjgiBJ/N+B+EfvfAXjC9dTfrEPGwBKoP2AiCUN13HmMVilvT6CbUkGkN0wjeyHKHla3lXRiwQnjNft+P L0D5bnl0qOFBlab0Q4M0dcybWmVnE4b8xB/OpvaSM3aKLSMs/rWwYWoPgPG5K/q2yJbD2MUJVF4NQVra EyEihtZtVFZ9q9Tqu+2GV8xhUcCs6nCa7X5d3PNIkTJe+3MU6lmdURJjl+2ncnUmU5V9VVZNGv++clcU 1i/xjTwZp7lLAvk8g5UiqRm6qLByd41XNNJu9T3VbhWNveUA+Aqn6PjTQyV2XOBSR7FTWLEp7tIllAft RsiOReRuN0ohddMEFJaGneWqD9L0cSyMjq6WNfN4DYWN05n+EYg1lnZTjWTOvV+60+hrGdD1qke10j7t zUPJWQGNpdfTymH3odsfHf3GfcRTst7ItsTpg12H57T+iBY6hH7OoDKAAbuTvpwHs4xPdp1bZMQnb2F9 t6VWvmgIREeCT7um5M3hLVAfL3841BMGb+lPL8hdK0iYs/+rOG72bk04E195j1BxRB702pdPpTVd/uKt z+1LX+9sm1tISlme1EtCDdWTA48I7v93y7XjPtxlo7aCbUoPj1pcnc7zrTdIsZqGYNEs7CWGI4q0baox WaTb85s/7EoOtnBjn0sDUDvH9FlwZMTI3nj12ovF12njx2VZluSjfFJG5ope+E8ztFlYsmZNiV4bt2Xt F1bKMH8DQ/SdnMRr4tv9dDyliyvAIfYzTqJSp40rPKZvOjMzERbB2Ii6hslBk0uHl+Cl8X18xLa0d2RD lpkobEIODQauXrNe4Pwpw3Y7sTH7AF7T7z1dY7VBxBfnCQJMgT+d7mXbsnhS5VXKG4fj33Ntg4DkKIHq ILPDCUuAU0bINM2R2e73sPw9iX+Jbhx8xYGx/gs4H81OExbMFLbZIJGuKVhwvMhs+PVFCrKZHSVfe5Dh oK+r0y77g0NHdOfPQ+ebXOqfr8orrIArZhR0lUrVBixx8maKPJqVg2DuDs9TeY2lJBbCOnBaCoPmJtWb 9RzfuQ8gSdxvE2t5xFNCQoHtvAVg633zdMkJGVIMbHeCkDJDXfCH13lLaPMbP2zTWRnDjwkcDL1D0xCL ZhjMtOKKaGfpjXP0EbGxwI/myZVTRomnlD3WqvtdorsNHma+tttlmzQQOVdrq90MfoGOSmpga5ZgDzdX 1o2K8FlWzvBQEIekcaP3H1vrWXLn4Z4Ip8VetCZbafXi0Er6TKxdlCFI5uyuhKmjZAx8Zqw4KYEyA+x3 rnzGRcwRVwBSe1ayXZZSiV9DQG7OIbPp/LxLQeiG0qcfSpDwBdXCB8MVvwX7Kz8z7hMlhuf1hbHqzTfV 
3KB9zHQ1orhJaP1o5ueOTfLU0+qfqtq/J6QVBHPa22d/YCOZPnZ5cdJORqjAnm7DwUtO4tcmB2jlLi6w PM+I2QxtuTbheh80Sk0krDMNPLGLMvKtrg4GUlOtZowieez9zRu3c0/jZoNdnNr1TaRQBlvjF/lRtHRc GasPK03OBrRFq/qAu1vMkXB65CAOh3foJDYoQAAUzBBE0SDuJR79kR1qpCUZQl8ZzS61jGUwyB9JGB1N Gev+tzPnlL5q0x4Cew9/CuwwT8Ekho9o5/WKBCH0m9dFHlf9tv1G5BvCljK1O0nqh9zuglPQqjvO+SNE m69U3ZhveIC4MiTVZFCfXWNSZc6EBkonf62rQsX0awFLLa7TMBqmEWzlHMZ54K0Zfr5mnM1geE8XvkIk kkTf6R/+vgNNIXP8A06/AKr5HCGuMbm3xNjC8u9l8j0NEuv90CVbdSL2LLqdJQAYEaUqAXvmlTobiTmA sFhTXQISuz5Fqxc68DwMMvfJC4psi75GEhr5D+dgG+ci2+3I5jdFspnW8iBJPqSWAaA2vnDjmRL7+1dT YOX8rUM1CHn3RlfHS92i7vtXE9tzGCmfg+r9vkfXcUhuGtq3+hQapqbI4phWdLp+HamGaunBREOQXOVo kBltwhOaKANj4uP3/ZZtUns5u5UEupsWzpJqtA8N7R5yC/s2l09KoyXK2u1AoG3vbpo4nKctuW1odN5N 2Vs2VHD1deg1fLfh2Tl9jiujxb4M+gxSfRrWNgXxmQlC2Nptin4EkghhkNyJ+fz+MSZfHTH8miG5a/HA Xd406C9yzw9GAxlfcFdsE2Kd2RoVqD+x9AHnsUcqsXX/Df5GPwtSBEE88y633fj43RNkY4My9dkOk7bW NZk+sQ81ZJFfLXKKP4fgj93V6H4gXuyVDZjbF4NzF9n2MedeMMVfCXzZg8puO6BQpG5YG1bmV54MReD1 X5WYaXu4EvwIzr8PP35AORQwxbls5OvxtYBrb8kzoyDWB7IwONKi+4RlfX4Z0+t+h5Xn4AEYF7qvKcGE LrWypN8+q/9lVJ2hlUQ8FDot41sC0Xz4YevU6uXug9JmWB3W2j/PLb+c6FRUGPrBZU1ON0S4Wq8oqmFs P8lUIlAQUsit+zb87UoCV9k3ybA88VFiiYvVMnyQH+mqXEAdQjm1gxFsRXRHuJbveWsrdb3ccEH8l5pa 2QeIx/keSy/EdHw79zgR4HRfvqutmLQd2IHVqg3yYNqdziYel2ediN/UKY2Pz4BgK3J+DYnDcMROJ6/J /4YmulOCeeVEupMwuAcG8aiGOdCiAiTAUFuMk+anV49DBrQZXeIsd8daPgeeEWLYW3gT4zQTVPB2ivWR 6tl2i4aDsUNxR25xjvf/vvRwwAdUWybP+bEhgP9zEMt0PzFRiOaQ7ukznMV3hOQZLbGV8jXoFatvpgbe 5ZLZyzBAjibz501O551/2Wi/uDd9Z2SPZc2uHR4svqOkbqEzK1ujcjSFmVE2xiAJ/sNWkPoaueLcD+4t EJ3JkcGm1KGPSP0/dfZST1OyJN+z1w2roEgzGWY+qMzX5+ENwKgI2SJP+RDUeRvPMC0Y4qlaDh1IdF6m FujLU0ue+TuI7/+yWqp/fBYKjseBPhojq5tWHiVV4DbAnhL0FJCiJnHujqWOEbHz8iSePYbbODWRMz2Q vluJB6vtcwvbopbQ5ibAdBJMFuFKnIm1N0ZjcbBjr6mek1nclsIjUw5gP2MIVgUlTepkieQMG52pQjky sZoZpLTV6/5UGeA4SIYmf/S+HCm1r1AYNHzQw2lvI+XPhTSsasB1AO/r6oxEIGTu56WL7uGhvfzT9+nt C+xs6YOv7ySnfhnjTSSzkNwijMKvXjPZayyDQnkBxHQKi0rDNvXdEGVR6kZFCr8n4PkkQGzc7EDwQrJ3 
zAT6ohh82hmacXlW4zJL7wWki8/WBEjMMeCVfx+xI7ctL0raNCqWWlEiuOzh/p0bRjsh3CGpOgZFSdS/ xtCxz8vrzrtFinfGLKEeEiECjY8JS7bNk015F6IZEppZvoeBlKca2t3Uy/h81XJk6t3Vh2dNpbSiN8oB GrtParGyaJd7/WSgHafROVuIFgED+51UlFnWTjKHQLQo/gY4i+QFRXihYfRpbsi/7s1HMA5UfBgm/GH6 3uxdUmwmdErLeVNVryS0mr7O36HO8RxrNWs6BmGYe538TLmVeHEDAwQ5DayKxUmYp61pceiwMEGGgA8c f2tmg+vWsMJ+zMRgzVKD3pJxjqeUsgbhj+6zlrxlR16W8gyZy5tpiYQ3MKwFLNyGvBd1vkoUhYrvrYX2 WEssWpWTPxUetKEUbb9FXhPLDpcBDL2UfXSPw/5gfizm9zYcUf3DC6/FGuZBkMeBNEBLKVx3S/gzI2gF a5eYy4tX7DXOA1bDQBbU6v/ywjszi9AxBYmv+2Few3rFyZntTDEcqe0cusYPkHX0d9JY6pr8nKmx+P3V 6DFC/Q/7JEvPwH3uP+ESQ3oQgaxZuM/1O/AZzrJB8kyyIfwu+ldjpRLwOKdnGVonP+uUOIf42fccI4US 43t5HbrDU0HO/jvdyiynJdu9HNSKufzgFNG9KrXXoKIX8WqAdVRikWBBvPt7T0/eqYJp072GbxpvoqMR L8m4Wg05cxedf9oJAVR8c/nwakYq0VlaM8w3VD9vEyhspc34XsOxgXJhcLSAIc0H2MJVYYe6TC+tPB5U bHTiXRlPwueslCwI4YKZPR3Y7SDyhL9XcU0NQS80oCH5Y0+NVbxleGswnrmSn0o1m28KpLEmnt8twy/P uNMfa4vByyM7tQbnck+PTjQaqjXAJmprlcxJFiWulKQsy40rfFaJ3rBae0lVr32YlV2X1ghYL+fTPoVC KRUb8boUHx5QXayTcl7wxXJV53wxHwzw5Mw9DmnZPq7o2J+qA+cojlOfDC5L5+HCgkn0wbd4wdbR5+Vt h4mG1v4VqGq9zlVDKzGXoqs06XJby+Om7YNBN1aS3LGdTnJcnCXnbMTo4c1WmoZwDvluaBO7LiqUDVaB KBZbTgxI0TrK2Kx0gN95P7Yw7veOHIyNeA96brl12OECneBnhi7CrTiG7pFa3YFaauCsKn+2m/OD8uit U1JMkIsPAWCZIB6z9RAbwCouFmCFfB0uUfe6Qk92HHgSLE/WxLqitp0raR0Vm7s1TXa6eoLh3Ce7vi6p IEpa5PBUpZ7VBO+aord7NhRSYyXl6s+pfBL9Xlyb9W7z8CZdYyzvdZiv69yfygwSserDKFK5PL9WIOZj mPGCTYuezEDz9EH8UKI7jTK8MHzGMNoOgJyot0ydsZA3O3/LOmaKtmgUxZECBqfPV1g8ydJq8UxeYSuv vsvQh3wGwCjjoOqhMA0nqalO1EQRtCHkuCIp8Mh5LUnSn5yRh8r2YWMUGwZ+CHLH4PEqSU0YetI8ah5D FwbIeYejpMbc/KOmyB7RJ5cecyJYw9C4UeVxfqGvZCzr7zDE14Db4qWz+w3X2s2JeG3plp8hhWO+MGML 2r3WrDQAdXWfIX1aNTh2IEPCKmlSiV5Yt/a3BbBF8S9/x34EYJSiyMsCkYBtDfbPLS7kWBTEw672hI00 Rm5nMFF2JQ48AZ+57p2YsKj34LQx9hpOsY+HFUphPTfvneDkAAU9ABH2WQExL8mjKg1hE42OMEIGJckY x0hmtxjcMmLLB/94Nvp+13gcG4pdR1AZoRF6YayInrqVcnWKkpS4JrJwAZmoBUhSibYOlQp/E48byFRF UyhrnZJ4UDnH0E/9xmh8xtKWkGinGfrF0JFcoibhFYhvRybopkUS+Uexy+3YR2DUMG/l4pj9H/St0rnY 
cm+OErAWf81jIaOD8Ctew6g/vsTk2SlZnvZec08YtuLaRcXJNXQ+6vK07uHXrK5sWu3MzNzvBmIkknVB Kn+RncUyQpo+aiV++Q4KM7AzmdIOlBy8xeUFFFUgRqGFLPtCzIC0HtIP42dG7ShroyMzyIUk40mdvGWj OMM1AWQX9n+8S/4zj7jt2Uv47NaC0Ex0//0rvrMNOpQ9nYdruqZXUiJZJbOIuNpskgWZIWUb0elHDYMU 2zMofFxlavdEHSqju00j/WRsGI0sb1GdJjCq8Hb+Qt1KZBjAIPivKbIQeUqewy7EWxv5D3X6uAcLYS3N IX6+h5r33b1P7spxiKewVjsCOrYJvd+whcUnzTtry8d70x//r2KyTqDFbK8g9YJxymkctKjq0ELm8ZgM K2sOym9OZP0q8KQ51du/XrjX7IIGZhPbwXOoiiUxfRSnfeiaTdjD+s1CIHL/orKa0ImRirZAGluQFqY+ yc6j/JAEdQpMlR7D40wQ466ZaLBDigONTbOTov58eTThPYby8tABM9LIVzhLf+I+VtawoMsmTWG3M/2E 1QyQSf1x6PdntuTa3RVz2LMFK7o9bcFUNzCsBWo8Kx6k9KgMtH6SB/2M1oO0HkQfLjsOn1oeb0Gc0ivi nOP3HHn9Bzwf/JhLdxmfG2uRkUd99JaTGuHeP58VoMjkbl7EFR9iXDfNy3onyjvaA8hDFkCUrpRZyb2h dKXJuvEzhI4m7BpcUbEGt6tTRDnal8IouUOLHysUw06dWcwEN3YqgqnaxEOIf71PGVxh3L1VCkLeAQZ1 /UD/Sac8B3MUCpXYDlN2tC22d6l0RplSapVZqOKbg7/NB9TA355q3ldz3CXO+m2+8FQSN/wa0lbCRkDB YkggGIcK7L/UF6zYTsChB+kdlzJl6iUPI6kB2oJoWIRSN5swrb/hgihw0H4MMoehotwoT7WYOkvhk1ts dRDKFG7ULG6nUIjrtz9dJYPwOlFBVC7EBN5y4mrkSTWV1Z0ay8l5zGoLxeuB3sRJc+afYmOC+0wRmZCG wILXIceu7ImRC0ZoquxVA4akbnSUnTwwva3jFKs1re/y2nld8X8Lap4K4SVnzUWL/7wDe8g9KO9Fk/FN OMGIaW35pYxFd775lBa9o2D6V72cQ+hmQsAEE9hetBHOYPQzVCk1PRG+CXsip0w6DQCNDWGW4Kwb2pGQ wC3aMho5YkLiP8eHjgzXov4OJXKYC/g13M3b593am6RYgmgAa2+RYKODk3k22ihGjO8O5JUwbzOHx78G hON18rvTfVaDsSZLy2PnMq7vjZhG/HFU2EtGYTV6FGfpymyJPqKxfErdBQsRRfP8JaTAPlvO/y8UL/hn KqHlqDejRLbiGzjgtCQWg4nlE+MAEBIQ/eOr0quF+zHW/voOhVrb4sDYLQvtOW3jml/PLiNm0k9xl6OY SyxQZD9no2CoJ5MmdBdafgDe+LU6QxXG/UB8rfgNqlVfCPdys1YP9HTBoEaN2qr/uCTkOjacPN3tZi0n H0x61hKyE0G1WgCSOt8MY\x3d'});var gsodar = document.createElement('script');gsodar.type = 'text/javascript';gsodar.async = true;gsodar.src = '//tpc.googlesyndication.com/sodar/sbhK2lTE.js';var s = document.getElementsByTagName('script')[0];s.parentNode.insertBefore(gsodar, s);})();

Posted on Sep 21, 2015 8:17 AM

  • by presidio_studios,

    presidio_studios presidio_studios Sep 21, 2015 11:04 AM in response to Kurt Lang
    Level 1 (0 points)
    Sep 21, 2015 11:04 AM in response to Kurt Lang

    Jimmy, as a test I did the same thing earlier (went directly to malwarebytes.org and downloaded the file).  However, it points to the same URL when you download directly from their site (perhaps a round-robin mirror array).

    https://www.malwarebytes.org/downloads/ = https://data-cdn.mbamupdates.com/web/MBAM-Mac-1.0.2.8.dmg

     

    Kurt, thanks.

  • by JimmyCMPIT,

    JimmyCMPIT JimmyCMPIT Sep 21, 2015 11:10 AM in response to presidio_studios
    Level 6 (8,075 points)
    Mac OS X
    Sep 21, 2015 11:10 AM in response to presidio_studios

    Yes, I'm comparing the link you gave and the DL directly from the site and that link. They are same size and URL.

    Well it was a theory, like that chupacabra police think is eating used cars on that lot in Kansas.

    Screen Shot 2015-09-21 at 2.07.59 PM.png

  • by Kurt Lang,

    Kurt Lang Kurt Lang Sep 21, 2015 11:24 AM in response to presidio_studios
    Level 8 (37,946 points)
    Mac OS X
    Sep 21, 2015 11:24 AM in response to presidio_studios

    Hmm, interesting. If I go to MalwareBytes.org and then to the Mac version page, this is the URL that appears when you hover over the link to download it:

     

    https://store.malwarebytes.org/342/puri-mbamm-dl

     

    It then incorrectly initiates the download when you click that button, which also takes you to the next page where the actual "Download" button appears. That button links to:

     

    https://www.malwarebytes.org/mac-download/

     

    Which is an incomplete URL for the download since it ends in a directory separator, and doesn't show what is actually initiating the download from that page. But it downloads the same file anyway when you click the button.

     

    But that's just what Safari shows. I'm not sure how you're resolving the two URLs (I also didn't try real hard ).

  • by Linc Davis,

    Linc Davis Linc Davis Sep 21, 2015 11:17 AM in response to presidio_studios
    Level 10 (208,000 points)
    Applications
    Sep 21, 2015 11:17 AM in response to presidio_studios

    The file you downloaded is genuine. It comes from a content-distribution network (CDN) used by the developer.

  • by Kurt Lang,

    Kurt Lang Kurt Lang Sep 21, 2015 1:53 PM in response to presidio_studios
    Level 8 (37,946 points)
    Mac OS X
    Sep 21, 2015 1:53 PM in response to presidio_studios

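    Looking a little further (something I should have done the first time), the f.txt file also gets downloaded via Safari and Firefox. Some reports mention the name of the file is actually f.txt.js, which makes it a Java file. And that makes sense as the initial post shows a lot of calls to Java folders (js). That, and a lot of it appears to be binary code shown as text gibberish, which is normal when trying to display binary data in TextEdit. [Note: .js is the JavaScript file extension, and JavaScript is a different language from Java, so whether Java is installed has no bearing on this file. The long run of characters in the posted file sits inside a quoted string (the '_bgp_' value) in the script, so it is text, not binary data.]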

     

    Just to check, if you still have a copy of the file on your Mac, highlight f.txt and press Command+I (Get Info). Check the name to see if the option to hide the file extension is on. If it is, the full file name will likely show as f.txt.js, a trick that has been used against Windows users ever since MS made hiding file extensions the default. Hackers and other creeps then started flooding users with things like, "Great nude photo of xxx!". You then double-click the attachment that shows as photo.jpg when it's actually a program; if you were showing the full file name, it would appear as photo.jpg.exe.

     

    Anyway, if this is all true, then the next question would be, do you have Java installed and enabled in your web browser?

  • by thomas_r.,

    thomas_r. thomas_r. Sep 21, 2015 2:13 PM in response to presidio_studios
    Level 7 (30,924 points)
    Mac OS X
    Sep 21, 2015 2:13 PM in response to presidio_studios

    presidio_studios wrote:

     

    1. malwarebytes installer installed software on my system (so its installer did do something)

     

    Malwarebytes Anti-Malware for Mac does not have an installer of any kind. You drag the app to the Applications folder, and that's it. If you ran something that had an installer, that was not a genuine copy of Malwarebytes Anti-Malware for Mac.

     

    2. the first time I opened my browser after installing malwarebytes software the mysterious download occurred twice without my authorization on a site (amazon.com) that I have visited multiple times per week for the last couple years with no previous occurrence of the mysterious download.

     

    As others have said, the fact that these two things coincided in time doesn't mean anything. I'm the developer of AdwareMedic, which is now Malwarebytes Anti-Malware for Mac, and I wrote all of the code for the current release version. I can tell you that there's nothing that Malwarebytes Anti-Malware for Mac could do to make Chrome download a file when it opens.

     

    You will find that this appears to be a common problem for many people using Amazon in the last couple days:

     

    http://www.amazon.com/gp/help/customer/forums/ref=cs_hc_g_tv?ie=UTF8&forumID=Fx1SKFFP8U1B6N5&cdThread=Tx1N2OHPO650MJ

     

    The issue appears to be related to one of Amazon's ads. The fact that it just started happening is not coincidence at all - it sounds like the same has happened to a number of other people. However, the fact that you downloaded Malwarebytes Anti-Malware for Mac at the same time that Amazon started having a problem with their ads definitely is coincidence.

  • by Old Toad,

    Old Toad Old Toad Sep 21, 2015 2:20 PM in response to presidio_studios
    Level 10 (141,336 points)
    Mac OS X
    Sep 21, 2015 2:20 PM in response to presidio_studios
    Then literally a couple minutes later I went to Amazon.com using Chrome. Chrome auto downloaded an "f.txt" file twice.

     

    You might want to reconsider using Chrome as your browser after reading these:

     

    Google Chrome Listening In To Your Room Shows The Importance Of Privacy Defense In Depth.

     

    Unseen Burdens in Chrome That Can Lead a Mac to Lag

     

    How to Manage the Secret Software That Google Chrome Installs on Your Mac

     

    Google is known to "phone home" with users data as was found out with this new Google Photos service:  Google Photos may be free — but there's still a cost.

     

    Just some food for thought.

    OTsig.png

  • by pinkstones,

    pinkstones pinkstones Sep 21, 2015 2:49 PM in response to presidio_studios
    Level 5 (4,209 points)
    Safari
    Sep 21, 2015 2:49 PM in response to presidio_studios

    I have Malwarebytes on my computer, and it's done nothing wrong.  In fact, the first day I downloaded it, it found adware/malware on my computer I didn't even know I had.  I had no pop-ups, no lagging, nothing.....yet it found something.  It hasn't installed any surreptitious software on my computer, it hasn't damaged or corrupted anything.....I'm sorry that you personally have had a negative experience, but that doesn't mean the program itself is faulty.  There are people out there allergic to penicillin, but you don't see doctors hesitating to prescribe it to people because others have had negative experiences with it.  It's a useful drug that helps make people better.  Equally so, Malwarebytes is a useful program that can help make computers better.  I used the PC version on my Dell laptop for years before buying a MacBook, and it never gave me any problems then, either. 

  • by thomas_r.,

    thomas_r. thomas_r. Sep 21, 2015 7:14 PM in response to Linc Davis
    Level 7 (30,924 points)
    Mac OS X
    Sep 21, 2015 7:14 PM in response to Linc Davis

    Linc Davis wrote:

     

    The file you downloaded is genuine. It comes from a content-distribution network (CDN) used by the developer.

     

    That is correct. However, contrary to your implications, the developer in question is Google (and only incidentally Amazon, apparently, to correct what I said earlier). This is their error, from their ad network. It's a known issue.

     

    See the following topics, which even include the same snippet of JavaScript code:

     

    https://productforums.google.com/forum/#!topic/chrome/tdi2oCXaq_4

    https://productforums.google.com/forum/#!topic/chrome/tdi2oCXaq_4

     

    As well as the following rather lengthy read that points the finger at Google's ad networks, and their ads being displayed by Amazon:

     

    https://medium.com/@unsetbit/dear-amazon-you-dropped-something-fc82375a5bb0

     

    All of this in addition to the earlier link I provided:

     

    http://www.amazon.com/gp/help/customer/forums/ref=cs_hc_g_tv?ie=UTF8&forumID=Fx1SKFFP8U1B6N5&cdThread=Tx1N2OHPO650MJ
