Edit LastSession.plist in Xcode? (...to remove adware)

Question

Edit LastSession.plist in Xcode? (...to remove adware)

Looks like someone found a hole in Safari's javascript implementation; I've been seeing many more adware attacks.

The one that recently got me put up a modal dialog box with no way to dismiss it. It's possible there were buttons at the bottom of the dialog box, but it was filled with so much text that it extended off my screen. All options in the main menu bar were disabled, so I couldn't open preferences to turn off javascript. I had to force quit. When I relaunched Safari, all my windows from the previous session re-open. That includes the malicious one, of course.

So the way I thought I would be clever to get around this was I would edit the LastSession file. Just delete the bad page. And Xcode seems to do a good job of it. Everything is laid out neat and tidy when Xcode opens it. I deleted the bad "item" (as Xcode calls it.) Saved my changes. Verified in the Finder, using quicklook, that the change updated. Relaunched Safari and... No good. The nefarious site opened anyway.

And the LastSession file updated live in Xcode to reflect that the bad site was back.

I verified with my clone that this is not something spooky with the Adware. It's just how Safari works. I tried the editing trick on a non-malicious-javascript entry in the lastsession file, and it too came back with a Safari relaunch.

So either I'm doing something wrong in Xcode. Or Safari has a redundant way of reopening windows and tabs at launch.

I looked at the preferences file. Nothing.

I checked out the Saved Application State folder. There are some .data files there that I have no idea how to work with. (I could probably reverse engineer which file is related to which open window (from the way the lastsession file works, it looks like last in list means the window closest to the user. But then again, Apple uses z-axis terminology in other places which sometimes makes zero closest to you...) Anyway, then I would have to figure out how to update the accompanying .plist in that folder.

Does Safari have a bias toward using cached web pages instead of using the LastSession file like a master list?

Looking for any and all ideas,

Thanks.

Mac Pro, OS X Yosemite (10.10.5)

Posted on Sep 22, 2015 12:00 AM

Reply

Answer 1

dominic23

Level 10

83,916 points

Sep 22, 2015 12:14 AM in response to Charles Floading

1. Force Quit Safari.

2. Relaunch Safari holding the shift key down to launch Safari in Safe Mode.

Reply

Answer 2

Sep 22, 2015 11:18 AM in response to dominic23

Thanks for the reply, dominic.

Didn't know you could start Safari in Safe Mode.

Does this work similar to booting the OS in Safe Mode? Where extensions are not loaded, and caches are cleared..?

I don't think this really solves my problem, though, since I have a bunch of other tabs open that I want to re-open. Sure, I could go through my history and use that to get back the tabs I want, but I'm kind of hung up on finding a more clever/geeky way to do this.

On seeing your safe mode tip, I searched around and found that this is something you can do with other Apple apps. For example you can hold down shift when launching TextEdit.

Also, if you don't want an app to save it's state when you quit it, you can hold down option when you quit.

Reply

Answer 3

dominic23

Level 10

83,916 points

Sep 22, 2015 11:32 AM in response to Charles Floading

If you want to reopen other tabs, don't start Safari in Safe Mode.

When you open Safari in safe mode, saved state will not return.

Reply

Answer 4

Oct 13, 2015 1:10 PM in response to Charles Floading

Figured out the solution I was looking for.

You edit the LastSession.plist file in Xcode as described above. Then go to /Users /You /Library /Saved Application State /com.apple.Safari.savedState Delete everything in that folder.

When you relaunch Safari it won't automatically open any of your old windows. (You trashed the information Safari uses for that.) From the History item in the main menu bar, select "Open All Windows from Last Session." This will direct Safari to your edited LastSession.plist.

Voila! Your session is preserved minus the malicious javascript tab.

Reply