Remove hmining.mobi
How do I deinstall hmining.mobi on Safari?
Mac Powerbook G4, Mac OS X (10.6.1)
Download and run MalwareBytes. Malwarebytes was developed by one of our own colleagues here in ASC. It is used by Apple Geniuses at Apple Store Genius Bars. It is also recommended by Apple Community Hosts here in the forums, as well as by Apple Telephone Support agents.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
You installed the "Search Genius" malware. Please take the steps below to disable it.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be one or more files with a name that begins as follows:
com.mediahm
Move any such files to the Trash. There may not be anything else in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer.
3. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
4. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
5. This step is optional. Open this folder as in Step 1:
~/Library/Application Support
and move to the Trash the subfolder with the name
mediahm
if present.
Don't move the Application Support folder or anything else inside it.
6. "Search Genius" is distributed in the form of a fake updater for "Adobe Flash Player." You may have been prompted by a popup on a website to update Flash. Never follow a prompt on any website to install any software, no matter what you think it is. Software should be downloaded only because you—not someone else—decided that you need it, and then only from the developer's website or from the Mac App Store. Some software, including Flash Player, has a built-in updater that is safe enough to use, provided that the existing installation came from a reliable source.
7. Along with "Search Genius," you may have installed other malware, such as "Advanced Mac Cleaner," and/or the scam applications "MacKeeper" and "MegaBackup." If you still have problems after taking the above steps, ask for other instructions.
You may have installed ad-injection malware ("adware").
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Back up all data first.
If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.
If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.
If the malware is not removed automatically, see below.
This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.
Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.
If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.
Step 1
Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.
If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.
Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.
Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.
Leave the folder open for now.
Step 2
Do as in Step 1 with this line:
/Library/LaunchAgents
The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.
Step 3
Repeat with this line:
/Library/LaunchDaemons
This time the folder will be named "LaunchDaemons."
Step 4
Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.
Step 5
If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
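The folder checks from the two procedures above (the com.mediahm launch agents and the mediahm support folder from the first, the date-sorted listing of the three launchd folders from the second) can also be done read-only from Terminal. This is an added example, not part of the original posts; the function names, the two optional path parameters and the sample file names are assumptions made for illustration.

```shell
#!/bin/sh
# Read-only audit of the folders named in the posts above; nothing is moved or deleted.
# audit_launchd [HOME_DIR] [SYSTEM_ROOT]: both parameters are assumptions added here
# so the function can run against a test tree; with no arguments it checks the real
# ~/Library and /Library. Returns 1 if anything matching the thread's names is found.
audit_launchd() {
    home_dir=${1:-$HOME}
    sys_root=${2:-}
    flagged=0
    for dir in "$home_dir/Library/LaunchAgents" \
               "$sys_root/Library/LaunchAgents" \
               "$sys_root/Library/LaunchDaemons"; do
        if [ ! -d "$dir" ]; then
            echo "== $dir: not present"
            continue
        fi
        echo "== $dir (newest first)"
        # ls -t sorts by modification time, like the Finder's Date Modified column
        ls -1t "$dir" | sed 's/^/   /'
        # The thread names this prefix for ~/Library/LaunchAgents only; checking it
        # in the two system folders as well is an added assumption.
        for f in "$dir"/com.mediahm*; do
            if [ -e "$f" ]; then
                echo "   FLAG: $f"
                flagged=$((flagged + 1))
            fi
        done
    done
    support="$home_dir/Library/Application Support/mediahm"
    if [ -d "$support" ]; then
        echo "   FLAG: $support"
        flagged=$((flagged + 1))
    fi
    echo "flagged items: $flagged"
    [ "$flagged" -eq 0 ]
}

# Constructed sample tree (file names other than the com.mediahm prefix are made up).
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/home/Library/LaunchAgents" \
             "$t/home/Library/Application Support/mediahm" "$t/Library/LaunchDaemons"
    touch -t 201501010000 "$t/home/Library/LaunchAgents/com.example.helper.plist"
    touch -t 201603010000 "$t/home/Library/LaunchAgents/com.mediahm.sample.plist"
    touch -t 201401010000 "$t/Library/LaunchDaemons/com.example.daemon.plist"
    echo "$t"
}

demo=$(make_demo_tree)
audit_launchd "$demo/home" "$demo" || echo "review flagged items before trashing them"
rm -rf "$demo"
```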
I generally concur with Linc's warning regarding where downloads should be sought by inexperienced users (only from Apple, developers).
In our diversion into the issue of hmining.mobi, we were performing a required update to Adobe Flash, and misclicked on a site created to look and feel like the Adobe site, including in the DMG, install window, etc. Suspicion nevertheless arose in the midst of the install, and it was interrupted and cancelled.
Even so, all browser homepages were reset, and other tracking software was installed.
Following Linc's series of steps described in the current post, and here, Remove hmining.mobi, accomplished the needed uninstalls and return to normal function.
As for the advice to "Download and run MalwareBytes"—I am with Linc, the last thing that a naive user that has made clear they cannot always differentiate trustworthy sources from untrustworthy... the last thing such a user needs to be doing, in the midst of a malware attack, is to be sent looking to install further software. If this package is indeed used at the Genius Bar (however it may manifest now, and into the future), then the soundest advice—apart from a careful step by step from an expert here—is, "Get Thee to a... [Genius Bar or equivalent]." This is further emphasized by the fact that the game being played between malware crooks and users is an ever-changing landscape, with commercial software and shareware ever having to play catchup to the ploys currently in play. A dated, expert step-by-step, in my experience always trumps a "go and download and trust..." approach. My two cents.
Thanks again Linc, for making clear how to clean things up. Prof D
A link has been posted in this thread to a scam web page, the sort of page that you would find if you searched for help to deal with a malware infection. Everything on that page is nonsense, including the pitch to install "MacKeeper," a fraudulent "utility." Don't follow the link.
I have exactly the same problem.
When I open Chrome, it starts with the hmining.mobi page which turns into the Yahoo search website, and a Google page.
I have deleted the extensions in Chrome, I followed the steps as you described (the Launch application folders etc), and I used MalwareBytes to remove malware. Right now I am still facing the problem when I open Google Chrome. Is there anything else I can do to remove the malware? Thanks in advance.
I did all the procedure as you said, but still have the hmining.mobi opening on Google Chrome, even if I deleted it from the preferences... so not sure if I'm having a virus, but still my Mac seems slower...
Well, I did delete the item #5 "Search Genius", restarted the MBP but still have the "hmining.mobi" opening and then it opens google...
I don't know if there's another Trojan or something, but since a month ago my MBP is warming more than usual, even when watching a movie online...
Thank you for your help
If Safari is not affected, you may have installed a malicious Chrome extension such as "Adblock Super" or "News Ticker Remover." Remove all extensions you don't know you need. If in doubt, remove all of them.
If an extension is not causing the problem, create a new Chrome user profile. Note that you can salvage your bookmarks from the existing profile.
Chrome can sync your account settings between devices, so if you enable that feature, malicious profile data can spread from one to another in a virus-like way.
stefvh88 wrote:
I have deleted the extensions in Chrome, I followed the steps as you described (the Launch application folders etc), and I used MalwareBytes to remove malware.
The items that Linc told you to remove manually are all items that Malwarebytes Anti-Malware for Mac detects and removes. If it did not find them on your system, there is an issue on your system that is preventing it from working properly. If you'd like help with that, choose Contact Support from the Help menu in Malwarebytes Anti-Malware.
The Linc Davis post that begins "You may have installed ad-injection malware..." is not as helpful as some others from you, Linc, because its instructions, as they come to a close, are less clear on how to complete / how you intend to complete the steps that you describe. Prof D
Thanks for your mostly supportive comments. I strongly agree with this statement:
the last thing such a user needs to be doing, in the midst of a malware attack, is to be sent looking to install further software
I can't, however, go along with this:
the soundest advice—apart from a careful step by step from an expert here—is, "Get Thee to a... [Genius Bar or equivalent]."
The truth is that, although Apple has taken some steps, in response to the adware epidemic, to improve the security of OS X, it still doesn't train or equip its customer-facing employees to deal correctly with malware infections. That knowledge exists within the company, but it's not being disseminated at the retail level.
Thanks Linc: It's fantastic to know that there are "SuperUsers" that know more than me. I guess that makes me a "former Superuser" who has knowledge that is far obsolete.
Thank you for the contribution!
I made the great mistake of updating my Flash player from an untrusted website. Immediately my computer prompted to install MacKeeper, which I did not. MacKeeper tried to run a system scan and someone tried to contact me through MacKeeper to offer solutions, etc. However, by just taking the bait from the Flash player update I was already in trouble. My computer had a mind of its own by using the hmining.mobi for everything. I followed your guide step by step and the computer is now working normally again. Thanks for the help.
Thank you for being so smart. I searched high and low to try to fix the Yahoo search redirect that was taking me away from Google search. But it moves so fast in the search bar you can't see that it says mobi.hm unless it gets stuck 'cause the net slows down. Which happened, then voilà, this came up in the Google search. Thank you so much. It completely fixed the issue.