Unrecognized Safari Extension Found - AssistSet 1.0

This might have come from installing an Adobe Flash Player update late last night after being prompted by a web page. I know. My bad. That installer looked legit but checking the file name it is just "player.dmg". Usually they are named something like install_flash_player_osx. Also the file cam from an amazon cloud location. Deleted it.

I found a file called "com.LookupTool.plist" in ~/Library/LaunchAgents. It had a modified date and time that matched when I did this Flash Player update. I deleted that file, and then I ran the Flash Player uninstaller and restarted.

If the questionable Safari extension was installed by a bogus Flash Player update last night, then any exposure might be limited since I have not used Safari to enter any passwords since it was run yesterday. It just want to be sure I have cleaned my Mac before handling any more passwords. Any suggestions or advice would be appreciated.

Thanks for the suggestions Eric. I had already gone with the Malwarebytes scan. It found and deleted ~/Library/Application Support/lookupTool and removed the OpenAnyFiles app, which I had already decided was useless but hadn't deleted it yet. Etrecheck found no major issues. The one minor issue on time machine automated backups being off is because I run my own TM scheduler. The others minor issues found didn't appear to be a concern. I see it picked up the Adobe Flash installation yesterday that was I was concerned about, but gives no version.

EtreCheck version: 4.3.1 (4D024)

Report generated: 2018-05-28 14:45:52

Download EtreCheck from https://etrecheck.com

Runtime: 1:57

Performance: Excellent

Problem: No problem - just checking

Major Issues: None

Minor Issues:

These issues do not need immediate attention but they may indicate future problems.

Time Machine auto backup disabled- Time Machine auto backups are disabled.

Unsigned files- There is unsigned software installed. They appear to be legitimate but should be reviewed.

32-bit Apps- This machine has 32-bits apps that may have problems in the future.

Hardware Information:

iMac (Retina 5K, 27-inch, 2017)

iMac Model: iMac18,3

1 4.2 GHz Intel Core i7 (i7-7700K) CPU: 4-core

32 GB RAM - Upgradeable

BANK 0/DIMM0 - 8 GB DDR4 2400 ok

BANK 0/DIMM1 - 8 GB DDR4 2400 ok

BANK 1/DIMM0 - 8 GB DDR4 2400 ok

BANK 1/DIMM1 - 8 GB DDR4 2400 ok

Video Information:

Radeon Pro 580 - VRAM: 8192 MB

iMac

DELL U2412M 1920 x 1200

Drives:

disk0 - APPLE SSD SM1024L 1.00 TB (Solid State - TRIM: Yes)

Internal PCI-Express 8.0 GT/s x4 NVM Express

disk0s1 - EFI [EFI] 315 MB

disk0s2 1.00 TB

disk1s1 - Macintosh HD (APFS) 1.00 TB (558.91 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 1.00 TB (23 MB used)

disk1s3 - Recovery (APFS) [Recovery] 1.00 TB (518 MB used)

disk1s4 - VM (APFS) [APFS VM] 1.00 TB (2.15 GB used)

disk2 - Other World Computing 500.11 GB

External FireWire

disk2s1 [Partition Map] 32 KB

disk2s2 29 KB

disk2s3 29 KB

disk2s4 29 KB

disk2s5 29 KB

disk2s6 262 KB

disk2s7 262 KB

disk2s8 262 KB

disk2s10 - M*******t (Journaled HFS+) 499.97 GB

disk3 - OWC Mercury Elite-AL Pro 1.00 TB

External FireWire

disk3s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk3s2 - F******e (Journaled HFS+) 999.86 GB

disk4 - OWC 3.00 TB

External FireWire

disk4s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk4s2 - S*****h (Journaled HFS+) 3.00 TB

disk5 - ST6000DM004-2EH11C 6.00 TB (Mechanical)

External Thunderbolt 6 Gigabit Serial ATA

disk5s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk5s2 - T**********e (Journaled HFS+) 3.00 TB

disk5s3 - B*****X (Journaled HFS+) 3.00 TB

Mounted Volumes:

disk1s1 - Macintosh HD 1.00 TB (438.43 GB free)

APFS

Mount point: /

disk1s4 - VM [APFS VM] 1.00 TB (438.43 GB free)

APFS

Mount point: /private/var/vm

disk2s10 - M*******t 499.97 GB (265.91 GB free)

Journaled HFS+

Mount point: /Volumes/M*******t

disk3s2 - F******e 999.86 GB (400.75 GB free)

Journaled HFS+

Mount point: /Volumes/F******e

disk4s2 - S*****h 3.00 TB (3.00 TB free)

Journaled HFS+

Mount point: /Volumes/S*****h

disk5s2 - T**********e 3.00 TB (1.74 TB free)

Journaled HFS+

Mount point: /Volumes/T**********e

disk5s3 - B*****X 3.00 TB (2.93 TB free)

Journaled HFS+

Mount point: /Volumes/B*****X

Network:

Interface en0: Ethernet

One IPv4 address

Interface en5: Thunderbolt Ethernet Slot 1

Interface en7: iPad

Interface en6: iPhone

One IPv4 address

Interface fw0: Thunderbolt FireWire

Interface en1: Wi-Fi

Interface en4: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Quota: 4.97 GB available

System Software:

macOS High Sierra 10.13.4 (17E199)

Time since boot: About an hour

System Load: 1.50 (1 min ago) 1.97 (5 min ago) 2.17 (15 min ago)

Security:

Unsigned Files:

Launchd: /Library/LaunchAgents/com.oracle.java.Java-Updater.plist

Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater -bgcheck

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

Executable: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Helper-Tool

Details: Exact match found in the whitelist - probably OK

32-bit Applications:

33 32-bit apps

Kernel Extensions:

/Library/Extensions

[Loaded] MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.3 - SDK 10.13)

System Launch Agents:

System Launch Daemons:

Launch Agents:

Launch Daemons:

User Launch Agents:

User Login Items:

BlueHarvest Application (? - installed 2014-03-17)

(/Applications/BlueHarvest.app)

Dashlane Application (? - installed 2018-05-28)

(/Applications/Dashlane.app)

Dropbox Application (Dropbox, Inc. - installed 2018-05-23)

(/Applications/Dropbox.app)

Canon IJ Network Scanner Selector EX Application (? - installed 2018-01-30)

(/Applications/Canon Utilities/IJ Network Scanner Selector EX/Canon IJ Network Scanner Selector EX.app)

iTunesHelper Application (Apple - installed 2018-04-14)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Internet Plug-ins:

QuickTime Plugin: 7.7.3 (installed 2018-04-14)

JavaAppletPlugin: Java 8 Update 161 build 12 (installed 2018-02-01)

Safari Extensions:

3rd Party Preference Panes:

Java (installed 2018-02-01)

Time Machine:

Skip System Files: No

Mobile backups: No

Auto backup: No

Volumes being backed up:

Macintosh HD: Disk size: 1.00 TB - Disk used: 561.81 GB

Destinations:

T**********e [Local] (Last used)

Total size: 3.00 TB

Total number of backups: 44

Oldest backup: 2018-01-21 16:40:24

Last backup: 2018-05-28 03:15:39

Top Processes by CPU:

Top Processes by Memory:

Top Processes by Network Use:

Top Processes by Energy Use:

Virtual Memory Information:

Software Installs (past 30 days):

Diagnostics Information (past 7 days):

2018-05-23 13:46:29 Dropbox.app Crash

/Applications/Dropbox.app

End of report

Thank you. Yes, I did the official Adobe uninstall. Then checked the instructions for a manual uninstall to make sure everything was cleaned out, then did the correct install.

I think the Apple characterization must be very general, when it says what permissions a Safari extension has. When it says it can read passwords and credit cards, etc, it doesn't mean it is a necessarily doing it. It looks like this was adware. I'd think if it was more insidious, I would have found a reference to it by the name of the extension. I changed passwords of key accounts just to be safe, but there seems to be no indication this was anything more than a good reminder to be more careful.