macOS下malware移除之searchmine & MyCouponsmart劫持（Remove hijacking of searchmine & MyCouponsmart）

声明：
Declaration：

由于网络中的病毒virus/malware等存在随时变异或者对应多种感染方式等情况，本文所针对的处理方法仅针对本次样本负责，个人如有误操作，后果自负。如需帮助，可以关注微信公众号（我在全球村）给我留言，或回复加好友！

Because the virus/malware in the network is mutated at any time or corresponds to multiple infection methods, the processing method targeted in this paper is only responsible for this sample. If the individual has misoperation, the consequences are at your own risk.If you need help, you can pay attention to WeChat official account (MyGlobalVillage), leave a message to me, or reply to your friend!

现象
Phenomenon：

收到网友的抱怨：浏览器被恶意软件劫持， searchmine 劫持了safari browser，另外一个arch item劫持了chrome，能给一些移除的建议吗？
Received complaints from netizens: A Chilltab malware on my MacBook. Nevertheless it keeps on popping up. Any idea's on how to get rid of it ? Thank you, Glenn

 

分析
Analysis：

根据用户反馈提供的信息，收集如下：

Based on the information provided by user feedback, the collection is as follows:

经过对上述文件的分析，初步怀疑跟下述路径及其关联的程序有关：

After analysis of the above documents, initial doubts are related to the following paths and their associated procedures:

/Users/Shared/SearchMine.app/Contents/PlugIns/AnySearch.appex
/Users/Shared/MyCouponsmart.app/Contents/PlugIns/MyCouponsmart-ext.appex

相关插件配置：

Related plugin configuration:

    net.searchmine.SearchMine.AnySearch(1.0)
	            Path = /Users/Shared/SearchMine.app/Contents/PlugIns/AnySearch.appex
	            UUID = 6E3B7CAD-57C8-41F5-8529-1B3AF8A1BB5A
	       Timestamp = 2019-11-28 22:57:04 +0000
	             SDK = com.apple.Safari.extension
	   Parent Bundle = /Users/Shared/SearchMine.app
	    Display Name = AnySearch
	      Short Name = AnySearch
	     Parent Name = SearchMine

     com.shopsmart.MyCouponsmart.MyCouponsmart-ext(1.0)
	            Path = /Users/Shared/MyCouponsmart.app/Contents/PlugIns/MyCouponsmart-ext.appex
	            UUID = 41C16163-1070-4428-8B35-BAE3A4CB2164
	       Timestamp = 2019-11-28 22:57:03 +0000
	             SDK = com.apple.Safari.extension
	   Parent Bundle = /Users/Shared/MyCouponsmart.app
	    Display Name = MyCouponsmart-ext
	      Short Name = MyCouponsmart-ext
	     Parent Name = MyCouponsmart

实际上这个就是用户问题出现的最终原因，因为安装了上述两个恶意插件，上述两个文件其实就是之前的anysearch和Mycoupon的变种。但是这个插件的位置很特别，导致用户无法寻找，甚至有些杀毒软件（用户已经安装了Dr. Antivirus）都没有扫描到这个路径下的文件，恰好恶意插件就安装在这个位置。

In fact, this is the final reason for the user's problem, because two malicious plug-ins are installed, The above two files are actually variants of the previous anysearch and Mycoupon。But the location of the plug-in is very special, which makes it impossible for the user to find, and even some anti-virus software (user has installed Dr. antivirus) does not scan the files in this path, just where the malicious plug-in is installed.

如果你有发现近期出现问题前后才生成的上述文件，请将其通过terminal终端运行进行移除。

If you have found the above files that were generated before and after the recent problem, please remove them through the terminal .

处理方法：
Approach:

rm -rf /Users/Shared/SearchMine.app/Contents/PlugIns/AnySearch.appex
rm -rf /Users/Shared/MyCouponsmart.app/Contents/PlugIns/MyCouponsmart-ext.appex

移除上述路径下的配置文件(根据自己发现的实际路径进行引用)，如果有。检查是否还存在相关的其他配置文件，杀掉该进程，再重启电脑。

Remove the configuration file under the above path(reference according to the actual path you find), if any. Check if there are other related configuration files, kill the process, and restart the computer.

但针对本次的样本，在本地文件夹还真有其它的一些恶意配置存在，需要一并移除，以免死灰复燃！

But for this sample, there are some other malicious configurations in the local folder, which need to be removed together to avoid resurgence!

rm -rf ~/Library/Application\\ Support/.macmmisearch
rm -rf ~/Library/Application\\ Support/.MyCouponsmart
rm -rf ~/Library/LaunchAgents/com.techyutil.*
rm -rf ~/Library/LaunchAgents/com.pcv.hlprmcp.plist
rm -rf /Library/LaunchAgents/com.MyCouponsmart.agent.plist
rm -rf /Library/LaunchDaemons/com.arcsoft.eservutil.plist
rm -rf /Library/LaunchDaemons/com.crashplan.engine.plist

 

实际上，上述文件对当前Mac系统的影响微乎其微，即使有误删，后期根据需要可以重新安装，所以删除不会影响系统的正常运行。

In fact, the above files have little impact on the current Mac system. Even if it is deleted by mistake, it can be reinstalled as needed later, so the deletion will not affect the normal operation of the system.

可疑文件全部移除完成后，最好重置浏览器，或者移除之前保存的状态数据

After all the suspicious files have been removed, it is best to reset the browser or remove the previously saved state data.

~/Library/Saved\\ Application\\ State/com.apple.Safari.savedState
~/Library/Saved\\ Application\\ State/com.google.Chrome.savedState

 

再启动查看是否恢复正常。

Restart to see if it returns to normal.

忠告：
Advice：

1，苹果电脑要更新和下载软件尽量去App Store，其他浏览器突然弹出的说电脑有问题或者软件需要更新，都尽量不要点！！！！

2，电脑设置中安全设置，选项选择只安装认证过的软件！！！

3，要使用破解版软件，就必须做好被安装广告和恶意插件的心理准备！

1, Apple computer to update and download software as far as possible to the App Store, other browsers suddenly pop up saying that the computer has a problem or the software needs to be updated, try not to point! ! ! !

2, the security settings in the computer settings, the option to choose only installed certified software! ! !

3. To use the cracked version of software, you must be mentally prepared to install advertisements and malicious plug-ins!

 

如果觉得本文对你有帮助，那就赞一个或者评论一个吧，您的支持是我继续前进的动力！

If this article is helpful to you, please click like or comment on it. Your support is my motivation to move forward!