Foreword:

I haven't had a request for help from a reader in quite a while. I don't know whether that is because people find asking for help a hassle, or because, with the recent epidemic, there is simply less malware activity. I hope it is the latter. If it is the former, all I can say is: if you won't even make the small effort of adding me as a contact, can you really expect someone else to give up their valuable time to look at your problem? Would you rather keep putting up with the malware? Especially since I have never required anyone to pay for my help!

Let me instead talk about a reader I dealt with over the last two days. She was very patient and wrote up a lot of detail about how the infection happened, which helped me enormously.

But when she ran the script as I asked and sent me the information it collected, I was stunned: how could there be so many suspicious configurations? I couldn't help scolding her a little. She writes software herself (judging by the programming tools installed), and yet she had put up with all this. I hope I didn't hurt her feelings.

Luckily, I already knew those malicious configurations inside out, so I was able to pick them out straight away.

In the end it was, of course, resolved completely. A very satisfying feeling! Many thanks to her for the kind words and the red envelope!

Below is the usual routine: an analysis of which files should be deleted.

Declaration:

Because the viruses and malware circulating on the network mutate constantly and may correspond to several different infection methods, the removal procedure in this article applies only to this particular sample. If you make a mistake while following it, you do so at your own risk (there is normally no problem, so don't be scared off). If you need help, follow my WeChat public account (我在全球村, MyGlobalVillage) and leave me a message, or reply to add me as a contact!

Symptoms:

Her request for help was the usual one: the browser had been hijacked by malware. Specifically, SearchMine had hijacked the browser and changed its homepage, and the homepage could no longer be restored to the default, so the browser was unusable. She had already seen one of my earlier articles and followed it, but after a while the problem came back.

At that point I immediately realized that either a SearchMine variant had appeared or the original infection had never been fully removed. I sent her my script to run and asked her to send me the information it collected for analysis. After a careful search, the malicious configurations it turned up covered just about every category; the main ones are listed below.

Analysis:

Based on the information the user sent back, the findings are as follows:

1) Analysis of the collected files points to the following paths and the programs associated with them:

~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.MyShopMate
~/Library/Application\ Support/Advanced Mac Cleaner
~/Library/Application\ Support/Mac File Opener
~/Library/Application\ Support/ChumSearch
/Library/LaunchDaemons/com.vix.cron.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.updXXXX  (many of these)
~/Library/Application\ Support/.MyCouponsmart

2) Related extension configuration: MyCouponsmart

Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh   (she had already removed this one herself)

3) But two extensions live under the Application directory and are still alive and well. Look carefully at the Path field: that is the main program, and it has to be removed.

     net.searchmine.SearchMine.AnySearch(1.0)
         Path = /Users/Shared/SearchMine.app/Contents/PlugIns/AnySearch.appex
         UUID = 77C63A59-94CD-46B6-9D27-5B42C239D741
    Timestamp = 2020-05-10 20:03:03 +0000
          SDK = com.apple.Safari.extension
Parent Bundle = /Users/Shared/SearchMine.app
 Display Name = AnySearch
   Short Name = AnySearch
  Parent Name = SearchMine
     com.shopsmart.MyCouponsmart.MyCouponsmart-ext(1.0)
         Path = /Users/Shared/MyCouponsmart.app/Contents/PlugIns/MyCouponsmart-ext.appex
         UUID = 0BE3EC9E-788C-40C4-B4E9-FC66135D2152
    Timestamp = 2020-05-10 20:03:02 +0000
          SDK = com.apple.Safari.extension
Parent Bundle = /Users/Shared/MyCouponsmart.app
 Display Name = MyCouponsmart-ext
   Short Name = MyCouponsmart-ext
  Parent Name = MyCouponsmart

4) There was also one system configuration profile I wasn't sure about; in the end I cleaned it up along with everything else.

profileIdentifier: com.securew2.eduroam
There are 1 configuration profiles installed

5) The Chrome policy she sent back looked like this:

Good grief, there is a problem here too. No wonder it could not be removed cleanly!

So I said she was very deeply infected: there are six places in total and she had every one of them, whereas other readers usually have around three.

These, then, are the root cause of the user's problem. Because the malicious extensions above were installed, the system's browser was deliberately modified. The extension's configuration lives in an unusual location, so users cannot find it, and even some anti-virus software does not scan files under this path, which is exactly where the malicious extension's configuration is installed.

Since the user had already removed some of the malicious configuration herself by following my earlier articles, the configuration paths listed above may not be complete.

If you find that the files above were created around the time the problem started, remove them from the Terminal.

Approach:

1) First, remove every profile shown in the profiles output from step 3 (the screenshot above), restoring it to the empty default.

2) Next, remove the configuration files under the paths above (substitute the actual paths you find), if they exist. Check whether other related configuration files still exist, kill the process, and then restart the computer.

For this sample, though, there may be other malicious configuration in the local folders as well, which must be removed at the same time so the infection cannot come back!

~/Library/LaunchAgents/com.MyMacUpToDate.agent.plist
~/Library/LaunchAgents/com.uptodatemac.upd.agent.plist
~/Library/Preferences/com.pcv.hlprmcp.plist
~/Library/Application\ Support/.MyShopMate
~/Library/Application\ Support/Advanced Mac Cleaner
~/Library/Application\ Support/Mac File Opener
~/Library/Application\ Support/ChumSearch
/Library/LaunchDaemons/com.vix.cron.plist
~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.updXXXX  (many of these)
~/Library/Application\ Support/.MyCouponsmart

3) Remove the Chrome extension above; it may be shown under a different name.

Chrome/Default/Extensions/lfbenaabfliihodeianphjhhhcjgddlh

4) Remove the extensions' main programs from the Users/Shared directory:

/Users/Shared/SearchMine.app
/Users/Shared/MyCouponsmart.app

5) Clear the Chrome configuration shown in the Chrome policy screenshot:

com.google.Chrome HomepageIsNewTabPage -bool false
com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
com.google.Chrome HomepageLocation -string "https://www.google.com/"
com.google.Chrome DefaultSearchProviderSearchURL
com.google.Chrome DefaultSearchProviderNewTabURL
com.google.Chrome DefaultSearchProviderName

In practice, removing all of the files above has a negligible effect on the Mac. Even if something is deleted by mistake, it can be reinstalled later as needed, so the deletion will not affect normal operation of the system.

After all the suspicious files have been removed, it is best to reset the browsers, or at least remove their previously saved state data:

~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState

Then start them again and check whether everything is back to normal.
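The whole procedure above, collected into one script as an added example (this is not the author's script or the script the author sent the reader). It takes the paths, Chrome policy keys and saved-state directories named in this post, reports which of them exist, and only with --remove unloads the launch items and deletes them in the order the steps give. The ROOT prefix is an assumption added so the system-wide paths can be checked against a scratch tree; leave it empty on the real machine. pluginkit -mAvvv and profiles list are the macOS commands that print the extension and profile listings quoted in the analysis; they are skipped where they do not exist.

```shell
#!/bin/sh
# Added example, not the author's script: audit the indicators named in this
# post and, with --remove, clean them up in the order the steps above give.
# ROOT is a hypothetical prefix so the system paths can be checked against a
# scratch tree; leave it empty on the real machine.

# Indicators under the user's home, as listed in the post.
USER_ITEMS='
Library/LaunchAgents/com.MyMacUpToDate.agent.plist
Library/LaunchAgents/com.uptodatemac.upd.agent.plist
Library/Preferences/com.pcv.hlprmcp.plist
Library/Application Support/.MyShopMate
Library/Application Support/Advanced Mac Cleaner
Library/Application Support/Mac File Opener
Library/Application Support/ChumSearch
Library/Application Support/.macmmisearch
Library/Application Support/.MyCouponsmart
Library/Saved Application State/com.apple.Safari.savedState
Library/Saved Application State/com.google.Chrome.savedState
'
# System-wide indicators (absolute paths from the post).
SYSTEM_ITEMS='
/Library/LaunchDaemons/com.vix.cron.plist
/Users/Shared/SearchMine.app
/Users/Shared/MyCouponsmart.app
'
# Chrome policy keys the hijacker wrote into the com.google.Chrome domain.
CHROME_POLICY_KEYS='HomepageIsNewTabPage NewTabPageLocation HomepageLocation
DefaultSearchProviderSearchURL DefaultSearchProviderNewTabURL DefaultSearchProviderName'

# scan_items HOME ROOT: print each indicator that exists, one path per line.
scan_items() {
    home="$1"; root="${2:-}"
    printf '%s\n' "$USER_ITEMS" | while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$home/$rel" ]; then printf '%s\n' "$home/$rel"; fi
    done
    # The ".updXXXX" entries ("many of these"): match on the prefix.
    for p in "$home/Library/Application Support"/.upd*; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
    printf '%s\n' "$SYSTEM_ITEMS" | while IFS= read -r abs; do
        [ -n "$abs" ] || continue
        if [ -e "$root$abs" ]; then printf '%s\n' "$root$abs"; fi
    done
}

# remove_items HOME ROOT: unload launch agents/daemons first so the running
# process cannot rewrite its files, then delete everything scan_items reports.
remove_items() {
    scan_items "$1" "${2:-}" | while IFS= read -r p; do
        case "$p" in
            *.plist) if command -v launchctl >/dev/null 2>&1; then
                         launchctl unload "$p" 2>/dev/null || true
                     fi ;;
        esac
        rm -rf "$p"
        printf 'removed %s\n' "$p"
    done
}

# reset_chrome_policy: delete the hijacked keys (step 5). Chrome also honours
# policy delivered by configuration profiles, which is why step 1 removes the
# profiles first. `defaults` only exists on macOS, so skip elsewhere.
reset_chrome_policy() {
    command -v defaults >/dev/null 2>&1 || { echo 'defaults not found; skipped'; return 0; }
    for k in $CHROME_POLICY_KEYS; do
        if defaults delete com.google.Chrome "$k" 2>/dev/null; then
            printf 'deleted policy %s\n' "$k"
        fi
    done
}

# show_extensions_and_profiles: the two listings the post's screenshots came
# from. pluginkit -mAvvv prints the Path/UUID/SDK block quoted in the analysis;
# `pluginkit -r <appex path>` unregisters one entry, and
# `profiles remove -identifier <id>` removes one profile.
show_extensions_and_profiles() {
    if command -v pluginkit >/dev/null 2>&1; then
        pluginkit -mAvvv -p com.apple.Safari.extension
    fi
    if command -v profiles >/dev/null 2>&1; then
        profiles list
    fi
}

case "${1:-}" in
    --remove) remove_items "$HOME" ""; reset_chrome_policy ;;
    *)        scan_items "$HOME" ""; show_extensions_and_profiles ;;
esac
```

Run it without arguments first and read the list; nothing is deleted until you pass --remove. The launch items are unloaded before their plists are removed because a still-running agent is exactly how this infection kept coming back after an earlier clean-up.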

Advice:

1. On a Mac, update and download software from the App Store wherever possible. If a browser suddenly pops up a message saying your computer has a problem or some software needs updating, do not click it!!!!

2. In the security settings of System Preferences, choose the option to allow only certified software to be installed!!!

3. If you insist on using cracked software, be prepared to have adware and malicious extensions installed along with it!

If you found this article helpful, give it a like or follow me. Your support is what keeps me going!

All of the above is original content. To repost it, contact me on WeChat for authorization or cite the source!
