MacOS – Cannot find/remove browser hijackers

Tags: macos, malware, virus, web-browser

My roommate brought me her iMac this afternoon because it's been behaving very badly since she upgraded to High Sierra. It turns out that her boyfriend has gotten a lot of malware onto it, and I'm having real problems getting rid of it.

The biggest culprit is a set of browser hijackers (they may all be related, or they may be separate malware, I'm not sure), including well-known ones like G-Search.Pro, and others (feedvertizus, beleelashopper, etc).

I cannot figure out where these things have stuck themselves to get rid of them. So far, I have:

  • Deleted any installed applications I didn't recognize.
  • Installed and run MalwareBytes, which claims I have no malware.
  • Installed and run AVG Anti-Virus, which claims I'm clean.
  • Completely deleted Chrome and Firefox from the machine and reinstalled.
  • Checked the LaunchAgents folders in /Library, /System/Library, and /Users/user/Library for anything odd.
  • Checked the LaunchDaemons folders in the same places.
  • Removed anything from Application Support folders that looked suspicious.

All to no avail. A clean, fresh install of Chrome immediately gets infected with G-Search.pro and these other things. I'm at my limit of OS X knowledge so I have no idea where else to look.

Where could these things be hiding, or where can I go (are there system logs, etc.?) to find out?

Best Answer

In case anyone else gets infected by this, here's what I ultimately discovered:

The virus had installed a local web proxy, and a background service that was constantly monitoring the system's proxy settings and "restoring" them to point to itself. I discovered this when I noticed that Safari was throwing SSL warnings for everything, and that YouTube was returning empty responses and proxy errors trying to watch videos.

The proxy also appears to have been preventing Chrome's sync from working, and preventing me from activating several anti-virus programs that require online activation.

I was able to find it using lsof to see what was listening on the port that kept setting itself up as the local proxy. It had installed a mono application using the Titanium web proxy NuGet package, into /usr/local/srcsrv.

Once I killed that, the behavior of the web browser returned to normal except for the "New Tab" page in Google still pointing to G-Search.pro. I haven't yet tried to delete and reinstall Chrome a second time, but I did add several domains to /etc/hosts to prevent them from phoning home.
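The triage the answer describes (read the system proxy settings, find what is listening on the loopback port they point at, identify the process behind it) can be scripted. The script below is an added example written for this page, not the answerer's own commands or any tool from the page; it generalizes the lsof step by first pulling every enabled localhost proxy out of `scutil --proxy` rather than assuming one port. The `scutil --proxy` and `lsof -nP -iTCP:<port> -sTCP:LISTEN` output formats it parses are assumptions based on those tools' usual layout, and the sample outputs embedded in the script are constructed so the parsing functions run offline on any POSIX shell; the live check only runs where `scutil` exists (macOS).

```shell
#!/bin/sh
# Added example: find the process behind a rogue localhost proxy on macOS.
# Not the answerer's script. Assumes the usual output layouts of
# `scutil --proxy` and `lsof -nP -iTCP:<port> -sTCP:LISTEN`.

# Constructed sample of `scutil --proxy` output (HTTP and HTTPS proxies
# both forced to a local listener, the pattern the answer describes).
SAMPLE_PROXY='<dictionary> {
  ExceptionsList : <array> { 0 : *.local 1 : 169.254/16 }
  HTTPEnable : 1
  HTTPPort : 8080
  HTTPProxy : 127.0.0.1
  HTTPSEnable : 1
  HTTPSPort : 8080
  HTTPSProxy : 127.0.0.1
  ProxyAutoConfigEnable : 0
}'

# Constructed sample of `lsof -nP -iTCP:8080 -sTCP:LISTEN` output.
SAMPLE_LSOF='COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mono    4242 root   12u  IPv4 0x1234      0t0  TCP 127.0.0.1:8080 (LISTEN)'

# proxy_ports SCUTIL_OUTPUT
# Prints, one per line, the ports of every enabled proxy (HTTP, HTTPS, FTP,
# SOCKS, ...) whose host is the local machine. Other keys are ignored.
proxy_ports() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[A-Za-z]+(Enable|Port|Proxy)$/ {
      k = $1; sub(/(Enable|Port|Proxy)$/, "", k)   # e.g. "HTTPS"
      if ($1 ~ /Enable$/)    en[k]   = $3
      else if ($1 ~ /Port$/) port[k] = $3
      else                   host[k] = $3
    }
    END {
      for (k in en)
        if (en[k] == 1 && (host[k] == "127.0.0.1" || host[k] == "localhost"))
          print port[k]
    }
  ' | sort -u
}

# listener_pids LSOF_OUTPUT
# Prints "COMMAND PID" for each listening process in lsof output.
listener_pids() {
  printf '%s\n' "$1" | awk 'NR > 1 { print $1, $2 }'
}

# Live check: only meaningful on macOS. Reports each localhost proxy port,
# the processes listening on it, and their executable paths. It changes
# nothing; confirming and removing the service is a manual step.
find_rogue_proxy() {
  if ! command -v scutil >/dev/null 2>&1; then
    echo "scutil not available (not macOS); nothing live to inspect" >&2
    return 0
  fi
  for p in $(proxy_ports "$(scutil --proxy)"); do
    echo "System proxy points at localhost:$p"
    out=$(lsof -nP -iTCP:"$p" -sTCP:LISTEN 2>/dev/null)
    [ -n "$out" ] || { echo "  nothing currently listening on $p"; continue; }
    listener_pids "$out" | while read -r cmd pid; do
      # ps -o comm= gives the executable path on macOS (assumed here)
      echo "  $cmd (pid $pid) -> $(ps -p "$pid" -o comm= 2>/dev/null)"
    done
  done
}

# Offline demonstration on the constructed samples.
echo "ports from sample: $(proxy_ports "$SAMPLE_PROXY")"
echo "listeners from sample: $(listener_pids "$SAMPLE_LSOF")"
```

If the live check names a process, `sudo launchctl list` shows which launchd job (if any) owns that PID, which is what finally answers the question of where the thing is re-launched from; removing the job's plist and the binary it points at, then resetting the proxy settings in System Preferences, is the cleanup the answer arrived at by hand.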