Self-Renewing ‘Automation’ virus redirects Safari and Chrome through ads to bing. Renews through a memory alert

Tags: mojave, permission, privacy, safari, virus

Running macOS 10.14.2. Safari 12.0.1.

Symptoms:

  • Safari redirects searches through a proxy to Bing
  • Chrome redirects searches through a proxy to Bing
  • In Privacy settings, under Automation, a "Finder" entry with no icon has access to Safari
  • When removing it, a preferences pop-up shows up.
  • Immediately afterwards, a memory warning shows up and cancels the preferences pop-up.
  • "Finder" reappears under "Automation" with Safari checked.
  • When quitting Safari, it relaunches on its own. (Can't close Safari.)

Attempts:
Used "tccutil reset AppleEvents"; both pop-ups appear once after execution.
Used Avira anti-virus: a quick scan found and eliminated 1 virus, and a full scan found and removed 4. Did not run it again.

No clue how to remove this without disabling SIP, which is not something I necessarily want to do, nor would I know exactly how to find "Finder".

It also seems to be using some exploit to grant itself Automation privileges even after you uncheck them, via some memory issue that triggers the memory warning.

How can malware like this be cleaned?

Best Answer

I wouldn't disable SIP if you have active malware on your system. If you have another Mac you can use or borrow, I'd boot your Mac into Target Disk Mode, connect it to the other Mac with a Thunderbolt cable, and then run both Avira and Malwarebytes on it from the other Mac. This allows the anti-malware software to ignore any SIP protection on the TDM'd Mac and perform a full clean.

If you can't use another Mac, then install a bootable copy of macOS onto an external drive, boot from that, and do the same.

If you can't do either, boot into Safe Mode, run Avira, and if it finds something, let it clean it and then reboot again into Safe Mode. Now run Malwarebytes and do the same. Always reboot after a pass where it found something, because whatever it found may be preventing you from finding anything further until you reboot with it gone.
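Whichever of the three routes above you take, it helps to know what the scanners are up against before and after each pass. The script below is an added example, not code from the original question or answer, and it does not identify the specific adware in the post. It triages launchd persistence, which is the usual reason an app relaunches by itself: it assumes that Apple's own launchd jobs live under /System/Library (SIP-protected), so every plist in the user and local Library directories is third-party, that a job with KeepAlive set is restarted by launchd whenever it exits, and that a third-party job carrying a com.apple.* label is a red flag. The directory list, the keyword heuristics and the sample plist (which uses osascript to keep Safari in front) are all constructed for the example. It needs Python 3 and only the standard library; when working over Target Disk Mode, pass the mounted volume's Library directories to scan() instead of the defaults.

```python
#!/usr/bin/env python3
"""Triage launchd persistence on a Mac (added example, not from the original post).

Assumptions: Apple's launchd jobs ship under /System/Library, so anything in
the directories below is third-party; KeepAlive makes launchd restart a job
when it exits, which is one plausible way an app keeps relaunching itself.
plistlib reads both XML and binary plists.
"""
import os
import plistlib
import tempfile
from typing import Dict, List

# Directories third-party launchd jobs are installed into (assumption: the
# first places a practitioner checks; not stated in the original post).
LAUNCHD_DIRS = [
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]

# Heuristic tokens chosen from the symptoms in the post (browsers relaunching,
# a bogus "Finder" entry, scripted automation). Matches are hints, not verdicts.
SUSPICIOUS_TOKENS = ("safari", "chrome", "finder", "osascript", "curl", "/tmp/")


def describe_job(path: str) -> Dict[str, object]:
    """Parse one launchd plist and list the reasons it deserves a look."""
    with open(path, "rb") as f:
        job = plistlib.load(f)
    label = str(job.get("Label", os.path.basename(path)))
    args = job.get("ProgramArguments") or []
    program = str(job.get("Program") or " ".join(str(a) for a in args))
    # KeepAlive may be a bool or a dict of conditions; any truthy value means
    # launchd restarts the job after it exits.
    keep_alive = bool(job.get("KeepAlive", False))
    reasons: List[str] = []
    if label.startswith("com.apple."):
        reasons.append("Apple-style label outside /System/Library")
    if keep_alive:
        reasons.append("KeepAlive: launchd restarts it when it exits")
    if job.get("RunAtLoad"):
        reasons.append("RunAtLoad: starts at login/boot")
    haystack = (label + " " + program).lower()
    hits = [t for t in SUSPICIOUS_TOKENS if t in haystack]
    if hits:
        reasons.append("mentions " + ", ".join(hits))
    return {"path": path, "label": label, "program": program,
            "keep_alive": keep_alive, "reasons": reasons}


def scan(dirs: List[str] = LAUNCHD_DIRS) -> List[Dict[str, object]]:
    """Describe every .plist in the given directories; unreadable ones are reported, not skipped."""
    findings: List[Dict[str, object]] = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(d, name)
            try:
                findings.append(describe_job(path))
            except Exception as exc:  # a malformed plist is itself worth a look
                findings.append({"path": path, "label": name, "program": "",
                                 "keep_alive": False,
                                 "reasons": [f"unparseable plist: {exc}"]})
    return findings


# Constructed sample job (not taken from the post): mimics an Apple label and
# uses osascript to keep Safari in the foreground.
SAMPLE_JOB = {
    "Label": "com.apple.finder.helper",
    "ProgramArguments": ["/usr/bin/osascript", "-e",
                         'tell application "Safari" to activate'],
    "RunAtLoad": True,
    "KeepAlive": True,
}


def demo() -> List[Dict[str, object]]:
    """Write the constructed sample into a temp directory and scan it."""
    tmp = tempfile.mkdtemp()
    with open(os.path.join(tmp, "com.apple.finder.helper.plist"), "wb") as f:
        plistlib.dump(SAMPLE_JOB, f)
    return scan([tmp])


if __name__ == "__main__":
    # demo() shows the constructed sample; scan() inspects the live machine.
    for job in demo() + scan():
        print(f"{job['path']}\n  label:   {job['label']}\n  program: {job['program']}")
        for reason in job["reasons"]:
            print(f"  ! {reason}")
```

The script only reads files, so it is safe to run before and after each scanner pass; a job that reappears after a pass is a persistence mechanism the scanner missed. It does not touch the TCC database, so a "tccutil reset AppleEvents" as mentioned in the question still has to be done separately, and it cannot see anything a kernel extension or a SIP-protected location would hide, which is the reason the answer recommends scanning from a second Mac or an external boot volume.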