


Update 6/28/22: a reader reached out to me and let me know that Malwarebytes now detects and removes this malware as Adware.Choprex and - so if you're reading this because you are affected, go download Malwarebytes and run a full scan.

I recently found some interesting malware on my partner's computer, a MacBook, and removed it (I think).

When you first opened a new instance of Google Chrome, after a delay of a few seconds, sometimes more, it would close itself and re-open to the same set of tabs. In this new window, searches from the omnibox would use Bing as the search engine instead of the default Google.

On closer look, the newly opened browser would have a new extension. It was called "Properties" and looked incredibly generic, trying to masquerade as a part of the browser itself.

Normally, you can disable extensions from the Extensions settings (chrome://extensions). But this extension would programmatically close chrome://extensions and open chrome://settings in a new tab - so you couldn't disable it in the normal way.

Besides that, periodically a new browser would open to the malicious site /?tid=TID&optid=OPTID&cook=COOK&agec=UNIXTIMESTAMP, which redirected through a bunch of ads to some random website (I wouldn't try fixing this link to visit it, personally). I don't know what TID, OPTID, or COOK were, but agec was a Unix timestamp of a recent time, probably when the malware was installed.

It's been a very long time since I've dealt with malware, so I reached for the tried-and-true Malwarebytes. I ran a full scan and didn't find anything!

I tried launching Chrome with logging, which led to these cryptic loglines when the first instance was killed.

$ /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome -enable-logging -v=1
GPU state invalid after WaitForGetOffsetInRange.
GPU process exited unexpectedly: exit_code=15
bootstrap_look_up .1: Permission denied (1100)
Mach rendezvous failed, terminating process (parent died?)

The new instance, of course, was started without logging, so this gave me no insight into what it was doing.

We spent some more time flailing around doing things that did not work, and eventually just reset the Chrome settings entirely, which disables all extensions on restart. On opening a new window, something still closed the browser and re-opened a new instance, but since extensions were disabled, we could now go to chrome://extensions and take a closer look at the malicious extension.

Looking at the extension details, I could see it was installed locally from /private/var/tmp/95EE66A0-1E4F-43D0-85B6-C721950DE325. In my excitement, I immediately deleted it (with rm), so.
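
The post identifies the extension by its install location, a directory under /private/var/tmp, and only gets there once chrome://extensions is reachable. The following is an added example, not code from the original post: it reads a Chrome profile's preferences JSON directly and flags extensions loaded from outside the profile. It assumes the layout `extensions.settings.<id>.path` with a relative path for store-installed extensions and an absolute path for locally loaded ones; the extension ids and the other sample entries are constructed.

```python
import json
import posixpath
import sys

# Locations where a legitimately installed extension should not live.
TEMP_ROOTS = ("/private/var/tmp", "/private/tmp", "/var/tmp", "/tmp")

# Constructed sample of a profile's preferences file (ids are made up;
# the "Properties" name and its path are the ones reported in the post).
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"path": "a" * 32 + "/1.2.3_0",
               "manifest": {"name": "Some Store Extension"}},
    "b" * 32: {"path": "/private/var/tmp/95EE66A0-1E4F-43D0-85B6-C721950DE325",
               "manifest": {"name": "Properties"}},
    "c" * 32: {"path": "/Users/dev/src/my-extension",
               "manifest": {"name": "Dev build"}},
}}})


def under(path, root):
    """True if path is root itself or lies below it."""
    return path == root or path.startswith(root + "/")


def audit_extensions(prefs_json):
    """Return (id, name, path, reason) for extensions loaded from outside the profile."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in sorted(settings.items()):
        raw = entry.get("path", "")
        if not raw.startswith("/"):
            continue  # assumed: relative path means the profile's own Extensions dir
        path = posixpath.normpath(raw)  # collapse "..", "//" before comparing
        name = entry.get("manifest", {}).get("name", "<no manifest>")
        in_temp = any(under(path, root) for root in TEMP_ROOTS)
        findings.append((ext_id, name, path,
                         "temp-dir" if in_temp else "outside-profile"))
    return findings


if __name__ == "__main__":
    # Pass the path to a profile's "Secure Preferences" or "Preferences" file
    # (assumed file names), or run with no argument to use the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_PREFS
    for ext_id, name, path, reason in audit_extensions(text):
        print(f"{reason:16} {ext_id}  {name!r}  {path}")
```

A "temp-dir" finding is the pattern described in the post; an "outside-profile" finding is also what a developer's own unpacked extension looks like, so it needs a human look rather than automatic removal.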
