Recently, because of the epidemic, I have been confined at home, and I will have been confined for one month next week. Fortunately, the surrounding area is empty, so I can still walk around. There are also netizens asking for help, so it is not boring! A few days ago, I helped a few netizens solve a browser redirection problem. Some people have some basic knowledge of networking and some are complete beginners; everyone has their own specialty, so those who don't get it can only be guided step by step!


In addition, some people reported that after following my article, some items were removed, some were only partly cleaned, some modified settings needed to be reset, and some were missed, so the removal was not complete. The virus is always mutating and disguising itself. I seriously suspect that these abominable sellers of anti-virus products or advertisers are creating malicious plug-ins that are constantly disguised!


Finally, and most importantly, for friends who come to me next time: be sure to keep the installation package or link from when you were infected and leave it to me, so that I can easily get to the bottom of it and help you get rid of the devil completely, so that he no longer possesses others, haha.


Screenshots of feedback from some of these netizens are as follows:

[Screenshots of netizen feedback]


Of course it is the perfect solution, full of happiness!



Because viruses and malware on the network mutate at any time or come with multiple infection modes, the handling method in this article applies only to this sample. If you misuse it, you do so at your own risk. If you need help, you can follow the WeChat public account (MyGlobalVillage) and leave me a message, add me on WeChat (KingisOK), or contact me through the QR code at the end of the article!



A few days ago I received complaints from some netizens who had installed malicious software. Although they had cleaned it up according to the article, it was not cleaned up completely, and they asked for help: the browser was hijacked by the malware, that is, SearchMine hijacked his browser and modified its home page, and the home page setting could no longer be restored to the default value because it was unavailable. He had seen one of my previous articles but couldn't find a corresponding solution; some said they were laymen.

Seeing this, I first realized that this must be a variant of SearchMine, which is why he could not find the corresponding configuration. I sent him a script to run and had him send me the collected information for analysis. Fortunately, I was resting at home over the weekend and had time to handle it. After careful screening, I soon found the corresponding malicious configuration, with which he had been infected in mid-September, and provided a solution for it. Finally, after some guidance, he successfully removed the corresponding malicious plug-in and the browser's homepage returned to normal, but unfortunately he couldn't remember which malicious software package he had installed at the time, so there is no sample to analyze.



The information collected from the user's feedback is as follows:


Based on analysis of the above files, the problem is preliminarily suspected to be related to the following paths and the programs associated with them:

~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.upd2006
~/Library/Application\ Support/.MyCouponsmart
~/Library/Application\ Support/mcpnw


Related plug-in configuration:  MyCouponsmart




In fact, this is the root cause of the user's problem: because the above malicious plug-in was installed, the browser settings were modified. The configuration location of this plug-in is very unusual, which is why users cannot find it. Even some anti-virus software does not scan the files in this path, and this is where the malicious plug-in's configuration is installed.

Since some malicious configurations had already been removed by the user following my previous articles, the above list of configuration paths may not be complete.


If you find any of the above files and they were created around the time the problem started, remove them through the terminal.


[Screenshot]


First, remove all the configuration under the profiles shown in the screenshot above, restoring it to the blank default value.


Second, remove the configuration files under the above paths, if any (adjust to the actual paths you find). Check whether there are other related configuration files, kill the process, and restart the computer.


For this sample, there are also some other malicious configurations in the local folder, which need to be removed together to avoid a resurgence!

~/Library/Application\ Support/.macmmisearch
~/Library/Application\ Support/.upd2006
~/Library/Application\ Support/.MyCouponsmart
~/Library/Application\ Support/mcpnw


Also remove the corresponding plug-in from Chrome; it may be displayed under another name.


In fact, the above files have little impact on the Mac system itself. Even if something is deleted by mistake, it can be reinstalled later as needed, so the deletion will not affect the normal operation of the system.


After all the suspicious files have been removed, it is best to reset the browser or remove the previously saved state data.

~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState



Restart to see if it returns to normal.
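
The file-cleanup steps above, as an added example that is not the author's own script: it checks the paths this article lists, moves any hits into a quarantine folder instead of deleting them (an assumption made here so the files stay available for analysis), and clears the two saved-state folders. The function names, the `--audit`/`--clean` switches and the `hijack-quarantine` folder are hypothetical.

```shell
#!/bin/sh
# Added example (not the author's script); paths as listed in this article.
HIJACK_PATHS='Library/Application Support/.macmmisearch
Library/Application Support/.upd2006
Library/Application Support/.MyCouponsmart
Library/Application Support/mcpnw'
STATE_PATHS='Library/Saved Application State/com.apple.Safari.savedState
Library/Saved Application State/com.google.Chrome.savedState'

# list_present HOME LIST: print each path from LIST that exists under HOME.
list_present() {
    printf '%s\n' "$2" | while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        # -L also catches a dangling symlink, which -e alone would miss
        if [ -e "$1/$rel" ] || [ -L "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
        fi
    done
}

# audit HOME: show hits with their timestamps, to compare against the date
# the browser problem started before touching anything.
audit() {
    list_present "$1" "$HIJACK_PATHS" | while IFS= read -r p; do
        ls -ld "$p"
    done
}

# quarantine HOME DEST: move hits into DEST (hypothetical folder) instead of
# deleting them, so they remain available for later analysis.
quarantine() {
    mkdir -p "$2" || return 1
    list_present "$1" "$HIJACK_PATHS" | while IFS= read -r p; do
        mv -- "$p" "$2/$(basename "$p")" && printf 'moved %s\n' "$p"
    done
}

# clear_saved_state HOME: drop the saved browser state named in the article.
clear_saved_state() {
    list_present "$1" "$STATE_PATHS" | while IFS= read -r p; do
        rm -rf -- "$p"
    done
}

# Nothing runs unless asked for: --audit only lists, --clean changes files.
case "${1:-}" in
    --audit) audit "$HOME" ;;
    --clean) quarantine "$HOME" "$HOME/hijack-quarantine" && clear_saved_state "$HOME" ;;
esac
```

Run it with `--audit` first and quit the browsers before `--clean`; the profile and Chrome plug-in steps still have to be done by hand.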


In addition, the user reported that after the final removal some browser settings did not change back, as in the first screenshot below:

[Screenshots]


Because the malicious plug-in set its page as the default homepage, the option to remove it from the list is of course not available. You must first change the default homepage; after that, right-clicking the searchmine entry below will offer the option to remove it from the list, as in the picture above.



1. On an Apple computer, update and download software from the App Store as far as possible. When a browser suddenly pops up a message saying that the computer has a problem or that software needs to be updated, try not to click it!!!!

2. In the security settings of the computer, choose the option that only allows certified software to be installed!!!

3. If you use cracked versions of software, you must be mentally prepared for advertisements and malicious plug-ins being installed along with them!



If this article is helpful to you, please click like or comment on it. Your support is my motivation to move forward!