safari hijacked...

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
my GF got a virus warning on her mac. we rebooted, ran malwarbytes, deleted the one file it found... but she still can't change the search engine (from google) or input a homepage.

i deleted the safari folder in her user library (i kept the bookmarks). same problem. i created a TEST account.. and it's happening there too. so the problem is global, not tied to her account.

any ideas? i looked thru the entire HD library, can't find anything obviously suspect...
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
ran etrecheck. nothing suspicious. i also deleted logmein and gotomeeting files... even after rebooting, we still can't change the search engine from google, or input a homepage. there must be a way to remedy this? anyone?
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,137
8,806
California
ran etrecheck. nothing suspicious. i also deleted logmein and gotomeeting files... even after rebooting, we still can't change the search engine from google, or input a homepage. there must be a way to remedy this? anyone?
Try holding the shift key at boot to boot to safe mode. That will stop any third party items from launching. If that fixes you likely have missed something in the Etrecheck report.

Reboot out of safe mode and run EtreCheck again and post the report here for us to look at. It is anonymized, so nothing to worry about.
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
Try holding the shift key at boot to boot to safe mode. That will stop any third party items from launching. If that fixes you likely have missed something in the Etrecheck report.

Reboot out of safe mode and run EtreCheck again and post the report here for us to look at. It is anonymized, so nothing to worry about.
thanks will try that!
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
i was able to set a homepage, by entering an address, clicking out of that preference tab, then closing safari prefs. but, even in safe boot, i can't change the search engine.

i've seen this before, and helped a friend thru it, by deleting a 'bad' extension. anyway, it's going to 'google.com', so it's NOT being hijacked. she's going to live with it for now (she's definitely not up for a reinstall right now).

thank for your help, both of you!
 

dianeoforegon

macrumors 6502a
Apr 26, 2011
907
137
Oregon
The reinstall is just the time to run the full installer. No new setup required.
Be sure to let us know what finally fixes this.
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
i checked the hosts file, all good. but... in safari permissions, there's an entry i've NEVER seen; it shows "custom".
it's not on either of my macs. i can't delete it, or change it to 'no access', or... change it to anything.

any thoughts?

 

dianeoforegon

macrumors 6502a
Apr 26, 2011
907
137
Oregon
I've seen this before. I know you know the basics, but including details for others that might find this thread later.

Follow these steps to reset the permissions:

From the Finder menu bar, choose Go > Home. Your home folder opens.

Choose File > Get Info. An Info window for your home folder opens.

If the “Sharing & Permissions” section at the bottom of the window isn't open, click the triangle in that section to open it.

If the Lock button at the bottom of the window shows a closed lock lock , click the lock and enter an administrator name and password.

Click the Action menu in the bottom corner of the window, then choose “Apply to enclosed items.” Click OK to confirm the action. A progress bar appears at the top of the window.

When the progress bar completes, open the Terminal app from the Utilities folder of your Applications folder.

Paste or type this command in Terminal, then press Return:

diskutil resetUserPermissions / `id -u`

On U.S. keyboards, the ` character is just above the Tab key. After entering the diskutil command, if Terminal says that permissions reset on user home directory failed (error -69841), enter

chflags -R nouchg ~

then enter the diskutil command again.

When the process completes, quit Terminal.
 
  • Like
Reactions: komatsu

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
I've seen this before. I know you know the basics, but including details for others that might find this thread later.

Follow these steps to reset the permissions:

From the Finder menu bar, choose Go > Home. Your home folder opens.

Choose File > Get Info. An Info window for your home folder opens.

If the “Sharing & Permissions” section at the bottom of the window isn't open, click the triangle in that section to open it.

If the Lock button at the bottom of the window shows a closed lock lock , click the lock and enter an administrator name and password.

Click the Action menu in the bottom corner of the window, then choose “Apply to enclosed items.” Click OK to confirm the action. A progress bar appears at the top of the window.

When the progress bar completes, open the Terminal app from the Utilities folder of your Applications folder.

Paste or type this command in Terminal, then press Return:

diskutil resetUserPermissions / `id -u`

On U.S. keyboards, the ` character is just above the Tab key. After entering the diskutil command, if Terminal says that permissions reset on user home directory failed (error -69841), enter

chflags -R nouchg ~

then enter the diskutil command again.

When the process completes, quit Terminal.
you think this will then alow me to delete the custom option in safari? or?? thanks btw...
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
This will reset permissions. Hopefully that will let you reset Safari.
thanks dianeof. will try this tomorrow, and report back. otherwise will suggest the combo installer.

EDIT: no change, sigh. still can't change permissions on safari, same 'you do not have privledges' error. so, she's gonna run the (10.12.6) combo update tonite, and we'll see how that goes.

meanwhile, no popups, google is google, so... not bad overall. but frustrating not being able to change the search engine.

again, thanks. will report in finally tomorrow about what happens...
 
Last edited:

Sital

macrumors 68000
May 31, 2012
1,840
333
New England
I don't have a solution to your problem, but my Safari permissions also show "Custom" and Safari is running as it usually does for me.
 

fisherking

macrumors 604
Original poster
Jul 16, 2010
6,710
1,686
ny somewhere
the combo update fixed it. nothing bad was happening, but she feels better about it. still, scary... thanks so much, dianeof...