


A few days ago, another reader asked me for help, saying he was troubled by Qsearch. After asking him to describe the symptoms and roughly when they began, I collected information using my usual method and began analyzing the source of the infected malicious files. However, no suspicious Qsearch-related files could be found around the time he gave, and he replied that he had already deleted the relevant configuration by following the article, which made things more troublesome. Because the hijacking problem still existed, we could only widen the scope of the inspection and, starting from the processes that were still running, work out which of them might have been launched by the malware. Finally, I had him send the relevant configuration several times for detection and analysis to determine the source of infection. In fact, relevant configurations had been present for years, since as early as 2019, but I do not know why he only recently discovered that he was troubled by Qsearch.

Is there a new mutation or strategy in Qsearch?


Screenshots of feedback from some of these netizens are as follows:


In the end, of course, the problem was solved perfectly, to everyone's delight!



Because viruses and malware in the wild mutate at any time and may use multiple infection methods, the removal procedure in this article applies only to this sample. If you misapply it, you do so at your own risk. If you need help, you can follow the WeChat public account (MyGlobalVillage) and leave me a message, or add me on WeChat (KingisOK)!





His Chrome browser was hijacked by malware: Qsearch took over the browser and modified its homepage, and the homepage could no longer be restored to the default value, which had become unavailable. He had already read one of my earlier articles and made some basic removals.

Seeing this, my first thought was that there must be a new variant of Qsearch, which would explain why he could not find the corresponding configuration. I sent him the script to run and had him provide the collected information for analysis. After careful screening, I soon found that he had been infected by the corresponding malicious configuration last year, and I provided a solution. Finally, after some guidance, he successfully removed the corresponding malicious plug-in, and the browser's homepage returned to normal. He was very grateful.



Based on the information provided by user feedback, the collection is as follows:


Based on the analysis of the above files, the problem is preliminarily suspected to be related to the following paths and programs:



Related plug-in configuration:  MyCouponsmart




In fact, this is the root cause of the user's problem. Because the malicious plug-in above was installed, the system's browser was tampered with. The plug-in's configuration is stored in a very unusual location, which makes it impossible for users to find. Even some anti-virus software does not scan files in this path, and that is where the malicious plug-in's configuration is installed.

Since some malicious configurations have been removed by users themselves according to my previous articles, the above configuration paths may not be comprehensive.


If you find any of the above files and they were created around the time the problem began, please remove them through the terminal.
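One way to look for files changed around the time the problem began, or mentioning the plug-in name MyCouponsmart, written as an added example that is not from the original article. The directory list, the function names and the dates in the usage line are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: read-only triage helpers. Nothing here deletes anything.

# recent_files START END DIR...
# Prints regular files under each DIR modified after START and up to END.
# START/END are local times, "YYYY-MM-DD HH:MM:SS". Missing DIRs are skipped.
recent_files() {
    start=$1; end=$2; shift 2
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -newermt "$start" ! -newermt "$end" -print \
            2>/dev/null || true
    done | sort
}

# name_hits KEYWORD DIR...
# Prints files whose name or text content mentions KEYWORD (case-insensitive).
name_hits() {
    kw=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -iname "*$kw*" -print 2>/dev/null || true
        grep -rIil -- "$kw" "$dir" 2>/dev/null || true
    done | sort -u
}

# Assumed review set: common macOS launch-item and Chrome extension folders.
# These are not the paths from the article's screenshots.
default_dirs() {
    printf '%s\n' \
        "$HOME/Library/LaunchAgents" \
        "/Library/LaunchAgents" \
        "/Library/LaunchDaemons" \
        "$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
}

# Usage (constructed dates):
#   sh triage.sh "2022-06-01 00:00:00" "2022-07-01 00:00:00" MyCouponsmart
if [ "$#" -eq 3 ]; then
    default_dirs | while IFS= read -r d; do
        recent_files "$1" "$2" "$d"
        name_hits "$3" "$d"
    done | sort -u
fi
```

Review each listed file before removing it; a file that merely falls inside the time window is not necessarily malicious.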



First, remove all the configuration under the profiles file in the screenshot above and restore it to the blank default value.


Secondly, remove the configuration file under the above path (adjust according to the actual path you find), if any. Check whether there are other related configuration files, kill the process, and restart the computer.


For this sample, however, there are some other malicious configurations in the local folder, which need to be removed together to keep the infection from coming back!



Remove the corresponding Chrome plug-in shown above; it may be displayed under another name.


In fact, the above files have little impact on the current Mac system. Even if one is deleted by mistake, it can be reinstalled later as needed, so the deletion will not affect the normal operation of the system.


After all the suspicious files have been removed, it is best to reset the browser or remove the previously saved state data.

~/Library/Saved\ Application\ State/com.apple.Safari.savedState
~/Library/Saved\ Application\ State/com.google.Chrome.savedState



Restart to see if it returns to normal.





1. On an Apple computer, update and download software from the App Store whenever possible. If another browser suddenly pops up a message saying that the computer has a problem or that software needs to be updated, try not to click it!

2. In the security settings in the computer's settings, choose the option that allows only certified software to be installed!

3. If you use cracked versions of software, you must be mentally prepared for it to install advertisements and malicious plug-ins!



If this article is helpful to you, please click like or comment on it. Your support is my motivation to move forward!

posted on 2022-07-05 18:11  我在全球村