Difference between revisions of "Macintosh Adware Removal"
| (32 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
==Symptoms of Macintosh Adware Presence== | ==Symptoms of Macintosh Adware Presence== | ||
* Troubles accessing web pages in Safari or Chrome (browser hijacking) | * Troubles accessing web pages in Safari or Chrome (browser hijacking) | ||
| + | * Popup windows load up instantly when opening web browsers. | ||
* Abnormal picture ads on google.com main page and search results. | * Abnormal picture ads on google.com main page and search results. | ||
| − | *Unable to create a new message on the 鶹Ƶ webmail interface. | + | * Unable to create a new message on the 鶹Ƶ webmail interface. |
| − | ==Services | + | ==Services Provided== |
The Technology Helpline staff is available to help with malware removal from personally owned Macintosh computers during regular hours. Institutionally owned Macintosh computers that are infected will be re-imaged. | The Technology Helpline staff is available to help with malware removal from personally owned Macintosh computers during regular hours. Institutionally owned Macintosh computers that are infected will be re-imaged. | ||
| − | Malware removal involves uninstalling applications such as '''Search Conduit''', '''Mackeeper''', '''MPlayerX''', etc and deleting files from both the System Library and the User Library. | + | Malware removal involves uninstalling applications such as '''Search Conduit''', '''Mackeeper''', '''MPlayerX''', '''Genieo''', '''InstallMac''', '''Downlite''', etc and deleting files from both the System Library and the User Library. |
| − | == | + | ==Automated Removal== |
| + | We recommend using the '''MalwareBytes''' product for Macintosh as a first step in the removal process for malware on Macintosh computers. | ||
| + | # Download and install the Malwarebytes for Macintosh application from [https://www.malwarebytes.org/antimalware/mac/ Malwarebytes.org]. | ||
| + | # Run the installer | ||
| + | # Launch the Application (from the Applications folder) | ||
| + | ## Read and accept the license agreement | ||
| + | # '''Check for Updates''' - from the Malwarebytes Anti-Malware menu, select Check for Updates | ||
| + | # To '''Scan''' - click the Scan button. | ||
| + | # Remove any found items. | ||
| − | === | + | ==Manual Removal== |
| + | ===Location of Malicious Files/Processes=== | ||
| + | Malware may be installed in any number of locations on the Macintosh HD, following are some of the most common locations, access information and additional tools that may be useful for a manual removal process. | ||
| + | |||
| + | ====Applications folder==== | ||
The applications folder is at the root of the Macintosh HD. To find the Applications folder: | The applications folder is at the root of the Macintosh HD. To find the Applications folder: | ||
*in '''Finder''' | *in '''Finder''' | ||
| Line 18: | Line 31: | ||
*you should see a '''Applications''' folder at this location. | *you should see a '''Applications''' folder at this location. | ||
| − | + | ====System Library==== | |
| − | === | ||
The System Library is the Library folder at the root of the Macintosh HD. To find the System Library: | The System Library is the Library folder at the root of the Macintosh HD. To find the System Library: | ||
*in '''Finder''' | *in '''Finder''' | ||
| Line 26: | Line 38: | ||
*you should see a '''Library''' folder at this location. | *you should see a '''Library''' folder at this location. | ||
| − | === | + | ====User Library (~/Library)==== |
The User Library (typically denoted ~/Library) is the the Library folder in root of your user directory. To find the User Library: | The User Library (typically denoted ~/Library) is the the Library folder in root of your user directory. To find the User Library: | ||
*in '''Finder''' | *in '''Finder''' | ||
| Line 33: | Line 45: | ||
*select '''Library''' | *select '''Library''' | ||
| − | == | + | ====Accessing Activity Monitor==== |
| + | The Activity Monitor application is in the Utilities folder located in the Applications folder: | ||
| + | *in '''Finder''' | ||
| + | *from the '''Go Menu''' select '''Computer''' | ||
| + | *double-click '''Macintosh HD''' | ||
| + | *you should see a '''Applications''' folder at this location. | ||
| + | *Go to the Utilities folder | ||
| + | *Open Activity Monitor and select '''All Processes.''' | ||
| + | |||
| + | ====Accessing Login Items==== | ||
| + | The Login Items menu is responsible for telling the computer what applications to start when logging into the computer after a restart. It is located in the System Preferences menu, under User and Groups | ||
| + | * Apple menu (upper left corner) | ||
| + | * System Preferences | ||
| + | * User and Groups | ||
| + | * For the user with the popup problems, click their user on the left, usually the current user | ||
| + | * On the right, click Login Items. | ||
| − | *From the '''System Library''' (Macintosh HD | + | ===Removal=== |
| + | '''After removing files, a restart of the computer is necessary.''' | ||
| + | |||
| + | *From the '''System Library''' (Macintosh HD/Library) | ||
*Check the '''Launch Agents''', '''LaunchDaemons''' and '''Application Support''' folders | *Check the '''Launch Agents''', '''LaunchDaemons''' and '''Application Support''' folders | ||
*remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names. | *remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names. | ||
| Line 43: | Line 73: | ||
*remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names. | *remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names. | ||
---- | ---- | ||
| − | *From the Applications folder | + | *From the '''Applications folder''' (Macintosh HD/Applications) |
*remove any applications with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names. | *remove any applications with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names. | ||
---- | ---- | ||
| − | *From Activity Monitor (Macintosh HD/Applications/Utilities | + | *From '''Activity Monitor''' (Macintosh HD/Applications/Utilities) |
*Delete any processes with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names | *Delete any processes with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names | ||
---- | ---- | ||
| − | *Also check all browsers for suspicious extensions | + | *From the '''User and Groups''' menu in the '''System Preferences''' menu |
| + | *Click on the user on the left | ||
| + | *Click on the '''Login Items''' tab on the right | ||
| + | *Highlight '''Mackeeper or other malicious process''' | ||
| + | *Click the '''(-)''' button to delete it | ||
| + | ---- | ||
| + | *Also check '''all''' browsers for suspicious extensions (MacCost, Coupon extensions, Search extensions) | ||
*Empty the Trash | *Empty the Trash | ||
| − | *Reboot computer | + | *Clear caches in Chrome, Safari, and Firefox |
| + | *Manually reset home pages in Chrome, Safari, and Firefox | ||
| + | *'''Reboot computer''' | ||
| + | |||
| + | ==Software Updates== | ||
| + | After removing malware: | ||
| + | *Verify that all System Updates (App Store - Updates) have been applied. | ||
| + | *Verify that all browsers are up to date. Check '''About Chrome''' or '''About FireFox''' from the Chrome or FireFox menu. | ||
| + | *Verify that all Plug-ins are up to date. In FireFox from the Tools menu select Add-ons - on the Plug-ins tab, click the '''Check to see if your plug-ins are up to date.''' Update any outdated Plug-ins. | ||
==Additional Help== | ==Additional Help== | ||
| Line 64: | Line 108: | ||
The directions on the website don't mention anything about Vsearch, but any file that says Vsearch should be treated the same, delete or kill the file/process. | The directions on the website don't mention anything about Vsearch, but any file that says Vsearch should be treated the same, delete or kill the file/process. | ||
| − | + | More resources - | |
| − | http://www.thesafemac.com/arg-identification/ | + | *http://www.thesafemac.com/arg-identification/ |
| + | *http://support.apple.com/en-us/HT203987 | ||
==Other== | ==Other== | ||
* Try removing the website data in Safari. Safari menu, Reset Safari, Remove website data. | * Try removing the website data in Safari. Safari menu, Reset Safari, Remove website data. | ||
| + | |||
| + | ==See also== | ||
| + | * [[Virus and Malware Removal]] | ||
| + | * [[Malwarebytes]] | ||
| + | * [[Symantec Anti-Virus]] | ||
| + | * [[Safe Mode]] | ||
| + | |||
| + | [[Category:Viruses]] | ||
| + | [[Category:Malware]] | ||
Latest revision as of 14:32, 6 May 2020
Contents
Symptoms of Macintosh Adware Presence
- Troubles accessing web pages in Safari or Chrome (browser hijacking)
- Popup windows load up instantly when opening web browsers.
- Abnormal picture ads on google.com main page and search results.
- Unable to create a new message on the 鶹Ƶ webmail interface.
Services Provided
The Technology Helpline staff is available to help with malware removal from personally owned Macintosh computers during regular hours. Institutionally owned Macintosh computers that are infected will be re-imaged.
Malware removal involves uninstalling applications such as Search Conduit, Mackeeper, MPlayerX, Genieo, InstallMac, Downlite, etc and deleting files from both the System Library and the User Library.
Automated Removal
We recommend using the MalwareBytes product for Macintosh as a first step in the removal process for malware on Macintosh computers.
- Download and install the Malwarebytes for Macintosh application from .
- Run the installer
- Launch the Application (from the Applications folder)
- Read and accept the license agreement
- Check for Updates - from the Malwarebytes Anti-Malware menu, select Check for Updates
- To Scan - click the Scan button.
- Remove any found items.
Manual Removal
Location of Malicious Files/Processes
Malware may be installed in any number of locations on the Macintosh HD, following are some of the most common locations, access information and additional tools that may be useful for a manual removal process.
Applications folder
The applications folder is at the root of the Macintosh HD. To find the Applications folder:
- in Finder
- from the Go Menu select Computer
- double-click Macintosh HD
- you should see a Applications folder at this location.
System Library
The System Library is the Library folder at the root of the Macintosh HD. To find the System Library:
- in Finder
- from the Go Menu select Computer
- double-click Macintosh HD
- you should see a Library folder at this location.
User Library (~/Library)
The User Library (typically denoted ~/Library) is the the Library folder in root of your user directory. To find the User Library:
- in Finder
- Hold down Option key (holding the option key shows the user library in the Go menu - without the option key - it won't show.
- from the Go Menu
- select Library
Accessing Activity Monitor
The Activity Monitor application is in the Utilities folder located in the Applications folder:
- in Finder
- from the Go Menu select Computer
- double-click Macintosh HD
- you should see a Applications folder at this location.
- Go to the Utilities folder
- Open Activity Monitor and select All Processes.
Accessing Login Items
The Login Items menu is responsible for telling the computer what applications to start when logging into the computer after a restart. It is located in the System Preferences menu, under User and Groups
- Apple menu (upper left corner)
- System Preferences
- User and Groups
- For the user with the popup problems, click their user on the left, usually the current user
- On the right, click Login Items.
Removal
After removing files, a restart of the computer is necessary.
- From the System Library (Macintosh HD/Library)
- Check the Launch Agents, LaunchDaemons and Application Support folders
- remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names.
- From the User Library (~/Library)
- Check the Caches, Application Support, Preferences, and LaunchAgents folders
- remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names.
- From the Applications folder (Macintosh HD/Applications)
- remove any applications with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names.
- From Activity Monitor (Macintosh HD/Applications/Utilities)
- Delete any processes with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names
- From the User and Groups menu in the System Preferences menu
- Click on the user on the left
- Click on the Login Items tab on the right
- Highlight Mackeeper or other malicious process
- Click the (-) button to delete it
- Also check all browsers for suspicious extensions (MacCost, Coupon extensions, Search extensions)
- Empty the Trash
- Clear caches in Chrome, Safari, and Firefox
- Manually reset home pages in Chrome, Safari, and Firefox
- Reboot computer
Software Updates
After removing malware:
- Verify that all System Updates (App Store - Updates) have been applied.
- Verify that all browsers are up to date. Check About Chrome or About FireFox from the Chrome or FireFox menu.
- Verify that all Plug-ins are up to date. In FireFox from the Tools menu select Add-ons - on the Plug-ins tab, click the Check to see if your plug-ins are up to date. Update any outdated Plug-ins.
Additional Help
Here is a helpful web page that has been proven to work multiple times to guide you through removing pesky Macintosh Adware.
Please only delete those files that have the words zeobit, MacKeeper, 911 or 911bundle, or Vsearch.
The directions on the website don't mention anything about Vsearch, but any file that says Vsearch should be treated the same, delete or kill the file/process.
More resources -
Other
- Try removing the website data in Safari. Safari menu, Reset Safari, Remove website data.