RightLurker

Q: What is AppEH, and how do I get rid of it permanently?

About two weeks ago my MacBook 2.1, OS 10.6.8, started slowing down and then freezing up completely.  I found the culprit to be something called AppEH in the Activity Monitor, which was sucking up about 90%+ of the CPU.  As soon as I quit AppEH, everything is back to normal, but AppHE keeps turning itself back on - especially when I got to a website like msn.com or google news.  What is AppEH, and how can I get rid of it permanently.  Thanks.

MacBook, Mac OS X (10.6.8), MacBook 2.1

Posted on Nov 7, 2015 4:53 AM

Close

Q: What is AppEH, and how do I get rid of it permanently?

  • All replies
  • Helpful answers

  • by Linc Davis,Helpful

    Linc Davis Linc Davis Nov 7, 2015 5:46 AM in response to RightLurker
    Level 10 (208,037 points)
    Applications
    Nov 7, 2015 5:46 AM in response to RightLurker

    You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.

    The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    Back up all data before continuing.

    1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

    2. Inside the folder you just opened, there may be files with a name of the form

              something.AppRemoval.plist

              something.download.plist

              something.ltvbit.plist

              something.update.plist

    where something is usually a meaningless string, such as any of the following:

              Epolife

              InstallMac

              Javeview

              Kuklorest

              Manroling

              Otwexplain

    These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.

    You could have more than one copy of the malware, with different values of something.

    Move all such items to the Trash. If there are any other files with a name that begin with something, move them to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

    Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

    3. Open this folder in the same way as above:

    ~/Library/Application Support

    and move to the Trash any subfolders named with the same something you found in Step 2.

    Don't move the Application Support folder or anything else inside it.

    4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, or with the name "Zip Devil," drag it to the Trash.

    If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

    Empty the Trash.

    If you get an alert that the application is in use, force it to quit.

    5. From the Safari menu bar, select

              Safari Preferences... Extensions

    Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

    6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari Preferences... General

    and click

              Set to Current Page

  • by levi6900,

    levi6900 levi6900 Nov 9, 2015 7:02 PM in response to Linc Davis
    Level 1 (0 points)
    Nov 9, 2015 7:02 PM in response to Linc Davis

    I started to have slowness problems about 2 days ago. This solution worked on my outdated OS 10.9.5. This is the only source on the internet that I could find that accurately describes what it was and how to get rid of it. Otherwise I only found links to download AppEH and InstallMac from.

  • by douggyi,Helpful

    douggyi douggyi Nov 9, 2015 8:56 PM in response to RightLurker
    Level 1 (10 points)
    Nov 9, 2015 8:56 PM in response to RightLurker

    I know that Linc Davis posted his excellent and thorough removal procedure here but I thought I'd add my bit as well. The free and excellent MalwareBytes Antimalware for Mac, available here https://www.malwarebytes.org/antimalware/mac/ also removes this Malware and many others. I found two instances of the AppEH process running on a client's Mac this afternoon. One iteration of the process was taking up 13GB of virtual RAM and the other 14GB, which had brought her Mac to a halt (it only has 6GB of RAM so the Virtual Memory system was working overtime).

     

    I installed the said software, ran it and it identified and removed many of the malware versions mentioned by Linc, as well as others. In all there are around 30 pieces of Malware on her Mac. I'm as comfortable as many with opening up the system folders and removing such beasts manually, but I have found this software and its predecessor, Adware Medic, to be thorough and top value at the $0.00 price.

  • by RightLurker,

    RightLurker RightLurker Nov 14, 2015 10:23 AM in response to RightLurker
    Level 1 (1 points)
    Nov 14, 2015 10:23 AM in response to RightLurker

    Thanks to all.  Sorry for the late reply, but I was tied up with work.  Linc's method worked, although I had to use the old cut and paste under the edit drop down menu - the control key plus letters (c, v, etc.) don't work on my computer.  My computer has never run faster.  The malware software recommended by douggyi won't run on 10.6.8, unfortunately - my Macbook is nearly an antique.  Thanks again.   

  • by iamhiren,

    iamhiren iamhiren Nov 16, 2015 3:38 AM in response to Linc Davis
    Level 1 (0 points)
    Nov 16, 2015 3:38 AM in response to Linc Davis

    You saved whole lot of time by laying out complete procedure. It helps lot. Thank you very much buddy.

  • by calsal8,

    calsal8 calsal8 Nov 16, 2015 11:08 AM in response to douggyi
    Level 1 (0 points)
    Nov 16, 2015 11:08 AM in response to douggyi

    Thank you so much for this info, no need to delete files manually or even use anything else. The Malware Bytes application deleted it all for me!

  • by paoHSU,

    paoHSU paoHSU Nov 19, 2015 3:43 PM in response to douggyi
    Level 1 (0 points)
    Nov 19, 2015 3:43 PM in response to douggyi

    Thank you so much for the link to Malware. I have been restarting my computer every other day for months and I didn't know what the problem was until now that I checked the **** appEH... Thanks a lot!

  • by lovevintage,

    lovevintage lovevintage Nov 20, 2015 8:43 AM in response to Linc Davis
    Level 1 (0 points)
    Nov 20, 2015 8:43 AM in response to Linc Davis

    thanks a lot for the procedure !!! my computer was overheating and losing all its memory, I had no idea why !

  • by thepink,

    thepink thepink Dec 6, 2015 3:22 AM in response to RightLurker
    Level 1 (0 points)
    Dec 6, 2015 3:22 AM in response to RightLurker

    Thank you very much, I had the same problem and couldn't find a solution anywhere else!

  • by alexsimonmx,

    alexsimonmx alexsimonmx Dec 9, 2015 8:42 AM in response to Linc Davis
    Level 1 (0 points)
    Dec 9, 2015 8:42 AM in response to Linc Davis

    You are a genius. Thanks for sharing the knowledge

  • by Tedster05,

    Tedster05 Tedster05 Dec 18, 2015 3:17 PM in response to Linc Davis
    Level 1 (0 points)
    Dec 18, 2015 3:17 PM in response to Linc Davis

    Top bloke Linc! Your process worked a treat & normal service has been resumed. Cheers

  • by almost clueless,

    almost clueless almost clueless Jan 11, 2016 5:49 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 11, 2016 5:49 AM in response to Linc Davis

    Thanks for this vital information.  I've done everything I could infer from your post, deleted many folders, reentered my start pages,  but then found Launch Agents that are partially like the names you mention, but  have recognizable names like Citrix, adobe, etc...  Do you know if these are valid extensions, or an evolution of the malware?  I've been having odd problems for a while now, so difficult to figure out when they started. Any thoughts would be greatly appreciated.

     

    file:///Library/LaunchAgents/com.google.keystone.agent.plist

    file:///Library/LaunchAgents/com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c9 5072f92651fb65e1bf9c8e43c37a23d420d.plist

    file:///Library/LaunchAgents/com.divx.dms.agent.plist

    file:///Library/LaunchAgents/jp.co.canon.CUPSCAPT.BG.plist

    file:///Library/LaunchAgents/com.divx.update.agent.plist

    file:///Library/LaunchAgents/com.oracle.java.Java-Updater.plist

    file:///Library/LaunchAgents/com.citrix.AuthManager_Mac.plist

    file:///Library/LaunchAgents/com.citrix.ReceiverHelper.plist

    file:///Library/LaunchAgents/com.citrix.ServiceRecords.plist

    file:///Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist