jbgriffee
Level 1
(4 points)
Appear that I downloaded malware. I removed MegaBackup and Mac Defender but now safari goes to a blank window with a search field and the web address is ChumSearch. How do I get rid of this and get back to having Safari go to my preference search engine?
Q: malware
Please post an EtreCheck report of your system. We can then look for obvious issues. Please click the link, download the app and run the report. Once you have the report, please copy and paste it to your reply to this post.
If you would like more info on what EtreCheck is, simply click the link and you will find a description of the app.
You may have installed ad-injection malware ("adware").
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Back up all data first.
Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.
If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.
If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.
If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.
This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.
Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.
If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.
Step 1
Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.
If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.
Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.
Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.
Leave the folder open for now.
Step 2
Do as in Step 1 with this line:
/Library/LaunchAgents
The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.
Step 3
Repeat with this line:
/Library/LaunchDaemons
This time the folder will be named "LaunchDaemons."
Step 4
Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.
Step 5
If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
A
Please back up all data before making any changes.
Below is a suggested procedure to inactivate the malware you installed.
The numbers refer to the items in the screenshots, in the order shown. Use the screenshots as a guide. #1 would be the topmost item, #2 the one below, and so on.
The names in quotes refer to malware types, not to the names of the files. Don't expect the files to have similar names. For example, if you installed the "VSearch" malware, usually none of the files will have the word "VSearch" in the name. Malware attackers don't make it that easy for you.
In the first folder arranged as shown in the screenshots, delete these items:
#1 ("Flashmall")
In the second folder:
None
Restart the computer. Until you've done that, the malware will still be active, even after you delete the files.
Uninstall any Safari extensions you don't know you need. If in doubt, remove all of them. None is needed for normal operation.
Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
Reset the Safari home page, if it was changed. You may need to do the same in the other browsers.
From the Applications folder (not shown in the screenshots), delete items with any of the following names:
EasyShopper
mediaDownloader
SoftwareUpdater
These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.
The instructions above apply only to you. I'm including more general—and complete—self-contained removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.
B (optional)
You installed a variant of the "Flashmall" trojan. To remove it, start by backing up all data.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
1. Please triple-click anywhere in the line below on this page to select it:
/Library/LaunchAgents
Right-click or control-click the highlighted line and select
Services ▹ Open
from the contextual menu.* A folder named "LaunchAgents" should open.
In the folder, there may be one or more files with a name that begins in either of the following ways:
com.EasyShopper
com.SoftwareUpdater
Move each such file to the Trash. You may be prompted for your administrator password.
2. Log out or restart the computer.
3. Open the Applications folder in the Finder. It may have subfolders with any of these names:
EasyShopper
mediaDownloader
SoftwareUpdater
Move each such subfolder to the Trash. Empty the Trash.
4. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "SearchAssist," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
My wife downloaded an Acrobat Reader update and Chumsearch showed up. Brand new used iMac. Super clean machine, in and out.
I tried the Linc Davis answer and it did not work, although I think it should have. One of the LauchAgents was Adobe.
I poked around and noticed she did not have Acrobat Reader installed. I deleted the Adobe LaunchAgent.
chumsearch did not come up again...until she opened mapquest, bang! a chumsearch tab opened next to the mapquest one. I deleted the only cookie I could find for mapquest, but it still pops up.
I haven't figured out what to do next.
You may have installed some other kind of ad-injection malware ("adware").
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Back up all data first.
Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.
If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.
If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.
If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.
This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.
Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.
If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.
Step 1
Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.
If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.
Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.
Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.
Leave the folder open for now.
Step 2
Do as in Step 1 with this line:
/Library/LaunchAgents
The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.
Step 3
Repeat with this line:
/Library/LaunchDaemons
This time the folder will be named "LaunchDaemons."
Step 4
Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.
Step 5
If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
Aufklaer wrote:
My wife downloaded an Acrobat Reader update and Chumsearch showed up. Brand new used iMac. Super clean machine, in and out.
I tried the Linc Davis answer and it did not work, although I think it should have. One of the LauchAgents was Adobe.
I poked around and noticed she did not have Acrobat Reader installed. I deleted the Adobe LaunchAgent.
chumsearch did not come up again...until she opened mapquest, bang! a chumsearch tab opened next to the mapquest one. I deleted the only cookie I could find for mapquest, but it still pops up.
I haven't figured out what to do next.
Return the machine to the seller. Buy one from Apple's refurbished program.
Duhhh. I reset the home page and it's now all gone. It just occurred to me and then I checked your instructions and you said that, just read too fast.
I don't know where that Adobe download came from, though. There is an Adobe Flashplayer installer in her Utilities folder. I suspect that the downloader she accepted included the real Adobe link as well as installing the chumware things. She won't be installing without asking about it again.
I did not know those folders' names, although I knew they had to exist somewhere. Thanks for that.
Thanks for the detailed help on the malware,
You installed a variant of the "Flashmall" trojan. To remove it, start by backing up all data.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
1. Please triple-click anywhere in the line below on this page to select it:
/Library/LaunchAgents
Right-click or control-click the highlighted line and select
Services ▹ Open
from the contextual menu.* A folder named "LaunchAgents" should open.
In the folder, there may be one or more files with a name that begins in either of the following ways:
com.EasyShopper
com.SoftwareUpdater
Move each such file to the Trash. You may be prompted for your administrator password.
2. Open this folder as in Step 1:
~/Library/LaunchAgents
Move to the Trash any files with one of the names listed in the last step.
3. Log out or restart the computer.
4. Open the Applications folder in the Finder. It may have subfolders with any of these names:
EasyShopper
mediaDownloader
SoftwareUpdater
Move each such subfolder to the Trash. Empty the Trash.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "SearchAssist," if it's present. If in doubt, remove all of them. None is required for normal operation.
If the search engine setting was changed, change it back in the Search tab.
Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
theratter
