-
All replies
-
Helpful answers
-
Mar 27, 2016 10:42 AM in response to raven19994by MrHoffman,Read through the entire thread first, then — if what's discussed there fails — please post up any additional details and questions and the Etrecheck report (in this thread): ChumSearch malware/How to get rid of it?
-
Mar 27, 2016 10:52 AM in response to raven19994by Linc Davis,You may have installed ad-injection malware ("adware").
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Back up all data first.
Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.
If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.
If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.
If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.
This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.
Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.
If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.
Step 1
Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go â–¹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.
If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.
Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.
Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.
Leave the folder open for now.
Step 2
Do as in Step 1 with this line:
/Library/LaunchAgents
The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.
Step 3
Repeat with this line:
/Library/LaunchDaemons
This time the folder will be named "LaunchDaemons."
Step 4
Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.
Step 5
If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
-
Mar 27, 2016 11:58 AM in response to Linc Davisby raven19994,Well I installed an ad-injection software. I reinstalled the update, still have it.
-
Mar 27, 2016 12:04 PM in response to raven19994by Linc Davis,As I wrote earlier, automatic removal doesn't always work. Please take Steps 1-5.
-
Mar 27, 2016 2:54 PM in response to Linc Davisby andymiller320,Trying those steps but don't see the adware
Can I find it in Activity Monitor / Processes?
-
Mar 27, 2016 4:52 PM in response to Linc Davisby Amateur_user1,Thank you Linc Davis. As suggested, attached is the screenshot showing the com.SoftwareUpdater.agent.plist file document that shows a date modification on 3/14/16 at 5:03pm ET. This looks suspicious. Not sure of the other two which are from 2-3 yrs ago (com.citrionline.gotomeeting.g2mupdate.plist; and com.adobe.arm.202.......)
-
Mar 27, 2016 5:28 PM in response to Amateur_user1by Amateur_user1,Step 2 screenshot is attached below....Note: the same file exists 'com.SoftwareUpdater.agent.plist'
---------------------------------------
Step 3 screenshot below - This shows 2 new files that appear strange = 'com.crash plan.engine.plist' and 'com.adobe.fpsaud.plist'
------------------------------
Step 4 - There were no files found in the extensions tab under Safari preferences....
--------------
Appreciate your help on this
-
Mar 27, 2016 5:53 PM in response to Amateur_user1by Linc Davis,attached is the screenshot showing the com.SoftwareUpdater.agent.plist file
Delete both files with that name, then log out or restart the computer. Everything else you showed is OK.
-
Mar 27, 2016 6:17 PM in response to Linc Davisby Amateur_user1,Thanks Linc. I deleted all those files in the screenshots above as suggested and rebooted the machine. That said, I still see two things:
1. under 'Applications' --> I still see 'CrashPlan', and it won't let me delete the folder/file because it says that 'operation can't be completed because the item crashPlan is locked.
2. When I open a new tab in Safari, it still shows www.chumsearch.com as the default search engine browser
Is there anyway I can get rid of these files and change my search engine browser to google?
-
Mar 27, 2016 6:25 PM in response to Linc Davisby Amateur_user1,I was able to change the default search engine browser to Google.com.
The only issue at hand requiring resolution is as follows:
Under 'Applications' --> I still see 'CrashPlan', and it won't let me delete the folder/file because it says that 'operation can't be completed because the item crashPlan is locked.
Thanks for all your help Linc
-
Mar 27, 2016 6:40 PM in response to Amateur_user1by Linc Davis,"CrashPlan" is not malware, and it's not the subject of this thread. If you have a problem with it, I suggest you refer to its developer for support or removal instructions. I don't know anything about it.
-
-
-
Apr 14, 2016 1:34 PM in response to raven19994by gimme_cherry,Hi
The above are my sscreen grabs as per instructions. my macbook pro is now flickering like crazy and goes black every now and then. sigh.




