Got malware, want to wipe clean and start from scratch, but with current OS - Sierra

So I accidentally got a virus by clicking on one of those 'you need to update Flash' while trying to find a free Fantasy Football cheat sheet. Amateur I know, first time in 17 years of being a Mac owner. I tried a subscription based anti-virus (MacKeeper) and it was unsuccessful by itself, they wanted me to upgrade to some super premium thing and have a professional remote control my laptop for hundreds of dollars. No thanks. I'd rather just wipe it clean and start from scratch with just my important files backed up on a hard drive or cloud (but not full system backup which would still have the malware). Problem is I'm running Sierra and would like to continue to use this as I have several music plug-ins that are 32-bit and the new Catalina runs 64-bit only. I use 32 Lives to make it work for the plug-ins I have for now, but apparently that won't work with Catalina. So the question is, where do I get the disc image for Sierra, and then what's the best way to wipe the computer?

MacBook Pro (Retina, 13-inch, Early 2015)

Mac OS 10.12.6

2.7GHz Intel i5


Posted on Oct 22, 2019 2:02 PM

7 replies

Oct 22, 2019 2:51 PM in response to blazedj420

You’re not going to like any of this...

Use current software. Not Sierra.

(Wouldn’t go below High Sierra, at this point... That’s the oldest that’s still typically getting security patches.)

Getting old installer kits is increasingly difficult, particularly after subsequent releases ship.

This Mac can run Catalina, which has better protections against sketchy apps.

Catalina deprecates 32-bit apps, and you’ll want to check your key apps, check that your printer and scanner vendors have drivers available, and upgrade. (And maybe keep a copy of the Catalina installer around.)

MacKeeper is a controversial choice here, too—see allegations that "neither the free trial nor the full registered versions of MacKeeper performed any credible diagnostic testing" referenced there, among other details.

Your credentials and the rest are either gone, or should be assumed to be.

MalwareBytes might be able to decontaminate, but it’s best to roll in your backups from immediately prior.

But your passwords and tokens are best assumed compromised. Revoke and recreate app authentication tokens, too.


Nov 1, 2019 8:39 AM in response to MrHoffman

You can get rid of it:

  1. http://osxdaily.com/uninstall-mackeeper-from-mac/
  2. Download Malwarebytes: https://www.malwarebytes.com/mac/ and run it.
  3. Run it again.
  4. Safari:

Shut down Safari, then open Safari while holding the Shift key.

In Safari->Preferences->Advanced, check "Show Develop menu in menu bar".

Then Safari->History->Clear History->Clear All.

Then Safari->Develop->Empty Caches.

Now you should not get the pop-ups.


Oct 22, 2019 3:48 PM in response to MrHoffman

Thanks for the reply. What exactly do you mean by 'credentials and rest are gone'?

And passwords are compromised? So everything in my keychain? Do I need to change passwords on everything that I log onto with this computer? And do I need to wipe it and start fresh before I do that? (assuming if my passwords got taken once they're still at risk of getting taken until it's cleaned.)

Thanks again!

Oct 30, 2019 1:01 PM in response to MrHoffman

Following up more on this. So I do have a Time Machine backup from just before the breach. Just opening Time Machine, I'm only seeing how to restore individual files or such. Is it possible to use Time Machine to restore my entire system back to its pre-breach state, thereby eliminating all malware?

And some more detail on the actual malware, the symptoms are basically any time I'm using Safari, pop-up tabs within the same window that's open come up very regularly. The tab goes through a string of redirects in the address bar, ends up on some random unsecure address, and the page is either a 'your flash player is out of date' with a pop up or 'your mac is infected, download this antivirus software'. Occasionally there will be a small separate popup window that has the Safari logo and a 'congratulations' message on it. Only way to get rid of it is to completely close Safari. And when that particular thing pops up, my AppStore opens up to the Safari Extensions page. Nothing else seems to be affected besides Safari. I can use Firefox fine with no problems. Also, these are the symptoms that initially happened when I first downloaded the malware. The MacKeeper was able to make it stop for a while, but it eventually started up again. Don't know if that helps or not.

As for the security of my passwords and such, I've been checking all my banking accounts and everything else and haven't noticed any irregular activity. Not saying it didn't get compromised, I do plan on changing everything, but I want to get the computer fixed first so that changing passwords doesn't just send my new passwords out as well.

Thanks!

Oct 22, 2019 4:08 PM in response to blazedj420

Imagine handing (evil) me your admin password, and then handing me your Mac.

That’s what happened.

You granted admin access, right?

That means you granted the keys to the whole kingdom.

Access to everything.

What actually got uploaded, if anything, we don’t know.

But with admin access, it’s all in play.

Which means assuming passwords are compromised.

All of them.

Including your recovery email accounts and passwords.

Roll in your backups from prior to the breach.

If you don’t have routine backups, decontamination is a yet bigger project.

Which would involve starting over with backups, wiping, and a fresh install.

Migrating in just docs from your now-just-created post-breach backups.

MalwareBytes might be able to clean up rogue files, but it might not.

And I’d still assume that your credentials and credit cards and the rest were uploaded.



Oct 30, 2019 1:51 PM in response to blazedj420

MacKeeper is a contentious hunk of software, and not one I prefer to have installed on any system I manage.

More generally and across all of what’s available, add-on anti-malware, add-on anti-virus, add-on VPN clients, add-on cleaners, free stuff and free coupons, stuff from app aggregators, various of that is problematic at best. And some of it is malware. Some of the legitimate stuff introduces vulnerabilities, too. Some makes systems unstable. And there are fake versions of legitimate software.

The built-in macOS anti-malware works reasonably well.

Most folks get in trouble with what they’ve decided to download and install and authenticate.

Make a backup, cloning your storage using Disk Utility or Carbon Copy Cloner or otherwise, maybe make another one, boot Recovery, wipe, reload macOS, and migrate in your files and not your apps. Reload your app files from a known-good source. Downloads from the Mac App Store and from vendor/developer sites are usually okay.

The MalwareBytes stuff has a decent reputation around the forum, though I don’t run that. That might be able to clean up this, prior to performing a reload.
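An added illustration of the "find out what is set to run before you decide between cleanup and a reload" step behind the Nov 1 and Oct 30 replies; this is not code from either poster or from Malwarebytes. It parses launchd job plists (the usual persistence spot for Safari adware) and flags RunAtLoad jobs whose program lives outside standard system paths. The sample plists, including the fake "Flash updater" job, are constructed inline, and the trusted-path list is an assumption.

```python
import plistlib
import tempfile
from pathlib import Path

# Assumption: programs under these prefixes are treated as normal for this triage.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Applications/", "/Library/Apple/")


def triage_launch_items(directory):
    """Parse each *.plist in `directory` as a launchd job definition and return
    the ones worth a closer look: RunAtLoad jobs pointing outside trusted paths."""
    findings = []
    for plist_path in sorted(Path(directory).glob("*.plist")):
        try:
            with open(plist_path, "rb") as fh:
                job = plistlib.load(fh)
        except Exception as exc:  # a plist that will not parse is itself notable
            findings.append({"file": plist_path.name, "label": "?", "program": "?",
                             "reason": f"unparseable: {exc}"})
            continue
        args = job.get("ProgramArguments") or []
        program = job.get("Program") or (args[0] if args else "")
        if job.get("RunAtLoad") and not program.startswith(TRUSTED_PREFIXES):
            findings.append({"file": plist_path.name, "label": job.get("Label", "?"),
                             "program": program, "reason": "RunAtLoad outside trusted paths"})
    return findings


def build_sample_launch_agents():
    """Write two constructed LaunchAgent plists to a temp dir and return its path:
    one benign system-style job and one mimicking a fake 'Flash updater'."""
    directory = Path(tempfile.mkdtemp())
    jobs = {
        "com.example.benign.plist": {"Label": "com.example.benign",
                                     "ProgramArguments": ["/usr/bin/true"],
                                     "RunAtLoad": True},
        "com.example.flashupdater.plist": {"Label": "com.example.flashupdater",
                                           "ProgramArguments": ["/Users/me/Library/.hidden/updater", "--quiet"],
                                           "RunAtLoad": True},
    }
    for name, job in jobs.items():
        with open(directory / name, "wb") as fh:
            plistlib.dump(job, fh)  # constructed sample, not a real finding
    return str(directory)


if __name__ == "__main__":
    # On a real Mac, point this at ~/Library/LaunchAgents and /Library/LaunchAgents.
    for finding in triage_launch_items(build_sample_launch_agents()):
        print(f"{finding['file']}: {finding['reason']} ({finding['program']})")
```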
