You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

How to Remove Malware? KeyWordsSearch forced my chrome/safari to shut down and installed unauthorized extension.


I looked through all my folders and have deleted so many weird files, but this still happened. It's becoming very annoying and would appreciate any tips to remove this malware.

MacBook Pro 13″, macOS 10.14

Posted on Jun 17, 2020 10:39 AM

Reply
6 replies

Jun 18, 2020 10:42 AM in response to skowi

You're welcome. Glad to help.


Now that you know what to look for, removing adware is pretty simple.


Adding to what you already did, be vigilant for any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. A Profile has nearly limitless potential to impose restrictions on what you do with your Mac.


If any Profiles are installed on your Mac an icon like this will appear in System Preferences:



If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.


Just like adware a Profile requires your permission to be installed on your Mac, but people are often deceived into installing it. Deception is how those scams work.

Jun 17, 2020 10:47 AM in response to skowi

To ascertain the cause so that you can eliminate it, start by inspecting the contents of the following folder:


~/Library/LaunchAgents


To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:



... and click the Go button.


A Finder window will open. Make sure all its file names are readable by selecting View > as List or other selection that shows that folder's complete contents. Then, take a screenshot of that Finder window.



Often, there is nothing in that Launch Agents folder so don't be surprised to find it empty.


In the same manner as the above, navigate to this next folder:


/Library/LaunchDaemons


The Finder's Go menu > Go to Folder... field should look like this:



... and click the Go button once again.


Once again ensure all its files and their names are readable and capture a screenshot.


Then, repeat that exercise with the following folder:


/Library/LaunchAgents


Notice its pathname is different than the other two. The Finder's Go menu > Go to Folder... field should look like this:



In the end, you will have captured the contents of the following three separate folders:


~/Library/LaunchAgents

/Library/LaunchDaemons

/Library/LaunchAgents


All three will be saved to your Mac's Desktop with names "Screen Shot... " followed by the date and time they were captured. Please be sure to include or otherwise indicate the name of the folder that corresponds to each screenshot, so that you and I can keep track of which ones they are.


Post the entire contents of all three windows, one at a time, using the "picture" icon that appears below your reply text:


Jun 17, 2020 3:33 PM in response to skowi

Yes, delete the two files the top—the ones with a lot of numbers in their names. Delete "Spigot" also, even though it's probably inert by now.


Then, restart your Mac, and confirm the malware is no longer affecting it. If it does, please write back for instructions. Among them would involve repeating those actions while in "Safe Mode", which ensures the processes spawning those files are rendered inactive. That, plus a few other steps to ensure its complete eradication.

How to Remove Malware? KeyWordsSearch forced my chrome/safari to shut down and installed unauthorized extension.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.