How to roll back before malware (Adload)

Hi,


I’m going to help an elderly relative whose MacBook is infected with malware (specifically Adload). I will only be there for two hours, so I want to come up with a plan now. I don’t know which OS version she has.


I would have thought I could just revert the system part via Time Machine? If so, how can I achieve this without affecting her personal files?


If this is not possible then I will have to weed out the malware. I don’t really trust Malwarebytes too much (who pays for the free version? I don’t want to combat adware with adware). So I thought I’d use KnockKnock to check for persistent installs. I would run multiple scans, restarting in between runs.


If this doesn’t help, then the same procedure with Malwarebytes.


But really this should be solvable with Time Machine, right?


Thanks in advance!

Posted on Mar 31, 2024 1:23 PM

Question marked as Top-ranking reply

Posted on Apr 1, 2024 5:15 AM

Time Machine no longer backs up macOS itself so that's not an option. However, macOS is quite impervious to unauthorized alteration, so that's not where the problem lies anyway. Reinstalling macOS wouldn't fix anything (it usually doesn't).


The best time to restore a Time Machine backup is within hours of having inadvertently done something you want to undo; perhaps a few days at most. Beyond that, its usefulness diminishes.


Since TM won't be the simple fix you would like it to be, I'd start by posting those three screenshots described in Removing "Search Marquis" / "Search Baron" / etc on your own - Apple Community. They are likely to identify files you need to delete. Failing that, proceed with using EtreCheck. EtreCheck is far more comprehensive and will include additional details that may be germane to the problem at hand.


I don't know if its most recent version will offer to eradicate the subject malware but it will not do anything without your consent.


3 replies

Mar 31, 2024 2:43 PM in response to MarkAnton

Yes, provided she knows just when that malware was installed. The reason is that you will need to restore a Time Machine backup created prior to that time.


To my knowledge "Adload" is just one of a number of popular things that result in search queries being redirected. They can go by any number of names.


Try this. Instead of "Malwarebytes" (which often fails to find such things) use EtreCheck instead. It requires no installation procedure, which means all you have to do is download and run it. It does not ask for authorization to do that, does not ask for any passwords, and does not alter a Mac in any manner whatsoever.


Instructions are here: How to use the Add Text Feature When Posting Large Amounts of Text, i.e. an EtreCheck Report - Apple Community


When you're finished with EtreCheck you can just drag its app icon to the Trash or simply ignore it. When it's not running, it does exactly nothing.


If you don't even want to use EtreCheck either, then I posted these remediation instructions here: Removing "Search Marquis" / "Search Baron" / etc on your own - Apple Community. It explains how to open three separate folders and post three corresponding screenshots of them. Experienced helpers on this site have grown fairly adept at identifying what needs to be removed and how to remove them.


The bottom line is that you don't have to install anything to fix these things.
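Added example, not code from this thread, from Apple, or from EtreCheck or KnockKnock: a small POSIX shell script that does the manual "open the persistence folders and see what is there" step described above, but as a list you can read in a terminal instead of three screenshots. The page does not name the three folders; the script assumes the usual launchd ones, /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents. Its SUSPECT rules are heuristics (executable in a temp directory, a hidden directory in the executable path, or a non-Apple job launched from an Application Support folder) meant to shortlist entries for a human to look at; it reads files only and deletes nothing.

```shell
#!/bin/sh
# Added example for this thread; not from the forum, Apple, EtreCheck or KnockKnock.
# Assumption (the thread does not name the folders): the persistence folders are
# /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents.
# The SUSPECT rules are heuristics to shortlist jobs for review, not a verdict.

# Emit a plist as XML text. Binary plists start with "bplist"; on macOS plutil converts them.
plist_as_xml() {
    if [ "$(head -c 6 "$1" 2>/dev/null)" = "bplist" ] && command -v plutil >/dev/null 2>&1; then
        plutil -convert xml1 -o - "$1"
    else
        cat "$1"
    fi
}

# Print the first <string> that follows <key>$2</key> in plist $1. Works for Program
# and for ProgramArguments (the array's first string is the executable).
plist_string_after_key() {
    plist_as_xml "$1" | awk -v key="$2" '
        index($0, "<key>" key "</key>") { want = 1; next }
        want && /<string>/ {
            s = $0; sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s)
            print s; exit
        }'
}

# Print a reason and return 0 when a job looks like adware persistence; return 1 otherwise.
suspicion_reason() {
    label="$1"; program="$2"
    case "$program" in
        "") echo "no Program or ProgramArguments found"; return 0 ;;
        /tmp/*|/private/tmp/*|/var/tmp/*|/private/var/tmp/*) echo "executable in a temp directory"; return 0 ;;
        */.*) echo "hidden directory in executable path"; return 0 ;;
    esac
    case "$label" in
        com.apple.*) ;;   # Apple namespace: listed as "review", not flagged by this rule
        *) case "$program" in
               *"/Library/Application Support/"*) echo "third-party job launched from Application Support"; return 0 ;;
           esac ;;
    esac
    return 1
}

# One line per plist in $1: SUSPECT (reason) or review, then label, executable, file (tab-separated).
triage_launchd_dir() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_string_after_key "$f" Label)
        program=$(plist_string_after_key "$f" Program)
        [ -n "$program" ] || program=$(plist_string_after_key "$f" ProgramArguments)
        if reason=$(suspicion_reason "$label" "$program"); then
            printf 'SUSPECT (%s)\t%s\t%s\t%s\n' "$reason" "$label" "$program" "$f"
        else
            printf 'review\t%s\t%s\t%s\n' "$label" "$program" "$f"
        fi
    done
}

# Scan the assumed persistence folders (missing folders are skipped).
triage_default_dirs() {
    for d in /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"; do
        triage_launchd_dir "$d"
    done
}

# Invoke as: sh triage_launchd.sh scan
if [ "${1:-}" = "scan" ]; then
    triage_default_dirs
fi
```

Run it as `sh triage_launchd.sh scan` on the affected Mac and read every line, not just the SUSPECT ones: a legitimate updater can trip the Application Support rule, and a job with an innocuous label can still point at a payload. Nothing is removed by the script; decide on each flagged plist yourself, in line with the remediation thread linked above.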

Apr 1, 2024 12:11 AM in response to John Galt

Thanks for helping! So when I select a Time Machine point from 3 months ago it won’t just revert every personal file back to that date? How do I constrain it to system files only?



Does EtreCheck detect and remove the malware or does it simply list all paths where suspicious files are located so I have to figure out myself what’s benign? You said EtreCheck doesn’t alter the Mac in any way … of course I’m happy for it to delete the malware.


Posting logs won’t likely be possible because of the tight timeframe.


Again, thanks for helping.
