Vote-4-Pedro

Q: How do I delete palmall spyware virus?

The palmall spyware virus somehow got onto my computer. Now it displays popup ads all over everything every time I use my browser. How do I get rid of it? I'm on a 2009 Macbook Pro running Mavericks.

Thanks

Mac Pro, OS X Mavericks (10.9.4)

Posted on Aug 23, 2014 2:39 PM

  • Vote-4-Pedro, Level 1 (0 points), Aug 24, 2014 12:07 PM in response to Linc Davis

    Thanks for the help. I just ran The Safe Mac Ad Removal Tool. Thomas at TSM said he found a couple things in the installer and added them to his script. Did it uninstall everything, or do I also need to go through these steps manually?

    Thanks

  • MadMacs0, Level 5 (4,801 points), Aug 24, 2014 12:26 PM in response to Vote-4-Pedro

    The Adware Removal Tool does not remove any of the "SearchProtect" browser hijack files, so you should go ahead and check to see if you also have that one by some chance.

  • Vote-4-Pedro, Level 1 (0 points), Aug 24, 2014 12:39 PM in response to MadMacs0

    Ok, thanks. And oh yeah, it would have been an NFL game that was the culprit. When you go to stream a game, you get a series of popups over the video that you have to close. They often try to get you to download a plugin. I never have. But a few times they automatically downloaded installers when I closed the window. I usually delete them immediately, but must have missed one.

  • Linc Davis, Level 10 (208,044 points), Aug 24, 2014 12:45 PM in response to Vote-4-Pedro

    I haven't tested that script and I don't know what it does. As a general rule, I'm not in favor of that approach. When you've already gotten in trouble by downloading and clicking some unknown thing, to download and click another unknown thing is not what I'd call a step in the right direction. The right direction is to stop downloading and clicking unknown things. If you get the idea that there will always be a point-and-click solution for malware problems, you'll be learning very much the wrong lesson from this experience. The "anti-virus software" approach to security is a proven failure.

  • thomas_r., Level 7 (30,944 points), Aug 24, 2014 1:42 PM in response to Linc Davis

    Linc,

    The following items are part of the PalMall adware, and were contained in the installer that Vote-4-Pedro sent me:

    ~/Library/Application Support/Google/Chrome/External Extensions/fjadmdmahkpbhgbmmkiiaanlnlekelmn.json
    ~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/deacruzemiliano@outlook.com

    However, the rest of the items listed are not installed by that installer. I have seen some PalMall items and some of the SearchProtect items you mention installed together in some users' reports, but they are not installed together in all cases. It's possible that PalMall and SearchProtect are related, but I think it's more likely that they are simply installed together by some installers, in much the same way that varying combinations of Genieo/InstallMac, Downlite, GoPhoto.it and Spigot have been installed together.

    Do you have a source for this information that you wouldn't mind sharing?

    Also, I believe your instructions contain an error. The following item:

    ~/Library/Application Support/Firefox/searchplugins/MyBrand.xml

    looks like it needs to be broken out onto a separate line. In addition, I'm not sure whether a searchplugins folder should actually be found in that location. I'm not an expert when it comes to Firefox, but the only searchplugins folders that I have seen in any Firefox installation are in the default profile folder (~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default/) and inside the Firefox app itself. Is this a third possible location for a searchplugins folder, or was this an error?

  • Linc Davis, Level 10 (208,044 points), Aug 24, 2014 2:23 PM in response to thomas_r.

    What I found on the site was a codesigned network installer for "JDownloader" (probably legitimate) and "Trovi" (i.e. "SearchProtect") with options to install "PalMall" (a Safari extension), "ZipCloud" (not necessarily malware, but not to be trusted), and MacKeeper. The Chrome and Firefox extensions seemed to be part of SearchProtect, which also includes a different Safari extension. I could be mistaken, as I installed all the items at once. I'm not sure it would have been possible to separate PalMall from SearchProtect, but there are definitely two different Safari extensions. SearchProtect seems to be a derivative of Conduit.

    The source of the information is a before/after comparison done on a test system, as well as packet captures done during the installation.

    Jive did garble my earlier comment so I'll try to repost it below.

  • Linc Davis, Level 10 (208,044 points), Aug 24, 2014 2:26 PM in response to Linc Davis

    You installed the "SearchProtect" browser hijack, perhaps under a different name. Remove it as follows.

    Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchDaemons/com.perion.searchprotectd.plist

    Right-click or control-click the line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with an item named "com.perion.searchprotectd.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

    Restart the computer and empty the Trash. Then delete the following items in the same way:

    /Applications/SearchProtect
    ~/Library/Application Support/Firefox/searchplugins/MyBrand.xml
    ~/Library/Application Support/Google/Chrome/External Extensions/fjadmdmahkpbhgbmmkiiaanlnlekelmn.json
    ~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/deacruzemiliano@outlook.com
    ~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
    ~/Trovi

    Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

    Quit and relaunch Safari. From the menu bar, select

              Safari ▹ Preferences... ▹ Extensions

    Uninstall any extensions you don't know you need, including any that have the word "Trovi" or "palmall" in the description. If in doubt, uninstall all extensions.

    Reset the default search engine and home page to what it was before.

    "SearchProtect" may be distributed along with two other applications: "MacKeeper," which is a scam, and "ZipCloud," which, if not actually a scam, has a dubious reputation. Ask if you need instructions to remove those items.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
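As an added example (not from the thread or from any of the posters), a read-only shell audit for the items Linc Davis lists, which also looks in the per-profile Firefox location thomas_r. describes; the SYS_ROOT/USER_HOME parameters and the --run flag are this script's own conventions, and it reports without deleting anything:

```shell
#!/bin/sh
# Added audit script (not from the thread): read-only check for the
# SearchProtect/Trovi items in the removal steps above. Paths are resolved
# under SYS_ROOT (normally "") and USER_HOME (normally $HOME).

# Prints "FOUND <path>" for each item present.
# Returns 0 when nothing is found, 1 when at least one item exists.
audit_searchprotect() {
    sys_root=${1:-}
    user_home=${2:-$HOME}
    found=0

    # System-wide items; removing these needs administrator rights.
    for p in \
        "$sys_root/Library/LaunchDaemons/com.perion.searchprotectd.plist" \
        "$sys_root/Applications/SearchProtect"
    do
        [ -e "$p" ] && { echo "FOUND $p"; found=1; }
    done

    # Per-user items. Double quotes keep the spaces intact and stop the
    # braces in the Mozilla extension GUID from being brace-expanded.
    for p in \
        "$user_home/Library/Application Support/Firefox/searchplugins/MyBrand.xml" \
        "$user_home/Library/Application Support/Google/Chrome/External Extensions/fjadmdmahkpbhgbmmkiiaanlnlekelmn.json" \
        "$user_home/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/deacruzemiliano@outlook.com" \
        "$user_home/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin" \
        "$user_home/Trovi"
    do
        [ -e "$p" ] && { echo "FOUND $p"; found=1; }
    done

    # Firefox normally keeps searchplugins inside each profile folder, so look
    # there too (glob over profiles; an unmatched glob stays literal and fails -e).
    for p in "$user_home/Library/Application Support/Firefox/Profiles"/*/searchplugins/MyBrand.xml
    do
        [ -e "$p" ] && { echo "FOUND $p"; found=1; }
    done

    return $found
}

# When invoked as "sh audit.sh --run", audit the live system.
if [ "${1:-}" = "--run" ]; then
    if audit_searchprotect "" "$HOME"; then
        echo "No SearchProtect/Trovi items found."
    fi
fi
```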

  • thomas_r., Level 7 (30,944 points), Aug 26, 2014 7:05 AM in response to Linc Davis

    I've seen some indications that Trovi is another form of the Conduit adware. SearchProtect appears to be the same.

    Conduit is rapidly becoming one of the nastiest bits of adware for the Mac, taking a wide variety of forms and even making modifications to the internals of the Firefox app itself in some cases. I believe it's on its way to eclipsing both Genieo and Downlite, which I've seen far less frequently of late.