The palmall spyware virus somehow got onto my computer. Now it displays popup ads all over everything every time I use my browser. How do I get rid of it? I'm on a 2009 Macbook Pro running Mavericks.
Thanks
Mac Pro, OS X Mavericks (10.9.4)
Helpful Links Regarding Malware Problems
If you are having an immediate problem with ads popping up see The Safe Mac » Adware Removal Guide and The Safe Mac » Adware Removal Tool. Open Safari, select Preferences from the Safari menu. Click on Extensions icon in the toolbar. Disable all Extensions. If this stops your problem, then re-enable them one by one until the problem returns. Now remove that extension as it is causing the problem.
An excellent link to read is Tom Reed's Mac Malware Guide.
Also, visit The XLab FAQs and read Detecting and avoiding malware and spyware.
See these Apple articles:
Mac OS X Snow Leopard and malware detection
OS X Lion- Protect your Mac from malware
OS X Mountain Lion- Protect your Mac from malware
OS X Mavericks- Protect your Mac from malware
If you require anti-virus protection Thomas Reed recommends using ClamXAV. (Thank you to Thomas Reed for this recommendation.)
From user Joe Bailey comes this equally useful advice:
The facts are:
1. There is no anti-malware software that can detect 100% of the malware out there.
2. There is no anti-malware that can detect anything targeting the Mac because there
is no Mac malware in the wild, and therefore, no "signatures" to detect.
3. The very best way to prevent the most attacks is for you as the user to be aware that
the most successful malware attacks rely on very sophisticated social engineering
techniques preying on human avarice, ****, and fear.
4. Internet popups saying the FBI, NSA, Microsoft, your ISP has detected malware on
your computer is intended to entice you to install their malware thinking it is a
protection against malware.
5. Some of the anti-malware products on the market are worse than the malware
from which they purport to protect you.
6. Be cautious where you go on the internet.
7. Only download anything from sites you know are safe.
8. Avoid links you receive in email, always be suspicious even if you get something
you think is from a friend, but you were not expecting.
9. If there is any question in your mind, then assume it is malware.
thanks. ill give it a try.
Ok, that was easy. It was the only extension listed. I'd like to delete it completely from my hard drive if possible. I can't find it using spotlight. Any idea where it might be saved?
Uninstalling Software: The Basics
Most OS X applications are completely self-contained "packages" that can be uninstalled by simply dragging the application to the Trash. Applications may create preference files that are stored in the /Home/Library/Preferences/ folder. Although they do nothing once you delete the associated application, they do take up some disk space. If you want you can look for them in the above location and delete them, too.
Some applications may install an uninstaller program that can be used to remove the application. In some cases the uninstaller may be part of the application's installer, and is invoked by clicking on a Customize button that will appear during the install process.
Some applications may install components in the /Home/Library/Applications Support/ folder. You can also check there to see if the application has created a folder. You can also delete the folder that's in the Applications Support folder. Again, they don't do anything but take up disk space once the application is trashed.
Some applications may install a startupitem or a Log In item. Startupitems are usually installed in the /Library/StartupItems/ folder and less often in the /Home/Library/StartupItems/ folder. Log In Items are set in the Accounts preferences. Open System Preferences, click on the Accounts icon, then click on the LogIn Items tab. Locate the item in the list for the application you want to remove and click on the "-" button to delete it from the list.
Some software use startup daemons or agents that are a new feature of the OS. Look for them in /Library/LaunchAgents/ and /Library/LaunchDaemons/ or in /Home/Library/LaunchAgents/.
If an application installs any other files the best way to track them down is to do a Finder search using the application name or the developer name as the search term. Unfortunately Spotlight will not look in certain folders by default. You can modify Spotlight's behavior or use a third-party search utility, EasyFind, instead.
Some applications install a receipt in the /Library/Receipts/ folder. Usually with the same name as the program or the developer. The item generally has a ".pkg" extension. Be sure you also delete this item as some programs use it to determine if it's already installed.
There are many utilities that can uninstall applications. Here is a selection:
1. AppZapper
2. AppDelete
3. Automaton
4. Hazel
5. AppCleaner
6. CleanApp
7. iTrash
8. Amnesia
9. Uninstaller
10. Spring Cleaning
For more information visit The XLab FAQs and read the FAQ on removing software.
Vote-4-Pedro wrote:
I'd like to delete it completely from my hard drive if possible.
We have not been able to identify the installer for this one or a web site where we could obtain it. TheSafeMac's ART will remove the extensions from Safari, Firefox and Chrome, but will not be able to locate anything else. It would help the community immensely if you have any ideas along those lines. Most adware is concealed within the installer downloaded for some other third party software. It may come from a software distribution site such as C|Net's download.com, Softonic or most any BitTorrent site. It might have shown up on a web site where it ask that you download an update to FlashPlayer or install some sort of plugin or codec in order to view a movie or video or listen to music.
It's doubtful that it would have come from anything named palmall and Spotlight isn't likely to look in any of the right places for in in any case. And I'm not sure where you got the idea it was Spyware as there has not been any indication that it is.
See what's in your download folder that you might have gotten around the time your problems started.
From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Remove any extensions you don't know you need, including one called "palmall" or similar. If in doubt, remove all of them.
I actually have a pretty good idea where it came from. A couple days ago, I tried to install Skype. When I did, it downloaded an installer. I went to my downloads and double clicked on what I thought was the Skype installer. It wasn't. The installer I clicked on installed MacKeeper. Once I realized that's what was installed, I immediately deleted it. When I did, it asked if I wanted to uninstall it. I clicked yes. I just checked my trash and I have both the MacKeeper app and the original installer in there. I can email it to you if it will help.
Vote-4-Pedro wrote:
I can email it to you if it will help.
Please send to thomas [at] thesafemac.com. I'll let him know it's coming.
From where did you download it?
I'm pretty sure it came from a sports streaming site that forces you to close a ton of popups before you can watch your game. The address is vipleague dot se. Every once in a while, it automatically downloads an installer. I usually delete them immediately, but I must have missed one.
I sent him the installer. When I went to drag MacKeeper onto my desktop so that I could email it, it asked for my password, so I cancelled.
Vote-4-Pedro wrote:
I sent him the installer.
Thanks.
When I went to drag MacKeeper onto my desktop so that I could email it, it asked for my password, so I cancelled.
That's OK. I suspect the installer is the main problem.
MacKeeper may ask for your password when you try to empty the trash. That's normal and will allow it to remove some of the files that were installed initially. It usually takes care of itself now, but if you want to be doubly sure check how to uninstall MacKeeper - updated.
I've been poking around the vipleague site, but haven't been offered even an add yet. Do you recall the specific sport and game involved?
You installed the "SearchProtect" browser hijack, perhaps under a different name. Remove it as follows.
Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
Back up all data before proceeding.
Triple-click anywhere in the line below on this page to select it:
/Library/LaunchDaemons/com.perion.searchprotectd.plist
Right-click or control-click the line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with an item named "com.perion.searchprotectd.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
Restart the computer and empty the Trash. Then delete the following items in the same way:
/Applications/SearchProtect~/Library/Application Support/Firefox/searchplugins/MyBrand.xml
~/Library/Application Support/Google/Chrome/External Extensions/fjadmdmahkpbhgbmmkiiaanlnlekelmn.json
~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/deacruzemiliano@outlook.com
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Trovi
Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
Quit and relaunch Safari. From the menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall any extensions you don't know you need, including any that have the word "Trovi" or "palmall" in the description. If in doubt, uninstall all extensions.
Reset the default search engine and home page to what it was before.
"SearchProtect" may be distributed along with two other applications: "MacKeeper," which is a scam, and "ZipCloud," which, if not actually a scam, has a dubious reputation. Ask if you need instructions to remove those items.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
Remove "MacKeeper" as follows. First, back up all data.
"MacKeeper" is a scam with only one useful feature: it deletes itself.
Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.
If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and emptying—then you'll have to reinstall it and start over.
IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.
In the Finder, select
Go ▹ Applications
from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the functional components of the software will be deleted. Restart the computer.
☞ Quit MacKeeper before dragging it to the Trash.
☞ Don't empty the Trash. Let MacKeeper delete itself.
☞ Don't try to drag the MacKeeper Dock icon to the Trash.
Thanks for the help. I just ran The Safe Mac Ad Removal Tool. Thomas at TSM said he found a couple things in the installer and added them to his script. Did it uninstall everything, or do I also need to go through these steps manually?
Thanks
How do I delete palmall spyware virus?
