My wife recently accidentally downloaded what I think was a fake Flash update which resulted in a bunch of Adware being installed on our MacBook Air. I've gotten rid of some, but every time we restart the computer, a ZipCloud advertisement pops up. I tried Adwaremedic but it didn't remove the Adware. Any suggestions? I'm fearful of what else is installed on the computer that I don't know about...
You can't rely on any software to remove malware automatically, as you've already discovered.
A
"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.
To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)
Quit the application, if it's running, and drag it from the Applications folder to the Trash.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
Right-click or control-click the highlighted line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.
In the same folder, there may also be a file named
com.jdibackup.ZipCloud.notify.plist
Move that to the Trash as well.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
B
It's likely that you also installed one or more of the common types of ad-injection malware. Follow the instructions on this Apple Support page to remove it. It's been reported that some variants of the "VSearch" malware block access to the page. If that happens, start in safe mode by holding down the shift key at the startup chime, then try again.
Back up all data before making any changes.
One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, ask for further instructions.
Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "Softonic," "CNET Download," or "SourceForge." Never visit any of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
Malware is also found on websites that traffic in pirated content such as video. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
You can't rely on any software to remove malware automatically, as you've already discovered.
A
"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.
To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)
Quit the application, if it's running, and drag it from the Applications folder to the Trash.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
Right-click or control-click the highlighted line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.
In the same folder, there may also be a file named
com.jdibackup.ZipCloud.notify.plist
Move that to the Trash as well.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
B
It's likely that you also installed one or more of the common types of ad-injection malware. Follow the instructions on this Apple Support page to remove it. It's been reported that some variants of the "VSearch" malware block access to the page. If that happens, start in safe mode by holding down the shift key at the startup chime, then try again.
Back up all data before making any changes.
One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those. If Safari crashes on launch, skip that step and come back to it after you've done everything else.
If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, ask for further instructions.
Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "Softonic," "CNET Download," or "SourceForge." Never visit any of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
Malware is also found on websites that traffic in pirated content such as video. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
sl7z wrote:
I've gotten rid of some, but every time we restart the computer, a ZipCloud advertisement pops up.
Is it a ZipCloud advertisement, or is it actually the ZipCloud application that is opening? If the latter, you should see something like this:
If you are simply seeing ZipCloud open, note that although it is frequently installed alongside adware, it is not adware itself, thus AdwareMedic will not remove it. It is junk software, though, and should be removed, so follow the directions Linc has given for removing it. You will not need to follow the rest of the instructions below unless you continue having problems.
If that's not what is happening, please use AdwareMedic to take a system snapshot (choose Take System Snapshot from the Scanner menu in the menu bar within AdwareMedic), then submit it to The Safe Mac (ie, me). I'll get back to you ASAP and let you know what I see. In addition, post a screenshot showing the advertisement in question. Make a screenshot by following the directions here:
http://support.apple.com/kb/HT5775
Be sure no sensitive personal information is displayed. To add that image to a post here, click the camera icon in the post editor toolbar.
Sorry for the inaccuracy -- yes, it was the ZipCloud application, not the advertisement. It is now gone from our laptop. Thanks both of you for your help, I appreciate it!
No problem, glad to be of assistance!
How to get rid of ZipCloud adware?
