package wanting to install only viewed on shutdown

A

You may have installed the "Genieo" or "InstallMac" ad-injection malware. Follow the instructions on this Apple Support page to remove it.

Back up all data before proceeding.

Malware is always changing to get around the defenses against it. In addition to the files listed in the support article, you may also have some of the following:

~/Library/LaunchAgents/com.Installer.completer.download.plist

~/Library/LaunchAgents/com.Installer.completer.ltvbit.plist

~/Library/LaunchAgents/com.Installer.completer.update.plist

~/Library/LaunchAgents/com.spigot.SearchProtection.plist

~/Library/Application Support/IM.Installer

Removing these files, if they exist, is optional if you've already followed Apple's instructions.

One of the steps in the article is to remove malicious Safari extensions. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

After removing the malware, remember to reset your home page in all the web browsers affected, if it was changed.

If you don't find any of the files or extensions listed, or if removing them doesn't stop the ad injection, then you may have one of the other kinds of adware covered by the support article. Follow the rest of the instructions in the article.

If you find Apple's instructions too hard to follow, ask for an alternative that doesn't require you to trust a black-box application without knowing what it does.

Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "Softonic," "CNET Download," or "SourceForge." Never visit any of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

B

"MacKeeper" is a scam with only one useful feature: it deletes itself.

First, back up all data.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

In the Finder, select

Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Another indication that the test is safe can be found in this thread, and this one, for example, where the comment in which I suggested it was recommended by one of the Apple Community Specialists, as explained here.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy a particular line of text to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.

If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.

8. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter

exec bash

and press return. Then paste the script again.

10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

[Process started]

Part 1 of 8 done at … sec
…
Part 8 of 8 done at … sec

The test results are on the Clipboard.

Please close this window.

[Process completed]

The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.

Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.

12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

______________________________________________________________

Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

A

You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may files with a name of the form

something.download.plist

something.ltvbit.plist

something.update.plist

where something is usually a meaningless string, such as any of the following:

InKeepr

InstallMac

Javeview

Leperdvil

Listchack

Oliverto

Texiday

These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.

You could have more than one copy of the malware, with different values of something. In your case, "something" is both "Epolife" and "Manroling," and some of the latter files are absent.

Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Open this folder in the same way as above:

~/Library/Application Support

and move to the Trash any subfolders named with the same something you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

B

"MacKeeper" is a scam with only one useful feature: it deletes itself.

First, back up all data.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

In the Finder, select

Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

C

Remove "NetBarrier" and/or "VirusBarrier" by following the instructions on this page. If you have a different version, the procedure may be different.

Back up all data before making any changes. Never install any commercial "anti-virus" or "anti-malware" product again.

D

Some of your user files (not system files) have incorrect permissions or are locked. This procedure will unlock those files and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.

Back up all data before proceeding.

Step 1

If you have more than one user, and the one in question is not an administrator, then go to Step 2.

Enter the following command in the Terminal window in the same way as before (triple-click, copy, and paste):

sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-

You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.

The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.

Step 2 (optional)

Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.

Start up in Recovery mode. When the OS X Utilities screen appears, select

Utilities ▹ Terminal

from the menu bar. A Terminal window will open. In that window, type this:

resetp

Press the tab key. The partial command you typed will automatically be completed to this:

resetpassword

Press return. A Reset Password window will open. You’re not going to reset a password.

Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.

Select your username from the menu labeled Select the user account if not already selected.

Under Reset Home Directory Permissions and ACLs, click the Reset button.

Select

 ▹ Restart

from the menu bar.

E

Back up all data.

Run the following command in the same way as before. It moves to the Trash "semaphore" files that have not been cleaned up by the system and may be interfering with normal operation. The files are empty; they contain no data. There will be no output this time.

find L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.??????? -exec mv {} .Trash/ \; 2>&-

Log out or restart the computer and empty the Trash.

Some more info, for the OP or anyone else stumbling across this malware/adware...

The same advice for backups applies...

If you have Firefox installed on your Mac, then there will be a rogue Firefox extension that you will need to delete. Make sure that Firefox is not running...

In that same Application Support folder mentioned by Steve in this thread...

Navigate to subfolder Firefox, and then subfolder Profiles. If you only have one (default) profile then it will be a folder with a nonsense name. If not then look in each profile subfolder...

Navigate to the profile subfolder, and then the extensions subfolder...

Any subfolder here is an extension. Many extensions have nonsense names. If so, there is an .rdf file within each extension's subfolder. Open it with TextEdit to figure out if it is something intentionally installed.

Delete the folder for the malware extension. There will only be one. If you only have one extension, and it is malware, then you can safely delete the extensions folder. It will be recreated if you ever wish to add another Firefox extension. Check additional profiles, if that applies.