
Malware

I have a new-to-me MacBook Pro, late 2011, running OS X 10.10.2. This computer was completely erased and software re-installed by Apple when the person I bought it from was going to sell it back to Apple. He sold it to me instead. I used it a little and it worked fine. I am trying to get rid of my cable TV and want to use this MacBook to stream TV. I installed a VPN network (ExpressVPN), Sling TV app and Hulu app. Somehow I am now getting what looks like malware. If I go to Amazon Prime, I get ads from "flashmall" that I don't get on my other MacBooks. If I try to sign in to Amazon or Hulu, I get redirected to Reimage Repair, which is an ad for a Mac OS X Repair Tool. I have gone into the applications and deleted every app installed since I got the computer, but am still getting strange ads and redirected to the repair tool. I cannot even sign in to Hulu.

I had no issues until I started downloading the apps to use to watch TV. I'm concerned that the VPN started the issues as I had downloaded their software onto another MacBook Pro, which completely crashed. I had to erase the disk and reinstall with a backup. I would do that with this MacBook, but I don't have a backup. I assume if I back it up now, I would just continue with the same problem. Can I erase and reinstall from an online source? There isn't anything on this computer that I can't lose... there isn't really anything on this computer at all, which is why I'm at such a loss as to how it's now not working!

Can anyone help a non-tech-savvy person? Or is this what happens when a tech-dummy tries to get rid of their cable?!

Thanks!

MacBook Pro, OS X Yosemite (10.10.2)

Posted on Aug 2, 2015 2:32 PM

9 replies

Aug 2, 2015 3:26 PM in response to macybean

Assuming 10.10.2 was properly installed, boot while holding down ⌘R to boot into the Recovery Drive. From there you can erase the drive and install Yosemite from the internet.


Malwarebytes is free, does not install anything untoward, does a good job of identifying and removing lots of adware and other malware, and in general is safe to use. It might solve your problem cleanly.

Aug 2, 2015 3:13 PM in response to macybean

Flashmall is adware you installed along with one of the third-party apps you mention. It's especially likely if you downloaded them from Softonic.com, or C|NET's www.downloads.com.


Adware is basically just REALLY annoying, and slows your computer down with the enormous amount of system resources it uses up retrieving ads from remote servers and then displaying them anytime your web browser is open.


Erasing the drive is overkill for adware. Open Safari's preferences and click on the Extensions tab. Turn them all off. Turn them back on one at a time and test. When the ads come back, you'll know which one is the culprit. Turn it back off and delete the extension. Repeat the same test for all of them as you may have installed more than one adware extension.

Aug 2, 2015 3:26 PM in response to macybean

You installed the "Flashmall" trojan. Take the steps below to disable it.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:

com.crossrider

com.extensions

com.flashmall

com.Installer.completer

com.webhelper

com.webtools

flashmall

UpdateDownloader

WebSocketServerApp

Move any such files to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library/Application Support

A folder named "Application Support" will open. Inside it there may be subfolders with any of these names:

IM.Installer

webHelperApp

WebTools

If so, move those subfolders—not the "Application Support" folder—to the Trash.

4. Open this folder in the same way as above:

~/Library/ScriptingAdditions

and remove an item named

BrowserHelper.osax

if present.

5. Open this folder:

~/Library

Look for subfolders with either of these names:

flashmall

WebTools

and move them to the Trash, if present.

6. Open the Applications folder. If it contains an item named "Flashmall" or "WebTools", move that to the Trash.

Important: You can't delete applications by trying to drag them from the Dock or the LaunchPad. Open the Applications folder in the Finder.

7. Open this folder in the same way as above:

~/Applications

This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name like this:

flashmall

and move it to the Trash, if present.

Empty the Trash.

8. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need, including one called "GoldenBoy," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
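A read-only check for the file and folder names listed in steps 2 through 7 of the reply above, as an added example that is not part of the original post. The function name `scan_flashmall` and its two arguments are assumptions made for illustration; it only lists what it finds and moves nothing to the Trash.

```shell
#!/bin/sh
# Lists items matching the names given in steps 2-7 above. Read-only.
# Usage (hypothetical interface): scan_flashmall HOME_DIR [APPS_DIR]

# Print each argument that exists on disk; unmatched globs are skipped.
report() {
    for p in "$@"; do
        if [ -e "$p" ] || [ -L "$p" ]; then printf '%s\n' "$p"; fi
    done
}

scan_flashmall() {
    home=$1
    apps=${2:-/Applications}
    lib="$home/Library"

    # Step 2: files in LaunchAgents whose names begin with these strings.
    for prefix in com.crossrider com.extensions com.flashmall \
                  com.Installer.completer com.webhelper com.webtools \
                  flashmall UpdateDownloader WebSocketServerApp; do
        report "$lib/LaunchAgents/$prefix"*
    done

    # Step 3: subfolders of Application Support.
    report "$lib/Application Support/IM.Installer" \
           "$lib/Application Support/webHelperApp" \
           "$lib/Application Support/WebTools"

    # Step 4: scripting addition.
    report "$lib/ScriptingAdditions/BrowserHelper.osax"

    # Step 5: subfolders of ~/Library.
    report "$lib/flashmall" "$lib/WebTools"

    # Step 6: main Applications folder (Finder may hide the .app extension).
    report "$apps/Flashmall" "$apps/Flashmall.app" \
           "$apps/WebTools" "$apps/WebTools.app"

    # Step 7: the Applications folder inside the home folder.
    report "$home/Applications/flashmall" "$home/Applications/flashmall.app"
    return 0
}

# Check the current user's home folder unless other paths are given.
scan_flashmall "${1:-$HOME}" "${2:-/Applications}"
```

No output means none of the listed names were found; browser extensions (step 8) still have to be reviewed by hand in each browser.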
