lralou26

Q: How do I remove "MegaBackup" malware?

I was installing updates and accidentally installed some Malware.  I've removed everything except I cannot delete this "MegaBackup."  When I try to send it to the trash it says "cannot be deleted because MegaBackup is running", however I have closed it.  Can anyone help?

MacBook Air (13-inch Mid 2013)

Posted on Aug 16, 2015 6:46 AM

Close

Q: How do I remove "MegaBackup" malware?

  • All replies
  • Helpful answers

first Previous Page 3 of 5 last Next
  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 8:51 AM in response to lralou26
    Level 1 (0 points)
    Jan 2, 2016 8:51 AM in response to lralou26

    Screen Shot 2016-01-02 at 11.50.31 AM.png

  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 8:54 AM in response to lralou26
    Level 1 (0 points)
    Jan 2, 2016 8:54 AM in response to lralou26

    Screen Shot 2016-01-02 at 11.52.14 AM.png

  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 8:57 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 2, 2016 8:57 AM in response to Linc Davis

    Screen Shot 2016-01-02 at 11.41.19 AM.png

  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 9:04 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 2, 2016 9:04 AM in response to Linc Davis

    Screen Shot 2016-01-02 at 11.50.31 AM.png

  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 9:07 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 2, 2016 9:07 AM in response to Linc Davis

    Screen Shot 2016-01-02 at 11.52.14 AM.png

  • by laurafromdresden,

    laurafromdresden laurafromdresden Jan 2, 2016 9:12 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 2, 2016 9:12 AM in response to Linc Davis

    Screen Shot 2016-01-02 at 11.55.28 AM.png

  • by Linc Davis,

    Linc Davis Linc Davis Jan 2, 2016 12:26 PM in response to laurafromdresden
    Level 10 (207,926 points)
    Applications
    Jan 2, 2016 12:26 PM in response to laurafromdresden

    A

    You seem to have a new type of malware that I haven't seen before. To characterize it further, please take Step C below. If you prefer not to do that, remove the items in your screenshots that have a name beginning with "com.updater", and also remove the Safari extension. Those steps will inactivate the malware, though it won't be completely removed.

    B

    "MacKeeper" is a scam (not malware in the usual sense) with only one useful feature: it deletes itself.

    If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

    Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

    IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

    Please back up all data before making any changes.

    In the Finder, select

              Go Applications

    from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

    Quit MacKeeper before dragging it to the Trash.

    Let MacKeeper delete its other components before you empty the Trash.

    Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

    Don't try to remove MacKeeper while running in safe mode.

    C

    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

    The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

    Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

    2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

    In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the requisite skill can verify what it does.

    You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

    Another indication that the test is safe can be found in this thread, and this one, for example, where the comment in which I suggested it was recommended by one of the Apple Community Specialists, as explained here.

    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

    4. Here's a general summary of what you need to do, if you choose to proceed:

    ☞ Copy a particular line of text to the Clipboard.

    ☞ Paste into the window of another application.

    ☞ Wait for the test to run. It usually takes a few minutes.

    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.

    These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

    5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

    You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

    6. If you have more than one user, and only one user is affected by the problem,, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

    7. Load this linked web page (on the website "Pastebin.") Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

    8. Launch the built-in Terminal application in any one of the following ways:

    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    ☞ Open LaunchPad and start typing the name.

    Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

    9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

    If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

    10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

        Test started
            Part 1 of 4 done at: … sec
            …
            Part 4 of 4 done at: … sec
        The test results are on the Clipboard.
        Please close this window.

    The intervals between parts won't be exactly equal, but they give a rough indication of progress.

    Wait for the final message "Please close this window" to appear. If you don't see it within about 15 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something. If you close the Terminal window while the test is still running, the partial results won't be saved and you'll have to start over.

    11. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

    12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

    If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

    13. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

    14. The linked UNIX shell script incorporates a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • by MendonMA,

    MendonMA MendonMA Jan 19, 2016 4:13 PM in response to Linc Davis
    Level 1 (0 points)
    Jan 19, 2016 4:13 PM in response to Linc Davis

    I have that same thing too :{ here's the screenshots

     

    LaunchAgents 2016-01-19 19-16-34.pngLaunchAgents 2016-01-19 19-17-32.pngLaunchDaemons 2016-01-19 19-18-13.png

    please help i want this removed very soon

  • by Jack rocky,

    Jack rocky Jack rocky Jan 22, 2016 11:09 AM in response to Linc Davis
    Level 1 (0 points)
    Jan 22, 2016 11:09 AM in response to Linc Davis

    Screen Shot 2016-01-22 at 2.09.19 PM.png

  • by karenmendy,

    karenmendy karenmendy Feb 9, 2016 2:56 PM in response to Eric Root
    Level 1 (0 points)
    Feb 9, 2016 2:56 PM in response to Eric Root

    Thank you. This was an easy fix. At least I think it was. I'll find out the next time I turn off and reboot my Mac Pro laptop. I'm such a techno-illiterate it might not actually be gone. Thank you for sharing that link.

  • by MendonMA,

    MendonMA MendonMA Feb 9, 2016 3:01 PM in response to karenmendy
    Level 1 (0 points)
    Feb 9, 2016 3:01 PM in response to karenmendy

    Thanks everybody, i got it cleaned by booting in safe mode and deleting it (booing in safe mode wont load it at startup) also i got malwarebytes which cleaned a lot of my PUPs and popups that i was being plagued with

  • by buteop,

    buteop buteop Feb 15, 2016 5:01 PM in response to Linc Davis
    Level 1 (0 points)
    Feb 15, 2016 5:01 PM in response to Linc Davis

    Screen Shot 2016-02-15 at 5.02.43 PM.png

  • by buteop,

    buteop buteop Feb 15, 2016 6:52 PM in response to Linc Davis
    Level 1 (0 points)
    Feb 15, 2016 6:52 PM in response to Linc Davis

    Screen Shot 2016-02-15 at 5.02.43 PM.pngScreen Shot 2016-02-15 at 5.56.13 PM.pngScreen Shot 2016-02-15 at 6.08.59 PM.pngI'm trying...

  • by zemozits,

    zemozits zemozits Feb 15, 2016 8:24 PM in response to lralou26
    Level 1 (0 points)
    Feb 15, 2016 8:24 PM in response to lralou26

    Screen Shot 2016-02-15 at 10.12.22 PM.pngScreen Shot 2016-02-15 at 10.21.40 PM.png

  • by tonymoon,

    tonymoon tonymoon Mar 27, 2016 5:23 AM in response to Linc Davis
    Level 1 (4 points)
    Mar 27, 2016 5:23 AM in response to Linc Davis

    Hi Linc Davis-

     

    I have this same problem, it started with MacKeeper, which I finally got off my computer and it started again when I mistook an Adobe update for something called MegaBackup. Below is my Launch Agent screenshot. It still seems to have some of the MacKeeper bits. Please help if you can. This is only affectin my Safari browser, mainly when I start a Google search. Thanks!Screen Shot 2016-03-27 at 8.06.02 AM.png

first Previous Page 3 of 5 last Next