by Linc Davis, Aug 27, 2015 9:45 AM in response to lora from lake orion
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.
The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name of the form
something.download.plist
something.ltvbit.plist
something.update.plist
where something is usually a meaningless string, such as any of the following:
InKeepr
InstallMac
Javeview
Kuklorest
Manroling
Otwexplain
These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don't move the Application Support folder or anything else inside it.
4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.
If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
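The check in Steps 2 through 4 can also be done from Terminal. The script below is an added example, not part of the original post: it only lists prefixes for which all three `.download.plist`, `.ltvbit.plist` and `.update.plist` files exist, plus any matching Application Support folder or Applications item, and it deletes nothing. The function names and the `.app` suffix check are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only check for the file-name pattern described in Step 2.
# Nothing is moved or deleted; the script only reports what it finds.

# Print each prefix ("something") for which all three files
#   something.download.plist, something.ltvbit.plist, something.update.plist
# exist in the given LaunchAgents directory.
find_triples() {
    dir=$1
    for f in "$dir"/*.download.plist; do
        [ -e "$f" ] || continue              # glob matched nothing
        name=${f##*/}                        # strip the directory part
        prefix=${name%.download.plist}       # strip the known suffix
        if [ -e "$dir/$prefix.ltvbit.plist" ] && [ -e "$dir/$prefix.update.plist" ]; then
            printf '%s\n' "$prefix"
        fi
    done
}

# For each prefix found, report the related items named in Steps 3 and 4.
report() {
    agents=$1
    support=$2
    apps=$3
    find_triples "$agents" | while IFS= read -r p; do
        echo "LaunchAgents triple: $p"
        if [ -d "$support/$p" ]; then
            echo "  Application Support folder: $support/$p"
        fi
        # Assumption: the Applications item is named after the prefix,
        # with or without the .app bundle extension.
        for a in "$apps/$p" "$apps/$p.app"; do
            if [ -e "$a" ]; then
                echo "  Applications item: $a"
            fi
        done
    done
}

# Default run against the current user's folders.
report "$HOME/Library/LaunchAgents" "$HOME/Library/Application Support" /Applications
```

A prefix that has only one or two of the three files is not reported, so other launch agents in the folder are left out of the output.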
-
Sep 2, 2015 11:31 AM in response to Linc Davis by mescudero
Hello Linc Davis,
Thanks!!! I just cleaned kuklorest from my system. I really appreciate your taking the time to explain, step by step, how to do it. It worked!!!!
-
Sep 3, 2015 9:22 AM in response to Linc Davis by Texasboymom
Thank you! Thank you! Thank you! Your instructions worked great!
-
Sep 10, 2015 3:16 AM in response to lora from lake orion by natashajb15
Hi, thank you so much for posting this - your step by step instructions were easy to follow. Unfortunately though I still have kuklorest on my Mac after following these steps, please can you help? Many thanks
-
-
Oct 13, 2015 12:25 AM in response to Linc Davis by mdwjrk
Thanks so much for your help. I believe I got rid of everything. I have only one problem remaining. I am using a browser-based software for a Spanish class called vhlcentral.com. The text book is provided via a pop up window. Text access now works in Firefox and in Chrome but not in Safari. All other components work fine. The VHL support just say-- use the other browsers, but I am concerned that something might be lurking on my computer that has caused this popup window error. The text popup window opens but is blank.
-
Nov 3, 2015 7:14 AM in response to Linc Davis by Vellen
I found this very helpful. It seems to have worked!
-
Nov 9, 2015 5:50 PM in response to Linc Davis by Studio804
Thank you so much!!! You just saved my bacon on a serious deadline night. This crazy adware was creating a memory leak and rendering my MBP useless. Thank you, thank you, thank you!!! Happy clients are a good thing.
-
Nov 15, 2015 7:57 PM in response to Linc Davis by gsenser
Thank you. It seems to be gone. What can I do to keep it from coming back?
-
Nov 15, 2015 8:00 PM in response to natashajb15 by stevejobsfan0123
natashajb15 wrote:
Hi, thank you so much for posting this - your step by step instructions were easy to follow. Unfortunately though I still have kuklorest on my Mac after following these steps, please can you help? Many thanks
Read through lllaass' post, even easier to follow.
-
Nov 15, 2015 8:43 PM in response to gsenser by Linc Davis
What can I do to keep it from coming back?
Never run any software just because someone on a website tells you to. Never run any software you don't need (such as "anti-virus" or "anti-malware" software), no matter who tells you to. Only use software that you've personally researched as safe, and then only if it does something directly useful to you. For example, if you want to edit video, you need a video editor. If you want to write a book, you need a word processor. But you never need a "virus scanner." You didn't buy a computer so that you could scan for viruses.
-
Nov 15, 2015 8:52 PM in response to gsenser by stevejobsfan0123
You shouldn't go rummaging through system directories that you're not familiar with just because someone on a website tells you to, either.
-
Nov 18, 2015 10:21 PM in response to Linc Davis by Michael VanVooren
God bless you for sharing this quick, and effective help, Mr. Davis!
Our machine is now clean thanks to you!