I have been using Malwarebytes for Mac and it has detected and eliminated a bunch of files in my system. I noticed that this application was in the list and that it's still there and I can't find anything meaningful on the web. Does anyone know this thing, what it does and and how do I get rid of it?
Thanks to all...
iMac (20-inch Early 2008), Mac OS X (10.6.8)
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.
The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may files with a name of the form
something.download.plist
something.ltvbit.plist
something.update.plist
where something is usually a meaningless string, such as any of the following:
InKeepr
InstallMac
Javeview
Leperdvil
Manroling
Otwexplain
These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don't move the Application Support folder or anything else inside it.
4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.
If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.
The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may files with a name of the form
something.download.plist
something.ltvbit.plist
something.update.plist
where something is usually a meaningless string, such as any of the following:
InKeepr
InstallMac
Javeview
Leperdvil
Manroling
Otwexplain
These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don't move the Application Support folder or anything else inside it.
4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.
If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
Thanks for the quick answer Linc.
Done the procedure and I will keep it for future reference. Nothing got rid of that "Olivernetko" thing though so I finaly trashed it as I did the last time and will check if it pops up again? I did rearrange the applications by date and Olivernetko is in the " less that 7 days" ... list.
Anyway, all this stuff about malware on Mac is interesting and I'm changing my views on this, trying to adapt...
For your info, this a screen shot of the "before and after" LaunchAgent (I don't know how mackeeper got there!):
No malware there, but you did have "Avast" and "MacKeeper," both of which are scams. That wasn't the question, however.
Right, I'll watch Safari for the Olivertnetko interference, if it jumps into the "Homepage" again...? Thanks for the good points.
Richard
Hi Linc. I was able to remove this pesty malware from my old mac today. I deleted/trashed all those weird files you mentioned plus a few others.
I had this junk on my mac for a few months. It finally got intolerable today and thats when I found your helpful post.
What exactly does olivernetko do to my mac ? Does it steal personal info like passwords ? I appreciate your help
Hi Linc. Thanks for your work on this trojan matter.
I got stumped in the beginning of the process, though. pasting the string:
~/Library/LaunchAgents
into the Go to Folder got me a The folder can't be found error message.
I don't seem to be able to get past that on my
mid 2007 Macbook, (Macbook 2,1), OS 10.7.5.
I'm having the same problem as @Mark.46. I own a mid 2012 MacBook Pro (10.10.5) and am unable to understand or get past the "~/Library/LaunchAgents" part. Even when I try to at least look for "LaunchAgents" in my finder, nothing shows up with any results... I'm so sick of this **** virus, but can't seem to find a way to get rid of it.
make sure you are in the ' go to ' Folder.
And the command for my OS was ~/Library/Application Support
because thats where all the nasty malware folders are located- in the Application Support group.
I had at least 6 junk folders with weird names like mppes , uppes, etc. Look at the post above with more junk folder names.
you have to drag drop these into trash. if you want make sure of the folder names before deleting, feel free to post them. We probably
had the same folders to get rid of. what a relief it is to eliminate this malware
make sure you are in the ' go to ' Folder.
And the command for my OS was ~/Library/Application Support
because thats where all the nasty malware folders are located- in the Application Support group.
I had at least 6 junk folders with weird names like mppes , uppes, etc. Look at the post above with more junk folder names.
you have to drag drop these into trash. if you want make sure of the folder names before deleting, feel free to post them. We probably
had the same folders to get rid of. what a relief it is to eliminate this malware
What is olivernetko.app?
