Apple Event: May 7th at 7 am PT
My macbook is very hot and my batterie is shutting down too fast, I don't know what's going on. I have this AppYM which is using a lot of my processor, so maybe it's a virus? I don't know, can someone help me please? I have this macbook air for 2 years an d I never had any issues before today.
MacBook Air, OS X Yosemite (10.10.5)
You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.
The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go â–¹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name of the form
something.AppRemoval.plist
something.download.plist
something.ltvbit.plist
something.update.plist
where something is usually a meaningless string, such as any of the following:
Epolife
InstallMac
Javeview
Kuklorest
Manroling
Otwexplain
These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. If there are any other files with a name that begin with something, move them to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don't move the Application Support folder or anything else inside it.
4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, or with the name "Zip Devil," drag it to the Trash.
If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
Safari â–¹ Preferences... â–¹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari â–¹ Preferences... â–¹ General
and click
Set to Current Page
Thanks a million Link. I may have "overdone it", to wit: I didn't write down all of the several "something.plist" and after going through your procedures for LaunchAgents and LaunchDaemons I got to looking around and found dozens of other "something.plist" throughout the Application Support File (sub folders included Adobe and Apple). They were partially labeled info.....plist, manifest.....plist, TableOfContents.....plist, Version.....plist, and so on. Did I trash too many items? The good news is iMac is working like a charm! Do I need any of those items deleted? Thanks again........
Generally, a program will recreate a default plist if you delete one. You might lose some application settings (which is what the plist is for) but no permanent harm done.
THANK YOU SO MUCH! I followed your instructions and found a bunch of them. Now everything works again wonderfully. Such a big relief.
Thank you for this very thorough explanation. My computer seems to be working much better since following these steps. Very much appreciated!!!!
Thanks. I found about 200 .plst and had not deleted them all, until I read your response. It so happens that about the same time I read your response, the AppYM showed up again in my activity monitor, reeking havoc on my process speed! So now ALL the .plst are deleted.......... Now comes the re-boot to see if "all is well"....
Having the same issues with YMAPP eating up memory. I followed your instructions to identify and delete files in the ~lunchagents library. I found several files there, but when I tried to move to the trash, I get the error:
"The operation cannot be completed because one or more of the required items can't be found. (euro code - 43)"
Are there any solutions for this problem?
Many thanks!
This "FIX" worked great and immediately returned functionality to my iMac which showed 0 memory available and was stalled with the color wheel of death with no apps running.
I found three of the "something" files and their sub files and deleted all. Also found Safari extensions to delete.
Would be interested if anyone know where these originated.
I guess malware has finally come to Mac Land. ****!
Thanks Linc Davis for this excellent and quick FIX, your contribution is definitely appreciated.
This was incredibly helpful. My Mac was incredibly slow, and some other odd things were happening. Getting rid of AppYM and the accompanying kuklorest files has saved the day. Thanks, Linc Davis!
You are a God
Another Kudo for your expertise & help!
I figured out where I picked up my copy of this computer cootie. There was a link on OOKLA's website for a free little utility for doing internet speed tests. It is called "Download Speed Test" by AB Tools.
It turns out that cnet did a review of this product and gave it 5-stars (incredibly inept, horrible advice).
**CAUTION**: The link is still alive and well at cnet for you to observe: http://download.cnet.com/Download-Speed-Test/3000-2381_4-75448535.html
Whatever you do, DON'T ACCIDENTALLY DOWNLOAD OR ATTEMPT TO INSTALL THIS APP.
Cheers!
Bob
As people are still replying to this thread, I should reiterate that the instructions I posted in November 2015 have a limited shelf life. As of now, they still seem to be working, because the attacker has been too lazy to change his MO. Eventually he will change it, and anyway there are other kinds of adware in circulation. If the instructions don't work for you, look for newer ones or start your own thread, and resist the blandishments of those who will tell you to use "anti-malware" software.
Saw APPYM in my Activity Monitor sucking memory and quit it, but don't see any of the files you mentioned. 😟 In my LaunchAgents directory I only have:
com.adobe.ARMDC...c37a23d420d.plist
com.oracle.java.Java-Updated.plist
edu.mit.appinventor.aiStarter.plist
In my ApplicationSupport directory I have:
Adobe, App Store, Apple, com.apple.TCC, CrashReporter, Fitbit Connect, Garage Band, iLifeMediaBrowser, Macromedia, Microsoft, Oracle, ProApps, Script Editor, and VMware
I'll go look for newer threads, although this still seems pretty recent.
Hey
I found this post really helpful when I noticed that AppYm was on my mac - thanks.
I checked both locations ~/Library/Application Support and ~/Library/Launch Agents and found some of the files you mentioned, and removed them.
I also found 'gUpdater.plist' and wondered if you've heard of it? And if you could advise if I should remove it?
I think it may be linked to google software that automatically updates chrome, without asking permission, but I thought it might be worth double checking before I remove it.
Thanks a lot.
Garage girl wrote:
I checked both locations ~/Library/Application Support and ~/Library/Launch Agents and found some of the files you mentioned, and removed them.
I also found 'gUpdater.plist' and wondered if you've heard of it? And if you could advise if I should remove it?
The gUpdater.plist file is usually part of the the "bait" software you installed. The only purpose of the bait is to get you to install the actual adware payload. Technically speaking, gUpdater.plist isn't adware, but adware isn't always black and white. In the case of this file, it is more of a mid-tone charcoal or dark grey colour.
Also, I should caution anyone against using the instructions posted in this thread. If you think you have an adware infection, please start your own thread. Don't attempt to identify and delete these files on your own. Unless you have a lot of experience with adware, you may not be able to tell the difference between adware and legitimate software. As noted above, sometimes it is a grey area.
In most cases, the easiest thing to do is use a tool like EtreCheck (http://etrecheck.com) to identify and remove the adware. If you don't want to have EtreCheck automatically remove the adware, you can just post the EtreCheck report and it will list all of the adware it finds. Then other helpers can give you specific instructions about what files you need to delete. If you don't even want to run EtreCheck at all, you can take screen shots of the contents of various hidden directories as instructed in Linc Davis' more recent postings. Then, people can look at the screen shots to identify the adware files and tell you which ones to remove and how.
Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.
And if you could advise if I should remove it?
Yes, you should remove it.
Here's what you should not do, if you want to avoid similar, or worse, episodes in the future:
1. Do not blithely download and run unknown software that you don't need, merely because some stranger on a website tells you to. Never install any software at all unless it does something intrinsically useful to you, such as word processing or photo editing. A "virus scanner" or "cleanup utility" is not intrinsically useful. You didn't buy a computer so that you could scan it for viruses or clean it up.
2. Do not trust any third-party software, no matter where it comes from or who recommends it, that purports to remove files automatically that it didn't install.
3. Do not use any kind of "anti-virus" or "anti-malware" software, again no matter who recommends it. That's how you create problems, not how you solve them. Even if the software does nothing at all, it's still harmful, because it gives you a false sense of security, which is very dangerous.
What is AppYM?
