Q: how to remove Olivernetko?

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name of the form

          something.AppRemoval.plist

          something.download.plist

          something.ltvbit.plist

          something.update.plist

where something is usually a meaningless string, such as any of the following:

          Epolife

          InstallMac

          Javeview

          Kuklorest

          Manroling

          Olivernetko

These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.

You could have more than one copy of the malware, with different values of something.

Move all such items to the Trash. If there are any other files with a name that begin with something, move them to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Open this folder in the same way as above:

~/Library/Application Support

and move to the Trash any subfolders named with the same something you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, or with the name "Zip Devil," drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

          Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

Hi, i use Chrome on OSX.9.5.

Today, when I start Chrome, instead of going on my starting page as set in the preferences (the advanced search google page) it opens a "Safari lookalike" search page and I see that the URL is search.olivernetko.com

I tried your procedure above. Found only two items in the LaunchAgents folder and trashed them. Restarted and then looked in the Application Support folder and trashed any recent thing looking suspect but to no avail. Still getting this unwanted "home page".

If I open a new tab, it goes on the correct Google search site.

I tried opening Safari and it seems OK.

Any further suggestion?

P.S. I did not install MacKeeper. I also ran a search for olivernetko.app but nothing found.

I had this exact same issue. I couldn't stop google chrome from going to the exact same sites: olivernetko, astomenda, and binkiland. And I deleted all these folders from my computer associated with them.

I reset all my settings on my google chrome browser and they haven't come back.

Here is how you can reset to default settings on safari

https://kb.wisc.edu/helpdesk/page.php?id=4162

hope this helps

Thanks but unfortunately, this doesn't help me.

I have NO folders (or even files) named "olivernetko" in my Mac. At least, Spotlight can't find any.

About the settings, my pre-defined Chrome home page as I set it in the prefs is the Google Advanced Search page and it's correct. If I ask for a new page, it goes there. If I click on "Home Page", it goes there.

Problem still is: opening Chrome from scratch, I get a search page by "search.olivernetko.com", looking like a Safari page. Obviously, this means that somewere "inside" Chrome there's a reference, a link or something like that instructing Chrome to go to that site. But I cannot find it!

If Safari is not affected, you may have installed a malicious Chrome extension. Remove all extensions you don't know you need. If in doubt, remove all of them.

No strange extensions found but...

Just checked all the settings and found that olivernetko was listed among the "preferred" search engines. Don't know how it got there. I deleted it and now it seems it's gone. Phew!

Thanks to all.