A
Please back up all data before making any changes.
In the first folder arranged as shown in the screenshots, please delete these items:
#4 ("Advanced Mac Cleaner")
#5 and #6 ("Flashmall")
#7 and #8 ("ZipCloud")
#9 through #12 ("InstallMac")
In the second folder:
None
In the third folder:
None
Restart the computer.
Reset the Safari home page, if it was changed. You may need to do the same in other browsers.
From the Applications folder (not shown in the screenshots), delete items with any of the following names:
Advanced Mac Cleaner
InstallMac
ZipCloud
Swissfist
Open your home folder by clicking the house icon with your name in the sidebar of a Finder window. If there is a subfolder named "Applications" (different from the main Applications folder), remove anything in it that you don't recognize.
These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.
The instructions above apply only to you. I'm including more general—and complete—self-contained removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.
B (optional)
You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.
The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name of the form
something.AppRemoval.plist
something.download.plist
something.ltvbit.plist
something.update.plist
where something is usually a meaningless string, such as any of the following:
Epolife
InstallMac
Javeview
Kuklorest
Manroling
Otwexplain
These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. If there are any other files with a name that begins with something, move them to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don't move the Application Support folder or anything else inside it.
4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.
If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
C (optional)
You installed a fake "utility" called "Advanced Mac Cleaner." Like any software that purports to automatically "clean up" or "speed up" a Mac, it's a scam. To remove it, take the steps below. Some of the files listed may be absent. Back up all data before proceeding.
If you paid for the software with a credit card, consider reporting the charge to the bank as fraudulent.
Step 1
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.pcv.hlpramc.plist
Right-click or control-click the highlighted line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with an item selected. Move the selected item to the Trash. Log out or restart the computer.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
Step 2
Move the following item to the Trash as in Step 1:
/Library/Application Support/amc
This time you may be prompted for your administrator login password. There's no need to log out after taking this step.
Step 3
Move this item to the Trash:
~/Library/AdvancedMacCleaner
Step 4
Open the Applications folder and move an item named "Advanced Mac Cleaner" (if it's present) to the Trash. Empty the Trash.
D (optional)
"ZipCloud," sometimes named "JustCloud," is a cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be suspected by virtue of the company it keeps.
To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)
Quit the "ZipCloud" or "JustCloud" application, if it's running, and drag it from the Applications folder to the Trash. Don't try to empty yet.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents
Right-click or control-click the highlighted line and select
Services ▹ Open
from the contextual menu.* A folder named "LaunchAgents" should open.
In the folder, there may be one or more files with a name beginning as follows:
com.jdibackup.
Move all such files to the Trash.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
E (optional)
You installed a variant of the "Flashmall" trojan. To remove it, start by backing up all data.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
1. Please triple-click anywhere in the line below on this page to select it:
/Library/LaunchAgents
Right-click or control-click the highlighted line and select
Services ▹ Open
from the contextual menu.* A folder named "LaunchAgents" should open.
In the folder, there may be one or more files with a name that begins in either of the following ways:
com.SoftwareUpdater
com.WebShopper
Move each such file to the Trash. You may be prompted for your administrator password.
2. Do as in Step 1 with this line:
~/Library/LaunchAgents
3. Log out or restart the computer.
4. Open the Applications folder in the Finder. It may have subfolders with either of these names:
SoftwareUpdater
WebShopper
WebShoppers
Move each such subfolder to the Trash. Empty the Trash.
5. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including one called "SearchTrust," if it's present. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
