Q: Leperdvil and Geneo - after upgrade to El Capitan

First of all, uninstall Norton.  Macs do not need anti-virus programs at this time, as there are no viruses currently in the wild that can do any damage to OS X.  If that were to change, and it very well might in the future, then anti-virus programs will become as essential to Macs as they are to PCs, but that's not the case right now.  Anti-virus programs tend to negatively affect the performance of whatever computer they've been installed on.  Also, no malware or adware is part of an Apple update or upgrade.  It was already on your computer beforehand, you probably just hadn't noticed it.  Apple would not include malware or adware in any update or upgrade.  I don't work for Apple, so that's not an official statement, it's just common sense, at least to me.  Secondly, you have two options to remove the malware.

1. You can remove it using Malwarebytes' Anti-Malware for Mac — it was developed by a trusted and respected contributor here.  A lot of people prefer it because it's quick, it's easy, and it doesn't negatively impact your system.  It removes malware, and that's it.  Nothing else.
2. You can remove it manually using the tips/steps found in the following support article --> Stop pop-up ads and adware in Safari - Apple Support

The reason I gave you the two options above is to make sure you completely removed all of it from your hard drive, as a simple drag and drop to the trash sometimes isn't enough.  In the future, do not download anything from the following kinds of sites:

• torrent sites
• aggregate download sites (CNET, Download (dot) com, MacUpdate, Softpedia, Softonic, etc.)
• any website that is not the developer's actual website

Only download extensions, applications, drivers, etc, from either the developer's website or from the Mac App Store.  That cuts down greatly on the chances the installer will be bundled with malware or adware.

mw2016 wrote:

 

Thank you so much for your help. I'll follow your advice.

 

Just one more question. Is this adware/malware only on my hard drive or will it have infected my external hard drives?

 

M

Unless whatever you installed that had the adware/malware bundled with it was also installed on your external hard drive, then no.

First, never use any kind of "anti-virus" or "anti-malware" software on a Mac. That's how you cause problems, not how you solve them.

If you don't have a problem with popup ads or search redirection in your web browsers, you don't need to do anything else. The malware was inactivated automatically by OS X.

If you do have a problem, see below.

You installed one or more variants of the "InstallMac" trojan. Please take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name of any of these forms:

          something.AppRemoval.plist

          something.download.plist

          something.ltvbit.plist

          something.update.plist

Here something is usually a meaningless string, such as any of the following:

          Epolife

          InstallMac

          Javeview

          Kuklorest

          Manroling

          Otwexplain

These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.

Lately, the "InstallMac" attacker has been scrambling the strings "AppRemoval," "download," "ltvbit," and "update" in the names of his files. For example, you might see file names such as these, instead of the above:

          something.AppVemoral.plist

          something.dolnwoad.plist

          something.btvlit.plist

          something.uadpte.plist

You could have more than one copy of the malware, with different values of something.

Move all such items to the Trash. If there are any other files with a name that begins with something, move those to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan should now be inactive.

3. This step is optional. Open the following folder as in Step 1:

~/Library/Application Support

and move to the Trash any subfolders with the name something that you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item named something, or "Zip Devil," or with any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

You may get an alert that the item is locked. Confirm that you want to move it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

          Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

If the Preference window won't open, restart the computer in safe mode. Certain caches maintained by the system will be rebuilt.

6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page