when I logout out, I get a darkened screen, swirly wheel, and a box that asks if I want to continue the installation or abort, but it won't let me click on either. How can I fix this?

You may have installed one or more variants of the "InstallMac" trojan. Please take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading to sort the contents by date. This will make related files easy to identify regardless of their names, because they will have the same modification date.

2. Inside the folder you just opened, there may be files with a name of any of these forms:

something.AppRemoval.plist

something.download.plist

something.ltvbit.plist

something.notification.plist

something.update.plist

Here something is usually a meaningless string, such as any of the following:

Epolife

InstallMac

Javeview

Kuklorest

Manroling

Otwexplain

These are examples, not a complete list. The string could be anything, and there could be more than value of something. Look for a cluster of files with the same modification date that fit the description.

Lately, the "InstallMac" attacker has been scrambling the strings "AppRemoval," "download," "ltvbit," and "update" in the names of his files. For example, you might see file names such as these, instead of the above:

something.AppVemoral.plist

something.dolnwoad.plist

something.btvlit.plist

something.uadpte.plist

You could have more than one copy of the malware, with different values of something.

Move all such items to the Trash. If there are any other files with a name that begins with something, move those to the Trash also. You may get a warning that some of the files are locked; delete them anyway.

After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan should now be inactive.

3. This step is optional. Open the following folder as in Step 1:

~/Library/Application Support

and move to the Trash any subfolders with the name something that you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item named something, or "Zip Devil," or with any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

You may get an alert that the item is locked. Confirm that you want to move it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

If the Preference window won't open, restart the computer in safe mode. Certain caches maintained by the system will be rebuilt.

6. Reset the search engine and the home page in each of your browsers, if either was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

Download and run MalwareBytes. Malwarebytes was developed by one of our own colleagues here in ASC. It gets rave reviews and is about the most proven anti-malware software for Mac.

Never use any kind of "anti-virus" or "anti-malware" software on a Mac. That's how you cause problems, not how you solve them.

The suggestion offered by macjack to use Malwarebytes Anto Malware for Mac is an excellent one. It is recommended for use by Apple telephone support and used by Apple store genius bar technicians instead of Apple manual procedures because it is faster, easier and more comprehensive.

It is a search tool that will locate malware/adware that allows the user to to delete same. It is not designed to offer any protection from malware thus might confuse some people due to it's name. As is the case with any such application, it cannot offer 100% guarantee of success.

Ciao.