Pirrit - how to custom restore your data without infecting an erased MacBookPro?

On 31 May 2016 I started to get pop-up ads. The next day as the problem got worse I bought Bitdefender and downloaded MalwareBytes both of which found and deleted adware/malware. However, as CJ706 says, Bitdefender has continued to find Pirrit malware despite detecting and clearing it and despite restarts. I keep getting pop-up ads and discrete words in articles that I am reading are highlighted green and link to ad sites. My MacBookPro is working much more slowly and the webpages regularly freeze. Re-launching Safari with the shift button held down has at least stopped the new advertising webpages opening up.


I am now backing up my data onto a newly purchased external hard disk drive so as not to risk corrupting my standard back up drives and will do an erase and reinstall. Can anyone advise me how to migrate my data and applications and apps on Time Machine without doing an automatic reinstall that would bring the malware across?


Also, I have been advised (from someone not familiar with Macs) to install Bitdefender and MalwareBytes before migrating any data. How can I bring these across from my Time Machine back up before migrating any other data?


Finally, I think that I downloaded Pirrit when trying to play a video within a news story from the BBC or the Daily Mail. I had repeated pop up windows saying that my version of Flash was not up to date and I had to repeatedly download Flash from what I thought was the Adobe website. The video still didn't play after I had downloaded Flash. From what I have read Pirrit comes via a false Flash pop-up ad. Is it possible that I could have downloaded Pirrit from malign pop-up ads on these sites which I thought that I could trust?


Thanks

Posted on Jun 4, 2016 1:33 PM

26 replies

Jun 4, 2016 7:33 PM in response to Belfast MacUser

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.8 ("Mountain Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone who understands the code can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website many times over a period of years. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy the text of a particular web page (not this one) to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn't apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin.") Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

8. Launch the built-in Terminal application in any one of the following ways:

☞ Enter the first few letters of its name ("Terminal") into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

Test started

Part 1 of 4 done at: … sec

Part 4 of 4 done at: … sec

The test results are on the Clipboard.

Please close this window.

The intervals between parts won't be exactly equal, but they give a rough indication of progress.

Wait for the final message "Please close this window" to appear—again, usually within a few minutes. If you don't see that message within about 30 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something.

In order to get results, the test must either be allowed to complete or else manually stopped as above. If you close the Terminal window while the test is still running, the partial results won't be saved.

11. When the test is complete, or if you stopped it manually, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

13. When you're done with the test, it's gone. There is nothing to uninstall or clean up.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

15. The linked UNIX shell script bears a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Jun 4, 2016 8:11 PM in response to Belfast MacUser

Hello Belfast MacUser,

You shouldn't have to reinstall. Mac malware is pretty easy to remove. I wrote a little diagnostic program to help show what adware is installed. Download EtreCheck from http://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID.



If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so. Recent versions of adware are adopting true malware techniques and I haven't had a chance to update EtreCheck. But the EtreCheck report will show exactly what state your system is in and then we can give you advice on how to remove the malware.



Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

Jun 5, 2016 4:24 PM in response to Belfast MacUser

Thank you so much for taking the time to help me Illaass, Linc Davis and Etresoft. I decided to use Etresoft as a first step because it seemed the least complicated option. I really appreciate your detailed instructions Linc Davis and if Etresoft doesn't work will follow them.


Etresoft identified all of the suspicious folders in my library and the launch daemons in that folder and one more piece of adware. I didn't want to delete them without being sure that that was the right thing to do. As Etresoft has advised, I am now posting the Etresoft results below and would welcome any advice about deleting - which I guess would include all of the "failed" folders and unknown files and the "not loaded" adware - all of which were recently installed but not by me.


Here are the results:


EtreCheck version: 2.9.12 (265)

Report generated 2016-06-06 00:13:35

Download EtreCheck from https://etrecheck.com

Runtime 1:31

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Remove] links to remove adware.

Click the [Check files] link for help with unknown files.


Problem: No problem - just checking

Description:

Malware and adware



Hardware Information:

MacBook Pro (Retina, 15-inch, Mid 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro11,5

1 2.8 GHz Intel Core i7 CPU: 4-core

16 GB RAM Not upgradeable

BANK 0/DIMM0

8 GB DDR3 1600 MHz ok

BANK 1/DIMM0

8 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 43


Video Information:

AMD Radeon R9 M370X - VRAM: 2048 MB

Intel Iris Pro

Color LCD 2880 x 1800


System Software:

OS X El Capitan 10.11.4 (15E65) - Time since boot: about one day


Disk Information:

APPLE SSD SM1024G disk0 : (1 TB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 999.32 GB (316.46 GB free)

Core Storage: disk0s2 999.70 GB Online


USB Information:

Apple Inc. Apple Internal Keyboard / Trackpad

Broadcom Corp. Bluetooth USB Host Controller


Firewire Information:

Seagate GoFlex Pro Mac 800mbit - 800mbit max

EFI (disk2s1) <not mounted> : 210 MB

Back up 1 (disk2s2) /Volumes/Back up 1 : 999.86 GB (474.31 GB free)


Thunderbolt Information:

Apple Inc. thunderbolt_bus

Apple Inc. Thunderbolt to FireWire Adapter


Gatekeeper:

Mac App Store and identified developers


Adware:

/Library/LaunchDaemons/com.previsiveUpd.plist

One adware file found.[Remove]


Unknown Files:

/Library/LaunchDaemons/com.Averroist.plist

/etc/Averroist.sh

/Library/LaunchDaemons/com.automysophobia.plist

/etc/automysophobia.sh

/Library/LaunchDaemons/com.bilingual.plist

/etc/bilingual.sh

/Library/LaunchDaemons/com.counterbarrage.plist

/etc/counterbarrage.sh

/Library/LaunchDaemons/com.crapaud.plist

/etc/crapaud.sh

/Library/LaunchDaemons/com.evilproof.plist

/etc/evilproof.sh

/Library/LaunchDaemons/com.inappositeness.plist

/etc/inappositeness.sh

/Library/LaunchDaemons/com.intervertebra.plist

/etc/intervertebra.sh

/Library/LaunchDaemons/com.mattedness.plist

/etc/mattedness.sh

/Library/LaunchDaemons/com.osphresis.plist

/etc/osphresis.sh

/Library/LaunchDaemons/com.pentite.plist

/etc/pentite.sh

/Library/LaunchDaemons/com.poilu.plist

/etc/poilu.sh

/Library/LaunchDaemons/com.savagism.plist

/etc/savagism.sh

/Library/LaunchDaemons/com.seerpaw.plist

/etc/seerpaw.sh

/Library/LaunchDaemons/com.solicitude.plist

/etc/solicitude.sh

/Library/LaunchDaemons/com.uschiwarkin.plist

/Library/LaunchDaemons/com.wintered.plist

/etc/wintered.sh

17 unknown files found.[Check files]


Kernel Extensions:

/Applications/Elgato Video Capture.app

[not loaded] com.elgato.driver.Pluto2 (1.1 - 2015-12-03) [Support]


/Applications/security software/DiskWarrior.app

[not loaded] com.alsoft.Preview (4.1 - 2012-11-18) [Support]


System Launch Agents:

[not loaded] 7 Apple tasks

[loaded] 150 Apple tasks

[running] 81 Apple tasks


System Launch Daemons:

[not loaded] 44 Apple tasks

[loaded] 147 Apple tasks

[running] 97 Apple tasks


Launch Agents:

[running] com.bitdefender.antivirusformac.plist (2016-05-04) [Support]


Launch Daemons:

[failed] com.Averroist.plist (2016-06-03) [Support]

[loaded] com.adobe.fpsaud.plist (2016-05-09) [Support]

[failed] com.automysophobia.plist (2016-06-01) [Support]

[failed] com.bilingual.plist (2016-06-02) [Support]

[loaded] com.bitdefender.AuthHelperTool.plist (2016-05-04) [Support]

[running] com.bitdefender.agent.plist (2016-06-01) [Support]

[loaded] com.bitdefender.upgrade.plist (2016-05-04) [Support]

[running] com.counterbarrage.plist (2016-06-05) [Support]

[failed] com.crapaud.plist (2016-06-04) [Support]

[failed] com.evilproof.plist (2016-06-04) [Support]

[failed] com.inappositeness.plist (2016-06-04) [Support]

[failed] com.intervertebra.plist (2016-06-03) [Support]

[loaded] com.macpaw.CleanMyMac3.Agent.plist (2016-05-22) [Support]

[running] com.malwarebytes.MBAMHelperTool.plist (2016-06-02) [Support]

[failed] com.mattedness.plist (2016-06-04) [Support]

[running] com.osphresis.plist (2016-06-05) [Support]

[failed] com.pentite.plist (2016-06-01) [Support]

[failed] com.poilu.plist (2016-06-04) [Support]

[not loaded] com.previsiveUpd.plist (2016-06-01) Adware! [Remove]

[running] com.savagism.plist (2016-06-05) [Support]

[failed] com.seerpaw.plist (2016-06-04) [Support]

[failed] com.solicitude.plist (2016-06-02) [Support]

[not loaded] com.uschiwarkin.plist (2016-05-22) [Support]

[failed] com.wintered.plist (2016-06-03) [Support]


User Launch Agents:

[loaded] com.macpaw.CleanMyMac3.Scheduler.plist (2016-06-01) [Support]


User Login Items:

CleanMyMac 3 Menu Application (/Applications/CleanMyMac 3.app/Contents/MacOS/CleanMyMac 3 Menu.app)

Launch Nikon Message Center 2 Application (/Applications/Nikon Software/Nikon Message Center 2/Nikon Message Center 2.app/Contents/SharedSupport/Launch Nikon Message Center 2.app)


Other Apps:

[running] /Library/uschiwarkin/uschiwarkin.app/Contents/MacOS/uschiwarkin

[running] com.bitdefender.CoreIssues

[running] com.bitdefender.Daemon

[running] com.bitdefender.UpdDaemon

[running] com.etresoft.EtreCheck.513312

[running] com.macpaw.CleanMyMac3.Menu.153632

[running] previsiveUpd.plist

[loaded] 387 Apple tasks

[running] 230 Apple tasks


Internet Plug-ins:

AmazonMP3DownloaderPlugin1017287: AmazonMP3DownloaderPlugin 1.0.17 (2012-11-18) [Support]

FlashPlayer-10.6: 21.0.0.242 - SDK 10.6 (2016-05-22) [Support]

Default Browser: 601 - SDK 10.11 (2016-03-12)

AdobePDFViewerNPAPI: 15.010.20060 - SDK 10.8 (2016-05-08) [Support]

AdobePDFViewer: 15.010.20060 - SDK 10.8 (2016-05-08) [Support]

QuickTime Plugin: 7.7.3 (2016-03-12)

Flash Player: 21.0.0.242 - SDK 10.6 (2016-05-22) [Support]

EPPEX Plugin: 10.0 (2013-09-13) [Support]

Flip4Mac WMV Plugin: 3.3.1.3 - SDK 10.8 (2014-09-12) [Support]

SharePointBrowserPlugin: 14.6.3 - SDK 10.6 (2016-04-26) [Support]

Silverlight: 5.1.41212.0 - SDK 10.6 (2016-05-08) [Support]


User internet Plug-ins:

Google Earth Web Plug-in: 7.1 (2015-12-03) [Support]


Safari Extensions:

AdBlock - BetaFish, Inc. - https://getadblock.com (2016-06-02)

Ghostery - GHOSTERY, Inc. - https://www.ghostery.com/ (2016-06-02)


3rd Party Preference Panes:

Flash Player (2016-05-09) [Support]

Flip4Mac WMV (2014-05-12) [Support]

Growl (2015-12-03) [Support]


Time Machine:

Skip System Files: NO

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 999.32 GB Disk used: 682.87 GB

Destinations:

G-DRIVE ev [Local]

Total size: 999.86 GB

Total number of backups: 13

Oldest backup: 09/05/2016, 18:41

Last backup: 27/05/2016, 16:21

Size of backup disk: Too small

Backup size 999.86 GB < (Disk used 682.87 GB X 3)


My Passport for Mac [Local]

Total size: 2.00 TB

Total number of backups: 5

Oldest backup: 04/06/2016, 21:58

Last backup: 05/06/2016, 09:54

Size of backup disk: Too small

Backup size 2.00 TB < (Disk used 682.87 GB X 3)


Back up 2 [Local]

Total size: 999.86 GB

Total number of backups: 2

Oldest backup: 24/02/2014, 20:21

Last backup: 24/02/2014, 20:21

Size of backup disk: Too small

Backup size 999.86 GB < (Disk used 682.87 GB X 3)


Back up 1 [Local]

Total size: 999.86 GB

Total number of backups: 2

Oldest backup: 04/06/2014, 10:23

Last backup: 20/08/2014, 08:14

Size of backup disk: Too small

Backup size 999.86 GB < (Disk used 682.87 GB X 3)


Top Processes by CPU:

24% QuickLookUIHelper

15% WindowServer

15% Finder

4% kernel_task

3% hidd


Top Processes by Memory:

1.31 GB kernel_task

672 MB mds_stores

606 MB mdworker(23)

508 MB Finder

508 MB Safari


Virtual Memory Information:

2.86 GB Free RAM

13.00 GB Used RAM (2.64 GB Cached)

0 B Swap Used


Diagnostics Information:

Jun 4, 2016, 03:54:54 PM Self test - passed

Jun 4, 2016, 11:24:21 AM /Library/Logs/DiagnosticReports/Finder_2016-06-04-112421_[redacted].cpu_resource.diag [Details]

/System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

Jun 4, 2016, 09:36:22 AM /Library/Logs/DiagnosticReports/mds_stores_2016-06-04-093622_[redacted].crash

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/Metadata.framework/Versions/A/Support/mds_stores

Jun 4, 2016, 09:35:45 AM /Library/Logs/DiagnosticReports/mds_stores_2016-06-04-093545_[redacted].crash

Jun 4, 2016, 09:35:22 AM /Library/Logs/DiagnosticReports/BDLDaemon_2016-06-04-093522_[redacted].cpu_resource.diag [Details]

/Library/Bitdefender/*/antivirus.bundle/BDLDaemon

Jun 4, 2016, 02:46:43 AM /Library/Logs/DiagnosticReports/BDLDaemon_2016-06-04-024643_[redacted].crash

Jun 3, 2016, 07:29:36 AM /Library/Logs/DiagnosticReports/com.apple.AmbientDisplayAgent_2016-06-03-072936_[redacted].crash

/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent
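The report above pairs each odd launch daemon (`com.Averroist.plist`, `com.counterbarrage.plist`, ...) with a helper script in `/etc`, and the "Launch Daemons" section gives each one a launchd status. The following Python script is an added example (it is not EtreCheck code and not part of the thread) that triages a text report of this shape: it splits the report into its sections, keeps every daemon whose reverse-DNS label is not on a small vendor allowlist (the `KNOWN_VENDORS` set is an assumption for this machine), and attaches the matching `/etc/<name>.sh` script and EtreCheck's own adware marker. The embedded `REPORT` is a constructed excerpt made from a subset of the lines posted above.

```python
"""Triage an EtreCheck-style text report: pair every non-vendor launch daemon
with its /etc helper script and its launchd status.
Added example; not EtreCheck's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed excerpt: a subset of the report lines posted in this thread.
REPORT = """\
Adware:
/Library/LaunchDaemons/com.previsiveUpd.plist
One adware file found.[Remove]

Unknown Files:
/Library/LaunchDaemons/com.Averroist.plist
/etc/Averroist.sh
/Library/LaunchDaemons/com.counterbarrage.plist
/etc/counterbarrage.sh
/Library/LaunchDaemons/com.uschiwarkin.plist
3 unknown files found.[Check files]

Launch Daemons:
[failed] com.Averroist.plist (2016-06-03) [Support]
[loaded] com.adobe.fpsaud.plist (2016-05-09) [Support]
[running] com.bitdefender.agent.plist (2016-06-01) [Support]
[running] com.counterbarrage.plist (2016-06-05) [Support]
[not loaded] com.previsiveUpd.plist (2016-06-01) Adware! [Remove]
[not loaded] com.uschiwarkin.plist (2016-05-22) [Support]
"""

# Assumption: reverse-DNS prefixes treated as legitimate on this particular Mac.
KNOWN_VENDORS = {"com.apple", "com.adobe", "com.bitdefender",
                 "com.malwarebytes", "com.macpaw"}

SECTION_RE = re.compile(r"^([A-Za-z0-9 ]+):$")
DAEMON_RE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<file>\S+\.plist)\s+"
    r"\((?P<date>[\d-]+)\)(?P<rest>.*)$")


@dataclass
class Finding:
    label: str
    status: str
    date: str
    script: Optional[str]   # paired /etc/<name>.sh, if the report lists one
    reasons: List[str]


def split_sections(text: str) -> Dict[str, List[str]]:
    """Group the report's lines under the 'Name:' header that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def vendor_prefix(label: str) -> str:
    """'com.adobe.fpsaud' -> 'com.adobe'; 'com.Averroist' -> 'com.Averroist'."""
    return ".".join(label.split(".")[:2])


def analyze(text: str) -> List[Finding]:
    sections = split_sections(text)
    unknown = set(sections.get("Unknown Files", []))
    adware = set(sections.get("Adware", []))
    findings: List[Finding] = []
    for line in sections.get("Launch Daemons", []):
        m = DAEMON_RE.match(line)
        if not m:
            continue
        label = m.group("file")[:-len(".plist")]
        reasons = []
        if vendor_prefix(label) not in KNOWN_VENDORS:
            reasons.append("label is not a known vendor prefix")
        if (f"/Library/LaunchDaemons/{m.group('file')}" in adware
                or "Adware!" in m.group("rest")):
            reasons.append("flagged as adware by EtreCheck")
        # The posted report pairs com.<word>.plist with /etc/<word>.sh.
        script: Optional[str] = f"/etc/{label.split('.', 1)[1]}.sh"
        if script in unknown:
            reasons.append("paired helper script in /etc")
        else:
            script = None
        if reasons:
            findings.append(Finding(label, m.group("status"),
                                    m.group("date"), script, reasons))
    return findings


if __name__ == "__main__":
    for f in analyze(REPORT):
        print(f"{f.label:24} [{f.status}] {f.date} {f.script or '-'}: "
              + "; ".join(f.reasons))
```

The allowlist is deliberately short: on the machine in this thread anything outside it is worth a look, and the paired script plus the load status tell you which items are still active (`running`) versus merely present (`failed`, `not loaded`).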

Jun 5, 2016 6:32 PM in response to Belfast MacUser

If you don't want to do what I suggested, see below for an alternative.

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Back up all data first.

If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

If the malware is not removed automatically, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

Jun 5, 2016 8:20 PM in response to Belfast MacUser

Hello again Belfast MacUser,

Unfortunately, recent types of Mac adware have crossed into true malware territory. You may find people here on Apple Support Communities splitting hairs and saying that "viruses" don't exist on the Mac. Technically, that may be true. But this recent crop of adware is very aggressive and actively resists being removed. It really isn't that much different than "true malware". So, I'm going to give you some instructions on how to proceed. Just realize that they probably won't work 100% the first time. It might take a couple of tries of doing the same or very similar procedures.


1) In the Finder, go to the "Go" menu and choose "Go to folder...".

2) In the "Go to the folder" dialog that appears, enter the following:

/Library/LaunchDaemons

and press enter.

3) Finder will open a new window. Select the following files in that window:

com.previsiveUpd.plist

com.Averroist.plist

com.automysophobia.plist

com.bilingual.plist

com.counterbarrage.plist

com.crapaud.plist

com.evilproof.plist

com.inappositeness.plist

com.intervertebra.plist

com.mattedness.plist

com.osphresis.plist

com.pentite.plist

com.poilu.plist

com.savagism.plist

com.seerpaw.plist

com.solicitude.plist

com.uschiwarkin.plist

com.wintered.plist

4) Drag them to the trash.

5) Restart your machine

6) Run another EtreCheck report and post the report it generates.


My guess is that you will have to do some additional work to remove the "uschiwarkin" and "previsiveUpd" malware. You might even have one or two new ones. You will likely have to run some Terminal commands too. Just take it one step at a time.

Jun 6, 2016 2:45 AM in response to Linc Davis

Thank you Linc Davis once again for your very detailed advice.


General:


I had already backed up my data


I updated OSX software and the suspect files and folders remained.


I would be grateful for the guidance you refer to on the changes that I need to make to the way I use my computer to protect myself from future attacks once I have the malware removed.


I was not sure what you meant by your reference to web browsers as your instructions did not involve me using Safari apart from opening up Safari preferences, which did open, so I did not restart the computer in safe mode.


Step 1:


I treble clicked on the ~/Library/LaunchAgents line in your message but it didn’t activate so I couldn’t follow your instructions. None of the lines that I was supposed to click activated.


I went to the /Library/LaunchAgents folder - the only item in there was: com.bitdefender.antivirusformac.plist. I attach a screenshot.


I went to the Go > Go to Folder and pasted in Command-V and pressed return and was told "The folder can't be found". A search for the folder "~/Library/LaunchAgents" had the same response.


Step 2:


I had already been to /Library/Launch Agents in Step 1 and the screenshot is attached.


Step 3:


I went to /Library/LaunchDaemons and I attach a screenshot. The relevant ones are the ones downloaded since 22 May 2016 although I did not notice a problem until 31 May 2016 (apart from CleanmyMac, Bitdefender and Malwarebytes).


Step 3A:


I went to /Library and I attach a screenshot. This is because some of the suspect folders have been downloaded into the Library folder and I thought this may be relevant for you to know.


Step 4:


I went to Safari preferences and selected the Extensions tab. I attach a screenshot.


Step 5:


I don’t use Firefox or Chrome browsers.


[Four screenshots attached: /Library/LaunchAgents, /Library/LaunchDaemons, /Library, and Safari Extensions]

Jun 6, 2016 2:51 AM in response to etresoft

I was planning to attach the other files here but have not been allowed to do so. Even after refreshing the page and logging out and in again I get the message "Your content could not be saved due to an error". I will try again later. The missing screenshots show a lot of suspect folders in the Library folder whose names are also to be found in the /Library/LaunchDaemons folder. The only extension in Safari Preferences are Adblocker and Ghostery.

Jun 7, 2016 1:20 AM in response to Belfast MacUser

Hello again Belfast MacUser,

That's just the flaky Apple web forum software. The only files you really need to delete are in /Library/LaunchDaemons. Those are the scripts that automatically run the malware. In most cases, removing the files in /Library/LaunchDaemons and restarting is all you need to do. However, I wouldn't be surprised if you do have to do more. Malware has gotten noticeably more aggressive just in the last two weeks. Just so you know, this will take multiple rounds.

Jun 6, 2016 12:38 PM in response to Belfast MacUser

A

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

Step 1

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

Step 2

While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

Step 3

Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

com.apple.something.plist

where something is a random, meaningless string of letters, different in every case.

Note that the name consists of four words separated by periods. Typical examples:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

There may also be one or more items with a name of this form:

com.something.plist

Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

These names consist of three words separated by periods. Typical examples:

com.semifasciaUpd.plist

com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

Step 4

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari > Preferences... > General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

Step 5

The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

Step 6

This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be one or more with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

B

"CleanMyMac" is a scam and a common cause of instability and poor performance. Depending on what version you have, the developer's instructions may not completely remove it. Please follow those instructions, then do as below.

Back up all data before proceeding.

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

Right-click or control-click the highlighted line and select

Services > Reveal in Finder (or just Reveal)

from the contextual menu.* A folder may open with an item selected. If it does, move the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with this line:

/Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

Restart the computer and empty the Trash.

You may also have to remove one or more of these items in the same way:

~/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist

~/Library/LaunchAgents/com.macpaw.CleanMyMac.volumeWatcher.plist

~/Library/LaunchAgents/com.macpaw.CleanMyMac3.Scheduler.plist

Never again install "CleanMyMac" or anything like it.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

C

Please remove "BitDefender Antivirus" by following the instructions on this page. I can't vouch for the effectiveness of those instructions. If they don't work, refer to the developer for more information.

Back up all data before making any changes. Never install any "anti-virus" or "anti-malware" software again.

D

The "Malwarebytes" product failed to remove the malware. That's what you should always expect from such products: failure. I suggest that you remove it according to its developer's instructions and never install any "anti-malware" or "anti-virus" software again. Relying on such software for your security is a dangerous mistake. Security lies in safe computing practices, not in software. Ask if you want guidance.
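A script that applies the post's modification-time clustering heuristic (Steps 2 and 3) to a LaunchDaemons folder, added here as an example; it is not from the post, from Apple or from any vendor. It assumes that Apple's own daemons live in /System/Library/LaunchDaemons, builds a constructed sample folder using the file names the post lists plus hypothetical vendor names, and reports every file in a cluster that contains a four-word com.apple.*.plist name.

```python
import os
import re
import tempfile
import time

# Apple's own daemons live in /System/Library/LaunchDaemons, so a four-word
# "com.apple.<random>.plist" in /Library/LaunchDaemons is the VSearch pattern.
VSEARCH_NAME = re.compile(r"^com\.apple\.[A-Za-z]+\.plist$")
CLUSTER_WINDOW = 5 * 60  # "same modification time to within a few minutes"

def list_plists(folder):
    """[(name, mtime)] for the .plist files in folder, newest first."""
    entries = [(n, os.stat(os.path.join(folder, n)).st_mtime)
               for n in os.listdir(folder) if n.endswith(".plist")]
    return sorted(entries, key=lambda e: e[1], reverse=True)

def cluster_by_mtime(entries, window=CLUSTER_WINDOW):
    """Group newest-first entries whose mtimes fall within window of each other."""
    clusters = []
    for name, mtime in entries:
        if clusters and clusters[-1][-1][1] - mtime <= window:
            clusters[-1].append((name, mtime))
        else:
            clusters.append([(name, mtime)])
    return clusters

def find_suspect_clusters(folder):
    """Every member of a cluster holding at least one VSearch-style name."""
    return [sorted(n for n, _ in c)
            for c in cluster_by_mtime(list_plists(folder))
            if any(VSEARCH_NAME.match(n) for n, _ in c)]

def build_sample(folder, now=None):
    """Constructed sample: three VSearch-style files written within two minutes
    of each other plus two unrelated (hypothetical vendor) items from long ago."""
    now = now or time.time()
    sample = {"com.apple.builins.plist": now - 120,  # names from the post
              "com.semifasciaUpd.plist": now - 60,
              "com.apple.nysgar.plist": now,
              "com.example.backupagent.plist": now - 2 * 86400,
              "org.example.printhelper.plist": now - 90 * 86400}
    for name, mtime in sample.items():
        path = os.path.join(folder, name)
        with open(path, "w") as f:
            f.write("<plist/>")
        os.utime(path, (mtime, mtime))
    return folder

def demo():
    """Run the detector over the constructed sample in a scratch directory."""
    with tempfile.TemporaryDirectory() as d:  # use "/Library/LaunchDaemons" on a Mac
        return find_suspect_clusters(build_sample(d))
```

Note that a legitimate third-party item installed in the same few minutes as the malware would also land in the cluster, which is exactly why the post says to look at the names as well as the dates.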

Jun 6, 2016 12:59 PM in response to Linc Davis

Thank you for your advice again Linc Davis.


I have followed all of your instructions which were very easy to follow. The deleted files in the Launch Daemon folder in the Library folder did not return after I restarted the computer. I would be very grateful if you could answer 3 more queries:


1. Step 5: I checked twice in Network-Advanced-Proxies. Both times I opened the window Auto Proxy Discovery was unchecked. The first time I opened the window Use Passive FTP mode was unchecked. Within 3 minutes the box was checked and the “Bypass proxy settings for these Hosts & Domains:” now included “*.local, 169.254/16”. I have screen shots of both these windows if you need them. I presume that I should change these settings. If that is right is there anything else that created these changes that I need to delete as well?


2. Step 6: Users and groups. I have two accounts and an account named "Guest User" that appeared at around the time of the viruses. I thought that this was related to "Find my Mac" after googling to find out but after Step 6 I checked and found that my Find my Mac is unchecked. I am unable to delete this. Could you advise me how to do this please?


3. Should I delete all the folders in my Library folder that share names with the deleted plist files? (The plist files had names in the com.X.plist format. These files use the same names for X but are just called X). They were created at the same time and are System read and write only. I attach a screenshot in case it helps.

Jun 7, 2016 8:49 AM in response to etresoft

Etresoft,


I posted a message yesterday to thank you for your advice and programme but today I see that it did not appear.


It is a great programme and with fun graphics. Thank you.


Today I have another query however. Last night I cleared out all of the identified suspect folders recommended by Etresoft and Linc Davis and this morning everything was still clear. Within an hour or so I ran MalwareBytes and it identified a list of adware files that had been created this morning. I deleted these. I ran Etresoft and while your devil and masked figure both appeared and malware/adware was identified, your report did not list them as it had before.


Do you have any advice as to how I might identify the remaining files in my hard drive that are continuing to create the adware?
