Macintosh Adware Removal

Symptoms of Macintosh Adware Presence

  • Troubles accessing web pages in Safari or Chrome (browser hijacking)
  • Popup windows load up instantly when opening web browsers.
  • Abnormal picture ads on google.com main page and search results.
  • Unable to create a new message on the Gustavus webmail interface.

Services Provided

The Technology Helpline staff is available to help with malware removal from personally owned Macintosh computers during regular hours. Institutionally owned Macintosh computers that are infected will be re-imaged.

Malware removal involves uninstalling applications such as Search Conduit, MacKeeper, MPlayerX, Genieo, InstallMac, Downlite, etc., and deleting files from both the System Library and the User Library.

Automated Removal

We recommend using the Malwarebytes product for Macintosh as a first step in the removal process for malware on Macintosh computers.

  1. Download and install the Malwarebytes for Macintosh application from Malwarebytes.org.
  2. Run the installer
  3. Launch the Application (from the Applications folder)
    1. Read and accept the license agreement
  4. Check for Updates - from the Malwarebytes Anti-Malware menu, select Check for Updates
  5. To Scan - click the Scan button.
  6. Remove any found items.

Manual Removal

Location of Malicious Files/Processes

Malware may be installed in any number of locations on the Macintosh HD. The following are some of the most common locations, along with access information and additional tools that may be useful for a manual removal process.

Applications folder

The applications folder is at the root of the Macintosh HD. To find the Applications folder:

  • in Finder
  • from the Go Menu select Computer
  • double-click Macintosh HD
  • you should see an Applications folder at this location.

System Library

The System Library is the Library folder at the root of the Macintosh HD. To find the System Library:

  • in Finder
  • from the Go Menu select Computer
  • double-click Macintosh HD
  • you should see a Library folder at this location.

User Library (~/Library)

The User Library (typically denoted ~/Library) is the Library folder in the root of your user directory. To find the User Library:

  • in Finder
  • Hold down the Option key (holding the Option key shows the User Library in the Go menu; without the Option key, it won't show).
  • from the Go Menu
  • select Library

Accessing Activity Monitor

The Activity Monitor application is in the Utilities folder located in the Applications folder:

  • in Finder
  • from the Go Menu select Computer
  • double-click Macintosh HD
  • you should see an Applications folder at this location.
  • Go to the Utilities folder
  • Open Activity Monitor and select All Processes.

Accessing Login Items

The Login Items menu is responsible for telling the computer what applications to start when logging into the computer after a restart. It is located in the System Preferences menu, under Users & Groups.

  • Apple menu (upper left corner)
  • System Preferences
  • Users & Groups
  • For the user with the popup problems, click their user on the left, usually the current user
  • On the right, click Login Items.

Removal

After removing files, a restart of the computer is necessary.

  • From the System Library (Macintosh HD/Library)
  • Check the LaunchAgents, LaunchDaemons and Application Support folders
  • remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names.

  • From the User Library (~/Library)
  • Check the Caches, Application Support, Preferences, and LaunchAgents folders
  • remove any files or folders with zeobit, MacKeeper, 911 or 911bundle, Vsearch, or MPlayerX in their names.

  • From the Applications folder (Macintosh HD/Applications)
  • remove any applications with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names.

  • From Activity Monitor (Macintosh HD/Applications/Utilities)
  • Delete any processes with zeobit, MacKeeper, 911 or 911bundle, Vsearch, SearchConduit, or MPlayerX in their names

  • From the Users & Groups menu in the System Preferences menu
  • Click on the user on the left
  • Click on the Login Items tab on the right
  • Highlight MacKeeper or other malicious process
  • Click the (-) button to delete it

  • Also check all browsers for suspicious extensions (MacCost, Coupon extensions, Search extensions)
  • Empty the Trash
  • Clear caches in Chrome, Safari, and Firefox
  • Manually reset home pages in Chrome, Safari, and Firefox
  • Reboot computer
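
The folder and process checks above can be run from Terminal as a report-only pass before anything is deleted. This is an added example, not part of the original Helpline instructions; the function names scan_adware and filter_procs are hypothetical, and the name fragments are the union of those listed in the steps above.

```shell
#!/bin/sh
# Added example: lists items for review, deletes nothing.
# Name fragments from the Removal steps ("911" also covers "911bundle").
FRAGMENTS='zeobit mackeeper 911 vsearch mplayerx searchconduit'

# scan_adware ROOT HOME_DIR
# Prints entries directly inside the folders named in the Removal steps
# whose file or folder name contains a fragment (case-insensitive).
# ROOT is "" for the real Macintosh HD, or a test directory.
scan_adware() {
    root=$1
    home=$2
    for dir in \
        "$root/Library/LaunchAgents" \
        "$root/Library/LaunchDaemons" \
        "$root/Library/Application Support" \
        "$home/Library/Caches" \
        "$home/Library/Application Support" \
        "$home/Library/Preferences" \
        "$home/Library/LaunchAgents" \
        "$root/Applications"
    do
        [ -d "$dir" ] || continue          # folder absent: nothing to check
        for frag in $FRAGMENTS; do
            find "$dir" -mindepth 1 -maxdepth 1 -iname "*$frag*" -print
        done
    done | sort -u                         # one line per item, even if two fragments match
}

# filter_procs: reads "PID COMMAND" lines on stdin and keeps those whose
# command (not the PID, which may itself contain 911) names a fragment.
filter_procs() {
    awk -v pat="$(echo "$FRAGMENTS" | tr ' ' '|')" '
        { cmd = $0
          sub(/^[ \t]*[0-9]+[ \t]+/, "", cmd)   # drop the PID column
          if (tolower(cmd) ~ pat) print }'
}

echo "== Files and folders to review =="
scan_adware "" "${HOME:-}"
echo "== Running processes to review =="
ps -axo pid=,comm= 2>/dev/null | filter_procs
```

A bare "911" can match unrelated items, so review each line of output before removing anything.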

Software Updates

After removing malware:

  • Verify that all System Updates (App Store - Updates) have been applied.
  • Verify that all browsers are up to date. Check About Chrome or About Firefox from the Chrome or Firefox menu.
  • Verify that all plug-ins are up to date. In Firefox, from the Tools menu select Add-ons; on the Plug-ins tab, click the "Check to see if your plug-ins are up to date" link. Update any outdated plug-ins.

Additional Help

Here is a helpful web page that has been proven to work multiple times to guide you through removing pesky Macintosh Adware.

http://applehelpwriter.com/2011/09/21/how-to-uninstall-mackeeper-malware/


Please only delete those files that have the words zeobit, MacKeeper, 911 or 911bundle, or Vsearch in their names.

The directions on the website don't mention anything about Vsearch, but any file that says Vsearch should be treated the same way: delete the file or kill the process.

Other

  • Try removing the website data in Safari. Safari menu, Reset Safari, Remove website data.