treed

How to remove the after-effects of adware


Many different kinds of malware will make changes to the system that Malwarebytes cannot fix. These changes include:

1) Malicious changes to the browser settings (home page, search engine, etc.)

2) Addition of malicious system profiles

These changes may result in your browser continuing to direct you to malicious sites, such as WeKnow, SearchMine, and others, even after the malware has been removed.

Malwarebytes can remove the malware responsible, but it cannot fix these changes to the system! In some cases, these changes cannot be fixed without using the same kinds of unsavory hacks that the malware used. In other cases, they cannot be fixed without risk to your security.

Here are some steps to take to remove all the effects of this malware.

Restart your computer

Malwarebytes for Mac will alert you if it removes something that requires a restart. Be sure that you have done this before doing anything else. If you fail to restart when required, the removal will not be complete until you do so. If you did not notice whether Malwarebytes told you a restart was needed, go ahead and restart anyway just to be safe.

If Malwarebytes didn't detect anything, that can be normal. Sometimes, the installer responsible for the problem won't actually do anything but mess with your settings, and will not actually install malicious software. In this case, please be sure to continue with these directions, rather than stopping here.

Delete Safari's preferences

If the problem is occurring in Safari, try deleting Safari's preferences:

  1. Quit Safari
  2. In the Finder, choose Go to Folder from the Go menu
  3. Paste the following path into the window that opens, then click Go:
    ~/Library/Preferences/com.apple.Safari.plist
  4. If the file is found, delete it, then re-open Safari

Remove malicious profiles

If your computer is managed by your employer, contact their IT department. There may be legitimate profiles mixed with malicious ones. You may need to show them these instructions to ensure they know what is needed.

Some adware and malware will install a malicious configuration profile. These profiles are meant to be used by IT admins to manage your Mac, but are being abused to force the home page to a scam site. For more information, and instructions for how to remove the profile, see:

https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

Check for managed preferences for Chrome

If your computer is managed by your employer, contact their IT department. There may be legitimate managed preferences mixed with malicious ones. You may need to show them these instructions to ensure they know what is needed.

Some adware has been known to install managed preferences to set the home page and search engine settings in Chrome. To check for these, do the following:

  1. Quit Chrome
  2. In the Finder, choose Go to Folder from the Go menu
  3. Paste the following path into the window that opens, then click Go:
    /Library/Managed Preferences/
  4. Look for the following files, where [username] is your username:

    com.google.Chrome.plist
    [username]/com.google.Chrome.plist
    [username]/complete.plist

    These may be legitimate, so open these files with TextEdit and see if they have links to the troublesome site in them. If they do, delete them and restart Chrome.

Change home page setting

Your browser's home page setting may have been changed by the malware. After removing the profile (if present), fix the home page setting in your browser of choice.

In Safari:

  1. Choose Preferences from the Safari menu
  2. Click the General icon
  3. Change the Homepage setting

In Chrome:

  1. Choose Preferences from the Chrome menu
  2. Change the settings under On startup

Nuke Chrome

In many cases, changes to Chrome may have been made that are non-trivial to fix. In such a case, it will be easier to completely remove Chrome and all data, then reinstall. To do this, delete all of the following items:

/Applications/Chrome.app
/Library/Application Support/Google/
/Library/Google/
~/Library/Application Support/Google/
~/Library/Google/
~/Library/Preferences/com.google.Chrome.plist

Be aware that this will delete all data for all Google apps you have installed, such as Chrome bookmarks. Export any data you want to keep beforehand.

If you're not sure how to find these folders, choose Go to Folder from the Go menu in the Finder, then paste one of those paths into the window that opens. Be sure to delete the correct item, as deleting the wrong item could cause data loss or even damage to your system or other apps.

After deleting all these files, restart the computer. Then re-download Chrome and reinstall. You will need to import any exported bookmarks or other data, and may need to reinstall any other Google apps that you use.

If Safari's home page is stuck

In some cases, after being changed by adware or malware, Safari's home page can become stuck. You will be able to edit the Homepage field in Safari's preferences, but the change will not stick. This appears to be a bug, and there is an odd workaround. Try this:

  1. In Safari, choose Preferences from the Safari menu.
  2. In the window that opens, click the General icon (if necessary)
  3. Enter your desired home page in the "Homepage" field, but DO NOT press return!
  4. At the top of the window, click any of the other icons (e.g., Tabs, AutoFill, etc.).
  5. You may see a prompt asking for confirmation for changing the home page. If so, confirm.
  6. Switch back to the General page and check to make sure the home page has been changed.

Check other browser settings

In some cases, the Homepage setting will not have been changed, but the browser is still loading a different page when it starts up. Check other settings besides the Homepage setting. For example, some recent malware has been observed to add a bookmark, then change Safari's New windows open with setting to load new tabs for that bookmark item. Explore any settings that control what happens when you open the browser, or open new windows or tabs, and make sure all of them are set as you wish. Remove any unwanted bookmarks that have been created, if any.


If nothing helps...

If all the above fails to help, please submit a ticket to our support site for more assistance.

https://support.malwarebytes.com/hc/en-us/requests/new

Please be patient, especially on weekends, holidays, or at odd hours for Europe and the US. Be sure to identify the product as Malwarebytes for Mac. If you choose Windows, you'll be at the bottom of a much longer queue, and will only get Mac help once our techs have figured out you're not actually on Windows.

Edited by treed
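
The Chrome managed-preferences check described in the post above, as an added example that is not part of the original post or a Malwarebytes tool: it reads the three files the post names and lists every URL they contain, so you can see where a managed home page or search setting points before deciding to delete a file. It assumes `python3` is installed; because it parses the plist rather than opening it as text, it also handles binary plists, which are not readable in TextEdit.

```python
import plistlib
import re
from pathlib import Path

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def managed_chrome_plists(username, root="/Library/Managed Preferences"):
    """The three files the post lists, relative to the managed-preferences folder."""
    base = Path(root)
    return [
        base / "com.google.Chrome.plist",
        base / username / "com.google.Chrome.plist",
        base / username / "complete.plist",
    ]

def iter_strings(value, key_path=""):
    """Yield (key path, string) for every string nested anywhere in a plist value."""
    if isinstance(value, str):
        yield key_path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{key_path}/{key}")
    elif isinstance(value, (list, tuple)):
        for index, item in enumerate(value):
            yield from iter_strings(item, f"{key_path}[{index}]")

def audit(username, root="/Library/Managed Preferences"):
    """Return (file, key path, URL) for each URL found; nothing is modified or deleted."""
    findings = []
    for path in managed_chrome_plists(username, root):
        if not path.is_file():
            continue  # a missing file simply means no managed preferences there
        try:
            with path.open("rb") as handle:
                data = plistlib.load(handle)  # accepts both XML and binary plists
        except Exception as exc:  # unreadable or malformed: report it, keep going
            findings.append((str(path), "<unreadable>", str(exc)))
            continue
        for key_path, text in iter_strings(data):
            for url in URL_RE.findall(text):
                findings.append((str(path), key_path, url))
    return findings

if __name__ == "__main__":
    import getpass
    for file_name, key_path, url in audit(getpass.getuser()):
        print(f"{file_name}\t{key_path}\t{url}")
```

The script only reports; deleting a file is still the manual step from the post. A site name stored without `http://` or `https://` in front of it will not be listed, so an empty result for a file that exists is worth a closer look.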
