Mac Malware

I use a Mac.  I have since 2006.  One of the things I love about using a Mac is that there is very little malware or viruses.  That doesn’t mean you are completely safe though.  Just like on a Windows system, the easiest way you can get infected is when you are not paying attention.

I am a pretty savvy computer user.  But recently I was on a conference call and taking care of a personal task at the same time, when I quickly, without paying attention, clicked on a link to update my Flash player.  First off, Flash is crap.  If you can avoid Flash, do so at all costs.  But if you need Flash, do yourself a favor and install it from the official site: (https://get.adobe.com/flashplayer/).

Well, in this case I did not go to the official site but clicked the very official-looking button to update Flash.  When I did that, it immediately downloaded a DMG file, and we were off to the races.  I spent about three hours searching various sites and cleaning off my machine.

Tonight, the exact same thing happened to my wife.  This time, I decided to write down everything it took to clean it off.  These programs that are installed, from what I can tell, are not spyware.  They are unwanted applications (IMO) designed to make money.  Essentially, they try to get you to sign up for extra services and hijack browser sessions in an attempt to get clicks.  People may actually use these applications.  But for the most part, the company that made them (PCVARK) is using very aggressive and shady tactics to try and sell its product.  The three applications that were installed (that I could find after deep digging) were: MegaBackup, Advanced Mac Cleaner, and Mac-File-Opener.  The last one in particular was tough to find, as the only clue it is there is when you click on a file that the system doesn't recognize.  When you do that, it hijacks your Mac file opener and redirects you to a website that tries to get you to download more crap.

So without further ado, here are my notes on everything that had to be cleaned and where I found the information.

Potential browser issues:

It's more than likely the browsers you use had settings changed.
  1. In your browser, open the settings or preferences and check the following:
    1. Homepage or new tabs (check what homepage opens or what new tabs open by default)
    2. Home button (check the action that occurs when you click the home button)
    3. Search engine (you were probably redirected to a sponsor's search engine)
    4. Extensions installed (I didn't find any new extensions, but you should check)
    5. Startup pages (what pages open when your browser starts up)

Malware programs installed:

Below are instructions for removing files on your system.  Rather than explaining at each line, the easiest way to remove files is to:
  1. Open Finder
  2. On the menu bar, click Go… Go to Folder…
  3. Copy and paste the paths that I have below

Mac File Opener
This one is a bit complicated, as it puts itself in crazy places and is not so much an app as a replacement for the Mac file opener.  Here is what I could find.
Go to the following directories and remove the following files or folders:
  1. ~/Library/ and delete the folder Mac-File-Opener
  2. ~/Library/ and delete the file com.pcvark.Mac-File-Opener.plist
  3. ~/Library/Caches/ and delete the file com.pcvark.Mac-File-Opener

Advanced Mac Cleaner
  1. Close the program (Command-Alt-Escape, select Advanced Mac Cleaner and force quit)
  2. Delete the login item for Advanced Mac Cleaner
    1. Open System Preferences (Apple menu)
    2. Go to Users & Groups
    3. Click on Login Items for your account
    4. Click on Advanced Mac Cleaner and delete it
  3. Open Finder and delete the application from the Applications folder
  4. Remove the following files or folders:
    1. ~/Library/ and delete the folder Advanced Mac Cleaner
    2. ~/Library/Logs and delete the files Advanced Mac Cleaner.log; helperamc.log
    3. ~/Library/Application Support and delete the folders Advanced Mac Cleaner; amc
    4. ~/Library/Caches and delete the files com.pcv.hlpramc; com.PCvark.Advanced-Mac-Cleaner
    5. ~/Library/Saved Application State and delete com.PCvark.Advanced-Mac-Cleaner.savedState
    6. ~/Library/Preferences and delete the files com.pcv.hlpramc.plist; com.PCvark.Advanced-Mac-Cleaner.plist
    7. ~/Library/LaunchAgents and delete the files com.pcv.hlpramc.plist; com.PCvark.Advanced-Mac-Cleaner.plist
    8. ~/Library/Cookies/ and delete the file com.PCvark.Advanced-Mac-Cleaner.binarycookies
  5. Empty the Trash

MegaBackup
  1. Close the program completely
  2. Open Finder and delete the application from the Applications folder
  3. If a popup appears, kill the popup window (Cmd-Alt-Escape)
  4. Remove the following files or folders:
    1. ~/Library/Preferences/ and delete the file com.megabackup.MegaBackup.plist
    2. ~/Library/Preferences/ and delete the file com.megabackup.MegaBackupAgent.plist
    3. ~/Library/Caches/ and delete the files com.megabackup.MegaBackup; com.megabackup.MegaBackupAgent
    4. ~/Library/Logs/ and delete the folder MegaBackup
  5. Empty the Trash
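
Working through those three lists in Go to Folder by hand is slow and easy to get wrong, and deleting straight to the Trash gives you no way back if you hit the wrong item.  As an added example (not part of the original post, and not anything PCVARK or Apple ships), the script below takes the exact ~/Library paths listed above for Mac-File-Opener, Advanced Mac Cleaner and MegaBackup, reports which of them exist on a given home directory, moves what it finds into a quarantine folder with the relative layout preserved (so a false positive can simply be moved back), and flags the same component names in a process listing.  The function names, the quarantine folder name and the grep patterns are my own choices; the paths are the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Inventories and quarantines the
# PCVARK artifacts the post lists under ~/Library, and flags the component
# names in a ps-style listing. Function and folder names are assumptions.

# Paths relative to the home directory, copied from the post's removal lists.
PCVARK_PATHS='Library/Mac-File-Opener
Library/com.pcvark.Mac-File-Opener.plist
Library/Caches/com.pcvark.Mac-File-Opener
Library/Advanced Mac Cleaner
Library/Logs/Advanced Mac Cleaner.log
Library/Logs/helperamc.log
Library/Application Support/Advanced Mac Cleaner
Library/Application Support/amc
Library/Caches/com.pcv.hlpramc
Library/Caches/com.PCvark.Advanced-Mac-Cleaner
Library/Saved Application State/com.PCvark.Advanced-Mac-Cleaner.savedState
Library/Preferences/com.pcv.hlpramc.plist
Library/Preferences/com.PCvark.Advanced-Mac-Cleaner.plist
Library/LaunchAgents/com.pcv.hlpramc.plist
Library/LaunchAgents/com.PCvark.Advanced-Mac-Cleaner.plist
Library/Cookies/com.PCvark.Advanced-Mac-Cleaner.binarycookies
Library/Preferences/com.megabackup.MegaBackup.plist
Library/Preferences/com.megabackup.MegaBackupAgent.plist
Library/Caches/com.megabackup.MegaBackup
Library/Caches/com.megabackup.MegaBackupAgent
Library/Logs/MegaBackup'

# Print every listed artifact that exists under the directory $1 (normally
# $HOME). Exit status is 0 if at least one was found, 1 if none were.
# The here-document keeps the loop in the current shell so $found survives.
find_pcvark_artifacts() {
    base=$1
    found=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if [ -e "$base/$rel" ]; then
            printf '%s\n' "$base/$rel"
            found=$((found + 1))
        fi
    done <<EOF
$PCVARK_PATHS
EOF
    [ "$found" -gt 0 ]
}

# Move every listed artifact under $1 into the quarantine directory $2
# (default: $1/pcvark-quarantine), keeping the relative layout so that an
# item can be moved back if it turns out to be legitimate.
quarantine_pcvark_artifacts() {
    base=$1
    qdir=${2:-$base/pcvark-quarantine}
    find_pcvark_artifacts "$base" | while IFS= read -r path; do
        rel=${path#"$base/"}
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$path" "$qdir/$rel"
        printf 'quarantined %s\n' "$rel"
    done
    return 0
}

# Read a process listing on stdin (for example "ps -axo pid,comm") and print
# the lines whose command names match the components named in the post.
flag_pcvark_processes() {
    grep -iE 'helperamc|Advanced[ -]Mac[ -]Cleaner|Mac-File-Opener|MegaBackup|pcvark'
}

# Usage on a real Mac:  sh pcvark-check.sh scan | quarantine | procs
case "${1:-}" in
    scan)       find_pcvark_artifacts "$HOME" ;;
    quarantine) quarantine_pcvark_artifacts "$HOME" ;;
    procs)      ps -axo pid,comm | flag_pcvark_processes ;;
esac
```

Run `scan` first and read the list before running `quarantine`.  The script only moves files; on a real machine quit the applications and unload the two LaunchAgents first (`launchctl unload ~/Library/LaunchAgents/<plist>`), delete the .app bundles from the Applications folder as the post describes, and also look in the system-level /Library/LaunchAgents and /Library/LaunchDaemons, which the post's lists (all under ~/Library) do not cover.  Once you are satisfied nothing legitimate was caught, the quarantine folder can be deleted.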

Conclusion

When you are done, reboot your machine and make sure nothing wonky appears.  If you want, you can open Activity Monitor and look at everything running.  There are sometimes hundreds of processes running, so it is very hard to tell what is legitimate and what might be a problem, but searching online for process names will quickly tell you which ones are a problem.

I hope this helps someone, happy hunting.
