Deworming the Apple

So we have seen a rapid rise in Mac “Malware”…

I hesitate to call the trouble we have seen malware. The troubles fall into two categories: webpage alerts that cannot be dismissed, and MacKeeper.

The webpage alert is a shakedown scam. It takes 10 minutes of work, 13 lines of code and a website that will run any ad for money to pull off. What makes this malware is a feature built into your web browser where it will reopen the website you had open when you last closed it. A useful feature for most of us, but in the hands of people without scruples it becomes a major headache.

The cure, though, is simple. Just two steps. First, quit your web browser. On a Mac you can sometimes choose “Quit” from the application’s menu.

Quit Firefox

If all else fails, though, you can force quit the application. Similar to Control + Alt + Delete on a Windows PC, on a Mac use the key combination Command + Option + Escape to bring up the Force Quit dialog.

Force Quit Dialog

Select your web browser and click “Force Quit”. That’s step one. Now the tricky part: if you hold down the Shift key while launching your web browser, it should not restore the previous session. If your web browser resides in your Dock this is simple… just hold down the Shift key and click the icon in the Dock. If you launch your web browser by double-clicking a desktop shortcut or its icon in the Applications folder, you have to be careful, because holding down the Shift key normally “extends the selection”. So click the icon first so that only it is selected, then hold the Shift key down and double-click.

I suggest clearing your history and avoiding the websites you were browsing when the alert popped up.

This brings us to the second type of trouble: MacKeeper (and friends). MacKeeper is the unholy offspring of the Ask Toolbar and Symantec Protection Suite. It does nothing for you but slow your computer, show their ads in the web pages you visit and nag you to purchase the full version because your Mac is unprotected from… MacKeeper. Perhaps needless to say, there is a class action lawsuit for people duped into paying for MacKeeper.

MacKeeper has changed evil corporate overlord shell company at least once, thus there are a few versions out there. One version is easy to rid yourself of. It lives in your Applications folder with some friends;, and Just drag all four to the Trash, then wait for MacKeeper to ask why you are uninstalling it. I usually just leave the question unanswered and click “Continue Uninstalling”. You may have to enter your password if you are an administrator, or an administrator’s name and password if you are a standard user. You may want to take this opportunity to look through your Downloads folder and clean out any MacKeeper installers (MacKeeper.pkg) there by dragging them to the Trash too. Finally, empty the Trash.

The other variant is not so nice: it tries to keep running by relaunching from an Application Support folder. The hard way… Macs have a nice services control subsystem called launchd. launchd takes its instructions from XML-formatted text files, so MacKeeper and friends drop instruction files, which tell launchd to run them and to keep relaunching them if they exit, into one of the three places launchd will look for them: /Library/LaunchAgents, ~/Library/LaunchDaemons and ~/Library/LaunchAgents. Note: for those new to Unix, a leading ‘/’ means this is at the root of the startup drive, while ‘~/’ refers to your home folder. Look in these folders, moving anything that mentions zeobit, MacKeeper or its friends to the Trash. Next, look in /Library/Application Support and ~/Library/Application Support for folders with suspicious names like MacKeeper and move these to the Trash. Finally, move the applications like in the /Applications folder to the Trash. Reboot. Empty the Trash.
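An added example, not from the original post: a read-only Python sketch that lists the launchd job files mentioning the names above and shows whether each one asks launchd to keep relaunching it. It checks the three folders named in the post and also /Library/LaunchDaemons, which launchd reads as well; the job files in `demo()` are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

# The three folders the post names, plus /Library/LaunchDaemons (also read by launchd).
LAUNCHD_DIRS = ["/Library/LaunchAgents", "/Library/LaunchDaemons",
                "~/Library/LaunchDaemons", "~/Library/LaunchAgents"]
KEYWORDS = ("zeobit", "mackeeper")  # names the post says to look for


def scan_launchd(dirs=LAUNCHD_DIRS, keywords=KEYWORDS):
    """List launchd job files that mention a keyword. Read-only: nothing is moved."""
    hits = []
    for folder in (Path(d).expanduser() for d in dirs):
        if not folder.is_dir():
            continue
        for path in sorted(folder.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    loaded = plistlib.load(fh)  # handles XML and binary plists
                job = loaded if isinstance(loaded, dict) else {}
            except Exception:
                job = {}  # unreadable file: still match on its file name
            args = [str(a) for a in job.get("ProgramArguments") or []]
            program = str(job.get("Program") or (args[0] if args else ""))
            text = " ".join([path.name, str(job.get("Label", "")), program, *args])
            keep = bool(job.get("KeepAlive", False))  # KeepAlive relaunches on exit
            if any(k in text.lower() for k in keywords):
                hits.append({"file": str(path), "label": job.get("Label"),
                             "program": program, "keep_alive": keep})
    return hits


def demo():
    samples = {  # constructed job files, not real MacKeeper file names
        "com.zeobit.example.helper.plist": {
            "Label": "com.zeobit.example.helper", "KeepAlive": True,
            "ProgramArguments": ["/Library/Application Support/MacKeeper/helper"]},
        "com.example.backup.plist": {"Label": "com.example.backup", "Program": "/bin/date"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, job in samples.items():
            with open(Path(tmp, name), "wb") as fh:
                plistlib.dump(job, fh)
        return scan_launchd([tmp])


if __name__ == "__main__":
    print(*scan_launchd(), sep="\n")
```

Run as a script on the Mac, it prints one line per matching job file; the `program` value points at the Application Support folder or application that the job relaunches.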

This usually takes care of Mac “Malware”. One last place to look, though, is in your web browser’s Add-ons/Extensions. These are little bits of software that change the way your web browser works. Some, like AdBlock Plus, can be helpful by limiting the ads your web browser displays. But most are not helpful. So you may want to uninstall any you find in your web browser… the specifics of how to do so are a much longer blog post for another day.