3 noviembre, 2024
You installed one or more variants of the “InstallMac” trojan. Take the steps below to disable it.
The
criminal behind this attack tries to make the malware hard to remove by
varying the names of the files it installs. This procedure works as of
now, as far as I know. It may not work in the future.
Anyone finding this comment a few days or more after it was posted
should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
          Go Go to Folder…
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named “LaunchAgents” will open.
2. Inside the folder you just opened, there may be files with a name of the form
          something.AppRemoval.plist
          something.download.plist
          something.ltvbit.plist
          something.update.plist
where something is usually a meaningless string, such as any of the following:
          Epolife
          InstallMac
          Javeview
          Kuklorest
          Manroling
          Otwexplain
These
are examples, not a complete list. The string could be anything. The
point is that the same string will usually appear in the name of three
or four files.
You could have more than one copy of the malware, with different values of something.
Move all such items to the Trash. If there are any other files with a name that begin with something,
move them to the Trash also. After you’ve done that, there may not be
anything left in the LaunchAgents folder; in that case, you can delete
the folder, but otherwise don’t delete it. Other files in the folder are
not necessarily malicious (though they could be, if you also installed
some other kind of malware.)
Log
out or restart the computer. The trojan will now be inactive, but there
are a few more components of it that should be cleaned up.
3. Open this folder in the same way as above:
~/Library/Application Support
and move to the Trash any subfolders named with the same something you found in Step 2.
Don’t move the Application Support folder or anything else inside it.
4.
Open the Applications folder. If there is an item with the same name as
in Step 3, or any of the other names listed in Step 2, or with the name
“Zip Devil,” drag it to the Trash.
If in doubt, press the key combination option-command-4
to arrange the apps by date added. Look at the apps that have been
added since you first noticed the problem. If there is one you don’t
recognize, drag it to the Trash.
Empty the Trash.
If you get an alert that the application is in use, force it to quit.
5. From the Safari menu bar, select
          Safari Preferences… Extensions
Uninstall
all extensions you don’t know you need. If in doubt, remove all of
them. None is required for normal operation. Do the equivalent in the
Chrome and Firefox browsers, if you use either of those.
6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
          Safari Preferences… General
and click
          Set to Current Page

Deja un comentario

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *