OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Search results for: adware

Has MacUpdate fallen to the adware plague?

Posted on November 2nd, 2015 at 1:17 PM EDT

It seems that MacUpdate, long considered to be one of the only remaining trustworthy download aggregation sites for the Mac, has succumbed to the same plague that has ruined most of the others: adware.

Read the full story on Malwarebytes Unpacked

Adware Removal Guide : OperatorMac

Posted on June 30th, 2015 at 5:23 PM EDT

This adware will redirect you to different pages and inject content, such as an odd set of navigation controls floating over the page, into pages in your web browser.

Removal

Delete all of the following browser extensions that you find: Opti-Page, Toppy. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash, if present. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.

~/Library/Application Support/Google/Chrome/Default/chromex
~/Library/Application Support/Google/Chrome/Default/chromexdm
~/Library/Application Support/mediahm
~/Library/LaunchDaemons/com.mediahm.operator.update.plist

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder, and look for a folder named searchplugins. Inside that folder, delete the “mySearchPlug.xml” file, if present.

Adware Removal Guide : Buca Apps

Posted on June 13th, 2015 at 3:23 PM EDT

Coverage of this adware has moved to the Bundlore removal instructions page.

This was done to more accurately reflect the name being used by other security companies, and because the Buca Apps name was only seen in a few early variants of this adware.

Genieo adware proliferating

Posted on June 7th, 2015 at 9:00 AM EDT

In recent months, several new variants of the Genieo adware have crossed my path. This adware is still pulling many of the same tricks – changing the search engine to Bing, and installing all kinds of junk that runs in the background and modifies browser behavior. However, it’s now using a variety of different names, perhaps in an attempt to make detection more difficult.

Spigot adware proliferates

Posted on May 25th, 2015 at 5:14 AM EDT

Adware Removal Guide : InstallCore

Posted on May 23rd, 2015 at 9:42 AM EDT

InstallCore is very widespread adware that has been seen in many different malicious installers, including fake Adobe Flash Player installers that don’t actually install anything other than InstallCore. It has also been recently seen being installed by an installer that attempted to avoid analysis with techniques often used by malware.

Early variants of InstallCore involved a browser extension named “searchme”, which is a name also used by the older Spigot adware. It is unclear whether there may be some kind of connection between InstallCore and Spigot, or whether this is a coincidence.

Adware Removal Guide : DownLite

Posted on May 23rd, 2015 at 9:27 AM EDT

Coverage of this adware has moved to the VSearch removal instructions page.

This was done because the name I originally used for this adware seems to have fallen out of favor, and I’m pretty much the only one still using it. I am now referring to it by the more accepted name, VSearch.

MPlayerX adware behaving like malware!

Posted on May 11th, 2015 at 4:38 PM EDT

MPlayerX has long been used as “bait” to convince people to run adware installers. Most of the time, MPlayerX is installed along with the adware to (somewhat) disguise the fact that anything else was installed. However, it now appears that the folks behind MPlayerX are definitely in on the scam. Worse, the installer is now displaying malware-like behavior, by trying to foil analysis!

InstallCore adware proliferates

Posted on April 8th, 2015 at 11:42 AM EDT

InstallCore is adware that began with a couple simple browser extensions. (One of these took the same name as a Spigot extension, “Searchme”, leaving questions about whether InstallCore might be related to Spigot in some way or whether this is purely coincidence.) Recently, however, new variants of InstallCore have been appearing like poop on a lawn full of geese. And some of the strategies it’s using stink just as badly!

Adware Removal Guide : Premier Opinion

Posted on March 13th, 2015 at 9:51 AM EDT

PremierOpinion, aka OpinionSpy, is marketing research software that collects all manner of data about your system and your internet usage and transmits it back to the creators of the software. It first appeared back in 2010, and was quickly labeled as malware at the time, although it never seemed to me to be real malware. PremierOpinion resurfaced in February of 2015, being distributed by CNET’s untrustworthy Download.com site.

Removal

The full capabilities of this new PremierOpinion variant have not been published by any security companies to date, but the old PremierOpinion was said to have backdoor capabilities, meaning the people behind it had remote access to infected systems. It is possible that the new version has the same capabilities.

The safest way to remove this spyware from your computer would be to erase the hard drive and reinstall everything from scratch. In my opinion, this is probably overkill. However, those who want that extra assurance should take those measures. Those who are willing to just remove the known components of PremierOpinion can follow the directions below.

Delete the PremierOpinion browser extension. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.

/Applications/PremierOpinion
/Library/LaunchDaemons/PremierOpinion.plist

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete.

Finally, restart your computer to finish the removal process. You can empty the trash after restarting the computer.

You may need to change the home page and search engine settings in your browser’s preferences.
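Before moving anything to the trash, it can help to see which of the listed items are actually present. The following read-only check covers the file paths named in the OperatorMac and PremierOpinion guides on this page; it is an added example, not part of the original guides, and the function name `find_adware_traces` and its optional root-prefix argument are assumptions made for illustration.

```shell
#!/bin/bash
# Read-only check for the items named in the OperatorMac and PremierOpinion
# removal guides. Prints each item that exists; deletes nothing.
# find_adware_traces is a hypothetical helper name, not from the guides.
#   $1 = home directory to inspect
#   $2 = optional root prefix (e.g. a mounted backup); empty = live system
find_adware_traces() {
    home=$1
    root=${2:-}

    # Per-user items from the OperatorMac guide.
    for rel in \
        "Library/Application Support/Google/Chrome/Default/chromex" \
        "Library/Application Support/Google/Chrome/Default/chromexdm" \
        "Library/Application Support/mediahm" \
        "Library/LaunchDaemons/com.mediahm.operator.update.plist"
    do
        if [ -e "$home/$rel" ]; then
            printf 'OperatorMac: %s\n' "$home/$rel"
        fi
    done

    # Firefox: the profile folder has a random prefix and ends in ".default",
    # so glob over every matching profile and look for the search plugin.
    for f in "$home/Library/Application Support/Firefox/Profiles/"*.default/searchplugins/mySearchPlug.xml
    do
        if [ -e "$f" ]; then
            printf 'OperatorMac: %s\n' "$f"
        fi
    done

    # System-wide items from the PremierOpinion guide.
    for abs in /Applications/PremierOpinion /Library/LaunchDaemons/PremierOpinion.plist
    do
        if [ -e "$root$abs" ]; then
            printf 'PremierOpinion: %s\n' "$root$abs"
        fi
    done
    return 0
}

# Inspect the current user's account on the live system.
find_adware_traces "$HOME"
```

The browser extensions named in the guides (Opti-Page, Toppy, PremierOpinion) are not covered by this check and still need to be reviewed in each browser.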
