Search results for: adware removal

Adware Removal Guide : OperatorMac

Posted on June 30th, 2015 at 5:23 PM EDT

This adware will redirect you to different pages and inject content, such as an odd set of navigation controls floating over the page, into pages in your web browser.

Removal

Delete all of the following browser extensions that you find: Opti-Page, Toppy. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash, if present. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.

~/Library/Application Support/Google/Chrome/Default/chromex
~/Library/Application Support/Google/Chrome/Default/chromexdm
~/Library/Application Support/mediahm
~/Library/LaunchDaemons/com.mediahm.operator.update.plist

If you have Firefox installed, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Open that folder, and look for a folder named searchplugins. Inside that folder, delete the “mySearchPlug.xml” file, if present.


Adware Removal Guide : Buca Apps

Posted on June 13th, 2015 at 3:23 PM EDT

Coverage of this adware has moved to the Bundlore removal instructions page.

This was done to more accurately reflect the name being used by other security companies, and because the Buca Apps name was only seen in a few early variants of this adware.


Adware Removal Guide : InstallCore

Posted on May 23rd, 2015 at 9:42 AM EDT

InstallCore is very widespread adware that has been seen in many different malicious installers, including fake Adobe Flash Player installers that don’t actually install anything other than InstallCore. It has also been recently seen being installed by an installer that attempted to avoid analysis with techniques often used by malware.

Early variants of InstallCore involved a browser extension named “searchme”, which is a name also used by the older Spigot adware. It is unclear whether there may be some kind of connection between InstallCore and Spigot, or whether this is a coincidence.

Adware Removal Guide : DownLite

Posted on May 23rd, 2015 at 9:27 AM EDT

Coverage of this adware has moved to the VSearch removal instructions page.

This was done because the name I originally used for this adware seems to have fallen out of favor, and I’m pretty much the only one still using it. I am now referring to it by the more accepted name, VSearch.


Adware Removal Guide : Premier Opinion

Posted on March 13th, 2015 at 9:51 AM EDT

PremierOpinion, aka OpinionSpy, is marketing research software that collects all manner of data about your system and your internet usage and transmits it back to the creators of the software. It first appeared back in 2010, and was quickly labeled as malware at the time, although it never seemed to me to be real malware. PremierOpinion resurfaced in February of 2015, being distributed by CNET’s untrustworthy Download.com site.

Removal

The full capabilities of this new PremierOpinion variant have not been published by any security companies to date, but the old PremierOpinion was said to have backdoor capabilities, meaning the people behind it had remote access to infected systems. It is possible that the new version has the same capabilities.

The safest way to remove this spyware from your computer would be to erase the hard drive and reinstall everything from scratch. In my opinion, this is probably overkill. However, those who want that extra assurance should take those measures. Those who are willing to just remove the known components of PremierOpinion can follow the directions below.

Delete the PremierOpinion browser extension. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.

/Applications/PremierOpinion
/Library/LaunchDaemons/PremierOpinion.plist

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete.

Finally, restart your computer to finish the removal process. You can empty the trash after restarting the computer.

You may need to change the home page and search engine settings in your browser’s preferences.


Adware Removal Guide : Ask Toolbar

Posted on March 4th, 2015 at 11:29 AM EDT

The Ask Toolbar adds a toolbar at the top of your browser’s window containing an Ask search function. Installation of the toolbar may also change your browser’s home page and search engine settings.

Removal

Delete any extension called something like Search App by Ask. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following item to the trash. Note that, if you don’t know how to locate a file or folder based on the path that I will give in the instructions, you should read Locating files from paths.

~/Library/Application Support/Sponsors.framework


Adware Removal Guide : Bundlore

Posted on November 22nd, 2014 at 12:07 PM EDT

The Bundlore adware is a collection of related adware programs with widely varying names, but that all appear to be made by the same group.

Removal

Delete all of the following browser extensions that you find: Shopy Mate, FlashMall, Cinema-Plus Pro (and variants like CinemaPlus, CinemaPro, Cinema + HD, Cinema + Plus + or Cinema Ploos). (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths. Removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Applications/WebTools.app
/Applications/WebShopper.app
~/Applications/WebTools.app
~/Applications/WebShopper.app
/Library/cinemapro1-2/
~/Library/cinemapro1-2/
~/Library/WebTools/
~/Library/Application Support/webHelperApp/
~/Library/Application Support/WebShopper/
~/Library/LaunchAgents/WebServerSocketApp
~/Library/LaunchAgents/UpdateDownloder
~/Library/LaunchAgents/com.webhelper.plist
~/Library/LaunchAgents/com.webtools.update.agent.plist
~/Library/LaunchAgents/com.webtools.uninstaller.plist

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete. You may not find all these items, but should remove all that you do find.

Next, look in the following folders:

/Applications
~/Applications

These are actually two different Applications folders, so be sure to check both. Move any applications in either folder having names similar to Shopy Mate, Flashmall, CinemaPlus or CinemaPro to the trash.

There may also be a number of related files in the user LaunchAgents folder. Go to the following folder:

~/Library/LaunchAgents

(Note that, if you don’t know how to locate a file or folder based on the path, you should read Locating files from paths.)

In that folder, look for files like the following and move them to the trash:

Safari Security
shopy-mate_enabler.plist
shopy-mate_enabler.sh
shopy-mate_updater.plist
shopy-mate_updater.sh
shopy-mate.ver
com.crossrider.wssXXXX.agent.plist
com.extensions.updaterXXXXX.agent.plist
com.extensions.updaterXXXXX.ver
com.WebTools.YYYYY.helpd.plist
com.WebTools.YYYYY.plist
com.WebShopper.YYYYY.helpd.plist
com.WebShopper.YYYYY.plist

The “Safari Security” file appears to always have the same name. The others will have names that vary depending on the name of the browser extension you have installed, such as “cinemas-+-plus-+_enabler.plist” or “flashmall_enabler.plist”. Any files like these should be removed. Items like “com.crossrider.wssXXXX.agent.plist” will have numbers in place of each X. Items like “com.WebTools.YYYYY.plist” will have a string of letters and numbers, such as “oiuqw343sQ9a”, in place of the “YYYYY”.

Also look in the following folder:

/Library/LaunchDaemons

In this folder, you may find a file named something like “com.cinemapro1-2.daemon.plist”. The exact name will vary according to the name of whatever browser extensions you find installed. Move this file to the trash.

When you are done, restart your computer.
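The variable file names described above for the LaunchAgents folder can be checked mechanically. The following read-only audit script is an added example, not part of the original guide or of any removal tool it mentions; it lists matching names for manual review and deletes nothing. The function names are hypothetical, the sample names are constructed, and the X positions of the updater item are assumed to be digits like those of the crossrider item.

```shell
#!/bin/sh
# Added example: read-only audit. Prints candidates for review; deletes nothing.
is_digits() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
is_alnum()  { case "$1" in ''|*[!A-Za-z0-9]*) return 1 ;; esac; }

# Print the text between prefix $2 and suffix $3 of $1; fail if either is absent.
middle() {
    case "$1" in
        "$2"*"$3") m=${1#"$2"}; printf '%s' "${m%"$3"}" ;;
        *) return 1 ;;
    esac
}

# Succeed when file name $1 has one of the shapes the guide lists.
is_bundlore_agent_name() {
    n=$1
    case "$n" in
        "Safari Security") return 0 ;;   # the one fixed name
        ?*_enabler.plist|?*_enabler.sh|?*_updater.plist|?*_updater.sh) return 0 ;;
        ?*.ver) return 0 ;;              # broad on purpose: <extension>.ver
    esac
    # X positions are digits (assumed for the updater item as well).
    x=$(middle "$n" com.crossrider.wss .agent.plist) && is_digits "$x" && return 0
    x=$(middle "$n" com.extensions.updater .agent.plist) && is_digits "$x" && return 0
    # YYYYY is a run of letters and digits; try the longer suffix first.
    for v in WebTools WebShopper; do
        for s in .helpd.plist .plist; do
            x=$(middle "$n" "com.$v." "$s") && is_alnum "$x" && return 0
        done
    done
    return 1
}

# Print matching names found in directory $1 (default: the user's LaunchAgents).
scan_launch_agents() {
    dir=${1:-"$HOME/Library/LaunchAgents"}
    [ -d "$dir" ] || return 0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        b=${f##*/}
        if is_bundlore_agent_name "$b"; then printf '%s\n' "$b"; fi
    done
}

# Constructed sample names; the last two are benign and must not match.
for name in "Safari Security" flashmall_enabler.plist com.crossrider.wss1234.agent.plist \
            com.WebTools.oiuqw343sQ9a.helpd.plist com.apple.example.plist notes.txt; do
    if is_bundlore_agent_name "$name"; then echo "REVIEW  $name"; else echo "ok      $name"; fi
done
```

Calling `scan_launch_agents` with no argument checks the current user's own LaunchAgents folder; anything it prints still needs to be confirmed by eye before it is moved to the trash.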


Adware Removal Guide : Vidx

Posted on May 23rd, 2014 at 8:07 PM EDT

Vidx is adware that pretends to be a video player browser plugin. In actuality, it is no such thing. It provides no video playing functionality whatsoever.

This adware is quite sneaky, in that it uses a slightly different variation of the name each time you install it. Thus, it’s slightly more difficult to provide removal instructions, or an automated removal script… but only slightly.

For more information on this adware, see Vidx adware pretends to be video plugin.

New Adware Removal Tool

Posted on May 3rd, 2014 at 8:22 AM EDT

I’m excited to announce the availability of The Safe Mac’s Adware Removal Tool, currently in public testing! This tool is an AppleScript application that will scan your system and remove all components of any known Mac adware. For more information, and to download the tool, go to:

http://www.thesafemac.com/art/


Adware Removal Tool

Posted on May 2nd, 2014 at 12:01 PM EDT

The Adware Removal Tool has been removed.

This tool was discontinued some time ago and replaced with AdwareMedic. It detects adware more reliably, and detects many things that the Adware Removal Tool never did. If you have found and used a copy of the old Adware Removal Tool, be aware that it cannot be relied on at this point, and you probably still have adware components installed. It has been removed to prevent people from using it, and then believing that they have removed all adware when they probably have not.
