OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : ChatZum

Published November 7th, 2013 at 4:48 PM EDT , modified November 28th, 2014 at 8:59 AM EDT

chatzum extension ChatZum is adware that was originally seen downloaded from Softonic. Downloads of a few free apps were wrapped in an adware installer by Softonic, without the knowledge and against the wishes of the developers of those apps.

Softonic representatives told me that this was a trial of a partnership between them and the makers of ChatZum, and claim to have removed all ChatZum installers. However, they did not appear to understand why what they were doing was wrong, so I have little confidence that this will remain true. ChatZum undoubtedly remains available for download through installers downloaded from elsewhere, as well.

ChatZum does provide an uninstaller. However, at the time of my last testing, that uninstaller did not remove all components of the adware.

Because ChatZum installation did not involve outright deception, it is not detected as malware by most anti-virus software.

Removal

Delete the ChatZum browser extension. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.

/Applications/ChatZumUninstaller.pkg
/Library/Application Support/SIMBL/Plugins/SafariOmnibar.bundle
/Library/Internet Plug-Ins/uid.plist
/Library/Internet Plug-Ins/zako.plugin

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete.

Additionally, unless you already had it installed for a specific purpose, it would be a good idea to remove the SIMBL software that ChatZum installs to do its dirty work:

/Library/Application Support/SIMBL/
/Library/LaunchAgents/net.culater.SIMBL.Agent.plist
/Library/ScriptingAdditions/SIMBL.osax

These items will also require an admin password to delete.

Finally, quit Safari and re-open it to cause the changes to take effect.

You may need to change the home page and search engine settings in your browser’s preferences.

<- Back to Adware Removal Guide