OFFICIAL SECURITY BLOG


Adware Removal Guide: GoPhoto.it

Published November 26th, 2013 at 3:02 PM EDT, modified April 23rd, 2014 at 6:31 AM EDT

GoPhoto.it is adware that seems to be linked somehow to DropDownDeals, and thus also to Yontoo. They are not the same, and may not even be made by the same people, but they have at least used the same site for serving their ads. The only instance of GoPhoto.it that I have come across was a fake sports scores app, whose installer did not actually install anything other than GoPhoto.it and a version of Genieo.

Removal

Some people are reporting that they are unable to remove an installer associated with this program (called something like GoPhoto.it Installer or Mac_Installer) because it is running and will not quit. If you see this, simply press command-option-esc, then use the Force Quit Applications window that appears to force the installer to quit. Then you can remove it, and proceed with removing any components of the software that may have been installed.

Delete the GoPhoto.it and jollywallet cash back browser extensions. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

If you are using Firefox, an additional JavaScript file will be installed in your Firefox user profile. This script disables some Firefox security settings that would otherwise prevent the extension from working properly. To remove it, go to the following folder:

~/Library/Application Support/Firefox/Profiles/

(Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths.)

Inside that folder, you will find another folder whose name begins with a series of random characters and ends with “.default”. Inside that folder, delete the files named “prefs.js” and “user.js”, if present. This will reset some of your Firefox preferences, but there is no easy way to remove the malicious code added to the prefs.js file, so this is necessary. If you have a backup of the prefs.js file from before installing GoPhoto.it, you could restore that file from the backup.

You may need to change the home page and search engine settings in your browser’s preferences.

Some people have recently reported that the browser extension cannot be removed in Firefox. If this is the case for you, try removing the following folder:

~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}

It is possible that future variants will use a different name for that folder.
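A read-only check for the Firefox items named above, to run in Terminal before and after removal. This is an added example, not part of the original guide; the function name `find_gophoto_artifacts` and its output labels are made up for illustration. Firefox keeps a prefs.js in every profile, so that line only shows where the file is, while user.js is not created by Firefox itself.

```shell
#!/bin/sh
# Added example: lists the Firefox files and folder this guide says to
# delete. It only reports; nothing is removed or modified.
# Usage: find_gophoto_artifacts [HOME_DIR]   (defaults to $HOME)
find_gophoto_artifacts() {
    home_dir=${1:-$HOME}
    profiles="$home_dir/Library/Application Support/Firefox/Profiles"
    # Folder path exactly as given in the guide; a future variant may differ.
    ext_dir="$home_dir/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

    # Profile folders are named <random characters>.default; there may be
    # more than one, or none if Firefox was never run.
    for profile in "$profiles"/*.default; do
        [ -d "$profile" ] || continue   # glob matched nothing, or not a folder
        for name in prefs.js user.js; do
            if [ -f "$profile/$name" ]; then
                # Output: label, tab, full path
                printf '%s\t%s\n' "$name" "$profile/$name"
            fi
        done
    done

    if [ -d "$ext_dir" ]; then
        printf 'ext-folder\t%s\n' "$ext_dir"
    fi
    return 0
}

# Report for the current user (or for the home folder given as $1).
find_gophoto_artifacts "${1:-$HOME}"
```

After the removal steps, a user.js or ext-folder line that is still printed means that step did not take effect.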
