OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Search results for: adware

Java now installing adware

Posted on March 4th, 2015 at 11:34 AM EDT

Rich Trouton, a Mac systems administrator who runs the Der Flounder blog, discovered yesterday that a Java installer is installing adware, in the form of the Ask Toolbar. (He first wrote about it on JAMF Nation, but has published additional information in his Der Flounder post today.) Fortunately, attempts to duplicate his findings suggest that this installer is a bit finicky and may not always install the toolbar properly.

Adware Removal Guide : Ask Toolbar

Posted on March 4th, 2015 at 11:29 AM EDT

The Ask Toolbar adds a toolbar at the top of your browser’s window containing an Ask search function. Installation of the toolbar may also change your browser’s home page and search engine settings.

Removal

Delete any extension called something like Search App by Ask. (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following item to the trash. Note that, if you don’t know how to locate a file or folder based on the path that I will give in the instructions, you should read Locating files from paths.

~/Library/Application Support/Sponsors.framework


Apple cracks down on adware

Posted on February 13th, 2015 at 7:25 AM EDT

Apple has used the XProtect anti-malware protection in Mac OS X to block a few pieces of adware in the past. Yesterday, they cracked down on adware again, adding a slew of new items to XProtect’s signatures, used for identifying and blocking malicious apps. Three are updated signatures, while one is for adware never before blocked by XProtect.

Genieo adware causing Safari crashes

Posted on December 21st, 2014 at 6:57 AM EDT

Over the last week, I’ve been seeing a lot of reports of Safari crashes on Apple’s discussion forums as well as via personal e-mail. All seem to be running Yosemite with Safari 8. Interestingly, in almost every single one of these cases, the Genieo adware was found on the machine. In every case where Genieo was found, removing Genieo solved the problem.

Adware Removal Guide : Bundlore

Posted on November 22nd, 2014 at 12:07 PM EDT

The Bundlore adware is a collection of related adware programs with widely varying names, but that all appear to be made by the same group.

Removal

Delete all of the following browser extensions that you find: Shopy Mate, FlashMall, Cinema-Plus Pro (and variants like CinemaPlus, CinemaPro, Cinema + HD, Cinema + Plus + or Cinema Ploos). (See Identifications > Examine Browser Extensions for instructions on how to locate your browser extensions.)

Move the following items to the trash. Note that, if you don’t know how to locate a file or folder based on the paths that I will give in the instructions, you should read Locating files from paths. Removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them.

/Applications/WebTools.app
/Applications/WebShopper.app
~/Applications/WebTools.app
~/Applications/WebShopper.app
/Library/cinemapro1-2/
~/Library/cinemapro1-2/
~/Library/WebTools/
~/Library/Application Support/webHelperApp/
~/Library/Application Support/WebShopper/
~/Library/LaunchAgents/WebServerSocketApp
~/Library/LaunchAgents/UpdateDownloder
~/Library/LaunchAgents/com.webhelper.plist
~/Library/LaunchAgents/com.webtools.update.agent.plist
~/Library/LaunchAgents/com.webtools.uninstaller.plist

Some of these items can only be deleted by an admin user, and will require entry of that admin user’s password to delete. You may not find all these items, but should remove all that you do find.

Next, look in the following folders:

/Applications
~/Applications

These are actually two different Applications folders; be sure to check both. Move any applications in either folder having names similar to Shopy Mate, Flashmall, CinemaPlus or CinemaPro to the trash.

There may also be a number of related files in the user LaunchAgents folder. Go to the following folder:

~/Library/LaunchAgents

(Note that, if you don’t know how to locate a file or folder based on the path, you should read Locating files from paths.)

In that folder, look for files like the following and move them to the trash:

Safari Security
shopy-mate_enabler.plist
shopy-mate_enabler.sh
shopy-mate_updater.plist
shopy-mate_updater.sh
shopy-mate.ver
com.crossrider.wssXXXX.agent.plist
com.extensions.updaterXXXXX.agent.plist
com.extensions.updaterXXXXX.ver
com.WebTools.YYYYY.helpd.plist
com.WebTools.YYYYY.plist
com.WebShopper.YYYYY.helpd.plist
com.WebShopper.YYYYY.plist

The “Safari Security” file appears to always have the same name. The others will have names that vary depending on the name of the browser extension you have installed, such as “cinemas-+-plus-+_enabler.plist” or “flashmall_enabler.plist”. Any files like these should be removed. Items like “com.crossrider.wssXXXX.agent.plist” will have numbers in place of each X. Items like “com.WebTools.YYYYY.plist” will have a string of letters and numbers, such as “oiuqw343sQ9a”, in place of the “YYYYY”.

Also look in the following folder:

/Library/LaunchDaemons

In this folder, you may find a file named something like “com.cinemapro1-2.daemon.plist”. The exact name will vary according to the name of whatever browser extensions you find installed. Move this file to the trash.

When you are done, restart your computer.
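
The LaunchAgents naming patterns described above can be checked with a report-only script. This is an added example, not part of the original guide: the function names are hypothetical, and reporting a bare "<extension>.ver" file only when a matching enabler or updater file sits beside it is an assumption of this example.

```shell
#!/bin/sh
# Report-only scan of a LaunchAgents folder for the Bundlore file names
# listed in the guide. Nothing is moved or deleted.

# Return 0 if the file name matches one of the guide's naming patterns.
matches_bundlore_name() {
    case "$1" in
        "Safari Security") return 0 ;;                # fixed name per the guide
        ?*_enabler.plist|?*_enabler.sh) return 0 ;;   # <extension>_enabler.*
        ?*_updater.plist|?*_updater.sh) return 0 ;;   # <extension>_updater.*
    esac
    # X stands for digits, YYYYY for letters and digits, as the guide says.
    printf '%s\n' "$1" | grep -Eq \
        -e '^com\.crossrider\.wss[0-9]+\.agent\.plist$' \
        -e '^com\.extensions\.updater[0-9]+\.(agent\.plist|ver)$' \
        -e '^com\.(WebTools|WebShopper)\.[A-Za-z0-9]+(\.helpd)?\.plist$'
}

# Print each matching file name found directly inside the given folder.
scan_launchagents() {
    dir=$1
    [ -d "$dir" ] || return 0
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue       # empty folder: glob stays literal
        name=${entry##*/}
        if matches_bundlore_name "$name"; then
            printf '%s\n' "$name"
            continue
        fi
        # Assumption of this example: "<extension>.ver" is too generic to
        # flag alone, so require an enabler/updater sibling with the same stem.
        case "$name" in
            ?*.ver)
                stem=${name%.ver}
                if [ -e "$dir/${stem}_enabler.plist" ] ||
                   [ -e "$dir/${stem}_updater.plist" ]; then
                    printf '%s\n' "$name"
                fi ;;
        esac
    done
}

# Default target is the current user's folder; pass another folder to override.
scan_launchagents "${1:-$HOME/Library/LaunchAgents}"
```

The *_enabler and *_updater patterns are broad, so review each reported name before moving anything to the trash.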


Downlite adware blocked by Apple

Posted on November 21st, 2014 at 7:24 AM EDT

Macs infected with the Downlite adware have been prevented from accessing my AdwareMedic site and portions of The Safe Mac for several weeks now. (See Adware blocking AdwareMedic downloads!.) This appears to have been done in an attempt to prevent people from removing this adware from their Macs. Fortunately, this also may have led to Downlite’s demise: it is now identified as malware by Apple!

Adware blocking AdwareMedic downloads!

Posted on October 28th, 2014 at 6:24 AM EDT

Last week, I began to receive a series of reports from people that the Download button on the AdwareMedic site wasn’t working. First it was just a trickle, then a flood. For some people, the button was redirecting to the MacKeeper website. For others, it was going to a “not found” error page. I knew that the site itself wasn’t doing that, since I wrote every single piece of code on the AdwareMedic site… so what was going on?

AdMedic is now AdwareMedic

Posted on September 12th, 2014 at 4:11 PM EDT

Due to an unfortunate naming issue, AdMedic has been renamed, and is now AdwareMedic! You will find it now on AdwareMedic.com.

How the movie industry is causing adware problems

Posted on September 6th, 2014 at 3:37 PM EDT

Before you think I’m saying something I’m not, let me clarify: the movie industry is not deliberately infecting people with adware. Nonetheless, it is their policies that are giving power to the scams that hackers use to infect people with adware… and actual malware, for that matter. This may seem like a stretch, but let’s look at a real-world example that illustrates why this is true.

The unchecked growth of Mac adware

Posted on August 18th, 2014 at 2:40 PM EDT

Adware was unheard of on the Mac just a couple years ago. The first Mac adware appeared in 2012, and it was the only one to appear that year. Since then, adware has seen an exponential rise that promises to bring the Mac down to the same state as Windows, where adware infections are very common. Most people just want to know how to get rid of adware, but the questions we need to be asking are what is causing this sudden growth, and why is it being allowed to grow unchecked?