The Long and Systematic Approach to Manually Remove Adware from a Mac

Ryan Riesenberger
10 min read · Jan 10, 2019

I’ve owned a mid 2007 iMac for over 10 years, and at times, prefer using it over my MacBook Pro. While you might be silently chuckling to yourself, it’s okay, I can honestly say I still get productive and much needed use out of it as my garage/shop computer. If you work in your garage as much as I do on the weekends, I highly recommend finding a good “knock around” computer. This machine, preferably a desktop in my opinion, is something you wouldn’t mind getting dirty with oil or grease from time to time, and that can easily manage a few different software applications while browsing the internet, but I digress. Strictly speaking about its tangible parts, its hardware, I recently upgraded it with a 1 TB hard drive and an additional 2 MB of RAM. Relatively speaking, when compared to newer computers, it’s very antiquated and would be left in the dust. However, retrospectively speaking, it computes faster and better than the day I bought it! Alright, awesome! I can go about my extensive automotive research or pursue whatever internet rabbit hole I decide to dive into at that moment, and really not have much to worry about. This is how I’ve always approached thinking about Macs, so why would it change? Quite frankly, I think this ignorant bliss was perfectly fine, until recently.

Something I didn’t know was that all of those updates your computer wants to install, usually at horribly inconvenient times, typically include some kind of important security update. But wait a minute, Apple told me that my iMac is “maxed out” at OS X Mavericks 10.9.5... isn’t Apple at like 10.14 or something? Where are my security updates? Does this mean I need to change my arrogant ways and quit boastfully claiming that my Mac has never needed security software nor ever will? Finding inner acceptance with this new concept and idea of purchasing security software was not sitting well. Unfortunately, I knew it was going to compound and get worse. The fact of the matter is that when newer operating systems are developed, older systems like mine are left behind and eventually become unsupported and vulnerable to online threats. Maybe this is something a Google search can help me fix? And so begins my journey of compiling every conceivable way to find and remove malicious files.

According to Malwarebytes, 2017 saw a 230% spike in malware activity within the Mac ecosystem.

Symptoms

If you have any of the symptoms listed below, your computer may be infected by adware, malware, spyware, ransomware, scareware, or whatever other “-ware”.
— Finding anything named MacDefender, MacKeeper, MacProtector or MacSecurity.
— Loss of overall performance and speed.
— Browser opening new tabs on its own or redirecting you to random sites.
— Random applications unexpectedly downloading.
— Random applications unexpectedly opening when booting up.
— Change in browser homepage or toolbars.

Assumptions

Below are the things I assume you, as the reader, already understand while stepping through the steps.
— How to use and change preferences in Chrome web browser
— How to use Activity Monitor (viewing and quitting processes)
— Basic terminal commands and the ability to navigate between directories. A little rusty? Quickly learn the basics here.
— The term adware will be used as an encompassing term including anything that might be harmful on your computer.

Must Do - Try the Easy Fixes

Before getting to my methodology, below you can find a list of general things you should try doing that might solve your problem.
— Remove any unwanted applications from your apps directory by clicking and dragging to recycle bin. (Look in the Utilities directory as well)
— Update Chrome to the newest version.
— Look under Chrome preferences and uninstall any suspicious extensions
— Clear all browsing data including history, cookies and cache
— Delete any files in downloads that resemble suspicious content.
— Delete all files that resemble adware in launch agents, launch daemons, and StartupItems. (Small helper programs that run in the background)
These directories can be found at the paths below.
/System/Library/LaunchAgents
/System/Library/LaunchDaemons
/System/Library/StartupItems
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
~/Library/LaunchAgents
~/Library/LaunchDaemons
— Go to the ActivityMonitor, find any suspicious processes and terminate that process.

Note: Mac system processes are well documented but often have unfamiliar names, so it’s a good rule of thumb to Google a process before terminating it.

— After completing all of the steps above, empty your recycle bin and immediately restart your computer to terminate anything that might still be running in memory.
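As an added example (not code from the post), here is a small POSIX shell helper that walks the launch agent and launch daemon directories listed above and prints each .plist’s Label and the program it starts, flagging programs that live in a hidden (dot) directory, a temp directory, or Downloads. The flagging heuristic and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: list launchd persistence items (the LaunchAgents/LaunchDaemons
# directories from the post) with the program each one starts, and flag programs
# that live somewhere adware tends to hide. Heuristic and names are assumptions.

# plist_value FILE KEY: print the first <string> that follows <key>KEY</key>.
# -A2 also covers the <array> line between ProgramArguments and its first entry.
plist_value() {
    grep -A2 "<key>$2</key>" "$1" \
        | sed -n 's|.*<string>\(.*\)</string>.*|\1|p' | head -n 1
}

# suspicious_path PATH: succeed when the path has a hidden (dot) directory
# component or sits in a temp or Downloads folder.
suspicious_path() {
    case "$1" in
        */.*|/tmp/*|/private/tmp/*|*/Downloads/*) return 0 ;;
        *) return 1 ;;
    esac
}

# triage_dir DIR: one tab-separated line per plist: flag, label, program, file.
triage_dir() {
    for f in "$1"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_value "$f" Label)
        prog=$(plist_value "$f" ProgramArguments)
        [ -n "$prog" ] || prog=$(plist_value "$f" Program)
        if suspicious_path "$prog"; then flag=SUSPECT; else flag=ok; fi
        printf '%s\t%s\t%s\t%s\n' "$flag" "${label:-?}" "${prog:-?}" "$f"
    done
}

# triage_all: run over every plist directory the post lists; missing ones are skipped.
triage_all() {
    for d in /System/Library/LaunchAgents /System/Library/LaunchDaemons \
             /Library/LaunchAgents /Library/LaunchDaemons \
             "$HOME/Library/LaunchAgents" "$HOME/Library/LaunchDaemons"; do
        if [ -d "$d" ]; then triage_dir "$d"; fi
    done
}
```

A SUSPECT line is a prompt to look closer (Google the label, check the program path in Finder), not a verdict; legitimate helpers occasionally live in odd places too.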

Now, if you have made it this far, done everything listed above, and the symptoms still persist, or, as happened in my case, the processes you terminated are back up and running and the files you deleted have miraculously reappeared, continue on.

At this point, I can imagine you might be a little frustrated; I certainly was. Most of my frustration wasn’t a response to the actual problem per se but more towards the fact that I couldn’t find a clear and concise executable solution when searching online. Aside from getting a bombardment of “download this or that security software” to solve my problem, which, if you are like me, you stubbornly refuse to do, I found that my options, viewed through the lens of that particular moment in my programming journey, were basically different variations of the general list above. With little to no progress in removing what was plaguing my computer, I decided to go down a tyrannical path of destruction, implementing a thorough and systematic combination of a scorched earth policy along with a seek-and-destroy methodology. These files, or whatever they are, were going to be eviscerated off the face of my hard drive. Here’s how I did it.

1.

Open the Terminal application, copy and paste the following command into the Terminal window:

defaults write com.apple.finder AppleShowAllFiles -bool true

then:

killall Finder

These commands will restart Finder and show any hidden files and folders.
Running the command again with -bool false will revert the change.

Step 1.

2.

Open the Activity Monitor, locate the process you would like to remove and double click on it. This should open a window with the options to sample or quit along with a few tabs to view.

Find adware process: SpotifyWebHelper is used as an example

Note: if you have difficulty selecting the process while the list continually re-sorts by CPU usage, use the search bar.

In the new window, located next to the Memory and Statistics tabs, select the Open Files and Ports tab. From here you can see where the files are located and their respective paths.

Step 2.

Note: If the Open Files and Ports tab is not an option, select the sample option. Depending on the complexity and where the adware is located you may be prompted to enter a password. After entering your password, another window will open generating data about that specific process. Within that data, you’ll be able to find the root path of where the process is being stored and run.

In either of these cases, the end goal is to remove these files. Simple right? Let’s find out.

3.

Wherever these files are located, having executed the terminal command to show hidden files will allow you to navigate to them in the Finder and see them.

Hidden files and directories are shown as greyed

Open Finder and navigate to the path, or in some cases the multiple paths, that the process is running from. Select these files and drag them to the recycle bin.

Depending on the complexity of the adware and how it was created, this may be it, you’re done. Easy peasy. However, if a message pops up stating that the process is running and cannot be deleted or that you do not have access rights to execute this task, the next steps will need to be executed through the terminal.

4.

Open a terminal window and navigate into the directory where the files can be found. Depending on where the files are located, you may need to navigate out of your user directory and into the system directories. Once there, execute:

sudo rm -rf <file_name>

Let me break this down.

sudo — runs the command with administrator rights so it can act on a protected directory or file, and may prompt for your user password
rm — is the command to remove
-r — (short for “recursively”) removes the entire file hierarchy rooted at each argument. Basically, when run on a directory, it removes the directory and all of its contents.
-f — (short for “force”) removes files without prompting for confirmation

Step 4.

Note: While not needed specifically on files, I included the -r flag in case the item you wish to delete is a folder.

Warning: Use extreme caution when using these commands

DO NOT use sudo rm -rf / or sudo rm -rf ~

The forward slash on its own is the root of the filesystem, so that command indiscriminately removes everything on the disk.
The tilde is your home directory, so that command indiscriminately removes everything belonging to the current user.

If you have gotten this far and everything has worked accordingly, restart your computer and check to see if the files have been in fact permanently removed.
If these commands did not work, continue on.

5.

Go back into the Finder, locate the files you want to remove and execute the following for each file.
— Right click the file, and select Get Info.
— Click the lock symbol and enter your password.
— Change all users, staff, and everyone to “Read & Write” privilege.
— To save, click the unlocked symbol so that it shows locked again, then close the window.

Step 5.

Note: This can also be accomplished through the terminal, however, that won’t be covered here. Want to learn how to do it using terminal commands? Find more information on changing file permissions here.

This step basically accomplishes what the sudo prefix in the step 4 command couldn’t. Step 5 is the manual way of changing the sharing and permission rights. While it is redundant and unclear why this is necessary, others have documented similar problems on Stack Overflow with no clear answer as to why it works.

At this point, you should be able to drag the file into the recycle bin and immediately empty it.

By the powers that be, and for reasons I cannot explain, if you receive another error when trying to empty the recycle bin there are... you guessed it, more steps to try.

6.

The next two steps are a little tricky and need to be followed closely.
— Open both the terminal and the recycle bin.
— Resize both windows so that both the terminal and recycle bin can be viewed at the same time.
— Type but do not execute the command:

sudo rm -rf (followed by a space)

— Drag the malicious file or folder from the recycle bin to the terminal window and you should see a path auto populate.
— Press enter followed by your password to execute.

Step 6.

7.

According to Topher Kessler at cnet.com, if the command listed above in step 6 is ineffective, one can assume the ACL (Access Control List) on either the directory or the files within it has been tampered with and specifically changed to keep people like us out. Excellent, this leads me to believe that we’re in the right place. However, one thing to note: this basically renders our attempted manual change of the files’ permission rights in step 5 completely useless. Want to learn more about ACLs?

— Type but do not execute the command:

sudo chmod -RN (followed by a space)

— Followed by again dragging the malicious file into the terminal.
— After this, repeat step 6 and execute the sudo rm -rf command sequence again.

Note: This command strips away any ACL entries that may have been set on the file or, with -R, on everything inside a directory.
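Steps 4, 6 and 7 all come down to the same two commands, so here is an added example (not from the post) that wraps them with the guard rails the step 4 warning asks for: it refuses the root directory, the home directory, empty or relative paths and parent-directory traversal, accepts only targets inside the launch agent, launch daemon and StartupItems directories listed earlier (plus one extra directory you name in ALLOW_ROOT, which is how the test exercises it), strips any ACL with chmod -N, and only then runs rm -rf. The function names and the allow-list are my own assumptions.

```shell
#!/bin/sh
# Added example: guarded version of the post's "sudo rm -rf <path>" that refuses
# the targets step 4 warns about and only deletes inside the launchd/StartupItems
# directories the post lists. Function names and the allow-list are assumptions.
# SUDO="" runs as the current user; ALLOW_ROOT adds one extra directory (testing).
SUDO=${SUDO-sudo}

# removal_allowed PATH: succeed only for an absolute, specific, allow-listed target.
removal_allowed() {
    p=$1
    case "$p" in
        ''|/|~|"$HOME"|"$HOME/") return 1 ;;   # the DO NOT list from step 4
        /*) ;;                                 # must be an absolute path
        *) return 1 ;;
    esac
    case "$p" in
        */../*|*/..|*/.|*/) return 1 ;;        # no parent traversal, no "." or trailing slash
    esac
    case "$p" in
        /System/Library/Launch*/?*|/System/Library/StartupItems/?*|\
        /Library/Launch*/?*|/Library/StartupItems/?*|\
        "$HOME"/Library/Launch*/?*|"${ALLOW_ROOT:-/nonexistent}"/?*) return 0 ;;
    esac
    return 1
}

# remove_adware_path PATH: strip any ACL (macOS chmod -N, step 7), then remove.
remove_adware_path() {
    removal_allowed "$1" || { echo "refused: $1" >&2; return 2; }
    [ -e "$1" ] || { echo "missing: $1" >&2; return 3; }
    # chmod -N only exists on macOS; elsewhere it fails harmlessly
    $SUDO chmod -RN -- "$1" 2>/dev/null || true
    $SUDO rm -rf -- "$1"
}
```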

8.

If all else fails, there is one more option. The last resort and ultimate final step, one that I fortunately have not had to experience, is starting your Mac in safe mode. While I could walk you through the steps, your best resource is the detailed guide on the Apple support page.

Final Thoughts:

Many of the commands above can damage your system beyond repair if used carelessly or incorrectly. I strongly urge you to use extreme caution when executing them. Try using these commands to view processes from the terminal:

top -F -R -o cpu

ps aux | grep root
