Malware Removal
Steps 1-2 can and should be done on a testing drive, not booted into the customer's OS. They can still be done in the customer's OS if necessary, but some programs may be more stubborn to remove that way. Steps 3-6 should be done in the customer's OS.
Step 1: Clear Malicious Apps
Applications (Root)
- Check for and remove anything weird, including:
  - Any antivirus
  - Install Mac
  - Webtools
  - MacKeeper
  - MalwareBytes
  - Tune My Mac
  - Clean My Mac
Applications (User)
- Navigate through Macintosh HD/Users/(user name)/Applications
- Check for and remove anything weird. Remove Chromium and Opera if the customer does not know what those are.
- Delete any MacCleaner type applications
- Navigate through Macintosh HD/Users/Shared
- Check for and remove anything weird. The only typical folders seen here are Adobe and audio libraries.
Step 2: Clear Directory Remnants
Finder (on Sierra or newer, press Cmd+Shift+. to show hidden files; this does not work on El Capitan or lower.)
Library (Root)
- Internet Plug-Ins
  - Do NOT remove these:
    - Default browser.plugin
    - nslQTScriptablePlugin.xpt
  - Use best judgment for the rest
- Launch Agents
  - Delete all except for Office and music programs. If there are questionable items, talk to the customer. This will only remove them from startup and will not break most programs.
- Launch Daemons
  - Delete all except for Office and music programs. If there are questionable items, talk to the customer. This will only remove them from startup and will not break most programs.
- Startup
- Occasionally you will find additional remnants in Application Support files. Delete any remnants associated with the files you removed, but proceed with caution!
User Library
Note: on newer OS versions, hold the Option/Alt key while the Finder "Go" menu is open to reveal the Library entry; otherwise, navigate to Macintosh HD/Users/(user name)/Library.
- Internet Plug-Ins
  - If there are any here they are probably bad
  - Use best judgment
- Launch Agents
  - Delete all except for Office and music programs. If there are questionable items, talk to the customer. This will only remove them from startup and will not break most programs.
- Launch Daemons
  - Delete all except for Office and music programs. If there are questionable items, talk to the customer. This will only remove them from startup and will not break most programs.
- Application Support
  - Same as the library files above.
- Startup
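As an added example that is not part of this checklist: a small POSIX shell triage script that inventories the four Library subfolders named in Step 2 (pass /Library, "$HOME/Library", or the mounted customer drive's Library when working from a testing drive) and labels each entry KEEP, SUSPECT or REVIEW using the names this page lists. The name fragments in the two regexes and the launchd target extraction are assumptions; the script deletes nothing, so the technician still makes the call.

```shell
#!/bin/sh
# Constructed triage helper for the Library folders named in Step 2.
# It only inventories and labels entries; nothing is removed.

# Entries the checklist says to leave alone (name fragments, case-insensitive, assumed).
KEEP_RE='Default Browser\.plugin|nslQTScriptablePlugin\.xpt|Office|com\.microsoft\.'
# Products the checklist calls out for removal (name fragments, assumed spelling).
SUSPECT_RE='MacKeeper|Tune ?My ?Mac|Clean ?My ?Mac|Webtools|MacCleaner'

classify_entry() {
    # $1 = file or folder name. Prints KEEP, SUSPECT or REVIEW.
    if printf '%s\n' "$1" | grep -Eiq "$KEEP_RE"; then
        echo KEEP
    elif printf '%s\n' "$1" | grep -Eiq "$SUSPECT_RE"; then
        echo SUSPECT
    else
        echo REVIEW
    fi
}

launch_target() {
    # $1 = an XML launchd .plist. Prints the first <string> that is an absolute
    # path, normally the program the agent/daemon starts (empty if none found).
    # Binary plists are not parsed here; use `plutil -p` on macOS for those.
    [ -f "$1" ] && grep -o '<string>/[^<]*' "$1" 2>/dev/null | head -n 1 | sed 's/^<string>//' || true
}

triage_library() {
    # $1 = /Library (root) or ~/Library (user). Walks the four subfolders from
    # Step 2, hidden entries included, and prints "LABEL<TAB>path<TAB>target".
    for sub in "Internet Plug-Ins" LaunchAgents LaunchDaemons "Application Support"; do
        dir="$1/$sub"
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 | sort | while IFS= read -r entry; do
            label=$(classify_entry "$(basename "$entry")")
            target=""
            case "$entry" in *.plist) target=$(launch_target "$entry") ;; esac
            printf '%s\t%s\t%s\n' "$label" "$entry" "$target"
        done
    done
}

# Example run on a live machine: triage_library /Library; triage_library "$HOME/Library"
```

Review the SUSPECT and REVIEW lines against the customer's installed software before deleting anything; the target column shows what a launch agent actually starts, which is often more telling than the plist's name.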
Step 3: Check Login Items
- Under System Preferences -> Users & Groups -> Login Items
- Delete anything that doesn't need to run at startup
Step 4: Clear Browser(s)
- Check home page
  - Reset to "google.com" if wonky
- Check browser extensions/add-ons
  - Delete anything suspicious
Firefox
- Check home page
  - Reset to "google.com" if wonky
- Check browser extensions
  - Click on the button with 3 parallel horizontal bars
  - Select Add-ons
  - Delete anything suspicious
Chrome
- Under Appearance, make sure the home page is set to "google.com"
- Click Extensions (top left)
  - Delete anything suspicious or anything not from Google
- At the bottom of the page, click "Get more extensions"
- See Cleaning Policies For Chrome for additional assistance if needed
Step 5: Check System Preferences
- Verify that no additional profiles have been added
- If a profile has been added, remove it directly from System Preferences. If it cannot be removed from System Preferences, search Google for the removal procedure.
- Check the network settings to make sure there are no unexpected connections, devices, VPNs or proxies.
Step 7: Check Notifications!
- Some websites (legitimate and not) add annoying notifications. Customers will often click OK and add them without realizing it. Clean the notifications out of the browsers and/or talk to the customer about turning off notifications for the browsers in System Preferences.
Step 6: Empty Trash and TEST!
- Reboot and recheck all browsers. Each should open to a legitimate home page, and a query typed into the search bar should go directly to a major search engine such as Google.