Someone very close to me who is computer adept was tricked into downloading and running a sneaky Flash installer that actually installed malware. This exercise was a good time to review my checklist for finding and fixing this situation. I was pleasantly surprised to discover some new useful tools and updated my checklist for 2018.
Don’t think you are immune because you know more than others. If your computer is connected to the internet and you use a web browser it can happen to you, especially if you use Outlook (aka Lookout!).
My previous process was basic:
- Check Login Items in System Preferences.
- Run Lingon X to check for extra startup items.
- Run EtreCheck for a general report.
- Check browser settings, extensions, and plugins.
- Run Onyx to clean things up.
These are fine things to do and still not a bad recommendation, but this list doesn’t feel complete and I like to revisit older processes to see if they can be improved. I stumbled across a helpful forum post which inspired me to make a new checklist.
If you think you just installed something bad, disconnect from the internet: turn off Wi-Fi, unplug the Ethernet cable, whatever you use to connect. Anything that was installed can then no longer phone home, pull down more components, or send your data out.
Quit all of your open apps (especially web browsers). If the installer hooked into any of them, this stops that code from running in the meantime. Quitting an app only stops that app, though; anything the installer registered with launchd keeps running regardless, which is what the startup-item checks below are for.
Your files may be infected, and you may delete something important during this cleanup, so if you haven’t already, now is a good time to back up your important stuff. I use Time Machine and Backblaze for a dual local/remote always-on backup strategy.
In System Preferences, Users & Groups > Login Items is still something to check. If you are unsure about an entry in that list, do some digging in a web browser, but hold off on that and come back to this step after doing the other cleanup items below.
Profiles. This System Preferences icon only appears when a configuration profile is installed, so if you see it, check whether an odd profile is in the list; adware uses profiles to lock browser settings such as the home page and search engine. Check each profile’s details for common malware keywords. Here are some we discovered this time around: mymacupdater, myshopcoupon, and mackeeper.
Get CCleaner and run the default set of Cleaning items. Then check Tools > Startup for any new startup items; this seems like a good replacement for the Lingon X step mentioned earlier. Then check Tools > Uninstall to find extra apps like MacKeeper. This is also handy for uninstalling old apps you haven’t used in a long time.
While CCleaner does just fine with its basic cleaning for the purpose of this post, consider later running Onyx for deeper cleaning options.
Get Malwarebytes and run it. The free version does the basic job we need. It focuses on finding malware and did great when I tested it. I found the real-time protection was using a constant 10% cpu so that feature is now disabled.
Now is when I would fire up your web browsers (check them all if you use more than one). Look in Preferences at the startup/home page, default search engine, plugins, and extensions, since those are what adware usually changes. This is also a good time to get rid of any plugins or extensions you no longer use.
I still like the report EtreCheck runs. While the previous steps should have already found anything really bad, this report might find something else or at least show some things you may not know about.
Get Avast and run it. During the install you can optionally install their VPN and password manager. I already use and highly recommend Encrypt.me for our VPN needs, and I use the built-in keychain for managing passwords, so I skipped these items. After installing, I had to find it in the menu bar. It will take a long time to scan your computer, but it does a very thorough check. It will find some of the items already found earlier that were quarantined or moved to the trash. It also scanned the Time Machine backups and removed the bad files that had been backed up, along with all of those pesky bad email attachments. So I think it would be good to run through these steps if you ever restore from a backup.
You may want to restart after each of the above steps if you found anything along the way. This makes sure something you may have removed or disabled is quit and no longer loaded and running.
Even if you don’t suspect a problem now, it’s not a bad idea to go through these steps so you are familiar with the process and so that you already have some of these tools at the ready. Malwarebytes and Avast can also run in the background (their default setting) to provide some preventive measures to help avoid this situation in the first place.
While tools like Malwarebytes and Avast are very helpful, they also make money using FUD so be careful not to be swayed too hard by their own ads for protecting you and your family, which is a little ironic. macOS is already very good about malware and security so do some research on these tools before paying for their extra services.
Startup Items Extra Note
A final note that you can skip, as it’s a bit more technical and not at all necessary. It’s great that Malwarebytes and Avast can continue to monitor things for you. This means they always start automatically and run in the background when you restart. By all means keep using them this way; set-it-and-forget-it is great. However, I personally like to know what is running automatically and to have control over it, so I wanted to see what each of these starts automatically and how to control that behavior. Spoiler: they are both disappointing.
Malwarebytes: I turned off all automatic settings and removed it from the menu bar, but it still starts the Malwarebytes agent, while not appearing in Login Items. Deactivating its free trial didn’t help. You must use CCleaner > Tools > Startup to find and disable it. You don’t need to restart, and you can see it disappear in Activity Monitor. It seems to work fine after disabling the startup item. I could find nothing in their documentation about these automatic agents.
Avast: I found six different tasks that start automatically. Even with all Shields off and all settings adjusted, they still run. They could only be disabled one by one in CCleaner; if one doesn’t disable, use Remove. I could find nothing in their documentation about these automatic agents either. It seems to run fine after disabling them.
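A terminal-side version of the startup-item checks, covering both the Profiles and startup-item steps of the checklist and the auto-starting vendor agents in this note. It is an example added here, not code from the original post or from any of the vendors mentioned. It walks the three launchd directories that tools like Lingon X and CCleaner > Tools > Startup read (`~/Library/LaunchAgents`, `/Library/LaunchAgents`, `/Library/LaunchDaemons`), flags any plist whose file name, Label or program path contains one of the keywords from the Profiles step, and prints the `launchctl` commands that would stop a flagged job and keep it from starting again. The keyword list (override it with `SUSPECT_KEYWORDS="malwarebytes avast"` to see what those two set up), the SUSPECT/ok status words, the column layout and the two demo plists are this example’s own; the real launchd labels Malwarebytes and Avast use are not known from the post.

```shell
#!/bin/sh
# Added example (not from the original post): terminal-side triage of the
# launchd persistence points the checklist covers, and generation of the
# launchctl commands that stop a job and keep it from auto-starting. The
# keyword list, status words, column layout and demo plists are this
# example's own; no vendor label below is taken from the post.
SUSPECT_KEYWORDS=${SUSPECT_KEYWORDS:-"mymacupdater myshopcoupon mackeeper"}

# "<Label><TAB><program>" of an XML launchd plist, using sed only so the scan
# also runs on a non-Mac host. Binary plists: plutil -convert xml1 -o - FILE
plist_summary() {
    label=$(sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1" | head -n 1)
    program=$(sed -n '/<key>Program\(Arguments\)\{0,1\}<\/key>/,/<string>/{s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$1" | head -n 1)
    printf '%s\t%s' "${label:-?}" "${program:-?}"
}

# One line per plist under DIRS: STATUS<TAB>file<TAB>label<TAB>program, where
# STATUS is SUSPECT if the file name, label or program path contains a keyword
# (case-insensitive) and ok otherwise. Missing directories are skipped.
scan_launch_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            summary=$(plist_summary "$f")
            haystack=$(printf '%s\t%s' "$f" "$summary" | tr 'A-Z' 'a-z')
            status=ok
            for kw in $SUSPECT_KEYWORDS; do
                case $haystack in *"$kw"*) status=SUSPECT ;; esac
            done
            printf '%s\t%s\t%s\n' "$status" "$f" "$summary"
        done
    done
}

# launchd domain for a plist: system daemons need sudo, everything else
# belongs to the logged-in user's gui domain.
launchd_domain() {
    case $1 in
        /Library/LaunchDaemons/*) echo system ;;
        *) echo "gui/$(id -u)" ;;
    esac
}

# Print (do not run) the commands that stop the job in PLIST now and keep
# launchd from starting it at the next login/boot. Undo with: launchctl enable
disable_commands() {
    label=$(plist_summary "$1" | cut -f1)
    [ "$label" != "?" ] || { echo "no Label in $1" >&2; return 1; }
    domain=$(launchd_domain "$1")
    pfx=""; [ "$domain" != system ] || pfx="sudo "
    printf '%slaunchctl bootout %s/%s\n' "$pfx" "$domain" "$label"
    printf '%slaunchctl disable %s/%s\n' "$pfx" "$domain" "$label"
}

# Disable commands for every SUSPECT plist under DIRS.
suspect_disable_commands() {
    scan_launch_items "$@" | awk -F'\t' '$1 == "SUSPECT" { print $2 }' |
        while IFS= read -r f; do disable_commands "$f"; done
}

# Two constructed plists for the stand-alone demo (not real artifacts): a
# benign agent, and a helper whose program lives in a MacKeeper directory.
make_demo_dir() {
    dir=$(mktemp -d)
    cat > "$dir/com.example.backup.plist" <<'EOF'
<plist version="1.0"><dict>
    <key>Label</key>
    <string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/backup-agent</string>
    </array>
</dict></plist>
EOF
    cat > "$dir/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict>
    <key>Label</key>
    <string>com.example.helper</string>
    <key>Program</key>
    <string>/Library/Application Support/MacKeeper/Helper</string>
</dict></plist>
EOF
    echo "$dir"
}

# Stand-alone run: the demo directory first, then the real locations.
demo=$(make_demo_dir)
scan_launch_items "$demo"
suspect_disable_commands "$demo"
rm -rf "$demo"
scan_launch_items "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
```

The commands are only printed, not run: review them, then paste them into Terminal. `launchctl bootout` stops and unloads the job immediately, `launchctl disable` records it as disabled so launchd skips it at the next login (or boot, for system daemons), and `launchctl enable` on the same target undoes that. The two checklist items the script does not cover can be listed from the same terminal on a Mac: `osascript -e 'tell application "System Events" to get the name of every login item'` prints the Login Items, and `profiles list` (`profiles -P` on older releases; add `sudo` to include device profiles) prints installed configuration profiles.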