How to Remove Backdoor.OSX.Mokes.a

What is Backdoor.OSX.Mokes.a?
Backdoor.OSX.Mokes.a is the most recently discovered OS X variant of a cross-platform backdoor which is able to operate on all major operating systems.

This spyware/malware is able to steal various types of data from your Mac (Screenshots, Audio-/Video-Captures, Office-Documents, Keystrokes).

How to remove Backdoor.OSX.Mokes.a?
Scan your computer with Macware Spyware Cleaner. Spyware Cleaner will clean your Mac of all currently known spyware (e.g. Backdoor.OSX.Mokes.a).

How to manually remove Backdoor.OSX.Mokes.a?

Locate and delete the following files:

~/Library/App Store/storeuserd
~/Library/com.apple.spotlight/SpotlightHelper
~/Library/Dock/com.apple.dock.cache
~/Library/Skype/SkypeHelper
~/Library/Dropbox/DropboxCache
~/Library/Google/Chrome/nacld
~/Library/Firefox/Profiles/profiled

If you cannot find the files listed above, check these locations:

~/Library/Application Support/App Store/storeuserd
~/Library/Application Support/com.apple.spotlight/SpotlightHelper
~/Library/Application Support/Dock/com.apple.dock.cache
~/Library/Application Support/Skype/SkypeHelper
~/Library/Application Support/Dropbox/DropboxCache
~/Library/Application Support/Google/Chrome/nacld
~/Library/Application Support/Firefox/Profiles/profiled

After the files above have been deleted, empty your trash bin.
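A read-only check for the locations listed above, as an added example that is not part of the original guide. The function name find_mokes_files is an assumption; the relative paths are the ones given on this page, and nothing is deleted.

```shell
#!/bin/sh
# Added example: report which of the file locations listed above exist.
# Relative paths are copied from this page; the check never deletes anything.

MOKES_RELPATHS='App Store/storeuserd
com.apple.spotlight/SpotlightHelper
Dock/com.apple.dock.cache
Skype/SkypeHelper
Dropbox/DropboxCache
Google/Chrome/nacld
Firefox/Profiles/profiled'

# find_mokes_files HOME_DIR   (hypothetical helper name)
# Prints one line per listed path found under HOME_DIR/Library or
# HOME_DIR/Library/Application Support.
# Returns 0 if at least one path exists, 1 if none do.
find_mokes_files() {
    home_dir=$1
    found=1
    for base in "$home_dir/Library" "$home_dir/Library/Application Support"; do
        # Newline-separated list, because "App Store" contains a space.
        while IFS= read -r rel; do
            candidate="$base/$rel"
            # -e follows symlinks; -L also catches a dangling symlink.
            if [ -e "$candidate" ] || [ -L "$candidate" ]; then
                printf '%s\n' "$candidate"
                found=0
            fi
        done <<EOF
$MOKES_RELPATHS
EOF
    done
    return "$found"
}

# Scan only when a directory is given, e.g.:  sh check_mokes.sh "$HOME"
if [ "$#" -gt 0 ]; then
    find_mokes_files "$1" || echo "None of the listed paths exist under $1"
fi
```

Save the output to a text file before deleting anything, so there is a record of what was present and where.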

How to Remove MacKeeper

How to remove MacKeeper?
Scan your computer with Macware Antivirus for Mac. This will remove all traces of MacKeeper and the malicious browser extensions it installs.

How to manually remove MacKeeper?
Launch the MacKeeper app in the Applications folder and then quit it. (If this is your first time running it, no, you don’t have to activate MacKeeper or sign on for any of its services. Just choose Quit from the MacKeeper application menu.)

When you’ve done that, drag the MacKeeper app to the trash. You may be prompted for your administrator’s password. Enter it and the MacKeeper app will move to the trash and a window will pop up and offer to uninstall the rest of its components. Click the Uninstall MacKeeper button (don’t bother selecting an option about why you’re doing so if you don’t care to). This should remove most of the files MacKeeper placed on your hard drive.

If you have a recent version of MacKeeper, the uninstaller does a good job, and Macware Antivirus can help clean up any bits left behind.

But not all of them. Although the window tells you that all MacKeeper-related processes will be deleted, a few things remain.

A MacKeeper Helper folder isn’t removed. You can find it by visiting this location: ~/Library/Application Support. (To access this Library folder hold down the Option key and, in the Finder, choose Go > Library.) Inside this MacKeeper Helper folder is a NoticeEngine.plugin file. Go ahead and toss the MacKeeper Helper folder and this file will disappear right along with it. Empty the trash, restart your Mac, and MacKeeper will be gone. If you don’t see the MacKeeper Helper folder, don’t worry about it—it’s only bad if it’s there.

While we’re making sure the uninstaller got everything, here are a few more places to check. The most recent version of MacKeeper as of this writing (3.7, build 979) did get all of these on the uninstall, but it’s still smart to double-check.

~/Library/Caches/com.mackeeper.MacKeeper

~/Library/Caches/com.mackeeper.MacKeeper.Helper

~/Library/LaunchAgents/com.mackeeper.MacKeeper.Helper.plist

~/Library/Application Support/MacKeeper Helper

~/Library/LaunchDaemons/com.mackeeper.MacKeeper.plugin.AntiTheft.daemon.plist

How to remove MacKeeper Adware?

MacKeeper also installs unwanted browser extensions which either inject ads into your web browser or display annoying ad pop-up windows.

Uninstall MacKeeper Safari Extension:
You can uninstall the extension by selecting Safari > Preferences > Extensions > Select the MacKeeper Extension (it may be listed under another name, so just uninstall anything you don’t remember installing yourself) > Uninstall > Restart Safari.

(See Remove Extensions from Safari for more detailed instructions)

Uninstall MacKeeper Firefox Extension:
You can uninstall the MacKeeper extension by selecting Firefox > Tools > Add-ons > Extensions > Find the MacKeeper Extension (it may be listed under another name, so just uninstall anything you don’t remember installing yourself) > Remove > Restart Firefox.

(See Remove Extensions from Firefox for more detailed instructions)

Uninstall MacKeeper Google Chrome Extension:
You can easily uninstall the MacKeeper extension by selecting Window > Extensions > Find the MacKeeper Extension (it may be listed under another name, so just uninstall anything you don’t remember installing yourself) > click the Trash Can icon.

(See Remove Extensions from Chrome for more detailed instructions)

How to Remove OSX.Pirrit

What is OSX.Pirrit?
OSX.Pirrit adware shows you ads in your browser as you browse the web.

It can be downloaded from the program’s website or bundled with some third-party software installation programs (e.g. MacKeeper).

How to remove OSX.Pirrit?
Scan your computer with Macware Adware Cleaner for Mac. Adware Cleaner will free your computer from annoying adware (e.g. Pirrit), malicious hijacker programs and unwanted toolbars.

How to manually remove OSX.Pirrit?

STEP 1: Uninstall MacKeeper
Please carefully read and follow this guide: MacKeeper Removal Guide

STEP 2: Delete Malicious Files

Locate and delete the file rec_script.sh from the following folders:

~/Library/cyrtograph/Contents/MacOS
~/Library/unsubtleness/Contents/MacOS

If you cannot find the specified file, please look for any unfamiliar or suspicious files or browser extensions. One of them may be what is causing Pirrit to be present on your Mac. Sorting items by date so the most recent ones come first may also help you identify recently installed unfamiliar files.

How to Detect Spyware on a Mac

Please read this whole guide before doing anything.

Only follow these instructions if you have already scanned your Mac with Macware Spyware Cleaner.

The following procedure will help identify whether your system has been modified. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.

These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. After you have executed each command copy/paste the result into a text file.

Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it.

Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

Launch the Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad. Click Utilities, then Terminal in the page that opens.

When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1
Copy or drag — do not type — the line below into the Terminal window, then press return:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'

Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.) You can omit the final line ending in “$”.

Step 2
Repeat with this line:

sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'

This time, you’ll be prompted for your login password, which won’t be displayed when you type it. You may get a one-time warning not to screw up. You don’t need to post the warning.

Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.

Step 3

launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'

Step 4

ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null

Step 5

osascript -e 'tell application "System Events" to get name of every login item' 2> /dev/null

Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer — no typing, except your password. Also remember to paste the output into a text file.

You can then quit Terminal.

Step 6

Post your results here;

Our staff will review the results as soon as possible and inform you of any potential spyware found.
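How the Step 3 filter decides what to show, as an added example that is not part of the original guide. The helper names and the sample rows are constructed for illustration; the filter itself is the Step 3 one-liner. A row is hidden when any of the patterns appears anywhere in it, so a hidden row is not proof that Apple installed the item.

```shell
#!/bin/sh
# Added example: annotate which `launchctl list` rows the Step 3 filter hides.

# step3_filter: the one-liner from Step 3, unchanged, reading stdin.
step3_filter() {
    sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
}

# classify_labels (hypothetical helper): same alternatives as the Step 3
# regex, tested one at a time against the whole row so the reason a row is
# hidden can be reported. Prints "shown <label>" or "hidden(<why>) <label>".
classify_labels() {
    sed 1d | awk '
        /0x/               { print "hidden(0x) " $3; next }
        /com\.apple/       { print "hidden(com.apple) " $3; next }
        /edu\.mit/         { print "hidden(edu.mit) " $3; next }
        /org\.(x|openbsd)/ { print "hidden(org.x|org.openbsd) " $3; next }
                           { print "shown " $3 }
    '
}

# Constructed sample in the PID / Status / Label layout; not real output.
SAMPLE_LIST='PID Status Label
312 0 com.apple.Finder
- 0 com.mackeeper.MacKeeper.Helper
- 0 org.example.com.apple.updater
601 0 0x7fb1c2d04a30.anonymous.Terminal
- 0 org.openbsd.ssh-agent
498 0 com.example.agent'

# Show the annotated view of the sample when the script is run.
printf '%s\n' "$SAMPLE_LIST" | classify_labels
```

On a real system, pipe `launchctl list` into classify_labels instead of the sample to see the hidden rows alongside the shown ones.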

How to Remove MacCaptain

What is MacCaptain?
MacCaptain is advertised as a program that displays coupons for sites you are visiting and competitive prices when you are viewing product pages at sites like Amazon. Though this may sound like a useful service, the MacCaptain program can be intrusive and will display ads whether you want them to or not.

When installed, the MacCaptain browser extension will display advertising banners, pop-up advertisements and in-text ads, stating that they are brought to you by “MacCaptain”. These ads are aimed to promote the installation of additional questionable content including web browser toolbars, optimization utilities and other products, all so the MacCaptain publisher can generate pay-per-click revenue.


When infected with MacCaptain the common symptoms include:
– Advertising banners are injected with the web pages that you are visiting.
– Random web page text is turned into hyperlinks.
– Browser popups appear which recommend fake updates or other software.
– Other unwanted adware programs might get installed without the user’s knowledge.

How to quickly remove MacCaptain?
Scan your computer with Macware Adware Cleaner for Mac. Adware Cleaner will free your computer from annoying adware (e.g. MacCaptain), malicious hijacker programs and unwanted toolbars.

How to remove MacCaptain?
If there’s an item named “vindinstaller” in the Applications folder, or any other item that you don’t recognise, delete it.

Uninstall MacCaptain Safari Extension:
You can uninstall the extension by selecting Safari > Preferences > Extensions > Select the MacCaptain Extension (it may be listed under another name) > Uninstall > Restart Safari. (See Remove Extensions from Safari for more detailed instructions)

Uninstall MacCaptain Firefox Extension:
You can uninstall the MacCaptain extension by selecting Firefox > Tools > Add-ons > Extensions > Find the MacCaptain Extension (it may be listed under another name) > Remove > Restart Firefox. (See Remove Extensions from Firefox for more detailed instructions)

Uninstall MacCaptain Google Chrome Extension:
You can easily uninstall the MacCaptain extension by selecting Window > Extensions > Find the MacCaptain Extension (it may be listed under another name) > click the Trash Can icon. (See Remove Extensions from Chrome for more detailed instructions)

Remove Extensions from Firefox

To remove Extensions from Mozilla Firefox:

  1. Click the menu button and choose Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions or Appearance panel.
  3. Select the extension add-on you wish to remove.
  4. Click the Remove button.
  5. Click Restart now if it pops up. Your tabs will be saved and restored after the restart.

Remove Adware from Firefox

To remove Adware Extensions from Mozilla Firefox:

  1. Click the menu button and choose Add-ons. The Add-ons Manager tab will open.
  2. In the Add-ons Manager tab, select the Extensions or Appearance panel.
  3. Select the adware extension add-on you wish to remove.
  4. Click the Remove button.
  5. Click Restart now if it pops up. Your tabs will be saved and restored after the restart.