Mac Cleanup Pro "virus"

Tech Talk, Tech News and Tech Support (Gadgets included)
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Mac Cleanup Pro "virus"

Post by Vulture »

Hey everybody, happy New Year to all of you! Would like to chime in after doing a search on this here and not finding it: there seems to be a common malware installer currently plaguing inattentive computer users, most probably with the typical fake Flash installer trick.
Anybody deal with it? Wondering what the best and easiest protocol is to purge it from the computer. I found this as the most in-depth instructions, other than just quitting all apps and trashing the app from the Applications folder.

Why am I even posting about this? The 'rents called me in a panic about how "nothing is working" and I found out this happened. Granted, the possible damage is minimal and easy to fix, but we are talking about users who constantly sit in silence when a question like "what is the current active application?" is asked, and I may have to remedy this using FaceTime to point a camera at the screen while it is done 400 miles away.

Thanks for your input.
dv
Posts: 30680
Joined: Wed Jan 16, 2008 3:42 pm

Post by dv »

There are still macOS AV programs. Avast is free, I think, still.

You should also be able to do all that stuff from a CLI while booted from a recovery partition, if you're so inclined.

But yeah, the virus makers rely on the fact that most people who fall for their fake installers aren't techie enough to follow removal directions like that.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

I had to FaceTime their screen, I had a hard time getting them to figure out what the Dock is, these things are painful. The price of being born lol.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

I use AVG on my own systems, and keep MalwareBytes for a backup, just in case.
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

I don't do tech support for my dad or stepmom. It's... painful dealing with my stepmom, who literally got mad because I installed a touchpad driver on my dad's laptop (it was missing it because it got wiped and she apparently told the techs not to reinstall anything) so that he could TYPE without the slightest brushing moving his text cursor around. If she wasn't so hostile about tech I'd just give my dad a Chromebook.

I just use the built-in Windows 10 AV along with adblock; with those together I'm confident enough that I can get by with basic online hygiene practices.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

I was on the phone for almost 3 hours, turns out it has this homepage search engine hijack on there called weknow.ac and the General tab in Safari preferences won't allow you to reset the homepage. I'm kind of stuck now unless there is something I'm missing just by seeing the homepage options greyed out as unchangeable via FaceTime observation. I have read that MalwareBytes clears this kind of thing up for sure, but that would be another hour on the phone for sure.
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

Can you walk them through installing TeamViewer and see if you can see better? Maybe there's a weird add on in system preferences?
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

Betonhaus wrote: Can you walk them through installing TeamViewer and see if you can see better? Maybe there's a weird add on in system preferences?

Thanks for all your help, all of you. Before I try going that route, I've managed to get enough rudimentary info about what needs to be done to get around the malware activity:

2 apps may be installed in Applications, called MyShopCoupon (Adware) and WeKnow (HomePage Hijack), so find and delete them

In Safari Extensions preferences, MyShopCoupon can be disabled and uninstalled.

I had them do all that, and changed the New Window/New Tab preferences to "Favorites" instead of Homepage, so they won't use the fake search engine at weknow.ac

I have not figured out how to remove the homepage hijack yet, but this seems to be a temp workaround.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

You can use a really neat tool called FSMonitor, which will monitor and display files that are getting changed on your computer. It displays a really cool graph, and you can right-click on files to show them in the Finder.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

obvs wrote: You can use a really neat tool called FSMonitor, which will monitor and display files that are getting changed on your computer. It displays a really cool graph, and you can right-click on files to show them in the Finder.

Thanks, this all gets very interesting in options to be aware of what is happening.

As far as being able to remove this infection, are you all suggesting that Malwarebytes can be downloaded as a trial version and it will remove the installed malware without having to purchase the software?

Keep in mind I'm talking with people who use a computer for 15 years and still can't differentiate between an Apple ID, an iCloud password, and the password to log in to the user account on the OS.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

There are pretty much three parts of antimalware:
  1. Running a scan to see if there's an infection.
  2. Active protection, to always sit in the background and identify infection attempts as they might occur.
  3. Malware removal, to remove any identified infections.

AVG includes all three.

MalwareBytes includes #1 and #3. #2 is excluded unless you're using the paid version.

You might want to look into TeamViewer, to let you remotely control your parents' computer. Alternatively, Skype includes screen sharing, which would let you direct what to click on.
Ribtor
Posts: 9363
Joined: Sun Nov 28, 2010 3:45 pm

Post by Ribtor »

Perhaps there is an equivalent of "Spywareblaster" for the mac. It is a free passive anti-malware system that maintains a list of known malware and prevents any installation. Since it is passive it consumes no resources except when updating itself.
Pyke notte thy nostrellys
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

iirc there's only a few folders that malware can hide on macOS and still be executable... I'd check any folder touched at startup first. It's all made harder because you are trying to do it remotely... at what point would it be easier just to go to an Apple Store genius or repair shop?
dv
Posts: 30680
Joined: Wed Jan 16, 2008 3:42 pm

Post by dv »

Betonhaus wrote: iirc there's only a few folders that malware can hide on macOS and still be executable... I'd check any folder touched at startup first. It's all made harder because you are trying to do it remotely... at what point would it be easier just to go to an Apple Store genius or repair shop?


Depends on the repair shop. A lot of them will just format/reinstall instead of trying to repair the system. (Nuke it from orbit, it's the only way to be sure.) But that's fairly easy to do on your own.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

I'm starting to have a whole new view on Parental Controls.
dv
Posts: 30680
Joined: Wed Jan 16, 2008 3:42 pm

Post by dv »

Vulture wrote: I'm starting to have a whole new view on Parental Controls.


The old Linux admin advice is to never, ever, ever, never operate a computer using an admin account. Unless you absolutely positively have to.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

I think I am going to have to tell them to remove the hard drive and mail it to me. It's a 2009 iMac.
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

Vulture wrote: I think I am going to have to tell them to remove the hard drive and mail it to me. It's a 2009 iMac.

...are you going to walk them through taking out the hard drive?
Pariah
Posts: 22751
Joined: Fri Mar 07, 2008 5:45 pm
Title: Know Your Enemy

Post by Pariah »

Vulture wrote: I think I am going to have to tell them to remove the hard drive and mail it to me. It's a 2009 iMac.

I probably can guess the answer but...Do they have a Time Machine backup?
Not even duct tape will fix stupid, but it can muffle the sound.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

Betonhaus wrote:
Vulture wrote: I think I am going to have to tell them to remove the hard drive and mail it to me. It's a 2009 iMac.

...are you going to walk them through taking out the hard drive?

I was planning on that, but when I saw you have to pop the screen off, I think I'm going to say forget the whole thing.

Pariah wrote:
Vulture wrote: I think I am going to have to tell them to remove the hard drive and mail it to me. It's a 2009 iMac.

I probably can guess the answer but...Do they have a Time Machine backup?

They did. They had a Time Machine backup until a cousin of mine came over with his wife and kids and decided to upgrade everything for a day and a half for them. All of his kids had iDevices and needed Wifi just to survive for 3 days, which got his attention on their WiFi and their computer. He disconnected the Time Capsule for some reason and now when I got them to try to connect to it, it simply says it "cannot connect to Time Capsule". The backup is from last year. Oh well, I've been trying to not get them in trouble but it looks like they've slowly dismantled every option.

Yesterday the machine wouldn't even get on the internet, even though Network Preferences show it is connected via WiFi. I could probably spend another 10 hours of my life on the phone with them about this and get nowhere. I would even try to get a network cable between the Time Capsule and the computer but this malware seems to be blocking peripherals. The only reason we found out this is on their computer is because their wired keyboard wasn't connecting one day. After they got the Caps Lock key to turn on to show power with a few plugs and unplugs of the USB, then I found out they were getting these popups about the Mac Cleanup Pro shenanigans.

We left it at the idea that their computer is done and they just have to survive with their iPad and iPhones, which somehow operate well with people who don't know how to operate them, go figure.

They are looking into getting a new iMac to replace this almost 10 year old machine that they can't manage themselves for issues like this. Too bad a stupid fake virus like this takes down a fully working survivor machine just because nobody around has some skill to rid it of the files. I would even try getting them to just erase the whole computer, but I don't know if that's wise or how I could even get them to do that.

I'd like to think they've learned their lesson, but I don't know. Senior citizens and computers, I don't know what it is. They've been staring at computers since about 1985 in the wild, they are forced to learn Windows at work, yet simple operating philosophy and file management is not getting in there.

Please excuse my defeatist attitude toward the end here, but I've got things to do that can't be swallowed up with a silly fake flash installer over the phone. I could go on and on about how comedic our exchanges are, so there is a funny element to it that outshines the frustrating absurdity. But, I'll refrain from making fun of my parents. ;)

I'd like to add that I'll probably have to instill a backup protocol for them using an external drive if they indeed end up with a working computer in the future, one where they have to remember to back up the computer at least 10-12 times a year (is that too much to ask?). The Time Capsule is about as old as their iMac, and I don't really like Time Machine as much as cloned partitions. I'm not sure what I will try to have them do, since just asking to open a new window in the Finder is like speaking a foreign language.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

If you put MalwareBytes and AVG on a thumb drive and send it to them, they may be able to restart and hold down shift while booting. At that point you might be able to install MalwareBytes and AVG from the thumb drive and run a scan.

It may also be that their DNS is hijacked and is blocking access to certain sites. I'd check their DNS and set it to 1.1.1.1.

If I had the machine, I'd also use the FSMonitor to find out what files are being messed with, and look in /Library/LaunchAgents and /Library/LaunchDaemons (and within launchctl itself) to see what might be running that you don't want to run.
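The checks obvs lists here (the launchd folders, what launchctl has loaded, and a possibly hijacked resolver list), together with the two app bundles Vulture named earlier in the thread, can be rehearsed in a small POSIX shell triage helper. This is an added example, not code from the thread or from any of the tools mentioned in it: it runs offline on constructed sample data, the `com.example.*` labels, the `.app` bundle names and the sample resolver addresses are assumptions, and the `networksetup`/`launchctl` invocations in the comments are the standard macOS commands you would substitute on the real machine.

```shell
#!/bin/sh
# Added example (not from the thread): offline rehearsal of the triage described above.
# Every check takes its input as arguments, so it can be tried on constructed data here
# and pointed at the real folders on the Mac:
#   launch_items_report /Library/LaunchAgents /Library/LaunchDaemons "$HOME/Library/LaunchAgents"
#   find_known_apps /Applications
#   dns_report "$(networksetup -getdnsservers Wi-Fi | tr '\n' ' ')" "1.1.1.1 <router-ip>"
# ("Wi-Fi" is the usual service name; see `networksetup -listallnetworkservices`.)
# `launchctl list` shows what is loaded right now, which may include items not on disk.

# First <string> value that follows <key>KEY</key> in an XML launchd plist
# (binary plists need `plutil -convert xml1` first).
plist_value() {
  awk -v key="<key>$2</key>" '
    index($0, key) { want = 1 }
    want && match($0, /<string>[^<]*<\/string>/) {
      print substr($0, RSTART + 8, RLENGTH - 17); exit
    }' "$1"
}

# Lists every launchd item in the given directories as LABEL<TAB>PROGRAM<TAB>VERDICT.
# "REVIEW" only means the program is outside an Apple-managed path: it is a sorting aid,
# not a verdict. Items under /usr/bin (e.g. a script interpreter) are still printed so
# their arguments can be eyeballed.
launch_items_report() {
  for dir in "$@"; do
    [ -d "$dir" ] || continue
    for plist in "$dir"/*.plist; do
      [ -f "$plist" ] || continue
      label=$(plist_value "$plist" Label)
      prog=$(plist_value "$plist" Program)
      [ -n "$prog" ] || prog=$(plist_value "$plist" ProgramArguments)
      case "$prog" in
        /System/*|/usr/libexec/*|/usr/sbin/*|/Library/Apple/*) verdict="apple-path" ;;
        *) verdict="REVIEW" ;;
      esac
      printf '%s\t%s\t%s\n' "$label" "$prog" "$verdict"
    done
  done
}

# Number of REVIEW items, for a quick yes/no answer over the phone.
launch_items_review_count() {
  launch_items_report "$@" | awk -F '\t' '$3 == "REVIEW" { n++ } END { print n + 0 }'
}

# App bundles named in the thread; the exact ".app" bundle names are an assumption.
KNOWN_ADWARE_APPS="MyShopCoupon.app WeKnow.app"
find_known_apps() {   # find_known_apps APPS_DIR -> prints each bundle that is present
  for name in $KNOWN_ADWARE_APPS; do
    [ -e "$1/$name" ] && printf '%s\n' "$1/$name"
  done
  return 0
}

# Compares the active resolver list with the ones you expect (router, 1.1.1.1, ...).
dns_report() {   # dns_report "resolver ..." "allowed ..." -> IP<TAB>ok|UNEXPECTED
  for ip in $1; do
    case " $2 " in
      *" $ip "*) printf '%s\tok\n' "$ip" ;;
      *)         printf '%s\tUNEXPECTED\n' "$ip" ;;
    esac
  done
}
dns_unexpected_count() {
  dns_report "$1" "$2" | awk -F '\t' '$2 == "UNEXPECTED" { n++ } END { print n + 0 }'
}

# Constructed sample: a temp folder holding one Apple-looking item, one third-party
# updater that loads at login, and an Applications folder containing one named bundle.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/com.example.helper.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>Program</key><string>/usr/libexec/example-helper</string>
</dict></plist>
EOF
  cat > "$d/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Example/updater</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
  mkdir -p "$d/Applications/WeKnow.app"
  printf '%s\n' "$d"
}

# Demo run on the constructed sample (the third-party updater and the bundle get flagged,
# and the second resolver is not on the allow list).
sample=$(make_sample_dir)
launch_items_report "$sample"
find_known_apps "$sample/Applications"
dns_report "192.168.1.1 203.0.113.7" "192.168.1.1 1.1.1.1"
rm -rf "$sample"
```

The point of the path heuristic is triage, not judgement: a flagged item still has to be opened and read, and an item in an Apple path can still be a script interpreter launching something elsewhere, which is why the program column is always printed. Removing a flagged item is then the usual `launchctl unload` of the plist followed by deleting the file and the program it points at.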
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

obvs wrote: If you put MalwareBytes and AVG on a thumb drive and send it to them, they may be able to restart and hold down shift while booting. At that point you might be able to install MalwareBytes and AVG from the thumb drive and run a scan.

It may also be that their DNS is hijacked and is blocking access to certain sites. I'd check their DNS and set it to 1.1.1.1.

If I had the machine, I'd also use the FSMonitor to find out what files are being messed with, and look in /Library/LaunchAgents and /Library/LaunchDaemons (and within launchctl itself) to see what might be running that you don't want to run.

Thanks for that, if I'm feeling exceptionally enterprising I know better what to do now.
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

If they really want to buy a new computer I'd insist they consider a Chromebook. Not much they can screw up on those things and it's not likely to be missing anything they know how to use.
C. Ives
Posts: 3563
Joined: Tue May 26, 2009 6:49 pm
Title: Lacks Critical stick fiddling Thinking

Post by C. Ives »

My dad keeps getting this kind of crap on his computer. It's frustrating.

I set the security preferences to ONLY install apps from the App store, so maybe that will slow him down.

Fortunately, my parents live across town, so I can just take his laptop home with me and work on it, but yeah, it's not fun (and I've dealt with Mac Cleanup Pro twice now).
All skill is in vain when an angel wastes down the barrel of your rifle.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

Make it so they're not administrators. Create a separate admin account that's only used for administration.

Infections installed in a non-admin account wouldn't affect the admin account, so you could log in and fix things from that account.
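A way to check that the set-up obvs describes is actually in place (daily accounts are standard, only the separate admin account is in the admin group), as an added example rather than anything from the thread. It parses the line that `dscl . -read /Groups/admin GroupMembership` prints on a Mac, so it runs offline on a constructed membership line here; the account names are made up, and `dseditgroup` is the standard macOS command for editing group membership.

```shell
#!/bin/sh
# Added example (not from the thread): audit which accounts on a Mac are administrators.
# On the Mac itself, feed it the real group record:
#   audit_daily_accounts "$(dscl . -read /Groups/admin GroupMembership)" mom dad

# Member list from a "GroupMembership: root itadmin dad" line.
admin_users() {
  printf '%s\n' "$1" | awk -F ': ' '/^GroupMembership:/ { print $2 }'
}

# is_admin USER "MEMBERSHIP_LINE": exit status 0 when USER is in the admin group.
is_admin() {
  case " $(admin_users "$2") " in
    *" $1 "*) return 0 ;;
    *)        return 1 ;;
  esac
}

# audit_daily_accounts "MEMBERSHIP_LINE" user...: one line per daily-use account,
# with the demotion command for any that is still an administrator.
audit_daily_accounts() {
  line="$1"; shift
  for u in "$@"; do
    if is_admin "$u" "$line"; then
      printf '%s\tADMIN\t(demote with: sudo dseditgroup -o edit -d %s -t user admin)\n' "$u" "$u"
    else
      printf '%s\tstandard\n' "$u"
    fi
  done
}

# Number of daily-use accounts that still hold admin rights (0 is the goal).
count_admin_daily_accounts() {
  audit_daily_accounts "$@" | awk -F '\t' '$2 == "ADMIN" { n++ } END { print n + 0 }'
}

# Constructed sample: "dad" was created as an administrator, "mom" as a standard user,
# and "itadmin" is the separate account kept only for administration.
SAMPLE="GroupMembership: root itadmin dad"
audit_daily_accounts "$SAMPLE" mom dad
```

Run it after the accounts are created and again after any "upgrade" visit: an account that was standard can quietly become an administrator when someone ticks "Allow user to administer this computer" in Users & Groups, and this check is quicker than asking over FaceTime.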
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

obvs wrote: Make it so they're not administrators. Create a separate admin account that's only used for administration.

Infections installed in a non-admin account wouldn't affect the admin account, so you could log in and fix things from that account.

I've never considered doing that before, but now I certainly will. The worst I have to deal with now I expect to be walking them through the new computer setup process, which will have to begin with an admin account and then creating non-admin user accounts for each of them. I'll make sure they won't want to be logging into the admin user because the password will be very annoying.

Question: would you set up the first account with one of their Apple IDs, or not?
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

No, and I hate that Apple pushes that.

I like the administrator account to be a local account that isn't actually signed in to anything but the App Store (to install software updates) and then to only use it for two purposes: upgrades (when necessary), and troubleshooting.

I think the whole Apple ID thing is problematic, in particular, because I had to change my Apple ID password an inordinate number of times compared to the limited utility I've ever gotten from actually having an Apple ID. But I understand that some people like it. If anything, I might have the Apple ID account be a non-admin user, and then use the admin account to check and set up restrictions on the Apple ID account.

But for me, all of my accounts are local.
maurvir
Posts: 25358
Joined: Mon Nov 15, 2010 10:13 pm
Title: Steamed meat popsicle

Post by maurvir »

Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.
arkayn
Posts: 6721
Joined: Fri Jan 18, 2008 1:47 pm
Title: Aaarrrggghhhh
Location: Gulf Coast

Post by arkayn »

maurvir wrote: Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.


My Win 10 laptop, still only uses a local user account.

And it will stay that way.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

So when setting up a new Mac, you can skip having to put in an Apple ID, and still have it be admin for downloading from the App Store? Pardon me if I don't understand, but I thought you had to sign in with your Apple ID to download from the App Store.
obvs
Posts: 27719
Joined: Sat Jan 12, 2008 8:44 pm
Title: Socialist isn't an epithet;it's a badge.

Post by obvs »

The Mac App Store is really just another website, like any other.

You seem to be implying that you're auto-logged-into it when you open it if the account you used to log into the computer was an Apple ID. That sounds useful in some cases.

But if you log in to the computer with a local account and then open the Mac App Store it will ask you to sign in within the Mac App Store app itself using your Apple ID (not log in to use the computer, but enter your Apple ID and Apple ID password in the app to download updates). And once you do, the app will remember that account.
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

obvs wrote: The Mac App Store is really just another website, like any other.

You seem to be implying that you're auto-logged-into it when you open it if the account you used to log into the computer was an Apple ID. That sounds useful in some cases.

But if you log in to the computer with a local account and then open the Mac App Store it will ask you to sign in within the Mac App Store app itself using your Apple ID (not log in to use the computer, but enter your Apple ID and Apple ID password in the app to download updates). And once you do, the app will remember that account.

Ah yes, that was my confusion. I was under the assumption that the OS "requires" you to set up your Mac with an App ID to proceed by needing to access the App Store. I was being blindly led down a path of thinking the same way that a fake Flash installer led my parents to believe its prompts.
avkills
Posts: 3127
Joined: Sun Nov 14, 2010 9:46 am
Location: Everywhere

Post by avkills »

maurvir wrote: Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.


Yeah the Windows install really pushes you to do a Microshaft account.

I also hate how Apple pushes the Admin account as default. I used to make another account, but it is such a pain in the ass now, I just suck it up.
"Killing them dead till they believe"
† The Church of Mark †
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

avkills wrote:
maurvir wrote: Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.


Yeah the Windows install really pushes you to do a Microshaft account.

I also hate how Apple pushes the Admin account as default. I used to make another account, but it is such a pain in the ass now, I just suck it up.

At least Microsoft will allow me to "refresh" my PC (resets everything to a clean install with only my Windows Store apps kept, and my user account is untouched so all my files are still there). Never had to use it but it is awesome if it works. I do wish Apple considered implementing something like it, it should've been pretty easy to do as applications already are restricted in where they can stick human waste and have it be executable and the App Store can whitelist the apps and app components that can stay.
Pariah
Posts: 22751
Joined: Fri Mar 07, 2008 5:45 pm
Title: Know Your Enemy

Post by Pariah »

Betonhaus wrote:
avkills wrote:
maurvir wrote: Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.


Yeah the Windows install really pushes you to do a Microshaft account.

I also hate how Apple pushes the Admin account as default. I used to make another account, but it is such a pain in the ass now, I just suck it up.

At least Microsoft will allow me to "refresh" my PC (resets everything to a clean install with only my Windows Store apps kept, and my user account is untouched so all my files are still there). Never had to use it but it is awesome if it works. I do wish Apple considered implementing something like it, it should've been pretty easy to do as applications already are restricted in where they can stick human waste and have it be executable and the App Store can whitelist the apps and app components that can stay.

Any malware worth its salt, first thing that goes is restore points.
Not even duct tape will fix stupid, but it can muffle the sound.
Betonhaus
Posts: 2911
Joined: Thu Aug 30, 2018 10:25 pm

Post by Betonhaus »

Pariah wrote:
Betonhaus wrote:
avkills wrote:
maurvir wrote: Microsoft has doubled down on that blatherskite as well. You REALLY have to want to create a local user account, and then search carefully for the button, lest you wind up signing in with a Microsoft account.


Yeah the Windows install really pushes you to do a Microshaft account.

I also hate how Apple pushes the Admin account as default. I used to make another account, but it is such a pain in the ass now, I just suck it up.

At least Microsoft will allow me to "refresh" my PC (resets everything to a clean install with only my Windows Store apps kept, and my user account is untouched so all my files are still there). Never had to use it but it is awesome if it works. I do wish Apple considered implementing something like it, it should've been pretty easy to do as applications already are restricted in where they can stick human waste and have it be executable and the App Store can whitelist the apps and app components that can stay.

Any malware worth its salt, first thing that goes is restore points.

Not a restore point. Restore points bring your system to the last saved configuration. Refresh downloads a new OS image from Microsoft then does a clean reinstall, to which it migrates your user data and Windows Store apps over.
https://www.windowscentral.com/how-use- ... windows-10
Vulture
Posts: 5539
Joined: Tue Nov 16, 2010 6:45 pm
Title: 420
Location: 420

Post by Vulture »

They bit the bullet and got a new iMac, made an admin account that they don't use, then separate "standard" accounts for them.
Took hours on the phone just telling them to do what they needed to do with passwords and preferences. Next step is to use TeamViewer so I can just do things remotely. Or, I may just try Chrome Remote Desktop, it's free to use.

EDIT: I just realized TeamViewer is free also for personal use.

They still need to get an external hard drive for Time Machine backups or (if I can just do it myself remotely) an updated partition clone, and it seems their printer has no power now as if a fuse has blown internally (Canon Pro99000 MkII). I have to see what a good new equivalent printer would replace it nowadays, they are very intent on printing things, no idea why.


Not sure if they can even appreciate that having a SSD and a new computer is super fast, maybe they will make a comment in the coming weeks. Seems people only comment on how slow things are, not how fast.
dv
Posts: 30680
Joined: Wed Jan 16, 2008 3:42 pm

Post by dv »

Vulture wrote: They bit the bullet and got a new iMac, made an admin account that they don't use, then separate "standard" accounts for them.
Took hours on the phone just telling them to do what they needed to do with passwords and preferences. Next step is to use TeamViewer so I can just do things remotely. Or, I may just try Chrome Remote Desktop, it's free to use.

EDIT: I just realized TeamViewer is free also for personal use.

They still need to get an external hard drive for Time Machine backups or (if I can just do it myself remotely) an updated partition clone, and it seems their printer has no power now as if a fuse has blown internally (Canon Pro99000 MkII). I have to see what a good new equivalent printer would replace it nowadays, they are very intent on printing things, no idea why.


Not sure if they can even appreciate that having a SSD and a new computer is super fast, maybe they will make a comment in the coming weeks. Seems people only comment on how slow things are, not how fast.


People never notice how much faster SSDs are, they just freak out when they have to use a machine with a spinner in it.
avkills
Posts: 3127
Joined: Sun Nov 14, 2010 9:46 am
Location: Everywhere

Post by avkills »

MacOS has screen sharing built in; but I have never tried it remotely.
"Killing them dead till they believe"
† The Church of Mark †
dv
Posts: 30680
Joined: Wed Jan 16, 2008 3:42 pm

Post by dv »

avkills wrote: MacOS has screen sharing built in; but I have never tried it remotely.

IIRC, Apple's Remote tech is just an apple-packed "pretty" version of VNC; it uses no small amount of bandwidth, and I'm pretty sure you'd need to do port forwarding setup, etc.

It's been a while; they might have improved upon it quite a bit since I was using it every day.