clean adwares

Hello

I wrote a script which, if I made no error, does what is described by Apple in the Technical Note available at:
http://support.apple.com/HT203987

Could you check that everything is OK?

set homePath to POSIX path of (path to home folder)

my deleteItem("/Library/Application Support/VSearch")
my deleteItem("/Library/LaunchAgents/com.vsearch.agent.plist")
my deleteItem("/Library/LaunchDaemons/com.vsearch.daemon.plist")
my deleteItem("/Library/LaunchDaemons/com.vsearch.helper.plist")
my deleteItem("/Library/LaunchDaemons/Jack.plist")
my deleteItem("/Library/PrivilegedHelperTools/Jack")
my deleteItem("/System/Library/Frameworks/VSearch.framework")
my deleteItem("/System/Library/Frameworks/v.framework")
my deleteItem("/Applications/SearchProtect.app")
my deleteItem("/Library/LaunchAgents/com.conduit.loader.agent.plist")
my deleteItem("/Library/LaunchDaemons/com.perion.searchprotectd.plist")
my deleteItem("/Library/Application Support/SIMBL/Plugins/CT2285220.bundle")
my deleteItem(homePath & "Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin")
my deleteItem(homePath & "Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin")
my emptyFolder("/Library/InputManagers/CTLoader/")

my emptyFolder("/Library/Application Support/Conduit/")
my emptyFolder(homePath & "Conduit/")
my emptyFolder(homePath & "Trovi/")

my killProcess("Genieo.")
my killProcess("InstallMac.")

my deleteItem("/private/etc/launchd.conf")
my deleteItem("/Applications/Genieo")
my deleteItem("/Applications/InstallMac")
my deleteItem("/Applications/Uninstall Genieo")
my deleteItem("/Applications/Uninstall IM Completer.app")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.download.plist")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.update.plist")
my deleteItem("/Library/LaunchAgents/com.genieoinnovation.macextension.plist")
my deleteItem("/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist")
my deleteItem("/Library/LaunchAgents/com.genieo.engine.plist")
my deleteItem("/Library/LaunchAgents/com.genieo.completer.update.plist")
my deleteItem(homePath & "Library/LaunchAgents/com.genieo.completer.ltvbit.plist")
my deleteItem("/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist")
my deleteItem("/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client")
my deleteItem("/usr/lib/libgenkit.dylib")
my deleteItem("/usr/lib/libgenkitsa.dylib")
my deleteItem("/usr/lib/libimckit.dylib")
my deleteItem("/usr/lib/libimckitsa.dylib")
my deleteItem(homePath & "Library/Preferences/com.apple.genieo.global.settings.plist")
my deleteItem(homePath & "Library/SavedState/com.genieo.RemoveGenieoMac.savedState")

my emptyFolder(homePath & "Library/Application Support/Genieo/")
my emptyFolder(homePath & "Library/Application Support/com.genieoinnovation.Installer/")
my emptyFolder(homePath & "Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState/")

my deleteItem("/Library/Frameworks/GenieoExtra.framework")

tell application "System Events"
	restart
end tell

#=====

on killProcess(theProcess)
	try
		tell application "System Events"
			unix id of process theProcess
		end tell
		do shell script "kill " & result
		tell application "System Events"
			repeat while exists process theProcess
				delay 0.1
			end repeat
		end tell
	end try
end killProcess

#=====

on emptyFolder(theFolder)
	try
		tell application "System Events"
			every disk item of folder theFolder
			repeat with theProcess in result
				delete disk item (path of theProcess) # useful if theProcess is a package
			end repeat
		end tell
	end try
end emptyFolder

#=====

on deleteItem(theItem)
	try
		tell application "System Events"
			delete disk item theItem
		end tell
	end try
end deleteItem

Here it runs flawlessly but, as there is no adware on my machine, in fact it does nothing.

Yvan KOENIG (VALLAURIS, France) samedi 17 janvier 2015 16:01:32

I’d prefer not to trust any download button :wink:

Hey Yvan,

Well. Create some false files and test. :cool:

That said your script looks fairly straightforward.

My only complaint is that I want the list of files to be really easy to maintain and check against further updates from Apple or other sources.

I also notice that you transferred the period at the end of the sentence into your process names that need to be killed.

Hey Yvan,

At this point I’m more concerned about quick and easy detection than removal.

Presently I use AdwareMedic to do the actual removal and recently had just cause to use it after installing the now scum-ware product uTorrent which put Conduit (if memory serves) on my system.

Just to be different and get some practice I wrote a shell script instead of an AppleScript.

I’ve written this to be run from the Terminal (which runs 24/7 on my system), so I can switch over - type ‘mal’ - and get a report.

I probably want to move the file list to its own file to make it easier to manage, but at this point I’m still experimenting.

NOTE: To be sure to get the script text verbatim use the {Open this Scriplet in your Editor} link. If you copy & paste the script will fail due to the way the MacScripter webpage displays the text.

#! /usr/bin/env bash
# Auth: Christopher Stone <scriptmeister@thestoneforge.com>
# dMod: 2015/02/07 16:57
# Task: Produce a report indicating if any of the listed adware files or directories exist.

read -r -d '' fileList <<'EOF'
/Applications/Genieo
/Applications/InstallMac
/Applications/SearchProtect.app
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
/Library/Application Support/Conduit/
/Library/Frameworks/GenieoExtra.framework
/Library/InputManagers/CTLoader/
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/Library/PrivilegedHelperTools/Jack
/private/etc/launchd.conf
/System/Library/Frameworks/v.framework
/System/Library/Frameworks/VSearch.framework
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib
~/Conduit/
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/Caches/com.Conduit.takeOverSearchAssestsMac
~/Library/Caches/com.VSearch.bulk.installer
~/Library/Caches/com.VSearch.VSinstaller
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
~/Library/Preferences/com.geneio.global.settings.plist
~/Library/Preferences/com.geneio.settings.plist.lockfile
~/Library/Preferences/com.genieo.global.settings.plist.lockfile
~/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState
~/Library/Saved Application State/com.VSearch.bulk.installer.savedstate
~/Trovi/
EOF

foundList="";
notFoundList="";

fileList=$(sed -E 's|^~|'"$HOME"'|' <<< "$fileList");

while read -r lineVar; do
	if [ -d "$lineVar" ] || [ -f "$lineVar" ]; then
		foundList="${foundList}File $lineVar\t•••• FOUND! ••••\n"
	else
		notFoundList="${notFoundList}File $lineVar\t.... not found ....\n"
	fi
done <<< "$fileList"

sep="----------------------------------------------------------------------------------\t-------------------\n";

echo "";
echo -e "${sep}MALWARE FILE SEARCH\t \n$sep$foundList$sep$notFoundList" | column -t -s'	';
echo "";

  • Edit 2015/02/07 17:01 CST: removed several duplicate file paths from the script.
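A list-driven variant of the check above with the path list moved into its own file, as the post proposes. This is an added example, not Chris's script: the list format (one path per line, blank lines and "#" comments ignored, a leading "~" standing for the home folder), the function names and the constructed sample list are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example: a presence check whose path list lives in a separate file,
# so updates from Apple's note can be pasted in without touching the script.
# Assumed list format: one path per line; blank lines and '#' comments are
# ignored; a leading '~' stands for $HOME. Paths may contain spaces.

# expand_path LINE -> prints LINE with a leading ~ replaced by $HOME
expand_path() {
	case "$1" in
		'~'*) printf '%s\n' "$HOME${1#?}" ;;   # drop the ~, prefix the home folder
		*)    printf '%s\n' "$1" ;;
	esac
}

# report LISTFILE -> one line per entry; returns 1 if any listed path exists
report() {
	local line path found=0
	while IFS= read -r line || [ -n "$line" ]; do
		case "$line" in ''|'#'*) continue ;; esac     # skip blanks and comments
		path=$(expand_path "$line")
		# -e covers files and folders; -L also flags a dangling symlink
		if [ -e "$path" ] || [ -L "$path" ]; then
			printf 'FOUND      %s\n' "$path"
			found=$((found + 1))
		else
			printf 'not found  %s\n' "$path"
		fi
	done < "$1"
	[ "$found" -eq 0 ]
}

# count_found LISTFILE -> prints how many listed paths exist; always returns 0
count_found() {
	report "$1" | grep -c '^FOUND' || true
}

# demo_count -> runs the check against a constructed fixture in a temporary
# home folder (stand-in names, not real indicators) and prints the hit count
demo_count() {
	local tmp saved_home
	tmp=$(mktemp -d) || return 1
	saved_home=$HOME
	HOME=$tmp
	mkdir -p "$HOME/Library/LaunchAgents"
	: > "$HOME/Library/LaunchAgents/com.example.fake.plist"
	cat > "$tmp/adware.list" <<'EOF'
# constructed sample list for the demo
~/Library/LaunchAgents/com.example.fake.plist
~/Applications/NotThere.app

/private/etc/EXAMPLE-path-that-does-not-exist
EOF
	count_found "$tmp/adware.list"
	HOME=$saved_home
	rm -rf "$tmp"
}

# Usage: bash check-adware.sh adware.list   (exit status 1 when something is found)
if [ $# -ge 1 ]; then
	report "$1"
fi
```

The non-zero exit status when something is found is what lets the check run unattended (cron, a launchd job of your own) and only alert on a hit; the report text itself is for the Terminal.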

Hello Chris.

Nice script. The formatting with cols didn’t work out. And I do have my custom written launchd.conf, users will have to open the launchd.conf, and see what is in there before they classify it as malware, and then they can edit away the malevolent parts.

I’m sure it looks good with tidy columns on your screen though. :slight_smile:

Thanks.

Hey McUsrII,

Grrf! Try making the following change:

echo -e "${sep}MALWARE FILE SEARCH\t \n$sep$foundList$sep$notFoundList" | column -t -s'	';
echo -e "${sep}MALWARE FILE SEARCH\t<literal NBS>\n$sep$foundList$sep$notFoundList" | column -t -s'<literal-tab>';
  • NBS = Non-Breaking-Space = Opt-Space.

I was able to hit the {Open this Scriplet in your Editor} link, copy the result from Script Debugger into BBEdit and run, so I hoped this would just work.

I haven’t monkeyed with launchd items (yet).

Since launchd.conf is not likely to change very often I’d probably pull it out of the file-list and make a specific test for it using a Hash value, so it will only throw a flag if the Hash changes.

If you shoot me your email address I’ll send you the script text directly, and hopefully it will run properly for you.

Christopher Stone listmeister@thestoneforge.com
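The hash-based test for launchd.conf described above, written out as an added example (not Chris's script). It assumes sha256sum(1) (GNU coreutils) or shasum(1) (macOS) is available and lets the caller choose where the baseline file lives; the file contents in the demo are constructed.

```shell
#!/usr/bin/env bash
# Added example: a baseline-hash test for one file such as /private/etc/launchd.conf.
# The file is flagged only when its SHA-256 differs from a recorded baseline, so a
# deliberately customised launchd.conf is not reported every run, while one that
# appears or changes behind the user's back is. Assumes sha256sum(1) (GNU) or
# shasum(1) (macOS) is installed; the baseline file path is chosen by the caller.

# file_hash PATH -> prints the SHA-256 of PATH, or the word "absent" if it does not exist
file_hash() {
	if [ ! -e "$1" ]; then
		printf 'absent\n'
	elif command -v sha256sum >/dev/null 2>&1; then
		sha256sum "$1" | cut -d' ' -f1        # GNU coreutils
	else
		shasum -a 256 "$1" | cut -d' ' -f1    # macOS
	fi
}

# record_baseline PATH BASELINEFILE -> stores the current hash (do this after inspecting the file)
record_baseline() {
	file_hash "$1" > "$2"
}

# check_baseline PATH BASELINEFILE -> prints one status line; returns
#   0 UNCHANGED, 1 CHANGED (inspect before deleting), 2 NO-BASELINE (first run)
check_baseline() {
	local now base
	now=$(file_hash "$1")
	if [ ! -r "$2" ]; then
		printf 'NO-BASELINE %s (current %s)\n' "$1" "$now"
		return 2
	fi
	base=$(cat "$2")
	if [ "$now" = "$base" ]; then
		printf 'UNCHANGED   %s\n' "$1"
		return 0
	fi
	printf 'CHANGED     %s (baseline %s, now %s)\n' "$1" "$base" "$now"
	return 1
}

# demo_baseline -> constructed fixture: record a baseline for a customised
# launchd.conf, re-check (unchanged), append a line, re-check (changed);
# prints the two return codes, expected "0 1"
demo_baseline() {
	local tmp conf base r1 r2
	tmp=$(mktemp -d) || return 1
	conf="$tmp/launchd.conf"
	base="$tmp/launchd.conf.sha256"
	printf 'setenv EXAMPLE_VAR 1\n' > "$conf"           # constructed admin setting
	record_baseline "$conf" "$base"
	if check_baseline "$conf" "$base" >/dev/null; then r1=0; else r1=$?; fi
	printf 'setenv PATH /tmp/EXAMPLE/bin\n' >> "$conf"  # constructed tampering
	if check_baseline "$conf" "$base" >/dev/null; then r2=0; else r2=$?; fi
	rm -rf "$tmp"
	printf '%s %s\n' "$r1" "$r2"
}

# Usage: bash launchd-check.sh /private/etc/launchd.conf ~/.launchd.conf.sha256
if [ $# -ge 2 ]; then
	check_baseline "$1" "$2"
fi
```

Because a missing file hashes to the fixed word "absent", the same test also catches the case McUsrII and Chris are discussing from the other side: a launchd.conf that did not exist when the baseline was taken and has since appeared is reported as CHANGED rather than silently treated as normal.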

Hello Chris.

It’s okay, I’ll have some fun mending it. I wonder if it works that way with quote tags as well, that you don’t get the real characters back into the editor.

The great thing about your script, is the report it gives, and not that it does anything. And a user that has done something with his launchd.conf, probably will look into it before deleting it. Problem is if some sysadmin has written some entries in the launchd.conf, setting global variables and the like.

So, launchd.conf should really be inspected before being deleted. That was my point.

Thanks.

Hello

I was busy so I have only just looked at your message.

I saw your second message saying:

I was able to hit the {Open this Scriplet in your Editor} link, copy the result from Script Debugger into BBEdit and run, so I hoped this would just work.

I don’t own Script Debugger so the text was sent to Apple’s Script Editor.
I don’t own BBEdit but have TextWrangler so I tried to do the same with this application.

Alas, when I hit “Run”, I get:
The operation couldn’t be completed, because an error occured.
This file doesn’t appear to contain a valid ‘shebang’ line (application error code: 13304)

For me, it’s like Chinese.

What must be changed to get a usable tool?

Yvan KOENIG (VALLAURIS, France) jeudi 5 février 2015 15:53:28

PS
Of course, I edited the last echo instruction according to what you posted in your second message.

Hey Yvan,

I have sent you the file via email.

I have also revised the script of post #4 to fix the blank-line-at-top issue that was preventing the shebang line from being seen.

Let me know if you have any more problems.

Thanks Christopher

Without the blank line the file was correctly executed.

I assume that if I had better knowledge of Unix I would have understood the problem by myself.

Yvan KOENIG (VALLAURIS, France) jeudi 5 février 2015 16:35:22

Hey Folks,

I got bit by Spigot recently after installing the once safe now unsafe BitTorrent client (currently in version 7.4.3), so I’ve added Spigot’s files to the file list.

I also had some piece of software install its own OSAX without telling me, so I am listing all scripting addition folders as part of the report.

Sometime soon I’ll probably add some other things like the InputManagers folders - I recently found one I didn’t know about, although it was benign.

I name my script ‘mal’ and install it in /usr/local/bin/ - which is in my path.

NOTE: To be sure to get the script text verbatim use the {Open this Scriplet in your Editor} link. If you copy & paste the script will fail due to the way the MacScripter webpage displays the text.

#! /usr/bin/env bash
# Auth: Christopher Stone <scriptmeister@thestoneforge.com>
# dCre: 2015/05/20 21:57
# dMod: 2015/06/24 05:38
# Task: Produce a report indicating if any of the listed adware files or directories exist.
# Alts: Added List Scripting Additions, Added Spigot Malware Check.

read -r -d '' fileList <<'EOF'
/Applications/Genieo
/Applications/InstallMac
/Applications/SearchProtect.app
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
/Library/Application Support/Conduit/
/Library/Frameworks/GenieoExtra.framework
/Library/InputManagers/CTLoader/
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/Library/PrivilegedHelperTools/Jack
/private/etc/launchd.conf
/System/Library/Frameworks/v.framework
/System/Library/Frameworks/VSearch.framework
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib
~/Conduit/
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/Application Support/Spigot/
~/Library/Application Support/Spigot/ApplicationManager
~/Library/Application Support/Spigot/Searchme.safariextz
~/Library/Caches/com.Conduit.takeOverSearchAssestsMac
~/Library/Caches/com.VSearch.bulk.installer
~/Library/Caches/com.VSearch.VSinstaller
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
~/Library/Preferences/com.geneio.global.settings.plist
~/Library/Preferences/com.geneio.settings.plist.lockfile
~/Library/Preferences/com.genieo.global.settings.plist.lockfile
~/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState
~/Library/Saved Application State/com.VSearch.bulk.installer.savedstate
~/Trovi/
EOF

foundList="";
notFoundList="";

fileList=$(sed -E 's|^~|'"$HOME"'|' <<< "$fileList");

while read -r lineVar; do
	if [ -d "$lineVar" ] || [ -f "$lineVar" ]; then
		foundList="${foundList}File $lineVar\t•••• FOUND! ••••\n"
	else
		notFoundList="${notFoundList}File $lineVar\t.... not found ....\n"
	fi
done <<< "$fileList"

sep="----------------------------------------------------------------------------------\t-------------------\n";

echo "";
echo -e "${sep}MALWARE FILE SEARCH\t \n$sep$foundList$sep$notFoundList" | column -t -s'	';
echo "";
sep2="------------------------------------------------------------------------------------------------------------";
echo "$sep2";
echo "User's Scripting Additions . ~/Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 ~/Library/ScriptingAdditions/
echo "";
echo "$sep2";
echo "System Scripting Additions . /Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 /Library/ScriptingAdditions/
echo "";
echo "$sep2";
echo "System Scripting Additions . /System/Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 /System/Library/ScriptingAdditions/
echo "";
echo "";
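The listings of the ScriptingAdditions folders above (and of the LaunchAgents folders in the later version) leave it to the reader to remember what was there last time. As an added example, not part of Chris's script, here is the same idea with a snapshot: record the contents of the persistence folders once, then report only what has appeared or disappeared since. The set of folders and the baseline file are the caller's choice; the fixture in the demo is constructed.

```shell
#!/usr/bin/env bash
# Added example: snapshot the persistence folders the report lists (LaunchAgents,
# LaunchDaemons, ScriptingAdditions) and show what appeared or disappeared since
# the last run, so a new agent stands out without remembering last month's listing.
# The set of folders and the baseline file are chosen by the caller.

# snapshot DIR... -> prints every top-level entry of the given folders, one per line, sorted
snapshot() {
	local dir
	for dir in "$@"; do
		[ -d "$dir" ] || continue              # a folder that does not exist is simply empty
		find "$dir" -mindepth 1 -maxdepth 1 -print
	done | LC_ALL=C sort
}

# diff_snapshot BASELINEFILE DIR... -> prints NEW/REMOVED lines; returns 1 if anything changed
diff_snapshot() {
	local old="$1" new changes
	shift
	new=$(mktemp) || return 2
	snapshot "$@" > "$new"
	# comm needs both inputs sorted the same way; snapshot() wrote both with LC_ALL=C
	changes=$(
		LC_ALL=C comm -13 "$old" "$new" | sed 's/^/NEW      /'
		LC_ALL=C comm -23 "$old" "$new" | sed 's/^/REMOVED  /'
	)
	rm -f "$new"
	[ -n "$changes" ] || return 0
	printf '%s\n' "$changes"
	return 1
}

# demo_diff -> constructed fixture: take a baseline, add one agent, remove one
# scripting addition, then print the differences (temp prefix stripped)
demo_diff() {
	local tmp base
	tmp=$(mktemp -d) || return 1
	mkdir -p "$tmp/LaunchAgents" "$tmp/ScriptingAdditions"
	: > "$tmp/LaunchAgents/com.example.known.plist"     # present at baseline time
	: > "$tmp/ScriptingAdditions/Known.osax"
	base="$tmp/baseline.txt"
	snapshot "$tmp/LaunchAgents" "$tmp/ScriptingAdditions" > "$base"
	: > "$tmp/LaunchAgents/com.example.newcomer.plist"  # appears after the baseline
	rm "$tmp/ScriptingAdditions/Known.osax"              # disappears after the baseline
	diff_snapshot "$base" "$tmp/LaunchAgents" "$tmp/ScriptingAdditions" | sed "s|$tmp/||"
	rm -rf "$tmp"
}

# Usage: bash persist-diff.sh baseline.txt ~/Library/LaunchAgents /Library/LaunchAgents /Library/LaunchDaemons
# The first run writes the baseline; later runs report differences against it.
if [ $# -ge 2 ]; then
	base="$1"; shift
	if [ -f "$base" ]; then
		diff_snapshot "$base" "$@"
	else
		snapshot "$@" > "$base" && printf 'baseline written to %s\n' "$base"
	fi
fi
```

Take the baseline right after a clean-up (or a fresh install) and refresh it whenever you knowingly add an agent; anything reported as NEW afterwards is something to open and read before deciding whether it belongs.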

Thanks Christopher

This one now replaces the old version, which I run once a month to check that the System is clean.

Yvan KOENIG (VALLAURIS, France) mercredi 24 juin 2015 17:16:25

Hey Folks,

Since the last posting I’ve added:

• The Transmission malware that came out a while back.
• The new malware discovered this year (January 2017).
• An edit switch for the command line - type “mal e” to edit in BBEdit, TextWrangler, or TextEdit.

-Chris

#!/usr/bin/env bash
# ------------------------------------------------------------------------------------------
# Auth: Christopher Stone <scriptmeister@thestoneforge.com>
# dCre: 2015/05/20 21:57
# dMod: 2015/06/24 06:20
# Task: Produce a report indicating if any of the listed adware files or directories exist.
# Cngs: 2015/06/20 21:04 : Added List Scripting Additions, Added Spigot Malware Check.
# Cngs: 2015/06/24 06:20 : Added Listing of LaunchAgents Folders.
# Cngs: ???/??/?? ??:?? : Added Transmission Malware.
# Cngs: 2017/01/20 03:03 : Added the "e" switch to allow editing in BBEdit - "mal e".
# Cngs: 2017/01/20 06:19 : Added Malware found in early 2017 OSX.Backdoor.Quimitchin.
# ------------------------------------------------------------------------------------------

editFlag="$1"

# "mal e" opens this script in the first available editor instead of running the report.
if [ "$editFlag" = 'e' ]; then
	malExe=$(which mal);
	open -a BBEdit "$malExe" || open -a TextWrangler "$malExe" || open -a TextEdit "$malExe";
	exit 0;
fi

read -r -d '' fileList <<'EOF'
/Applications/Genieo
/Applications/InstallMac
/Applications/SearchProtect.app
/Applications/Uninstall Genieo
/Applications/Uninstall IM Completer.app
/Library/Application Support/Conduit/
/Library/Frameworks/GenieoExtra.framework
/Library/InputManagers/CTLoader/
/Library/LaunchAgents/com.genieo.completer.update.plist
/Library/LaunchAgents/com.genieo.engine.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.client.plist
/Library/LaunchAgents/com.genieoinnovation.macextension.plist
/Library/LaunchDaemons/com.genieoinnovation.macextension.client.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/com.genieoinnovation.macextension.client
/Library/PrivilegedHelperTools/Jack
/private/etc/launchd.conf
/System/Library/Frameworks/v.framework
/System/Library/Frameworks/VSearch.framework
/usr/lib/libgenkit.dylib
/usr/lib/libgenkitsa.dylib
/usr/lib/libimckit.dylib
/usr/lib/libimckitsa.dylib
~/Conduit/
~/Library/Application Support/com.genieoinnovation.Installer/
~/Library/Application Support/Genieo/
~/Library/Application Support/Spigot/
~/Library/Application Support/Spigot/ApplicationManager
~/Library/Application Support/Spigot/Searchme.safariextz
~/Library/Caches/com.Conduit.takeOverSearchAssestsMac
~/Library/Caches/com.VSearch.bulk.installer
~/Library/Caches/com.VSearch.VSinstaller
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
~/Library/Internet Plug-Ins/TroviNPAPIPlugin.plugin
~/Library/LaunchAgents/com.genieo.completer.download.plist
~/Library/LaunchAgents/com.genieo.completer.ltvbit.plist
~/Library/LaunchAgents/com.genieo.completer.update.plist
~/Library/Preferences/com.geneio.global.settings.plist
~/Library/Preferences/com.geneio.settings.plist.lockfile
~/Library/Preferences/com.genieo.global.settings.plist.lockfile
~/Library/Saved Application State/com.genieo.RemoveGenieoMac.savedState
~/Library/Saved Application State/com.VSearch.bulk.installer.savedstate
~/Trovi/

# OSX/Keydnap - Transmission:
/Applications/Transmission.app/Contents/Resources/License.rtf
/Library/Application Support/com.apple.iCloud.sync.daemon/
/Volumes/Transmission/Transmission.app/Contents/Resources/License.rtf
~/Library/Application Support/com.apple.iCloud.sync.daemon/icloudsyncd
~/Library/Application Support/com.apple.iCloud.sync.daemon/process.id
~/Library/LaunchAgents/com.apple.iCloud.sync.daemon.plist
~/Library/LaunchAgents/com.geticloud.icloud.photo.plist

# OSX.Backdoor.Quimitchin - malware found in early 2017 targeting biomedical research centers.
~/.client
~/Library/LaunchAgents/com.client.client.plist
EOF

fileList=$(sed -E 's|^~|'"$HOME"'|' <<< "$fileList");

foundList="";
notFoundList="";

while read -r lineVar; do
	# Skip blank lines and the '#' section labels in the list above, so they are not reported as paths.
	case "$lineVar" in ''|'#'*) continue ;; esac
	if [ -d "$lineVar" ] || [ -f "$lineVar" ]; then
		foundList="${foundList}File $lineVar\t•••• FOUND! ••••\n"
	else
		notFoundList="${notFoundList}File $lineVar\t.... not found ....\n"
	fi
done <<< "$fileList"

sep="----------------------------------------------------------------------------------\t-------------------\n";

echo "";
# $'\t' is a literal tab, so the separator survives copy & paste from the web page.
echo -e "${sep}MALWARE FILE SEARCH\t \n$sep$foundList$sep$notFoundList" | column -t -s$'\t';
echo "";
sep2="------------------------------------------------------------------------------------------------------------";
echo "$sep2";
echo "User's Scripting Additions . ~/Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 ~/Library/ScriptingAdditions/
echo "";
echo "$sep2";
echo "System Scripting Additions . /Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 /Library/ScriptingAdditions/
echo "";
echo "$sep2";
echo "System Scripting Additions . /System/Library/ScriptingAdditions/";
echo "$sep2";
echo "";
ls -1 /System/Library/ScriptingAdditions/
echo "";
echo "$sep2";
echo "User Launch Agents . ~/Library/LaunchAgents/";
echo "$sep2";
echo "";
ls -1 ~/Library/LaunchAgents/
echo "";
echo "$sep2";
echo "Library Launch Agents . /Library/LaunchAgents/";
echo "$sep2";
echo "";
ls -1 /Library/LaunchAgents/
echo "";
echo "$sep2";
echo "System Library Launch Agents . /System/Library/LaunchAgents/";
echo "$sep2";
echo "";
ls -1 /System/Library/LaunchAgents/
echo "";
echo "";

Thanks Christopher.

Yvan KOENIG running Sierra 10.12.2 in French (VALLAURIS, France) samedi 21 janvier 2017 11:12:51