Removes Malwarebytes MacKeeper

Play it safe: Detect and delete adware on your Mac

It cannot be said often enough: macOS is practically not at risk from malware, a virus scanner is almost superfluous to protect Mac users. Only Windows can find malware that deletes and encrypts data, spies on users and turns PCs into part of a botnet. The adware that occurs occasionally on Macs, also called PUA or grayware by experts, is comparatively harmless. It's a whole class of advertising tools that redirect the browser to search engines like Yahoo, integrate the Mac into advertising networks, or install unwanted demo versions of Mackeeper and iBoost - all annoying, but not really dangerous. The user notices that the Mac is a victim of adware, for example, when suddenly Yahoo is set as the homepage and the browser's search engine.

What is the purpose of adware?

Adware is not a computer crime, it is annoying advertising - a kind of agency visit to the Internet. So far, Mac users have been as good as spared this aggressive form of online marketing, but it has long been a permanent nuisance for Windows users. The reason why adware is so prevalent is simple: it is a profitable business. If an adware author successfully places tools such as ZipCloud or iBoost on the computer of an ignorant user, there are always inexperienced users who buy this software. Since the commissions are up to 50 percent of the sales price, even the comparatively small (but financially strong) Mac community has become interesting. The ZipCloud cloud service, which is often installed unintentionally, is by no means malware, but rather an unsuccessful online service for managing compressed files.

The ailing Google competitor Yahoo apparently also pays a high commission fee, as a redirect to their website is one of the most common adware targets.

In the gray area: download pages

In most cases, adware victims get their marketing infection through an installer. This hardly looks any different from an everyday app installer, but in addition to the desired program, it installs a second tool or changes browser preferences.

There are two categories of installers: harmless and less harmless. The installers from download sites are rather harmless. If you want to load a freeware program such as Skype or Onyx from software sources such as Macupdate, or, the downloaded data is often unusually small. If you open the DMG file, you will find an installation program from the website operator instead of the desired program. Only this tool loads the desired freeware onto the computer - providers justify this with greater ease of use - doubts are appropriate. Often the user has to click through several windows until he has finally downloaded and installed the program. What many users overlook during the installation is a so-called opt-out option in one of the windows: If you do not check a particular box in one of the menus or choose an option such as “Skip”, the installer automatically installs an advertising program or runs one Reconfiguration from Safari. Many users do not even notice this, as they are used to clicking "Accept" several times during installations.

Often you don't notice the adware infestation immediately: But at some point you wonder about a new icon in the menu bar and wonder why the Mackeeper or Zip Cloud tool is suddenly installed on your Mac. Incidentally, the software installed by the adware changes constantly with some installers, apparently over seventy programs and services are distributed in this dubious way.

Macupdate: Adware on download sites

Some users saw it as breaking a taboo, the site operator MacUpdate, one of the most popular download sites for the Mac, was forced to do so for financial reasons: Since November, MacUpdate has only started to offer some software via installation tool. If you load a freeware like Onyx via the site, you will also be asked to install advertising software via the tool. Sites like Cnet, Softonic and have been doing this for a long time, but MacUpdate has so far had an excellent reputation as a reliable software source.

Nobody has anything against a software manufacturer financing himself through advertising - unless he is crossing borders in the process. Adobe recommends a demo version of Lightroom when downloading the Flash player. If, on the other hand, the adware comes from the operator of a download portal such as MacUpdate and an erroneous installation is very likely, we perceive this as far more problematic, as the reputation of the software manufacturer suffers at the same time. If tuning tools like Mackeeper are installed unintentionally, the limits to scareware are exceeded: Mackeeper claims on every computer that he has found problems and the Mac is at risk. The fact that the tool's system optimizations are often dangerous for stability makes things even more difficult. But even small tricks, like reconfiguring all browsers for Yahoo, are bad style. Inexperienced users often need some time to recognize and correct this configuration change.

The unwanted installation of annoying tools has already caused some complaints on social networks; in the long run, the reputation of sites like MacUpdate could suffer from this adware. That would be a shame, as the detailed software reviews by visitors to the site are very valuable.

The installers are sometimes quite complex. Some adware tools even check whether antivirus software is installed or whether the adware is already on the computer.

These more complex installers are not developed by hackers, but by regular companies such as Genieo and Iron Source. For example, installers for most download sites were created using a kit from the InstallCore brand.

Incidentally, an installation is not always carried out. This is how versions of the MacUpdate Installer installed browser extensions and demo versions. The current version of the constantly changing tool only changes the search engine presets of Safari, Firefox and Google Chrome. Probable reason for this reluctance: An old version of the installer triggered virus alarms in many antivirus scanners.

Should you therefore avoid download sites? Often times the App Store is still unable to replace sites like Macupdate. In order to find out about new app versions or freeware tools, they are therefore still essential. We recommend, however, that it is better to download software directly from the app developer's side and to proceed with installations with open eyes.

A second category of installers is less harmless. They use illegal means and disguise themselves as browser extensions, video players or Flash updates, for example. These installers are often distributed via unsuspicious-looking websites that imitate reputable software sites. Here, too, the aim is not to install malware, but rather adware.

One tool pretended to be an installer for the freeware download shuttle, but actually installed tools like Genieo, VSearch and Mackeeper. Genieo and VSearch go one step further than “legal” adware and use so-called ad-injection functions - a background program ensures that Safari displays certain advertisements. The tools sometimes even use security holes in macOS to install advertising software. Under OS X 10.10, one of these installers was able to bypass a security query before the installation. Since a dialog window appears before the installation of a Safari extension, the tool carried out the mouse click itself using a script. Another tool specifically changed the ad blocker list of a browser ad blocker. However, this vulnerability has already been closed under OS X 10.11.

Beginners: Remove with Malwarebytes

Adware is not new, so Apple has published a guide on how to find and remove adware in its support area. However, the instructions are aimed more at experienced users and do not take into account newer adware versions.

If you suspect a computer has been infected by malware, we therefore recommend a system check with the anti-malware software from Malwarebytes as the first step. Like its predecessor Adware Medic, the freeware specializes in Mac adware and is constantly updated. The operation is suitable even for computer beginners: Open the program and click on the "Scan" button. The strength of the tool is the quick detection and deletion of known adware. Anti-Malware conveniently removes adware such as Genieo and Vsearch, which are perpetuated in up to nine different system folders.

However, the software does not remove unwanted demo versions such as Mac Keeper or iBoost. You have to uninstall this manually or use an uninstaller from the software manufacturer - unfortunately, some research is often required. The tool is also powerless if an installer only changes system settings, like the Macupdate installer. After all, the installer only carries out this reconfiguration once. It is therefore sufficient to simply restore the original state.Professionals: KnockKnock

The KnockKnock tool takes a completely different approach to malware searches: while Anti-Malware searches for and removes typical files of known adware, the freeware systematically checks all data in problematic system folders. In principle, the somewhat curiously named tool does exactly what an experienced user would do: search for suspicious files at critical points.

Although this is the most thorough method, evaluating the results requires a lot of experience and takes longer. The tool only lists the browser extensions for Firefox and Google Chrome. Safari extensions cannot check. It is helpful with adware like VSearch, which appears again and again under different names - but uses the same methods. In order for adware to work, it has to be installed in certain folders on the Mac - such as the startup items or the frameworks. KnockKnock checks all files in the affected folders and reports known adware or malware. Files known to be malware are marked in red. If you find an unknown file, you can check it with a click of the mouse using the Virustotal web service. A tip for beginners: it is often sufficient to perform a simple scan with the tool. KnockKnock can detect some adware as early as the first run.

Protection by XProtect and antivirus software

The malware filter from Apple integrated into the system offers little protection against adware. The Apple program detects and blocks several dozen malware tools during a download (by the way, these are mainly adware from Genieo & Co.). The protection software, also known as XProtect, fails with tools that are installed on the computer and is often updated too slowly with newer threats. Unfortunately, even the smallest changes to the adware tools are enough to prevent XProtect from recognizing the malware.

Conventional antivirus programs are not very successful in detecting adware. Although they explicitly promise it, programs like Kaspersky Antivirus, Sophos or Avira have only limited protection in our experience. Only very few antivirus scanners classify the installers of download portals as malware. But this is not a failure of these manufacturers, because legally the operators of download portals do not do anything illegal. After all, tools like Mackeeper are not malware, but - as experts call them - "Potentially Unwanted Applications". As Stefan Rojacher from Kaspersky confirms, the manufacturer of a virus scanner must avoid being too strict, as false alarms, i.e. warnings from harmless software, are a major problem with anti-virus software. Therefore, only programs that exceed a certain limit would be classified as malware. A Yahoo browser extension or a system tool such as Mackeeper can ultimately also be a tool desired by the user that informs the user about the installation in the installer.

Few antivirus software manufacturers are more aggressive, as some tests with the show. The web service enables suspicious files to be checked simultaneously with 53 different virus scanners - all you have to do is upload a file and after a short waiting period you will be presented with the check result. With the MacUpdate download tool and other adware tools, very few virus scanners sounded the alarm in our samples. Doctor Web, Sophos and AVG scanners achieve good results. Unfortunately, the result only applies to the PC version of the AVG scanner, not the Mac version. When it comes to adware, the rather unknown scanner from Doctor Web makes the best impression. On the Windows platform, this is considered to be second class, but the manufacturer has been paying more attention to the Mac platform for several years. Nevertheless, we do not consider the installation of a virus scanner to be necessary. Adware is just too rare on the Mac to be worth it all the time. After all, the scanners intrude deep into the system and may cause more trouble than any adware. We therefore recommend testing suspicious installers with the Virus Total web service.


Fortunately, adware is rarely seen. But unfortunately it is not that easy for beginners to get rid of them. With the Malwarebytes solution, however, you can easily remove most pests. Troublemakers do not pose a real danger, so installing a virus scanner would be completely exaggerated - and annoying demos must be deleted by the user himself anyway.