We had a client report today about a strange thing that has started to happen on their Mac. They complain that the computer will begin to work fine, and then slowly, over time, the Mac will grind to a halt and begin to crash and freeze. They checked the Activity Monitor and noticed a process called “AppSo” taking up huge amounts of memory and processor time. As it turns out, chances are pretty good that this Mac has a trojan horse installed on it, probably from installing fake online utility programs like “Install Mac” or “MacKeeper.” You may also see a pop-up window that says “Please run InstallMac compatibility test and updates for the upcoming Mac OSX.” These programs typically have full access to your Mac, and then proceed to install backdoor programs that capture your data and make it appear as if your Mac is having problems (which the trojan itself creates).
So, we have to first determine if we in fact are infected by these types of Trojan Horse programs. It’s pretty easy to determine by going to the “Go” menu and choosing “Go To Folder…” in the Macintosh finder. When the search box appears, type in this path:
That is the user library, not the system library. Inside this folder, look for some files that look like the following examples:
The “something” above may be a random name. These are just a few examples; there could be many variations, such as:
MacKeepr, InKeepr, Javeview, Leperdvil, Manroling, Totiteck, etc.
BACK UP YOUR MAC FIRST! If you happen to see any or all of these files, you must move them to the trash to get rid of this Mac trojan horse. Simply move any file or folder that matches the examples above into the trash. You may now have an empty LaunchAgents folder, and that is perfectly OK.
Let’s go to the Finder’s “GO” menu again and choose “Go To Folder…” and type in:
Locate any of the files in this folder that we noticed in our examples above. Remove anything that contains those names.
You can then head to your Applications folder on your Mac and locate any items that contain any of our example names from above, or “ZipDevil.” Move these items to the trash as well.
Restart your Mac.
At this point when you come back after your restart, you should be able to empty your Mac’s trash in the Finder.
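As an added example (not part of the original post), here is a small shell script that does the "look for files with these names" part of the procedure above in a repeatable way. It scans launch-agent folders for .plist files whose names contain the indicator strings listed in this post and prints what it finds; it is report-only and deletes nothing, so you can review each hit before moving it to the trash. The user LaunchAgents folder comes from the post; /Library/LaunchAgents and /Library/LaunchDaemons are assumed extra locations to check, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. Report-only scan of
# launchd folders for plists whose file names contain the indicator
# strings the post lists. Nothing is deleted.

# Indicator substrings taken from the post (matched case-insensitively).
INDICATORS="MacKeepr InKeepr Javeview Leperdvil Manroling Totiteck ZipDevil AppSo"

# scan_launch_dirs DIR... : prints the path of every .plist in the given
# folders whose name contains an indicator. Returns 0 if anything matched,
# 1 otherwise. Folders that do not exist are skipped silently.
scan_launch_dirs() {
    found=1
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -e "$f" ] || continue
            name=$(basename "$f" | tr '[:upper:]' '[:lower:]')
            for ind in $INDICATORS; do
                lc=$(printf '%s' "$ind" | tr '[:upper:]' '[:lower:]')
                case "$name" in
                    *"$lc"*) printf '%s\n' "$f"; found=0; break ;;
                esac
            done
        done
    done
    return $found
}

# show_strings FILE : prints the <string> values of a launchd plist (label,
# program path, arguments) so you can see what the entry starts before
# deciding whether it belongs. Simple text extraction, not a full parser.
show_strings() {
    grep -o '<string>[^<]*</string>' "$1" | sed 's/<[^>]*>//g'
}

# Run with "--scan" to check the user folder named in the post plus the two
# assumed system folders; review each hit, then trash it by hand.
if [ "${1:-}" = "--scan" ]; then
    if hits=$(scan_launch_dirs "$HOME/Library/LaunchAgents" \
                               /Library/LaunchAgents /Library/LaunchDaemons); then
        for h in $hits; do
            echo "== $h"; show_strings "$h"
        done
    else
        echo "no indicator matches in launchd folders"
    fi
fi
```

Run it as `sh scan_agents.sh --scan` (any file name works). A hit is a reason to look, not proof on its own: names are easy to change, so an empty result does not clear the machine, and a matching name should still be opened and read before it goes to the trash.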
You may want to also consider checking all of your browsers for extensions that shouldn’t be there or look unfamiliar. This includes Safari, Chrome and Firefox. These extensions can be the door that the trojan horse used to get into your Macintosh. It wouldn’t be a bad idea to consider using some Macintosh anti-virus and anti-trojan software such as Norton Antivirus or Trend Micro Antivirus.
Please leave some comments if you have issues with this procedure, or just want to let us know that you indeed had a Macintosh Trojan Horse!