Tag Archives: spyware

Issues with AppSo crashes and high CPU use on a Mac?

We had a client report today about a strange thing that has started to happen on their Mac. They complain that the computer will begin to work fine, and slowly over time, the Mac will grind to a halt and begin to crash and freeze at times. They checked the Activity Monitor and noticed a process called “AppSo” taking up huge amounts of memory and processor usage. As it turns out, chances are pretty good that this Mac has a trojan horse installed onto it, probably from installing fake online-based utility programs like “Install Mac,” or “MacKeeper.” You may also see a pop-up window that says “Please run InstallMac compatibility test and updates for the upcoming Mac OSX.” These programs typically have full access to your Mac, and then proceed to install backdoor programs to capture your data and make it appear as if your Mac is having problems (which it creates).

So, we have to first determine if we in fact are infected by these types of Trojan Horse programs. It’s pretty easy to determine by going to the “Go” menu and choosing “Go To Folder…” in the Macintosh finder. When the search box appears, type in this path:

~/Library/LaunchAgents

That is the user library, not the system library. Inside this folder, look for some files that look like the following examples:

something.ltvbit.plist

something.download.plist

something.update.plist

The “something” above may contain random names. These are just a few examples, and there could be many variations of them, such as:

MacKeepr, InKeepr, Javeview, Leperdvil, Manroling, Totiteck, etc.

BACKUP YOUR MAC FIRST! If you happen to see any or all of these files, you must move them to the trash to get rid of this Mac trojan horse. Simply move any one of those folders that contained our example above into the trash. You may have a now-empty LaunchAgents folder, and that is perfectly OK.

Let’s go to the Finder’s “GO” menu again and choose “Go To Folder…” and type in:

~/Library/Application Support

Locate any of the files in this folder that we noticed in our examples above. Remove anything that contains those names.

You can then head to your Applications folder on your Mac and locate any items that contain any of our example names from above, or, “ZipDevil.” Move these items to the trash as well.

Restart your Mac.

At this point when you come back after your restart, you should be able to empty your Mac’s trash in the Finder.

You may also want to check all of your browsers for extensions that shouldn’t be there or that look unfamiliar. This includes Safari, Chrome and Firefox. These extensions can be the door that the trojan horse used to get into your Macintosh. It wouldn’t be a bad idea to consider using some Macintosh anti-virus and anti-trojan software such as Norton Antivirus or Trend Micro Antivirus.

Please leave some comments if you have issues with this procedure, or, just want to let us know that you indeed had a Macintosh Trojan Horse!



Another Day, Another Phishing Scam.


Don’t fall for these realistic-looking phishing scams!

I just got this screenshot from a Capital Mac Service customer that looks pretty scary. Fortunately, this is yet another version of a typical scam going around the Internet. Just clicking on a weblink brought this webpage up, which basically traps you on the page: you cannot get off of it without force quitting your browser. These types of scams try to trick you into thinking you have a virus or spyware on your Mac (or PC and Android, as I found out by digging deeper). When you click through, they ask for a credit card number to remove this fake spyware and virus from your computer. If you visit the page where this scam comes from (see it here), you can see all the various directories with various scary webpages warning you about this virus you may have. They have different scareware pages for different operating systems! DO NOT fall for these scams when surfing the web. Take a screenshot and contact us if you like so we can educate further on the dangers of these fake and fraudulent sites trying to steal your credit card and other personal information.

Certificate Errors (Adware ib.adnxs.com) While Using Safari (SOLVED)

Here’s a fun one I ran into this evening on a client’s computer. When we launched Safari and tried to go to most any website (Yahoo being the most reproducible), we were greeted with a constant barrage of pop-up windows (advertising MacKeeper), or a certificate error pointing to a website called ib.adnxs.com, which is a form of adware (sort of a virus if you want to call it that). Doing some research on the subject, I found out that to remove this malicious software from Safari, you must remove the following components manually:

  • /Library/Application Support/VSearch
  • /Library/LaunchAgents/com.vsearch.agent.plist
  • /Library/LaunchDaemons/com.vsearch.daemon.plist
  • /Library/LaunchDaemons/com.vsearch.helper.plist
  • /Library/LaunchDaemons/Jack.plist
  • /Library/PrivilegedHelperTools/Jack
  • /System/Library/Frameworks/VSearch.framework

You simply navigate to each of these places on your hard drive and drag the files listed above to the trash. You may have most of them and not all of them (what we witnessed), but remove the ones that you find. It will ask for your admin password each time, which is normal. When done, restart your computer and empty the trash. Upon launching Safari, we no longer had certificate errors pointing to ib.adnxs.com. Please feel free to contact Capital Mac Service if you have any difficulty finding or removing these files.
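
A read-only check covering both the LaunchAgents/Application Support/Applications procedure in the AppSo article and the VSearch component list above, as an added example that is not part of the original posts. The function names and the root-prefix argument (handy for pointing the check at a mounted backup) are assumptions of this example.

```shell
#!/bin/sh
# Read-only audit: prints candidate items for manual review, deletes nothing.
# A hit is a name match only; legitimate software can also ship a *.update.plist.

# Example names listed in the AppSo article, plus "ZipDevil".
VENDOR_NAMES='MacKeepr InKeepr Javeview Leperdvil Manroling Totiteck ZipDevil'

# Component paths listed in the ib.adnxs.com article.
VSEARCH_PATHS='/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework'

# scan_user HOME_DIR APPS_DIR
# Lists LaunchAgents plists with the suffixes from the article, then anything
# in the three folders whose name contains one of the example names.
scan_user() {
    agents="$1/Library/LaunchAgents"
    {
        if [ -d "$agents" ]; then
            find "$agents" -maxdepth 1 -type f \( -name '*.ltvbit.plist' \
                -o -name '*.download.plist' -o -name '*.update.plist' \)
        fi
        for dir in "$agents" "$1/Library/Application Support" "$2"; do
            [ -d "$dir" ] || continue
            for name in $VENDOR_NAMES; do
                find "$dir" -mindepth 1 -maxdepth 1 -iname "*$name*"
            done
        done
    } | sort -u   # a file matching both a suffix and a name is reported once
}

# check_vsearch ROOT
# ROOT is "" for the running system, or a prefix such as a mounted volume.
check_vsearch() {
    printf '%s\n' "$VSEARCH_PATHS" | while IFS= read -r path; do
        if [ -e "$1$path" ]; then printf '%s\n' "$1$path"; fi
    done
}

# Audit the current user and the system-wide VSearch locations.
scan_user "$HOME" /Applications
check_vsearch ""
```

No output means none of the listed names or paths were found; it does not rule out variants with other names.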