A simple manual procedure for removing adware/malware on Mac OS X

Source: Internet  Editor: 程序博客网  Date: 2024/05/13 15:49

For browser-hijacking malicious plug-ins and software, such as MacKeeper, Mac Cleaner and similar rogue software: how do you locate their installed files and configuration data, and remove them?

They can be identified by checking the following areas.



1. Examine the auto-start (launchd) items under the user and system directories


ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/



Directories covered:

/Library/LaunchAgents/

/Library/LaunchDaemons/

~/Library/LaunchAgents/



Simplified: look only at the plist files


ls -alF /Lib*/Launch*/*.plist ~/Lib*/Launch*/*.plist



2. Check whether executable script files exist under /etc

ls -alF /private/etc/*.sh



3. Check for AppleScripts running in the background that interfere with the browser

Check the Activity Monitor window or the process list.


4. Inspect the background jobs running at both user and system level (excluding Apple's own)


launchctl list | grep -v apple 

sudo launchctl list | grep -v apple 


(1) Process status

ps -axo user,pid,ppid,%cpu,%mem,start,time,command



5. Search the system Library and user Library directories for executable script files

sudo find /Library ~/Library -name "*.sh*"



6. Status of loaded kernel extensions (drivers) from third parties

kextstat | grep -iv apple




From a currently loaded plist file, find the field that points to the main program's location:

grep -iA3 program [path to file]


Under the system /Library, a directory whose name starts with a lowercase letter and that belongs to a third-party application is very likely a problem.

Any executable application inside the ~/Library/Application Support/ folder deserves suspicion.

Malware may build file names from random dictionary words, or mimic Apple's own files by naming itself something like com.apple.morkim.plist.

Check whether the application launch path referenced in each plist file is a normal one (under /Applications or the usual system locations); if it is not, record the launch path for removal.
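The plist checks above (list the LaunchAgents/LaunchDaemons plists, grep for the program field, compare the launch path against normal locations, and watch for com.apple.* names that point elsewhere) can be combined into one triage pass. The script below is an added example and not code from the original post: it works on XML plists with grep and sed only, so it runs on any Unix; the list of "normal" path prefixes in is_normal_path, the status names, and the three sample plists it constructs for a demo are all this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): triage the launchd plists in the
# directories listed above and flag jobs whose program path is not in a normal
# location, or whose com.apple.* label points outside system paths.
# Assumes XML plists; on macOS convert binary ones first with
#   plutil -convert xml1 -o - file.plist
# The set of "normal" path prefixes below is this example's own assumption.

is_normal_path() {
    case "$1" in
        /System/*|/usr/*|/bin/*|/sbin/*|/Applications/*|/Library/Apple/*) return 0 ;;
        *) return 1 ;;
    esac
}

# First <string> after the Program or ProgramArguments key, mirroring the
# post's `grep -iA3 program` check.
plist_program() {
    grep -iA3 '<key>Program' "$1" \
        | grep -o '<string>[^<]*</string>' \
        | head -n 1 \
        | sed 's/<string>\(.*\)<\/string>/\1/'
}

# Print one line per plist: STATUS label program
#   OK          program under a normal prefix
#   SUSPECT     program elsewhere (home directory, /tmp, ...)
#   FAKE_APPLE  label mimics com.apple.* but program is elsewhere
#   NOPROG      no Program/ProgramArguments found (inspect by hand)
triage_launch_dirs() {
    for dir in "$@"; do
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            label=$(basename "$f" .plist)
            prog=$(plist_program "$f")
            status=OK
            if [ -z "$prog" ]; then
                status=NOPROG
            elif ! is_normal_path "$prog"; then
                status=SUSPECT
            fi
            if [ "$status" = SUSPECT ]; then
                case "$label" in
                    com.apple.*) status=FAKE_APPLE ;;
                esac
            fi
            printf '%s %s %s\n' "$status" "$label" "$prog"
        done
    done
}

# Constructed sample plists (not real files from any infected system):
# one legitimate job, one random-word name, one fake com.apple.* label.
make_sample_dir() {
    sdir=$(mktemp -d)
    cat > "$sdir/com.example.updater.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
</dict>
</plist>
EOF
    cat > "$sdir/giraffe.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key><string>giraffe</string>
  <key>Program</key><string>/Users/demo/Library/Application Support/giraffe/giraffe</string>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
EOF
    cat > "$sdir/com.apple.morkim.plist" <<'EOF'
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.morkim</string>
  <key>ProgramArguments</key>
  <array>
    <string>/Users/demo/Library/Application Support/.morkim/morkim</string>
    <string>--quiet</string>
  </array>
</dict>
</plist>
EOF
    printf '%s\n' "$sdir"
}

# Stand-alone use: --demo runs on the constructed samples; --scan runs on the
# three directories the post lists (macOS only).
case "${1:-}" in
    --demo) sdir=$(make_sample_dir); triage_launch_dirs "$sdir"; rm -rf "$sdir" ;;
    --scan) triage_launch_dirs /Library/LaunchAgents /Library/LaunchDaemons \
                "$HOME/Library/LaunchAgents" ;;
esac
```

Run it with `sh triage.sh --demo` to see the three statuses, or `sudo sh triage.sh --scan` on a Mac. The OK/SUSPECT split is only a first filter: an application installed under /Applications can itself be the rogue software, so every label you do not recognise still needs to be opened and its launch path inspected as the post describes.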


Plug-in related directories:


/Library/Extensions/



Framework directory:

/System/Library/Frameworks



Chrome:

/Library/Application\ Support/Google/Chrome/External\ Extensions/



Safari:

~/Library/Safari/Extensions/

Browser plug-ins available to all users:

 /Library/Internet\ Plug-Ins/  

 /Library/Internet\ Plug-Ins/Disabled\ Plug-Ins


Browser plug-ins used by the current user:

~/Library/Internet\ Plug-Ins/



Firefox:

~/Library/Application\ Support/Firefox/Profiles/<random-characters>.default/extensions




Analysis of the infection process and how to resolve it:


https://discussions.apple.com/docs/DOC-7471


Disguised or misleading installation, followed by recovery

Recovery Procedure

 

Installing the most recent OS X version will block most forms of adware automatically. Read and follow the instructions contained in this Apple Support document: Stop pop-up ads in Safari.

 

If Safari appears to be blocked or "frozen" and you can't control it, please read Phony "tech support" / "ransomware" popups and web pages.

Web pages alleging your Mac is infected with something are extremely common, and 100% fraudulent.

Those fraudulent web pages should be considered criminal attempts to defraud you.

No additional actions are justified or should be taken based on the information that appears.

If you can't quit Safari normally, force it to quit by reading these instructions: Force an app to close on your Mac, then launch Safari again while holding a Shift key.

This action will prevent Safari's previously loaded web pages (including any problematic ones that may have caused the problem to begin with) from appearing upon launch.

 

After restarting your Mac, Safari should then be restored to normal.


JavaScript-based browser window locking and looping pop-up problems:

Quit the corresponding process from the Activity Monitor window and remove the associated files, or remove the com.apple.Safari.savedState directory (restarting Safari with the Shift key held prevents auto-resume of the saved pages).


Unlike other browsers in OS X, Safari hosts pages in separate running processes on your Mac. This makes them effectively be separate applications that will appear as such in OS X’s Activity Monitor utility. To identify the problematic Web page, make a note of its title and URL address, and then do the following in Activity Monitor:


Choose “All Processes” from the View menu.

Search for “Safari Web Content” in Activity Monitor’s search field.

Click on the Process Name column title to sort listings by this field so they won’t jump around in your view.

With this done, if you cannot see the URL of your Web page listed, then hover your mouse over each Safari Web Content process to see a list of the URLs represented by it. Once you have located the URL for the page that is giving you problems, select that Web Content process and use the “X” button in the toolbar to force it to quit. You should now be able to dismiss the JavaScript alert and close the page that is causing it.


Common threats, and the solution Apple gives:


https://discussions.apple.com/docs/DOC-8071


Solution (Mac):

 

Some of these scam popup messages are very easy to dismiss:

 

If a checkbox appears with the text "Don't show more alerts from this webpage", select it, then click the Leave Page or OK button.

If that option does not appear, try repeatedly and quickly clicking the Leave Page or OK button while also pressing the key combination ⌘ W.

If the Leave Page or OK button is not visible because the dialog box extends beyond your display's lower limit, the Return or Enter key should perform the equivalent action.

 

Either option may result in interrupting the script preventing you from closing the page normally. If it does, you're finished. If not, or you grow tired of that method, continue below.

 

Quit Safari. If necessary, force Safari to close by following these instructions: Force an app to close on your Mac - Apple Support.

Summary: choose  (Apple menu) > Force Quit...

Or, using three fingers press the three-key chord ⌘ (the Command key, next to the space bar) Option (the key next to it) Escape (the key at the upper left of your keyboard or Touch Bar).

A dialog box with the title Force Quit Applications will open.

Choose Safari, click the Force Quit button, and confirm the dialog with Force Quit again.

Close the dialog box.

Press and hold a Shift key and keep it depressed while launching Safari again.

When Safari opens, release the Shift key.

This action prevents Safari's previously loaded pages from loading again upon launch.

 

If that does not immediately fix the problem:

 

Force Safari to quit again.

Disconnect from the Internet by selecting Wi-Fi "off" in the Mac's menu bar, or disconnecting its Ethernet cable if you're not using wireless. See pictures below.

 

[Images: "Turn Wi-Fi off"; "Disconnect Ethernet cable (MacBook Pro)"; "Disconnect Ethernet cable (iMac)"]

 

Launch Safari again by pressing and holding a Shift key while launching Safari.

No pages will be able to load since you're not connected to the Internet.

Select the Safari menu > Preferences > General, and review your home page selection.

Select the Privacy pane > Remove All Website Data... > Remove Now.

After you reconnect to the Internet, you will need to sign in again with all websites that require authentication (such as this one).

Close the Preferences window.

(optional) Select the History menu > Clear History...

Choose an appropriate period to clear from the dropdown menu. That action will ensure you don't inadvertently navigate back to the same problematic web page.

Turn Wi-Fi back on again or reconnect your Ethernet cable.

 

You'll be back in business.

 

In an abundance of caution, consider the following additional actions. They are not required to eliminate the scam webpage, but you should review them to determine that certain Safari settings have not been unexpectedly altered.

 

Open Safari's Preferences... again and select Extensions. Uninstall any Extensions that you are not certain you require by clicking the Uninstall button.

If you are not sure what to uninstall, uninstall all of them. None are required for normal operation.

Select the Privacy pane. Verify "Cookies and website data" is configured the way you expect. If you are not certain what choice is appropriate, choose "Allow from websites I visit".

For OS X versions prior to Yosemite the equivalent preference is "Block cookies and other website data" > From third parties and advertisers.




