Mac OS X下Adware/malware 的簡單手動排除方法

針對浏覽器被劫持一類的惡意插件和軟體，如mackeeper，Mac Cleaner之類的流氓軟體，如何确定他們的安裝檔案及配置資訊，并進行移除？

可以通過以下幾方面進行确定。

1.分析使用者目錄和系統目錄下的自啟動項可執行檔案

ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/

包含目錄：

/Library/LaunchAgents/

/Library/LaunchDaemons/

~/Library/LaunchAgents/

簡化後，隻看plist檔案

ls -alF /Lib*/Launch*/*.plist ~/Lib*/Launch*/*.plist

2.檢查/etc目錄下是否存在可執行的腳本檔案

ls -alF /private/etc/*.sh

3.檢查背景存在運作的apple腳本對浏覽器執行進行影響

檢查monitor視窗或者程序

4.查驗使用者和系統兩個級别下正在執行的背景程序（排除apple）

launchctl list | grep -v apple 

sudo launchctl list | grep -v apple 

（1）程序狀況

ps -axo user,pid,ppid,%cpu,%mem,start,time,command

5.查找系統library及使用者library目錄下的可執行檔案

sudo find /Library ~/Library -name “*.sh*"

6.背景驅動狀态

kextstat | grep -iv apple

根據目前運作的plist檔案查找主程式目錄的字段：

cat [path to file] | grep -iA3 program

系統的/Library 下的檔案目錄如果以小寫字母開頭，然後是一個第三方開發的應用的話，則很可能存在問題。

~/Library/Application Support/ folder中的可執行應用均值得懷疑

可能會選用字典中單詞随機生成檔案名，也可以混淆apple的檔案，改名為com.apple.morkim.plist之類的， 

檢查plist檔案中所對應的應用啟動路徑，是否是正常路徑（applications及正常路徑下的），否則進行收集啟動路徑；

插件相關的檔案目錄：

/Library/Extensions/

架構目錄：

/System/Library/Frameworks

chrome：

/Library/Application\ Support/Google/Chrome/External\ Extensions/

Safari：

~/Library/Safari/Extensions/

所有使用者可以使用的浏覽器插件：

 /Library/Internet\ Plug-Ins/  

 /Library/Internet\ Plug-Ins/Disabled\ Plug-Ins

目前使用者使用的浏覽器插件：

~/Library/Internet\ Plug-Ins/

Firefox：

~/Library/Application\ Support/Firefox/Profiles/随機字元.default/extensions

感染過程和解決辦法分析：

​​https://discussions.apple.com/docs/DOC-7471​​

僞裝或誤導安裝，然後恢複

Recovery Procedure

Installing the most recent OS X version will block most forms of adware automatically. Read and follow the instructions contained in this Apple Support document: Stop pop-up ads in Safari.

If Safari appears to be blocked or "frozen" and you can't control it, please read Phony "tech support" / "ransomware" popups and web pages.

Web pages alleging your Mac is infected with something are extremely common, and 100% fraudulent.

Those fraudulent web pages should be considered criminal attempts to defraud you.

No additional actions are justified or should be taken based on the information that appears.

If you can't quit Safari normally, force it to quit by reading these instructions: Force an app to close on your Mac, then launch Safari again while holding a Shift key.

This action will prevent Safari's previously loaded web pages (including any problematic ones that may have caused the problem to begin with) from appearing upon launch.

After restarting your Mac, Safari should then be restored to normal.

JavaScript類的浏覽器視窗鎖定及循環彈窗問題：

從活動監視視窗關閉對應的程序，對關聯檔案進行移除，或者移除com.apple.Safari.savedState 檔案儲存目錄（restarting Safari with the Shift key held to prevent auto-resume）

Unlike other browsers in OS X, Safari hosts pages in separate running processes on your Mac. This makes them effectively be separate applications that will appear as such in OS X’s Activity Monitor utility. To identify the problematic Web page, make a note of its title and URL address, and then do the following in Activity Monitor:

Choose “All Processes” from the View menu.

Search for “Safari Web Content” in Activity Monitor’s search field.

Click on the Process Name column title to sort listings by this field so they won’t jump around in your view.

With this done, if you cannot see the URL of your Web page listed, then hover your mouse over each Safari Web Content process to see a list of the URLs represented by it. Once you have located the URL for the page that is giving you problems, select that Web Content process and use the “X” button in the toolbar to force it to quit. You should now be able to dismiss the JavaScript alert and close the page that is causing it.

常見威脅，蘋果給出的解決辦法：

​​https://discussions.apple.com/docs/DOC-8071​​

Solution (Mac):

Some of these scam popup messages are very easy to dismiss:

If a checkbox appears with the text "Don't show more alerts from this webpage", select it, then click the Leave Page or OK button.

If that option does not appear, try repeatedly and quickly clicking the Leave Page or OK button while also pressing the key combination ⌘ W.

If the Leave Page or OK button is not visible because the dialog box extends beyond your display's lower limit, the Return or Enter key should perform the equivalent action.

Either option may result in interrupting the script preventing you from closing the page normally. If it does, you're finished. If not, or you grow tired of that method, continue below.

Quit Safari. If necessary, force Safari to close by following these instructions: Force an app to close on your Mac - Apple Support.

Summary: choose  (Apple menu) > Force Quit...

Or, using three fingers press the three-key chord ⌘ (the Command key, next to the space bar) Option (the key next to it) Escape (the key at the upper left of your keyboard or Touch Bar).

A dialog box with the title Force Quit Applications will open.

Choose Safari, click the Force Quit button, and confirm the dialog with Force Quit again.

Close the dialog box.

Press and hold a Shift key and keep it depressed while launching Safari again.

When Safari opens, release the Shift key.

This action prevents Safari's previously loaded pages from loading again upon launch.

If that does not immediately fix the problem:

Force Safari to quit again.

Disconnect from the Internet by selecting Wi-Fi "off" in the Mac's menu bar, or disconnecting its Ethernet cable if you're not using wireless. See pictures below.

off.png pro.jpg iBack.jpg

Turn Wi-Fi "off" Disconnect Ethernet cable (MacBook Pro)Disconnect Ethernet cable (iMac)

Launch Safari again by pressing and holding a Shift key while launching Safari.

No pages will be able to load since you're not connected to the Internet.

Select the Safari menu > Preferences > General, and review your home page selection.

Select the Privacy pane > Remove All Website Data... > Remove Now.

After you reconnect to the Internet, you will need to sign in again with all websites that require authentication (such as this one).

Close the Preferences window.

(optional) Select the History menu > Clear History...

Choose an appropriate period to clear from the dropdown menu. That action will ensure you don't inadvertently navigate back to the same problematic web page.

Turn Wi-Fi back on again or reconnect your Ethernet cable.

You'll be back in business.

In an abundance of caution, consider the following additional actions. They are not required to eliminate the scam webpage but you should review them to determine certain Safari settings have not been unexpectedly altered.

Open Safari's Preferences... again and select Extensions. Uninstall any Extensions that you are not certain you require by clicking the Uninstall button.

If you are not sure what to uninstall, uninstall all of them. None are required for normal operation.

Select the Privacy pane. Verify "Cookies and website data" is configured the way you expect. If you are not certain what choice is appropriate, choose "Allow from websites I visit".

For OS X versions prior to Yosemite the equivalent preference is "Block cookies and other website data" > From third parties and advertisers.