What Is AdLoad Mac Virus?
AdLoad is an adware infection that installs a Man-in-the-Middle (MITM) web proxy to redirect the user's web traffic through the attacker's own preferred servers. The aim is to take over and redirect users' web browsers for financial gain. As the number of incidents of the aggressive AdLoad macOS malware has increased over the last few months, it continues to evade built-in macOS security and many third-party security solutions. AdLoad has been around for quite some time now; however, its developers keep updating the software so that it is no longer detected by anti-malware programs. We'll take a deeper look at how AdLoad adapts to evade many macOS anti-malware solutions and discuss how to properly detect it.

AdLoad is an adware program that is bundled with other software and distributed for free. It is believed that the malware authors are targeting macOS users, because the adware has been observed to be prevalent in French, Turkish, and Russian communities. The advertising companies that distribute this adware offer a software bundle full of other applications as a way to increase their distribution count. The bundle typically includes legitimate applications such as image editors, media players, download managers, compression software, etc.
AdLoad is a malicious software program that installs under various names: Kreberisc, Apollo, Aphroditesearchdaemon, etc. The names are not completely random. Most of them follow one of these patterns:
- <name>SearchDaemon
- <name>Lookup
- <name>Search
- <name>Results
or a combination of the above.
Some of the more recent names used include:
QuickSearchTool, Kreberisec, GlobalConsoleSearch, EABSearch, AccessibleSearchEngine, SearchAdditionally, SimpleFunctionSearch, ResultSync, etc.
Why Am I Not Protected From AdLoad?
In Apple's current XProtect definition for AdLoad, the string "getSafariVersion" must be present in the binary for the rule to detect it.
(In that rule, the string labelled b1 is "getSafariVersion".)
Malware authors have long since rewritten their code, and current variants no longer contain that string. That makes the XProtect rule ineffective against the malware, because the rule treats the string as necessary (though not sufficient) for a detection. To avoid simple static detection, the files also carry different hash values, although they are often of similar sizes.
How Can I Remove the AdLoad Virus?
Step 1: Uninstall AdLoad and remove related files and objects
- Open Finder --> click Go --> click Utilities
- Find Activity Monitor and open it
- Review all the processes in Activity Monitor and write down the ones related to the AdLoad virus
- Select Quit
- To kill the malicious process, choose the Force Quit option.
AdLoad doesn't stop at a LaunchAgent and a LaunchDaemon in its attempt to maintain persistence. It also installs a system cron job and an executable in a subfolder of the user's Library/Application Support folder. The subfolder name follows a hexadecimal UUID pattern of 8-4-4-4-12 characters, and the hidden executable inside it is named with a different UUID in the same 8-4-4-4-12 pattern.
These UUID values will be different for every user and are likely used as part of campaign tracking. The cron entry looks like this:
30 */2 * * * /Users/MacUser/Library/Application Support/412B5686-91B3-915B-DB32-13A4744D87B2/.74C07AE1-8BCE-51FA-54F7-0EB0A520EBAC h >/dev/null 2>&1
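The following Python script is an added example, not code from the original article, that checks a crontab dump and a list of LaunchAgent/LaunchDaemon labels for the two persistence artifacts described above: a dot-prefixed UUID-named executable inside a UUID-named Application Support folder, and labels built from the <name>SearchDaemon/Lookup/Search/Results naming pattern. The crontab text, the label list and the function names are my own constructed sample input and helpers.

```python
import re

# 8-4-4-4-12 hexadecimal pattern used for both the folder and the hidden binary.
UUID = (r"[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-"
        r"[0-9A-Fa-f]{4}-[0-9A-Fa-f]{12}")

# A user crontab line (five schedule fields) that runs a dot-prefixed UUID
# binary out of a UUID folder under ~/Library/Application Support.
CRON_RE = re.compile(
    r"^\s*(?:\S+\s+){5}(?P<path>/Users/[^/\s]+/Library/Application Support/"
    + UUID + r"/\." + UUID + r")(?=\s|$)"
)

# Name tokens the article lists for AdLoad's LaunchAgent/Daemon and app names.
NAME_TOKENS = ("SearchDaemon", "Lookup", "Search", "Results")


def suspicious_cron_entries(crontab_text):
    """Return the full path of every UUID-pattern binary scheduled in the dump."""
    hits = []
    for line in crontab_text.splitlines():
        if line.lstrip().startswith("#"):       # skip crontab comments
            continue
        match = CRON_RE.match(line)
        if match:
            hits.append(match.group("path"))
    return hits


def suspicious_labels(labels):
    """Return labels that contain one of the AdLoad naming tokens."""
    return [name for name in labels
            if any(token in name for token in NAME_TOKENS)]


# Constructed sample input (not captured from a real machine): one benign
# backup job and one entry shaped like the cron line quoted in the article.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh >/dev/null 2>&1
30 */2 * * * /Users/MacUser/Library/Application Support/412B5686-91B3-915B-DB32-13A4744D87B2/.74C07AE1-8BCE-51FA-54F7-0EB0A520EBAC h >/dev/null 2>&1
"""

# Constructed label list: two benign labels plus names from the article's list.
SAMPLE_LABELS = ["com.apple.Safari", "com.google.keystone.agent",
                 "QuickSearchTool", "AphroditeSearchDaemon", "GlobalConsoleSearch"]

if __name__ == "__main__":
    for path in suspicious_cron_entries(SAMPLE_CRONTAB):
        print("cron job runs hidden UUID binary:", path)
    for label in suspicious_labels(SAMPLE_LABELS):
        print("label matches AdLoad naming pattern:", label)
```

On a real machine the crontab text would come from `crontab -l` and the labels from the file names under ~/Library/LaunchAgents and /Library/LaunchDaemons; a hit is a lead to investigate, not proof of infection by itself.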
Step 2: Remove AdLoad-related extensions from Safari / Chrome / Firefox
The first thing you need to do is make sure Safari is not running. If you have trouble closing it, you may need to Force Quit Safari: start Activity Monitor by opening Finder, then go to Applications --> Utilities --> Activity Monitor, locate the Safari process, and force quit it.
Safely launch Safari again by holding the Shift key while clicking the Safari application icon. This prevents Safari from reopening the previously open malicious web pages.
In case that you still are having trouble with scripts interrupting the closing of unwanted pages, please do the following:
- Force Quit Safari again.
- Disconnect from the Internet and try again.
Then relaunch Safari, but don't forget to press and hold the Shift key to prevent pop-ups. Then click on Preferences.
- Carefully take a look at your default home page and change it if the hijacker altered it.
- Then go to the Extensions tab and make sure there are no unknown extensions installed.
- The next step is to click on the Privacy tab
- Click Manage Website Data
- Here you can remove any unwanted website data or just remove it all. Please keep in mind that after you do this, all stored website data will be deleted. You will need to sign in again on all websites that require any form of authentication.
- The next step is to Clear History (if you want): select that option.
- Click the menu next to Clear and choose a time period; if you want to completely reset Safari, choose all history.
- Press Clear History
- To remove from Chrome, open the browser and click the icon with the three dots located in the top-right.
- Select More Tools --> Extensions and review which Chrome extensions are present in the browser
- Remove the ones that you do not recognize.
- If the parasite continues to disrupt your browsing with Chrome, this is what else you can do:
- Click the Google Chrome menu again and open Settings.
- Select Search Engine from the left panel, review the available search engines, and change the default to your preference.
- Then click on Manage Search Engines, review the list of available search engines, and if any of the listed items looks suspicious, click the three dots next to it and delete it.
- Click on Privacy and Security in the left panel, select the Clear browsing data option, check every box except the Passwords one, and click Clear Data.
- The next step is to clear Notifications: select the Site Settings option in the Privacy and Security section, then locate Notifications.
- Review the websites listed in the Allowed to send notifications section, and if any of the entries shown there seems dubious or related to the browser hijacker, select the three dots next to it and click Remove.
- Start Mozilla Firefox
- On the top right, click the three dashes (the menu button)
- Go to Add-ons and themes
- The Add-ons Manager will open
- Carefully review your Firefox extensions
- If any unwanted extension is present, click on the three horizontal dots and then Remove
- After the extension is removed, restart Mozilla Firefox by closing it with the red dot in the top left and starting it again.
Step 3: Scan for and remove AdLoad files from your Mac
Fix your browser settings with SpyHunter Anti-Malware
Once you download and install SpyHunter for Mac, run a scan.
Once the scan is complete, your Mac will be virus free.
AdLoad malware Frequently Asked Questions:
- How do I get rid of AdLoad?
AdLoad is a browser hijacker: malicious software that can be installed by third-party applications or websites. It usually changes the settings of web browsers and search engines to display certain ads, pop-ups, banners, etc.
- What are the symptoms of AdLoad infection in your Mac?
AdLoad becomes your web browser’s built-in search engine.
Your browser's search queries are redirected through AdLoad.com
The “AdLoad” browser extension or some shady software is installed on your Mac.
- How do I remove AdLoad from my browser?
In Internet Explorer, click the gear icon on the top left and select Manage add-ons. Under Add-on Types, select Search Providers. Select your search engine from the list of providers and click Remove. In Google Chrome, go to Settings (at the top right) and choose Search in the On Startup drop-down menu.
- How do I uninstall AdLoad?
How to Make Your Mac Run Faster?
You might be wondering how to make your Mac run faster. It is a common misconception that the more processing power you have, the faster your computer will run. In reality, it's about what's going on in your processor and memory. For the average person using a computer for general applications like word processing and web browsing, you don't need much in the way of computing power.
- Use an SSD instead of a hard disk drive.
- Double your RAM if possible.
- Disable System Integrity Protection (SIP). (Attention: do this only if you understand the consequences.)