How to Remove Adload Mac Virus

George Herman
IT Security Expert

Some infections, like this AdLoad virus, can regenerate themselves. There is no better way to detect, remediate and prevent malware infection than to use professional anti-malware software like SpyHunter, one application that is capable of solving all Mac problems.

What Is AdLoad Mac Virus?

AdLoad is an adware infection that installs a Man-In-The-Middle (MITM) web proxy to redirect the user’s web traffic through the attacker’s own preferred servers. The aim is to take over and redirect users’ web browsers for financial gain. The number of incidents involving the aggressive AdLoad macOS malware has increased over the last few months, and it continues to evade built-in macOS security and many third-party security solutions. AdLoad has been around for quite some time now. However, the developers continue to update their software so that it is no longer detected by anti-malware programs. We’ll take a deeper look at how AdLoad adapts to evade many macOS anti-malware solutions and discuss how to properly detect it.

AdLoad is an adware program that is bundled with other software and distributed for free. It is believed that the malware authors are targeting macOS users because it has been observed to be prevalent in French, Turkish, and Russian communities. The advertising companies that distribute this adware offer a software bundle full of other applications as a way to increase their distribution count. This typically includes legitimate applications such as image editors, media players, download managers, compression software, etc.

AdLoad is a malicious software program that installs under various names: Kreberisec, Apollo, Aphroditesearchdaemon, etc. The names are not completely random. Most names follow a pattern like this:

<name>SearchDaemon
<name>Lookup
<name>Search
<name>Results

or a combination of the above.

Some of the more recent names used include:

QuickSearchTool, Kreberisec, GlobalConsoleSearch, EABSearch, AccessibleSearchEngine, SearchAdditionally, SimpleFunctionSearch, ResultSync etc…

Why Am I not protected from AdLoad?

According to Apple’s current XProtect definition, the string “getSafariVersion” must be present in the binary in order for it to be detected by XProtect.

The b1 string actually means getSafariVersion

Malware authors have long since rewritten their code, and current variants no longer contain that string. That makes the XProtect rule ineffective against the malware, because the rule specifies that the string is necessary but not sufficient for a detection. To avoid simple static detection, the files have different hash values, but they are often of similar sizes.

How can I Remove AdLoad virus?

Step 1: Uninstall AdLoad and remove related files and objects

  • Open your Finder –> Click on GO –>Click on Utilities

  • Find Activity Monitor and open it

  • Review all the processes in Activity Monitor and write down the ones related to AdLoad virus

  • Select Quit

  • To kill the malicious process, choose the Force Quit option.

With multiple persistence agents – launch agents, daemons, cronjobs and processes running in memory out of /var/root – it can sometimes take several attempts to beat all of these before one of them manages to re-write the deleted components back to disk. Somewhat like the malware itself, however, persistence does pay off. As long as you have identified all the malicious processes and persistence agents, repeatedly removing them will eventually beat the race.

AdLoad doesn’t just stop at having LaunchAgents and LaunchDaemons in its attempt at maintaining persistence. It also installs a system cronjob and an application in a subfolder of your user’s Library/Application Support folder. The subfolder name is a UUID-style hexadecimal string in the 8-4-4-4-12 character pattern, and the executable file inside it is named with a different UUID-style hexadecimal string in the same 8-4-4-4-12 pattern.

These UUIDs will be different for every user and are likely used as part of campaign tracking.

30 */2 * * * /Users/MacUser/Library/Application Support/412B5686-91B3-915B-DB32-13A4744D87B2/.74C07AE1-8BCE-51FA-54F7-0EB0A520EBAC h >/dev/null 2>&1

This code runs every 2:30 hours. The target of the cronjob is an executable that imports the JavaScriptCore framework, which makes it possible for the executable to execute JavaScript and make native objects, methods and functions available to the JavaScript environment.
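The persistence layout described above can be checked for from Terminal. The following is an added example, not part of the original article or of any vendor tool: the function names `flag_cron_lines` and `scan_app_support` are hypothetical, and it assumes the cron entry and folder naming match the sample shown above.

```shell
#!/bin/sh
# Added example: flags the AdLoad cron/UUID persistence layout described above.
# Function names are hypothetical and not part of any existing tool.

# One UUID-style name: 8-4-4-4-12 hexadecimal characters.
UUID='[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
# Cron text may write the space in "Application Support" as "\ ".
APP_SUPPORT='/Library/Application[\\]? Support/'

# Crontab text on stdin -> active (non-comment) lines that run a hidden,
# UUID-named file inside a UUID-named Application Support subfolder.
flag_cron_lines() {
    grep -v '^[[:space:]]*#' |
        grep -E "${APP_SUPPORT}${UUID}/[.]${UUID}([[:space:]]|\$)" || true
}

# $1 = an "Application Support" directory -> hidden UUID-named files that
# sit directly inside UUID-named subfolders.
scan_app_support() {
    find "$1" -mindepth 2 -maxdepth 2 -type f -name '.*' 2>/dev/null |
        grep -E "/${UUID}/[.]${UUID}\$" || true
}

# Sample crontab: the first line is the entry quoted above,
# the other two lines are constructed for this example.
SAMPLE_CRONTAB='30 */2 * * * /Users/MacUser/Library/Application Support/412B5686-91B3-915B-DB32-13A4744D87B2/.74C07AE1-8BCE-51FA-54F7-0EB0A520EBAC h >/dev/null 2>&1
15 3 * * * /usr/local/bin/backup.sh
# 0 1 * * * /Users/MacUser/Library/Application Support/Notes/sync'

if [ "${1:-}" = "--scan" ]; then
    # Live check of the current user's crontab and Application Support folder.
    crontab -l 2>/dev/null | flag_cron_lines
    scan_app_support "$HOME/Library/Application Support"
else
    # Default: run the cron check over the embedded sample.
    printf '%s\n' "$SAMPLE_CRONTAB" | flag_cron_lines
fi
```

Run it with `--scan` to check the current user; since the article notes components also run out of /var/root, repeat the check as root (`sudo crontab -l`) to cover the system cronjob.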

Step 2: Remove AdLoad – related extensions from Safari / Chrome / Firefox

The first thing you need to do is to make sure Safari is not running. If you have trouble closing it, you may need to Force Quit Safari. (Start Activity Monitor by opening Finder, then go to Applications --> Utilities --> Activity Monitor. Locate the Safari process and force quit it.)

Safely launch Safari again by holding the Shift key and clicking on the Safari application icon. This prevents Safari from reopening previously opened malicious web pages.

If you are still having trouble with scripts interrupting the closing of unwanted pages, please do the following:

  • Force Quit Safari again.
  • Disconnect from the Internet and try again.

Then re-launch Safari, but don’t forget to press and hold the Shift key to prevent pop-ups. Then, click on Preferences.

  • Carefully take a look at your default home page and change it if the hijacker altered it.

  • Then go to the Extensions tab and make sure there are no unknown extensions installed.

  • Next step is to click on Privacy tab

  • Manage website data

  • Here you can remove any unwanted website data or just remove them all. Please, keep in mind that after you do this all stored website data will be deleted. You will need to sign-in again for all websites that require any form of authentication.
  • The next step is to Clear History (if you want), select the tab.

  • Click the menu next to clear and choose a time period — if you want to completely reset Safari, choose all history.
  • Press Clear History
  • To remove from Chrome, open the browser and click the icon with the three dots located in the top-right.
  • Select More Tools --> Extensions and review which Chrome extensions are present in the browser
  • Remove the ones that you do not recognize.

  • If the parasite continues to disrupt your browsing with Chrome, this is what else you can do:
    1. Click again the menu of Google Chrome, and open Settings.
    2. Select the Search Engine from the left panel, review the available search engines and change the default to your preference.
    3. Then, click on Manage Search Engines, review the list of available search engines and if any of the listed items looks suspicious, click the three-dots next to them, and delete.
    4. Click on Privacy and Security in the left panel, select the Clear browsing data option, check every box except the Passwords one, and click Clear Data.
    5. Next step is to clear Notifications, select the Site settings option in the Privacy and Security section, then locate Notifications.
    6. Review the listed websites in the Allow to send notifications section and if any of the entries shown there seem dubious or related to the browser hijacker, select the three dots next to the object and click on Remove.
  • Start Mozilla Firefox
  • On the top right click the three dashes

  • go to add-ons and themes
  • The add-ons manager will open
  • Carefully review your Firefox extensions
  • If any unwanted extension is present, click on the three horizontal dots and then Remove

  • After the extension is removed, restart Mozilla Firefox by closing it from the red dot in the top left and start it again.

To make sure AdLoad is removed from the browser, we recommend scanning with a reputable anti-malware program like SpyHunter for Mac.

Step 3: Scan for and remove AdLoad files from your Mac

Fix your browser settings with SpyHunter Anti-Malware

Once you download and install SpyHunter for Mac run a scan.

Once the scan is complete, your mac will be virus free.

AdLoad malware Frequently Asked Questions:

  • How do I get rid of AdLoad?

AdLoad is a Browser hijacker – malicious software that can be installed by third-party applications or websites. They usually change the settings of web browsers and search engines to display certain ads, pop-ups, banners, etc.

  • What are the symptoms of AdLoad infection in your Mac?

AdLoad becomes your web browser’s built-in search engine.

Your browser’s search queries are redirected through AdLoad.com

The “AdLoad” browser extension or some shady software is installed on your Mac.

  • How do I remove AdLoad from my browser?

In Internet Explorer, click the gear icon on the top left and select Manage add-ons. Under Add-on Types, select Search Providers. Select your search engine from the list of providers and click Remove to remove it. In Google Chrome, go to Settings (at the top right) and choose Search in the On Startup drop down menu.

  • How do I uninstall AdLoad?
If you made a mistake when installing an app on your mac, the easiest way to uninstall it is by right clicking on its icon in your dock, then going to ‘move to trash’. Once it’s gone, restart your mac. If that didn’t work for you, try rebooting and looking for an icon opening up. Once you’ve found that, go to utilities/get info, then go to the ‘Applications’ tab and look for the app. Right-click it and select ‘Get Info’ and then look for the option to ‘Uninstall this Version’. If that doesn’t work, restart your mac again. If you don’t have any luck you can always use the SpyHunter free uninstall.

How to Make Your Mac Run Faster?

You might be wondering how to make your Mac run faster? It is a common misconception that the more processing power you have, the faster your computer will run. In reality, it’s actually about what’s going on in your processor and memory. For the average person using a computer for just general applications like word processing and web browsing, you don’t need much in the way of computing power.

– Use an SSD drive instead of a hard disk drive.

– Double your RAM if possible.

– Disable System Integrity Protection (SIP). (Attention! – do this only if you know the consequences.)
