How to Check for Malware and ‘Bad’ Plists Manually on Your Mac

Recently, I noticed that unwanted ads were popping up on my iMac telling me there was malware on my computer and that I needed to deal with the problem. Since the application CleanMyMac showed that my iMac was “clean,” I decided to check things out manually. 

You can, too. Here’s how:

First, open the Finder and type Shift+command+G. A pop-up box dubbed “Go to Folder” will appear. 

Then, type the following three commands respectively:

  • ~/Library/LaunchAgents
  • /Library/LaunchAgents
  • /Library/LaunchDaemons

Click “Go” and check whether there is any weird looking plists or ones with with garbled/random file name. If you find some, delete ‘em and restart your Mac. Removing all plists with adobe in the name fixed my problem.

By the way, a plist file is a settings file, also known as a “properties file,” used by macOS applications. It contains properties and configuration settings for various programs. 

By the way, part II: Malwarebytes is a malware/adware protection utility and CleanMyMac is an all-in-one macOS solution designed to keep your Mac clean and to secure space from your computer’s hard drive.



LEAVE A COMMENT


  • Please excuse me if I am in the wrong place. I am looking for some instructions on how to get rid of Bing as it is highjacking all my google searches. Safari is set to use google but bing always bumps it out. I have checked the archives here and found nothing. I must be doing something wrong. Mac Pro late 2011, OS El Capitan, 10.11.6, Safari 11.1.2




  • Agree with Bill, MacRat and others. cleanMyMac always shows up as a hidden payload on misspelled websites and on redirects to unintended pop up type free flash player / pr0n sites. Maybe reconsider that as a suggestion?

    Another aspect of cleaning a Mac includes grabbing a copy (and donating!) to a utility like AppCleaner. (FreeMacSoft.NET) There is an older version of this utility for Macs still running High Sierra and older. I’m unaffiliated with them. Just love their product.
    Then toss out any and all apps that you don’t recognize or are no longer used within the applications folder.
    Sometimes it is also a good idea to replace your third party browsers by downloading your bookmarks file and using this utility to remove the browser and then get a new copy of the browser.
    Finally, consider using the fantastic app for third party browsers called
    HTTPS-EVERYWHERE.
    You can find this on the eff.org site, and choose to donate as well ;). This double checks the authenticity of SSL certificates to protect your browsing. Also intercepts malware that use garbage SSL certificates.
    Finally consider looking at other browser adding like Ghostery, Disconnect or even changing the settings in each browser’s cookie policy to blocking all third party cookies




  • Malwarebytes is good, reputable software for handling adware/malware. Just use that periodically. It is common for plists to be encoded, which means that they will look “weird” when you open them with a text editor. It is not a good idea to delete plists unless you really know what you’re doing.




  • How timely for me! I tried to order a music CD from “adrian.belew.com” (my mistake) then “adrian.belew.org”, and both sites were infected, planted a similar program on my Macs called “Mac Cleanup Pro”.
    A friend suggested “malwarebytes” and I got the problem fixed.

    But I still don’t have Belew’s new CD…. :(




  • DiskWarrior 5.2 “Files – Check All Files and Folders – Start” finds corrupt “.plist” files:

    Property list data that was found to be damaged
    Detected that Property List data is damaged and cannot be repaired

    That happens after installing applications like:

    Adobe Acrobat Pro DC
    Adobe Illustrator
    Adobe Photoshop
    Mathtype
    MPlayerX




    • Sadly, Disk Warrior is still not fully compatible with the latest file system. At least the last time I checked in March or so.

      It’s been such a champ for so many years that I wonder if those grumpy guys at Alsoft have just tossed in the towel or are still complaining about Apple changing things and making their lives difficult? ;-)




      • Mick, Yes, I agree with you. DiskWarrior os a must (safety net). That is why we are stuck at macOS 10.12 Sierra at out University, until DiskWarrior 6 is released to rebuild directory of APFS disks.

        But do not blame Alsoft people (like Rusty Little). They need Apple to publish full documentation about how to write to APFS disks, as they have already done about how to read them. Hopefully, this or next year.

        Maybe we should have to wait to macOS 10.16 by WWDC June 2020, for Apple announce Time Machine support to write to APFS disks. Then APFS will be finished (sort of). Indeed, APFS is still in beta development and not a finished product. Apple should not have done all that but releasing it when finished, but here we are!




  • No malware, but I did clean out some old cruft from Adobe and others for stuff I don’t want/use.

    But one thing I haven’t found yet: I keep on getting warnings about “Spotify Helper won’t run on the next Mac OS”. But I cannot find where that app is located (or how the OS is finding it to complain it’s only 32-bit.) Searching Spotify’s website and ‘the internet at large’ hasn’t helped (most of the tips are removing Spotify from Windows.)

    Anyone else seen this? Even better, anyone else have a fix?




  • I’m shocked you use CleanMyMac.

    It’s well known to cause issues and in general its use is very clearly not recommended by myself and many others on the Apple Support Discussions forum.




  • While Malwarebytes is trusted, I’ve always found CleanMyMac a bit suspect. It’s not quite the MacKeeper junk, but if it does what it says it does, then you can mess up your system.

    I’m curious what other techs are saying/seeing these days with regard to that program.

    Honestly, Drive Genius seems the best of the bunch about alerts when an application is going into my Library again. You really have to be careful about your Daemons and what gets installed there. Manual inspection is the only way to be sure, but Drive Genius always catches the install process.




    • Saying MacKeeper is junk is an understatement as it is outright malware.

      It modifies settings within Safari to redirect URLs to web sites owned by the parent company. (Example, if you type in http://mailwarebytes.com on a MacKeeper infected Mac, you end up at a completely different website.)




      • Agreed, but it’s confusing too because there was the actual malware in the wild with that name for a time, as well as the software that claims to help one’s Mac. It doesn’t, much, and is total junk, but I was trying to differentiate between out and out malware and a crappy, scammy program that nearly falls into the same category.

        I can’t believe I still see their ads online. Whatever you want to call it, one should never install it. I think they got hacked recently too.




      • Haha! Check this out! 2 programs that DON’T work well together! LOL!

        In July 2013 Kromtech (owners of “MacKeeper”) filed a lawsuit against Macpaw, the developers of CleanMyMac. Kromtech alleged that Macpaw employees created several usernames and posts on several websites defaming the MacKeeper software. The case was dismissed before the hearing.




      • You can use Malwarebytes to clean out MacKeeper, among other things. You can use it for free if you don’t want it to run on a schedule. I run it when I think I need it, usually when it’s updated.

        I’ve found the best app for finding brand name files like “Spotify Helper” is Find Any File. Sadly it’s still 32bit, but it will run on Mojave, nonetheless. It looks like the old fashioned Search program from OS 7 days, but you can customize your searches any way you like and select any attached drive. It does a manual search of your system, rather than using a library like Spotlight. As a result it can find invisible files that Spotlight ignores, like deamons. It only takes a few moments to do a search and lists found files in a hierarchy so you can see where they live. It costs only $6 and I’ve found it to be worth that and more.




        • Well, you can use the Unix “find” command (see https://linux.die.net/man/1/find) to do the same thing without installing an app (but with learning a bit of command line.) To check everything, you’ll have to run this from “/” as root from an admin account.

          That being said, it couldn’t find anything that started with “Spotify”, so I have no idea where that piece of cruft is sitting, or what it’s named.




        • Yes, I think Malwarebytes is still doing a good job. You just never know how “developed” an app will become over time, so I hope they don’t mess it up. It does a good job of what it does. They certainly could build in an invisible file search function to it, but then they’d have to support all of those people who deleted necessary system files and….

          What I don’t like about it, and find it strange its developers would see this as a function people would want to pay for, is the scan every hour B.S. Macs really don’t need this kind of intrusion and performance hit and the OS itself (Gatekeeper) is probably more then enough. At least you can turn this function off in Malwarebytes.




      • Hi. MacKeeper can’t and doesn’t do it. You described Typosquatting – in simple words is a type of attack when ordinary users incorrectly type a website address into their web browser (e.g., “gmai.com” instead of “gmail.com”). Mentioned site includes a mistake and redirects to the correct site.