FocusGuide Mac virus Removal Guide
What is FocusGuide Mac virus?
FocusGuide – a malicious Mac application designed to show ads and steal user data
The malicious extension can gather sensitive user data
FocusGuide belongs to a widespread malware family that targets Mac devices – Adload. The strain showed up a few years ago, and new versions are being released on a regular basis. The functionality that users might notice is that of a browser hijacker and adware, although when diving deeper, there are no questions remaining why some security vendors mark the versions of Adload as Trojans or simply malware.
Nobody would want their systems compromised, hence it is unlikely for anyone to install FocusGuide intentionally. Nevertheless, both distribution methods used by the virus demand user interference, as Apple ID needs to be entered every time an application from an unapproved source is installed on the system. Looking at distribution methods, it becomes clear why people give content for the app's installation:
- Fake Flash Player installers or update prompts encountered on malicious websites;
- Software bundles downloaded from pirated software distributors.
While some malware hides from users' views and performs its operations in the background, this virus shows symptoms immediately. What most people would notice initially are changes to their Safari, Chrome, or Firefox browsers, as the homepage would be set to Safe Finder or another provider.
Likewise, the searches would be generated via a different provider (e.g., Yahoo), which would be filled with sponsored links and ads. The browser hijacking is made possible by an extension that is installed on the browser with elevated permissions – it uses a distinct hourglass icon.
The main goal of the virus is to expose users to all types of advertisements whenever they use their computers. These ads might be malicious, and the installation of other unwanted or dangerous software becomes very much probable. In fact, some of the Adload versions can even install additional apps in the background.
If you have encountered FocusGuide on your Mac, make sure you do not allow it to run on your system, as you might suffer from other malware infections, financial losses, and security issues.
|Type||Mac virus, adware|
|Previous versions||FlexProduct, LatestStructured, EdgeManagement|
|Installation||Usually spread via fake Flash Player installers or bundled along illegal software downloaded from torrent and similar sites|
|Symptoms||An extension installed on the browser with elevated permissions, along with an application of the same name; new profiles and login items set up on the account; malicious ads shown during web browsing activities; search and browsing settings altered to Safe Finder or another search provider|
|Elimination||You can remove Mac malware with the help of powerful security tools, such as SpyHunter 5Combo Cleaner or Malwarebytes. We also provide manual elimination steps below|
|System optimization||After you terminate the infection with all its associated components, we recommend you also scan your machine with ReimageIntego for best results|
Macs' problem with adware
While Windows has been dominating the market for many years, Macs are getting increasingly popular. Looking at the statistics, around 15% of computer users choose macOS over anything else, which shows that the user count has doubled since 2013.
Following this growth, threat actors started paying attention to the operating system much more, and the previously seemingly virus-immune Mac became a target of cyberattacks. This resulted in the incredible growth of malware that is targeting Macs, so much so that it even outpaced Windows in 2020.
Most of the threats affecting macOS are adware and, while it might not sound like something threatening, it can be. Adware is programmed to show various ads and redirect them to suspicious or dangerous websites. In some cases, malware such as Shlayer might install and run scareware apps on the system without permission.
It is important to note that Mac viruses will not go away any time soon, and prominent malware families such as Adload will continue to spread due to their advanced persistence mechanisms.
The dangerous traits of FocusGuide and how to remove it
Adload is a very broad malware family that has been infecting Mac users for years now. The actors behind implement various techniques to infect as many users as possible, and so far, they have been quite successful.
It is important to note that users install the app themselves, even if they are not directly aware. To reduce this possibility, we recommend staying away from websites that distribute pirated software or cracks. Software bundles hide malicious extensions and applications by disguising them under the Advanced installation settings, pre-ticked boxes, and similar. Thus, when installing an illegal app, users might also install malware along with it.
Fake Flash Player installers are also very popular when it comes to Mac malware distribution. These prompts usually claim they users need to install the plugin in order to gain access to the website's contents. This is a lie, as the software has been discontinued by its created Adobe at the start of 2021 and all modern browsers use built-in technology replacements that work automatically. In other words, all Flash Player update prompts are fake – never download them.
Adload malware is spread via Flash Player updates and illegal software installers
As soon as the FocusGuide virus is installed, it places the extension on Safari or another used browser. Its icon is always an hourglass in teal, blue, or green background, which is also installed with significant permissions. If you look at the description of the extension within the browser, here's what it reads:
Permissions for “XXX”:
Can read sensitive information from webpages, including passwords, phone numbers, and credit cards on all webpages
Can see when you visit all webpages
It goes without saying that such permissions should not be granted to any extension, as there is no need for anybody to know your passwords or credit card details. The information can be used for phishing campaigns and might also be sold on the underground forums, resulting in privacy issues or even identity theft.
With the help of the built-in AppleScript, the virus avoids the detection of XProtect and Gatekeeper and continues running in the background (this is another reason to ensure that your system is protected with SpyHunter 5Combo Cleaner, Malwarebytes, or another third-party security software). Malware also creates Login Items, Groups, settings, and many other files that increase the persistence, making the removal quite difficult.
Due to its functionality and persistence mechanisms, we strongly advise you use security software to remove the infection fully and then employ ReimageIntego to clean your browsers automatically. Alternatively, you can follow the steps below, although keep in mind that it does not guarantee a proper FocusGuide virus removal.
1. Get rid of the main application
The infection consists of several components that are scattered across the system, which are all intertwined. For this reason, several of the steps below might simply not be possible without eliminating certain elements first. Let's start with the main application.
- Open Applications folder
- Select Utilities
- Double-click Activity Monitor
- Here, look for suspicious processes and use the Force Quit command to shut them down
- Go back to the Applications folder
- Find the malicious entry and place it in Trash.
2. Remove Login items and Profiles
Malware creates new items in Profiles and Login items sections in order to perform its malicious activities. They can be found and removed from the following locations:
- Go to Preferences and pick Accounts
- Click Login items and delete everything suspicious
- Next, pick System Preferences > Users & Groups
- Find Profiles and remove unwanted profiles from the list.
3. Delete the leftover files
The PLIST files are small config files, also known as “Properly list.” They hold various user settings and hold information about certain applications. In order to remove the virus, you have to find the related PLIST files and remove them.
- Select Go > Go to Folder.
- Enter /Library/Application Support and click Go or press Enter.
- In the Application Support folder, look for any dubious entries and then delete them.
- Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and delete all the related .plist files.
4. Clean your browsers
If you removed malware manually, the browser might still be vulnerable for as long as the extension remains installed. Even if you choose the automatic removal method, we strongly recommend paying close attention to your browser cleaning process, as some components might remain, even if the main malicious app is gone (for example, tracking cookies). First, remove the extension:
- Click Safari > Preferences…
- In the new window, pick Extensions.
- Select the unwanted extension and select Uninstall.
Next, you should focus on cleaning cookies and other web data by following these steps:
- Click Safari > Clear History…
- From the drop-down menu under Clear, pick all history.
- Confirm with Clear History.
If some or all of the steps above were impossible to do, you could always opt for a browser reset. Before you do that, you can try using ReimageIntego maintenance utility that could clean your browsers automatically without you having to reset them.
- Click Safari > Preferences…
- Go to the Advanced tab.
- Tick the Show Develop menu in the menu bar.
- From the menu bar, click Develop, and then select Empty Caches.
If you are using Google Chrom or Mozilla Firefox on your Mac, you will find the instructions on how to clean or reset them manually below.
Getting rid of FocusGuide Mac virus. Follow these steps
Remove from Google Chrome
Delete malicious extensions from Google Chrome:
- Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
- In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.
Clear cache and web data from Chrome:
- Click on Menu and pick Settings.
- Under Privacy and security, select Clear browsing data.
- Select Browsing history, Cookies and other site data, as well as Cached images and files.
- Click Clear data.
Change your homepage:
- Click menu and choose Settings.
- Look for a suspicious site in the On startup section.
- Click on Open a specific or set of pages and click on three dots to find the Remove option.
Reset Google Chrome:
If the previous methods did not help you, reset Google Chrome to eliminate all the unwanted components:
- Click on Menu and select Settings.
- In the Settings, scroll down and click Advanced.
- Scroll down and locate Reset and clean up section.
- Now click Restore settings to their original defaults.
- Confirm with Reset settings.
Remove from Mozilla Firefox (FF)
Remove dangerous extensions:
- Open Mozilla Firefox browser and click on the Menu (three horizontal lines at the top-right of the window).
- Select Add-ons.
- In here, select unwanted plugin and click Remove.
Reset the homepage:
- Click three horizontal lines at the top right corner to open the menu.
- Choose Options.
- Under Home options, enter your preferred site that will open every time you newly open the Mozilla Firefox.
Clear cookies and site data:
- Click Menu and pick Options.
- Go to Privacy & Security section.
- Scroll down to locate Cookies and Site Data.
- Click on Clear Data…
- Select Cookies and Site Data, as well as Cached Web Content and press Clear.
Reset Mozilla Firefox
If clearing the browser as explained above did not help, reset Mozilla Firefox:
- Open Mozilla Firefox browser and click the Menu.
- Go to Help and then choose Troubleshooting Information.
- Under Give Firefox a tune up section, click on Refresh Firefox…
- Once the pop-up shows up, confirm the action by pressing on Refresh Firefox.
How to prevent from getting adware
Stream videos without limitations, no matter where you are
There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.
Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.
Data backups are important – recover your lost files
Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.
While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.