NodeZipArray Mac virus (Free Guide)

NodeZipArray Mac virus Removal Guide

What is NodeZipArray Mac virus?

NodeZipArray is a Mac virus that might jeopardize your computer security

NodeZipArray is malicious software originating from the Adload malware family, which exclusively targets Mac operating systems. It often infiltrates users' systems through counterfeit Flash Player updates or dubious software bundles downloaded from unauthorized websites. The intrusion may initially go unnoticed, but symptoms of infection soon become apparent.

Upon successful installation, NodeZipArray deploys its main component along with a browser extension compatible with Safari, Chrome, or other web browsers. This extension alters search results and can even modify the browser's homepage to direct users toward sponsored links and advertisements. Simultaneously, the extension collects personal information in the background, posing significant risks to user privacy.

Name NodeZipArray
Type Mac virus, adware, browser hijacker
Malware family Adload
Distribution Third-party websites distributing pirated software, software bundles, fake Flash Player updates
Symptoms Installs an extension to the browser that can not be deleted easily; changes homepage/new tab to Safe Finder, Akamaihd, or something else; redirects lead to potentially malicious or scam sites, promotes suspicious software, etc.
Removal The easiest way to eliminate unwarned and malicious software on Macs is by performing a full system scan with SpyHunter 5Combo Cleaner security software. Alternatively, you can attempt to terminate the infection manually
System optimization Third parties can employ cookies to continue tracking your online activities, so we recommended clearing browser caches with FortectIntego

How does malware spread and how to avoid it?

Understanding the delivery methods employed to disseminate malware like NodeZipArray is crucial for minimizing the risk of infection. The software typically spreads through two main avenues: fraudulent Flash Player updates and bundled pirated software installers.

In the first approach, users are misled into believing they need an urgent Flash Player update for optimal computer performance or to view specific content. Once initiated, the so-called update actually installs the malware onto the system. To avoid this trap, it's advisable to always download software updates from official or reputable sources and to be cautious of unexpected pop-up messages urging immediate updates.

The second common pathway for this malware is through pirated software installers. When users download and install cracked or unauthorized software, the malware may be bundled within these packages. By running the installer, users unknowingly grant the software access to their system. To mitigate this risk, steering clear of unofficial or dubious websites for software downloads is recommended. Instead, software should be obtained directly from trusted vendors or authorized platforms.

Being aware of these deceptive distribution methods can significantly aid in preventing unwelcome intrusions. Exercising caution when prompted to update software or when downloading installers, particularly from unverified or unfamiliar sources, can substantially reduce the likelihood of inadvertently installing malicious software.

How dangerous is Adload?

Originating from the Adload malware family, NodeZipArray is part of a software lineage that has been infecting Mac systems since 2017. Despite being one of many variants released over the years, it remains particularly dangerous, affecting thousands of users globally. The identity of its creators remains elusive, but its ties to other high-profile Mac malware like the Shlayer Trojan indicate that it's part of a broader network of malicious activities.

The primary goal of NodeZipArray is to generate revenue through the injection of unauthorized advertisements into the browsers of infected users. The quality of these ads is usually subpar, as the operators of the malware rely on untrustworthy ad networks for their content. This serves as more than just an annoyance; it can also expose users to additional risks by guiding them toward potentially hazardous websites and advertising content.

One of the more insidious features is its installation of a man-in-the-middle proxy. This allows the malware to redirect internet traffic through servers controlled by cybercriminals. This not only enables them to profit from the redirected web traffic but also increases the risk of users encountering dangerous web content.

The heightened level of access granted to malware during installation poses another layer of danger. Its browser extension is designed to collect sensitive personal data, including but not limited to credit card information and login credentials. The unauthorized collection of this data could lead to serious consequences such as financial loss and identity theft.

NodeZipArray is not just a run-of-the-mill piece of malware. It poses multiple layers of risks to Mac users, from annoying ads to severe privacy infringements and financial damages. Given its long history, ties to other malware, and range of malicious capabilities, this is a high threat that users need to be vigilant against.

Removal explained

The removal of NodeZipArray from a Mac system poses challenges due to its escalated privileges. This malware not only deploys dangerous files but also creates new user profiles and login items. Utilizing AppleScript, it can evade detection mechanisms like XProtect and Gatekeeper. Simply deleting the core files or the browser extension might provide temporary relief, but it’s common for these elements to resurface.

The most effective way to eliminate NodeZipArray is through the use of specialized anti-malware software. Such a program can comprehensively scan your system to identify and remove all associated malicious files, including those that are designed to persist. Regularly updating your anti-malware software is essential for the tool to recognize and neutralize newly emerging threats.

For those who prefer a manual removal approach, certain steps can be taken, albeit with the caution that incomplete removal may result in the malware’s reappearance. The first task is to open Activity Monitor and forcefully terminate any processes connected to the malware. Following this, efforts can be made to uninstall the main application that houses the malware.

  • Open Applications folder
  • Select Utilities
  • Double-click Activity Monitor
  • Here, look for suspicious processes related to adware and use the Force Quit command to shut them down
  • Go back to the Applications folder
  • Find it in the list and move it to Trash.Uninstall from Mac 1

Login items ensure that the application launches automatically when the computer is turned on, while Profiles serve to manage different account settings. Removing both is a crucial part of the process for eliminating the malware.

  • Go to Preferences and pick Accounts.
  • Click Login items and delete everything suspicious.
  • Next, pick System Preferences > Users & Groups.
  • Find Profiles and remove unwanted profiles from the list.

The PLIST files, short for “Property List,” are compact configuration files that store user preferences and application information. To eradicate the malware, it's necessary to locate and remove the relevant PLIST files in the following manner:

  • Select Go > Go to Folder.
  • Enter /Library/Application Support and click Go or press Enter.
  • In the Application Support folder, look for any dubious entries and then delete them.
  • Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and terminate all the related .plist files.Uninstall from Mac 2

Removing unwanted items from the browser

If you opt for manual removal, it's important to address the browser extension associated with the malware, as it is designed to harvest personal information like account credentials and passwords. Ensure that this extension is completely removed to prevent further risk. If this step proves unfeasible, continue to the next part of the removal process.


  • Click Safari > Preferences…
  • In the new window, pick Extensions.
  • Select the unwanted extension and select Uninstall.Remove extensions from Safari

Google Chrome

  • Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
  • In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.Remove extensions from Chrome

If removing the malware from your web browser proves challenging, you can opt to reset the browser as outlined below without losing bookmarks or other customized settings.


  • Click Safari > Preferences…
  • Go to the Advanced tab.
  • Tick the Show Develop menu in the menu bar.
  • From the menu bar, click Develop, and then select Empty Caches.Reset Safari

Google Chrome

  1. Click on Menu and select Settings.
  2. In the Settings, scroll down and click Advanced.
  3. Scroll down and locate Reset and clean up section.
  4. Now click Restore settings to their original defaults.
  5. Confirm with Reset settings.Reset Chrome 2

It's also advisable to clear your web browsers of cached files and cookies to halt data tracking and minimize the chance of experiencing recurring redirects and advertisements. For expedient cleaning, you can use FortectIntego, or if you prefer a hands-on approach, proceed with the steps outlined below.


  • Click Safari > Clear History…
  • From the drop-down menu under Clear, pick all history.
  • Confirm with Clear History.Clear cookies and website data from Safari

Google Chrome

  • Click on Menu and pick Settings.
  • Under Privacy and security, select Clear browsing data.
  • Select Browsing history, Cookies and other site data, as well as Cached images and files.
  • Click Clear data.Clear cache and web data from Chrome
do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

How to prevent from getting adware

Stream videos without limitations, no matter where you are

There are multiple parties that could find out almost anything about you by checking your online activity. While this is highly unlikely, advertisers and tech companies are constantly tracking you online. The first step to privacy should be a secure browser that focuses on tracker reduction to a minimum.

Even if you employ a secure browser, you will not be able to access websites that are restricted due to local government laws or other reasons. In other words, you may not be able to stream Disney+ or US-based Netflix in some countries. To bypass these restrictions, you can employ a powerful Private Internet Access VPN, which provides dedicated servers for torrenting and streaming, not slowing you down in the process.

Data backups are important – recover your lost files

Ransomware is one of the biggest threats to personal data. Once it is executed on a machine, it launches a sophisticated encryption algorithm that locks all your files, although it does not destroy them. The most common misconception is that anti-malware software can return files to their previous states. This is not true, however, and data remains locked after the malicious payload is deleted.

While regular data backups are the only secure method to recover your files after a ransomware attack, tools such as Data Recovery Pro can also be effective and restore at least some of your lost data.

About the author
Olivia Morelli
Olivia Morelli - Ransomware analyst

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Olivia Morelli
About the company Esolutions