PhantomRich Mac virus Removal Guide
What is PhantomRich Mac virus?
PhantomRich is Mac malware that specializes in showing intrusive ads
PhantomRich is a malicious application designed for Macs
PhantomRich is Mac malware that you most likely unintentionally installed yourself because you either fell for a fake Flash Player update or downloaded it along the illegal software from an insecure website. The likelihood of coming across harmful advertising, redirection, sponsored links, and other unwanted content increases for those infected by the virus. Due to the numerous harmful files it drops during the infection, the software could prove to be fairly challenging to remove.
Infection with the PhantomRich virus can have severe repercussions that go beyond just a bad browsing experience. Malware may sometimes be able to track personal user information, install additional versions of itself without user consent, and expose users to harmful content online. We recommend you check out the information below to find out more about the virus and how to terminate it successfully from the infected Mac machine.
|Type||Mac virus, adware, browser hijacker|
|Distribution||Users get infected by installing fake Flash Player updates or cracked application software|
|Symptoms||An extension installed on the browser with elevated permissions, along with an application of the same name; new profiles and login items set up on the account; malicious ads shown during web browsing activities; search and browsing settings changed to another search provider|
|Risks||Installation of other malware, personal data disclosure to cybercriminals, financial losses|
|Removal||An entire system scan using SpyHunter 5Combo Cleaner security software is the quickest and most effective approach to remove harmful and unauthorized applications from Macs. Alternately, you could try to remove the infection manually|
|System optimization||Third parties can employ cookies to continue tracking your online activities, so we recommended clearing browser caches with FortectIntego|
Adload: a menace to Mac users
PhantomRich belongs to a Mac malware family known as Adload, which has been spreading around since at least 2017. Since then, hundreds of virus versions have been released, each having a lot of similarities to the other.
For example, all Adload versions are known to be named in a particular pattern consisting of predetermined words such as system (ExpandedSystem), analyzer (AnalyzerState), Input (AccessibleInput), and similar. The naming pattern is not the only similarity: visually, the virus uses a distinctive magnifying glass icon placed on a teal, green, blue, or, most recently, gray background.
In terms of the operation of these variants, there are little to no differences, although cybercriminals do tend to improve malware at some points to make it even more evasive and persistent. The main goal of the PhantomRich virus is to ensure that users are exposed to as many ads as possible, which guarantees steady financial income to its creators.
For that, many malicious techniques are used, including elevated permissions within the system, usage of native Mac files, employing of AppleScript, and more. This is precisely why some users may find additional applications installed on their systems, be flooded with intrusive ads, and wouldn't be able to get rid of the infection that easily.
Adload variants are often spread via fake Flash Player installers
Automatic virus removal
PhantomRich has two major components when it is installed on a device: a browser extension and an application that runs at the system level. Both of these elements work together to support the overall function of malware with the aid of various evasion techniques. In order to prevent reinfection, the virus must be deleted from the system together with the browser extension and the main program.
To avoid elimination mistakes and ensure the system is cleaned thoroughly, we recommend opting for the automatic removal method with SpyHunter 5Combo Cleaner or Malwarebytes security software. Third-party anti-malware software won't be affected by the virus' evasion mechanisms (unlike the built-in Xprotect), allowing for easy and quick removal of all malicious files at once.
If you want to perform the process yourself, you can check out the guide below, although we strongly recommend sticking to the automatic option. Regardless of your choice, do not forget that the browser cleaning process is critical and must be performed after malware is fully deleted.
Manual removal and browser cleaning
Your first task is to stop the malicious processes that were initiated by the threat. For that, you should access Activity Monitor and forcibly close all malware-related processes and only then attempt to remove the main app.
- Open Applications folder
- Select Utilities
- Double-click Activity Monitor
- Here, look for suspicious processes related to adware and use the Force Quit command to shut them down
- Go back to the Applications folder
- Find it in the list and move it to Trash.
Login Items ensure that the malicious app is started every time the Mac is booted – this entry is essential to remove. Profiles belonging to the virus should also be eliminated.
- Go to Preferences and pick Accounts
- Click Login items and delete everything suspicious
- Next, pick System Preferences > Users & Groups
- Find Profiles and remove unwanted profiles from the list.
The PLIST files are small config files, also known as the “Properly list.” They hold various user settings and hold information about certain applications. To remove the virus, you have to find the related PLIST files and remove them.
- Select Go > Go to Folder.
- Enter /Library/Application Support and click Go or press Enter.
- In the Application Support folder, look for any suspicious entries and then delete them.
- Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and delete all the related .plist files.
Take care of your browser
The browser extension component of PhantomRich fulfills an important role in malware's operation – it is used to deliver intrusive advertisements and spy on various user data, including account passwords, credit card details, and more. Therefore, an important task is to make sure that the extension is eliminated:
- Click Safari > Preferences…
- In the new window, pick Extensions.
- Select the unwanted extension and select Uninstall.
- Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
- In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.
In some instances, the malicious extension might be grayed out, making it hard to delete it normally. In this case, you have the option to reset your browser, which will remove all of your add-ons but allow you to reinstall the reliable ones later:
- Click Safari > Preferences…
- Go to the Advanced tab.
- Tick the Show Develop menu in the menu bar.
- From the menu bar, click Develop, and then select Empty Caches.
- Click on Menu and select Settings.
- In the Settings, scroll down and click Advanced.
- Scroll down and locate Reset and clean up section.
- Now click Restore settings to their original defaults.
- Confirm with Reset settings.
If you successfully removed the extension, you should clean browser history and other leftover settings, or tracking may continue. To perform this step automatically and clean all the other junk from your system, you can use FortectIntego. If you would rather perform this manually, follow these steps:
- Click Safari > Clear History…
- From the drop-down menu under Clear, pick all history.
- Confirm with Clear History.
- Click on Menu and pick Settings.
- Under Privacy and security, select Clear browsing data.
- Select Browsing history, Cookies and other site data, as well as Cached images and files.
- Click Clear data.
How to prevent from getting adware
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.