PhantomRich Mac virus (Free Guide)

PhantomRich Mac virus Removal Guide

What is PhantomRich Mac virus?

PhantomRich is Mac malware that specializes in showing intrusive ads

PhantomRichPhantomRich is a malicious application designed for Macs

PhantomRich is Mac malware that you most likely unintentionally installed yourself because you either fell for a fake Flash Player update or downloaded it along the illegal software from an insecure website. The likelihood of coming across harmful advertising, redirection, sponsored links, and other unwanted content increases for those infected by the virus. Due to the numerous harmful files it drops during the infection, the software could prove to be fairly challenging to remove.

Infection with the PhantomRich virus can have severe repercussions that go beyond just a bad browsing experience. Malware may sometimes be able to track personal user information, install additional versions of itself without user consent, and expose users to harmful content online. We recommend you check out the information below to find out more about the virus and how to terminate it successfully from the infected Mac machine.

Name PhantomRich
Type Mac virus, adware, browser hijacker
Malware family Adload
Distribution Users get infected by installing fake Flash Player updates or cracked application software
Symptoms An extension installed on the browser with elevated permissions, along with an application of the same name; new profiles and login items set up on the account; malicious ads shown during web browsing activities; search and browsing settings changed to another search provider
Risks Installation of other malware, personal data disclosure to cybercriminals, financial losses
Removal An entire system scan using SpyHunter 5Combo Cleaner security software is the quickest and most effective approach to remove harmful and unauthorized applications from Macs. Alternately, you could try to remove the infection manually
System optimization Third parties can employ cookies to continue tracking your online activities, so we recommended clearing browser caches with FortectIntego

Adload: a menace to Mac users

PhantomRich belongs to a Mac malware family known as Adload, which has been spreading around since at least 2017. Since then, hundreds of virus versions have been released, each having a lot of similarities to the other.

For example, all Adload versions are known to be named in a particular pattern consisting of predetermined words such as system (ExpandedSystem), analyzer (AnalyzerState), Input (AccessibleInput), and similar. The naming pattern is not the only similarity: visually, the virus uses a distinctive magnifying glass icon placed on a teal, green, blue, or, most recently, gray background.

In terms of the operation of these variants, there are little to no differences, although cybercriminals do tend to improve malware at some points to make it even more evasive and persistent.[1] The main goal of the PhantomRich virus is to ensure that users are exposed to as many ads as possible, which guarantees steady financial income to its creators.

For that, many malicious techniques are used, including elevated permissions within the system, usage of native Mac files, employing of AppleScript,[2] and more. This is precisely why some users may find additional applications installed on their systems, be flooded with intrusive ads, and wouldn't be able to get rid of the infection that easily.

PhantomRich virusAdload variants are often spread via fake Flash Player installers

Automatic virus removal

PhantomRich has two major components when it is installed on a device: a browser extension and an application that runs at the system level. Both of these elements work together to support the overall function of malware with the aid of various evasion techniques. In order to prevent reinfection, the virus must be deleted from the system together with the browser extension and the main program.

To avoid elimination mistakes and ensure the system is cleaned thoroughly, we recommend opting for the automatic removal method with SpyHunter 5Combo Cleaner or Malwarebytes security software. Third-party anti-malware software won't be affected by the virus' evasion mechanisms (unlike the built-in Xprotect),[3] allowing for easy and quick removal of all malicious files at once.

If you want to perform the process yourself, you can check out the guide below, although we strongly recommend sticking to the automatic option. Regardless of your choice, do not forget that the browser cleaning process is critical and must be performed after malware is fully deleted.

Manual removal and browser cleaning

Your first task is to stop the malicious processes that were initiated by the threat. For that, you should access Activity Monitor and forcibly close all malware-related processes and only then attempt to remove the main app.

  • Open Applications folder
  • Select Utilities
  • Double-click Activity Monitor
  • Here, look for suspicious processes related to adware and use the Force Quit command to shut them down
  • Go back to the Applications folder
  • Find it in the list and move it to Trash.Uninstall from Mac 1

Login Items ensure that the malicious app is started every time the Mac is booted – this entry is essential to remove. Profiles belonging to the virus should also be eliminated.

  • Go to Preferences and pick Accounts
  • Click Login items and delete everything suspicious
  • Next, pick System Preferences > Users & Groups
  • Find Profiles and remove unwanted profiles from the list.

The PLIST files are small config files, also known as the “Properly list.” They hold various user settings and hold information about certain applications. To remove the virus, you have to find the related PLIST files and remove them.

  • Select Go > Go to Folder.
  • Enter /Library/Application Support and click Go or press Enter.
  • In the Application Support folder, look for any suspicious entries and then delete them.
  • Now enter /Library/LaunchAgents and /Library/LaunchDaemons folders the same way and delete all the related .plist files.Uninstall from Mac 2

Take care of your browser

The browser extension component of PhantomRich fulfills an important role in malware's operation – it is used to deliver intrusive advertisements and spy on various user data, including account passwords, credit card details, and more. Therefore, an important task is to make sure that the extension is eliminated:


  • Click Safari > Preferences…
  • In the new window, pick Extensions.
  • Select the unwanted extension and select Uninstall.Remove extensions from Safari

Google Chrome

  • Open Google Chrome, click on the Menu (three vertical dots at the top-right corner) and select More tools > Extensions.
  • In the newly opened window, you will see all the installed extensions. Uninstall all the suspicious plugins that might be related to the unwanted program by clicking Remove.Remove extensions from Chrome

In some instances, the malicious extension might be grayed out, making it hard to delete it normally. In this case, you have the option to reset your browser, which will remove all of your add-ons but allow you to reinstall the reliable ones later:


  • Click Safari > Preferences…
  • Go to the Advanced tab.
  • Tick the Show Develop menu in the menu bar.
  • From the menu bar, click Develop, and then select Empty Caches.Reset Safari

Google Chrome

  1. Click on Menu and select Settings.
  2. In the Settings, scroll down and click Advanced.
  3. Scroll down and locate Reset and clean up section.
  4. Now click Restore settings to their original defaults.
  5. Confirm with Reset settings.Reset Chrome 2

If you successfully removed the extension, you should clean browser history and other leftover settings, or tracking may continue. To perform this step automatically and clean all the other junk from your system, you can use FortectIntego. If you would rather perform this manually, follow these steps:


  • Click Safari > Clear History…
  • From the drop-down menu under Clear, pick all history.
  • Confirm with Clear History.Clear cookies and website data from Safari

Google Chrome

  • Click on Menu and pick Settings.
  • Under Privacy and security, select Clear browsing data.
  • Select Browsing history, Cookies and other site data, as well as Cached images and files.
  • Click Clear data.Clear cache and web data from Chrome
do it now!
Fortect Happiness
Intego Happiness
Compatible with Microsoft Windows Compatible with macOS
What to do if failed?
If you failed to fix virus damage using Fortect Intego, submit a question to our support team and provide as much details as possible.
Fortect Intego has a free limited scanner. Fortect Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Fortect, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

How to prevent from getting adware

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.

If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.


Recover files after data-affecting malware attacks

While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.

Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection. 


About the author
Jake Doevan
Jake Doevan - Computer technology expert

If this free guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Jake Doevan
About the company Esolutions