Severity scale:  

Remove Shlayer Trojan virus (Virus Removal Guide) - updated Feb 2019

removal by Alice Woods - - | Type: Adware

Shlayer Trojan virus is the threat that disables Gatekeeper to run malicious payloads on macOS devices

Shlayer Trojan virus

Shlayer Trojan virus is malicious software that targets Mac users and is typically installed via BitTorrent file sharing sites or fake Adobe Flash updates. Also known as OSX/Shlayer or Crossrider, the threat is especially dangerous because it establishes configuration profiles which increase the persistence and users struggle when trying to get rid of it. The most recent variant of the virus that spreads via rogue Flash Player updates focuses on disabling the macOS Gatekeeper security agent.[1] The discovery was made by TAU researchers, and according to them, versions from 10.10.5 to 10/12/.3 can get affected by this updated version. The malicious installer uses DMG, .pkg, .iso, .or zip file formats.

Name Shlayer Trojan virus
Also known as OSX/Shlayer, Crossrider
Type Trojan horse, adware
Affected systems macOS
First discovered  2018
Symptoms Aggressive pop-ups lead to insecure sites, the computer is filled with programs the user never installed, altered search engine and homepage, etc. 
Recently discovered features Disabling macOS Gatekeeper security agent to distribute malicious payloads
Distribution Fake Adobe Flash updates, cracks, BitTorrent sites
Elimination Download and install reputable security software
Optimization To revert the damage done by the virus, scan your Mac with Reimage Reimage Cleaner Intego

The primary purpose of Shlayer Trojan virus is to download and install various potentially unwanted programs, such as Advanced Mac Cleaner or Mac Cleanup Pro. Initially, Apple does not allow automatic installations of apps that do not come from Apple store, but Shlayer Trojan enables such functionality and macOS gets filled with bloatware that degrade the operation of the device. It is also known that the malware changes Google Chrome's or other browser's search engine to[2]

Shlayer Trojan virus is one of the most well-known malware that is designed for Macs. Users typically wonder around BitTorrent sites and download a crack for legitimate software. It is not surprising that such illegal tools are often malicious, and most of the security applications will detect the file as malware, regardless of its functionality.

Alternatively, users might get infected when they get redirected to a malicious site that prompts them to update Adobe Flash. When Shlayer Trojan virus is launched, it will display two installation methods: Express (recommended) or Custom Installation (expert). If the latter is chosen, users can see what is actually being installed:

Custom installation (expert)

  • Install Adobe Flash Player & MyShopcoupon.
  • Install ChumSearch.
  • Install maccleaner.

Shlayer Trojan virus installer will install the following onto the macOS:

Once installed, Shlayer Trojan virus will perform the scan using Advanced Mac Cleaner and activate Siri's voice that says that the computer has multiple problems (which is obviously a lie). As typical to scareware, it will show numerous issues and, users who want to fix them need to pay a hefty $107 for it. As evident, users should ignore these warning and remove Shlayer Trojan virus together with the unwanted programs that it installed.

However, even after Shlayer Trojan virus removal, users will not be able to get rid of all the traces left by PUPs because it sets up a malicious configuration profile that lingers until the profile is deleted. We explain below how to accomplish that. Until then, users will still see as their main page on Safari and Chrome.

Shlayer Trojan
Shlayer Trojan is the virus that came back to the internet with a new Mac OS targeting campaign.
In February 2019, Carbon Black's Threat Analysis Unit discovered a new campaign with additional features. This time  Shlayer Trojan virus spreading via rogue Flash Player updates. This aggressive campaign now is not targeting BitTorrent users and spreading malware more worldly.

As researchers reported, samples discovered during their analysis affects most of the newest versions:

Samples discovered by TAU have been seen to affect versions of macOS from 10.10.5 to 10.14.3. To this point, all discovered samples of this malware have targeted only macOS. The malware employs multiple levels of obfuscation and is capable of privilege escalation. 

Attackers use the legitimate code signing through Apple's developer program and that allows them to bypass MacOS's restrictions and warnings that are enforced using gatekeeper. However, Shlayer virus still uses shell scripts to deploy secondary payloads, run commands and execute scripts.

The final payload collects information from the system, creates a unique ID for the infected device and downloads other malware from the remote server. That secondary malware payload is an .app executable, as TAU report writes:

Once the malware has elevated to root privileges, it attempts to download additional software (observed to be adware in the analyzed samples) and disables Gatekeeper for the downloaded software using spctl. This allows the whitelisted software to run without user intervention even if the system is set to disallow unknown applications downloaded from the internet.

Shlayer Trojan virus can read and transmit the data you type while the malware is installed. It means that your name, passwords, and even banking details are at risk of the exposure. In addition, users will suffer from constant ads and redirects during their web browsing.

To detect the unwanted software on your device, check your applications folder. If you see any apps you never installed or the ones mentioned above – you should be concerned. The best way to protect your Mac is by employing reputable security software. We recommend using Reimage Reimage Cleaner Intego or SpyHunter 5Combo Cleaner, although you can use any other trusted AV engine that would detect malicious processes automatically.

Shlayer Trojan malware
Shlayer Trojan virus is a dangerous cyber threat that is programmed to download and install PUPs and malware automatically

Forget Adobe Flash or never install its updates from third-party sites

Adobe Flash is an outdated platform and is barely used anymore, as it will be shut down in 2020.[3] The player is known to have multiple security flaws,[4] and have been abused by cybercriminals for years (fake updates). Besides, most modern browsers have the feature already built-in, so there is no need to download Adobe Flash.

However, if you ever find the need for Adobe Flash, download it from the official website. Additionally, set it to click-to-run mode, so that it would not launch automatically on dangerous sites.

As it is typical of malware, it is widely spread on BitTorrent sites. Therefore, experts[5] recommend staying away from them. However, if you will be torrenting, keep in mind the following:

  • Do not download cracks or keygens;
  • Employ security software and keep it updated;
  • Enable Firewall;
  • Download ad-blocking software;
  • Keep your system and software updated;
  • Read comments before downloading;
  • Scan each unknown file with anti-malware software.

Remove Shlayer Trojan virus with the help of these instructions

The first thing you have to do is to remove Shlayer Trojan virus and the applications that it installed. If you are savvy enough, you can proceed simply go Application folder and look for apps mentioned above. However, be aware that OSX/Shlayer is designed to download and install unknown programs automatically. Therefore, we recommend users using profession software that could take care of Shlayer Trojan virus removal automatically.

Once the unwanted applications are removed, you will have to delete the malicious profile that Shlayer Trojan created. Please follow these steps:

  • Go to System Preferences;
  • Click on Profiles;
  • Locate a suspicious profile;
  • Remove it by clicking on the “-” button.

Finally, we recommend resetting each of the installed browsers as described below.

You may remove virus damage with a help of Reimage Reimage Cleaner Intego. SpyHunter 5Combo Cleaner and Malwarebytes are recommended to detect potentially unwanted programs and viruses with all their files and registry entries that are related to them.

do it now!
Reimage Happiness
Intego Happiness
Compatible with Microsoft Windows Supported versions Compatible with OS X Supported versions
What to do if failed?
If you failed to remove virus damage using Reimage Intego, submit a question to our support team and provide as much details as possible.
Reimage Intego has a free limited scanner. Reimage Intego offers more through scan when you purchase its full version. When free scanner detects issues, you can fix them using free manual repairs or you can decide to purchase the full version in order to fix them automatically.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Reimage, try running SpyHunter 5.
Alternative Software
Different software has a different purpose. If you didn’t succeed in fixing corrupted files with Intego, try running Combo Cleaner.

To remove Shlayer Trojan virus, follow these steps:

Delete Shlayer Trojan from Mac OS X system

To remove Shlayer Trojan virus from your Mac, follow these steps:

  1. If you are using OS X, click Go button at the top left of the screen and select Applications. Cick 'Go' and select 'Applications'
  2. Wait until you see Applications folder and look for Shlayer Trojan or any other suspicious programs on it. Now right click on every of such entries and select Move to Trash. Click on every malicious entry and select 'Move to Trash'

Remove Shlayer Trojan virus from Microsoft Edge

To make sure all the settings are reset on MS Edge, follow these instructions:

Reset Microsoft Edge settings (Method 1):

  1. Launch Microsoft Edge app and click More (three dots at the top right corner of the screen).
  2. Click Settings to open more options.
  3. Once Settings window shows up, click Choose what to clear button under Clear browsing data option. Go to Settings and select 'Choose what to clear'
  4. Here, select all what you want to remove and click Clear. Select 'Clear' button
  5. Now you should right-click on the Start button (Windows logo). Here, select Task Manager. Open the start menu and select 'Task Manager'
  6. When in Processes tab, search for Microsoft Edge.
  7. Right-click on it and choose Go to details option. If can’t see Go to details option, click More details and repeat previous steps. Right-click 'Microsoft Edge' and select 'Go to details' Select 'More details' if 'Go to details' option fails to show up
  8. When Details tab shows up, find every entry with Microsoft Edge name in it. Right click on each of them and select End Task to end these entries. Find Microsoft Edge entries and select 'End Task'

Resetting Microsoft Edge browser (Method 2):

If Method 1 failed to help you, you need to use an advanced Edge reset method.

  1. Note: you need to backup your data before using this method.
  2. Find this folder on your computer: C:\Users\%username%\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe.
  3. Select every entry which is saved on it and right click with your mouse. Then Delete option. Go to Microsoft Edge folder on your computer, right-click every entry and click 'Delete'
  4. Click the Start button (Windows logo) and type in window power in Search my stuff line.
  5. Right-click the Windows PowerShell entry and choose Run as administrator. Find Windows PowerShell, right-click it and select 'Run as administrator'
  6. Once Administrator: Windows PowerShell window shows up, paste this command line after PS C:\WINDOWS\system32> and press Enter:
    Get-AppXPackage -AllUsers -Name Microsoft.MicrosoftEdge | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register $($_.InstallLocation)\AppXManifest.xml -Verbose}
    Copy and paste a required command and press 'Enter'

Once these steps are finished, Shlayer Trojan should be removed from your Microsoft Edge browser.

Eliminate Shlayer Trojan from Mozilla Firefox (FF)

  1. Remove dangerous extensions
    Open Mozilla Firefox, click on the menu icon (top right corner) and select Add-ons Extensions. Click on menu icon and select 'Add-ons'
  2. Here, select Shlayer Trojan and other questionable plugins. Click Remove to delete these entries. Select 'Extensions' and look for malicious entries. Click 'Remove' to get rid of each of them
  3. Reset Mozilla Firefox
    Click on the Firefox menu on the top left and click on the question mark. Here, choose Troubleshooting Information. Click on menu icon and then on '?'. Select 'Troubleshooting Information'
  4. Now you will see Reset Firefox to its default state message with Reset Firefox button. Click this button for several times and complete Shlayer Trojan removal. Click on 'Reset Firefox' button for a couple of times

Get rid of Shlayer Trojan from Google Chrome

  1. Delete malicious plugins
    Open Google Chrome, click on the menu icon (top right corner) and select Tools Extensions. Click on menu icon. Select 'Tools' and 'Extensions'
  2. Here, select Shlayer Trojan and other malicious plugins and select trash icon to delete these entries. Look for malicious entries and delete each of them by clicking on the Trash bin icon
  3. Click on menu icon again and choose Settings Manage Search engines under the Search section. When in 'Settings', select 'Manage search engines...'
  4. When in Search Engines..., remove malicious search sites. You should leave only Google or your preferred domain name. Click 'X' to remove malicious URLs
  5. Reset Google Chrome
    Click on menu icon on the top right of your Google Chrome and select Settings.
  6. Scroll down to the end of the page and click on Reset browser settings. When in 'Settings', scroll down to 'Reset browser settings' button and click on it
  7. Click Reset to confirm this action and complete Shlayer Trojan removal. Click on 'Reset' button to complete your removal

Erase Shlayer Trojan from Safari

You need to reset Safari by performing these steps:

  1. Remove dangerous extensions
    Open Safari web browser and click on Safari in menu at the top left of the screen. Once you do this, select Preferences. Click on 'Safari' and select 'Preferences'
  2. Here, select Extensions and look for Shlayer Trojan or other suspicious entries. Click on the Uninstall button to get rid each of them. Go to 'Extensions' and uninstall malicious add-ons
  3. Reset Safari
    Open Safari browser and click on Safari in menu section at the top left of the screen. Here, select Reset Safari.... Click on 'Safari' and select 'Reset Safari...'
  4. Now you will see a detailed dialog window filled with reset options. All of those options are usually checked, but you can specify which of them you want to reset. Click the Reset button to complete Shlayer Trojan removal process. Select all options and click on 'Reset' button

Access your website securely from any location

When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. It is a hassle when your website is protected from suspicious connections and unauthorized IP addresses.

The best solution for creating a tighter network could be a dedicated/fixed IP address. If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for server or network manager that need to monitor connections and activities. This is how you bypass some of the authentications factors and can remotely use your banking accounts without triggering suspicious with each login. 

VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world. It is better to clock the access to your website from different IP addresses. So you can keep the project safe and secure when you have the dedicated IP address VPN and protected access to the content management system.

Backup files for the later use, in case of the malware attack

Computer users can suffer various losses due to cyber infections or their own faulty doings. Software issues created by malware or direct data loss due to encryption can lead to problems with your device or permanent damage. When you have proper up-to-date backups, you can easily recover after such an incident and get back to work.

It is crucial to create updates to your backups after any changes on the device, so you can get back to the point you were working on when malware changes anything or issues with the device causes data or performance corruption. Rely on such behavior and make file backup your daily or weekly habit.

When you have the previous version of every important document or project you can avoid frustration and breakdowns. It comes in handy when malware occurs out of nowhere. Use Data Recovery Pro for the system restoring purpose.

About the author

Alice Woods
Alice Woods - Likes to teach users about virus prevention

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

Contact Alice Woods
About the company Esolutions


Your opinion regarding Shlayer Trojan virus