
How do I safely remove "memory cleancopy" malware from my MacBook?

I lent out the laptop to my younger brother earlier this year, several times, and starting today, I am getting a pop up that says, "MemoryCleancopy will damage your computer. You should move it to the Trash. The file was downloaded at an unknown date." The prompt offers me options to MOVE TO TRASH or CANCEL. There's also a check box at the bottom indicating whether or not you want to "Report malware to Apple to protect other users." I can check the box or uncheck it. It's puzzling since I have never seen any pop up prompts like this in the last 8 years I've had the laptop.


But unfortunately, I get this prompt every time I turn on my MacBook now. I tried following the prompt and moving the alleged malware file to trash but the prompt pops up again, like clockwork, and just repeats as if I have not already deleted it, which makes me think it's probably part of the malware and I might be somehow harming my computer. Ack!


I won't touch anything else until I get more information, but I do not have one of those fancy new MacBooks with an ERASE ALL AND RESTORE option, so I'm unsure how to proceed without an Apple employee in the room.


Any advice? Thank you for your help in advance.

Windows, Windows 10

Posted on Jul 21, 2024 8:53 PM

10 replies

Jul 21, 2024 9:43 PM in response to TonyH9999

TonyH9999 Said:

"How do I safely remove 'memory cleancopy' malware from my MacBook?: [...]'MemoryCleancopy will damage your computer. You should move it to the Trash. The file was downloaded at an unknown date.' [...]I won't touch anything else until I get more information, but I do not have one of the those fancy new MacBooks with a ERASE ALL AND RESTORE option, so I'm unsure how to proceed without an Apple employee in the room.[..]"

-------


Ridding of Messages:


A. View Login Items:

Go To: System Preferences > Users & Groups > Click your Username > Login Items

Rid of Items that are Not Needed


B. Boot in Safe Mode:

In Safe Mode, Login Items do not run at login, certain preferences are set aside, and damaged system files are then see if this no longer pops up. So, once booted into Safe Mode, wait 30 seconds, and then run Malwarebytes. Remove what need be. For instructions, go here: How to Use safe Mode on your Mac - Apple Support


C. Malwarebytes for Mac:

Malwarebytes searches for malware (short for malicious software) and spyware. Those make your Mac act in a misleading manner. So scan with it, and remove what is found from the quarantine. It is created by longtime users of these forums making it the only reliable Security Software for a Mac. If synced with iPad connected, it may have got installed on your Mac.

Downloads:

  1. Malwarebytes Anti-Malware for Mac
  2. Malwarebytes Uninstaller

Jul 22, 2024 6:09 AM in response to TonyH9999

First start up in Safe Mode:

Start up your Mac in safe mode - Apple Support


Then in the last screenshot, move these 3 files to your Desktop:

  • com.coot.plist
  • com.miro-TEDPlayer.plist
  • com.startCOIN-Qt.plist


Start your computer up again normally and see if the issue has been resolved. If the pop up still occurs, then you can put these files back. If you no longer see the pop up, then it will take some help from you to determine if these files are legitimate or even trial and error to see if the pop up returns after moving one of them back. Here is a brief description of the app that may be related to those files to help determine if it is something you use. Any of these apps that you do use, then put back in that folder and test if the pop up returns, while any that you do not use can be moved to the trash. I suspect Coot is the least likely one to be used and may be the problem file.

  • Startcoin - related to Crypto/BitCoin
  • Miro - Used for remote collaboration on projects, such as whiteboarding
  • Coot - Used for modeling proteins in a lab environment.


Off topic to the issue, just want to make sure you are aware that your computer is being remotely managed with the jamf software package and remote access is also available using the Splashtop software.

Jul 22, 2024 6:54 AM in response to TonyH9999

Anti-malware is not good at finding legitimately installed apps that are problematic or are junk, a category which can contain too many anti-malware apps, deliberately installed cryptocurrency rubbish, and cracked apps, and cracking-related add-on apps.


Anti-malware is ~incapable of detecting backdoor paths deliberately user-created, and which can then allow siblings or their designees or internet randos to regain access or reload apps, too.


One set of anti-malware (the built-in) detected and is blocking (some of) the mess, while the two add-on anti-malware apps apparently did not detect this mess. I’d pick and run one anti-malware, probably the built-in. (Add-on anti-malware is what blew up many critical Microsoft Windows systems just a few days ago.)


Anti-malware is not a panacea for a breached Mac.


Beyond the problematic apps, apps installed by other Apple IDs cannot be updated from yours, too. You need sibling’s Apple ID credentials, or deleting and redownloading those apps, or deleting. Similar linkages for any of sibling’s purchases and subscriptions that might be present or referenced here.


And yeah, remote management — if you didn’t install that yourself — usually means somebody else with some tooling was doing who-knows-what to this Mac.


Again, I’d suggest treating this Mac as if it were breached, and reinstalling. Because it more or less has been breached. Reinstalling will also clean up the two add-on anti-malware apps.

Jul 21, 2024 9:24 PM in response to TonyH9999

Above is very likely correct.


Here’s a write-up: About those “<app> will damage your computer” messages - Apple Community


But I’d back up the Mac, create a bootable installer, factory reset, and restore only your files and settings and documents. If history is any guide for sibling security, this probably won’t be the only adventure awaiting.


Jul 22, 2024 5:33 PM in response to TonyH9999

I usually create and keep a bootable installer around for older systems, which can be tested before any erasure or related uses.


Here is how to: Create a bootable installer for macOS - Apple Support


Preferably with the newest OS X or macOS version supported by the particular Mac.


You can then shut down the running system, and test-boot that installer. You don't need to use it to erase and install now, or even at all. But having it gives you a path to repair your install if you can’t boot Recovery otherwise.


As for erasing, do you trust somebody that has already loaded a cryptocurrency miner, seemingly some remote management app, and who knows what else? This can include apps owned by other Apple IDs, too. And I’d wonder whether there are files or images that could well cause legal repercussions for you, particularly if you’re of legal age in your jurisdiction. All hassles you just don’t need.

Jul 22, 2024 6:15 PM in response to TonyH9999

Good News. I am confident that your issue with the pop-up is gone and will not come back.


MrHoffman is a very knowledgeable contributor on these forums and I respect and listen to all advice he offers to users. I do share the concerns with some of the software that was installed, such as:

  • JamF
  • Splashtop
  • startCOIN being a crypto related app
  • BitDefender - This serves no purpose and I would also recommend using the uninstaller for the app to remove it and follow up by verifying that the files have been removed in the locations that you have provided in the Screenshots. I did not recommend removing it before because it was not related to the problem you asked about, but my personal opinion is that it should not be on your Mac and will cause other problems for you.


I would take a couple of additional steps to make sure that the remote access software that was installed did not add a profile and review the apps that are set to launch on startup.

  • Go to Apple menu > System Settings > Privacy & Security > Profiles. There should be no profiles here. This is where remote management software will add a profile that is used to provide restrictions on your computer. In some cases you can select them and choose the minus button to delete them.
  • Go to Apple menu > System Settings > General > Login Items. Usually in the top section called Open at Login, there are no items, unless you specifically want something to run every time you start your computer. The bottom section titled Allow in the Background, may contain some files that are OK. The ones you would want to be concerned about would be anything related to the JamF, Splashtop, or a bitcoin miner. You should be able to identify the apps you see there and determine if they are legitimate.


And finally for the position of the nuke and pave approach, in my opinion only, if everything above checks out without any other issues, I think you are now fine and will not have any other problems. I would never recommend against performing a clean install of the OS and manually installing the apps that you use. You would not want to use a backup that would restore the problematic apps though, so it would take some more effort on your part.


I am sure MrHoffman will provide a follow up and I would recommend to take everything he says seriously. He is far more knowledgeable on the abilities of Remote Device Management software, and if I have missed something on this topic, I would defer to what he says.



Jul 21, 2024 10:18 PM in response to Mac Jim ID

Thank you all so much for the help. I've run Malwarebytes and deleted a few flagged/quarantined files and rebooted again and I am still getting the prompts, so I don't know where I stand. Here are the screenshots of the folders in the requested order. The folder title got cut off but the first one is "LaunchDaemons."


Any further advice would be greatly appreciated. Thanks again!!! :)




Jul 21, 2024 9:11 PM in response to TonyH9999

Go to Finder > Go > Go to Folder, and paste each of these folder locations in that text box. Post the screenshot of the files in each of those folders. Don't forget the "~" in the last one.

/Library/LaunchDaemons

/Library/LaunchAgents

~/Library/LaunchAgents


After you post a screenshot of those 3 folders, we will be able to tell you which files need to be deleted to remove that pop up you are receiving.
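
Added example (not part of the original thread, and not any poster's or Apple's code): instead of screenshots, the three folders named above can be summarised with a short Python 3 script that reads each launchd property list and shows which program it starts. It assumes Python 3 is installed on the Mac; the notes it attaches and the `com.example.*` sample jobs are constructed for illustration.

```python
import plistlib
import sys
from pathlib import Path

# The three launchd folders named in the post above.
LAUNCH_DIRS = ["/Library/LaunchDaemons", "/Library/LaunchAgents", "~/Library/LaunchAgents"]

def inspect_job(path):
    """Summarise one launchd property list (XML or binary format)."""
    row = {"file": str(path), "label": None, "target": None, "notes": []}
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)
        args = job.get("ProgramArguments") or []
    except Exception:  # damaged file, or top level is not a dictionary
        row["notes"].append("unreadable plist")
        return row
    row["label"] = job.get("Label")
    row["target"] = job.get("Program") or (args[0] if args else None)
    if row["target"] and not Path(row["target"]).exists():
        row["notes"].append("target missing on disk")
    if job.get("RunAtLoad") or job.get("KeepAlive"):
        row["notes"].append("starts automatically")
    if row["label"] and row["label"] != Path(path).stem:
        row["notes"].append("label differs from file name")
    return row

def triage(dirs=LAUNCH_DIRS):
    """Return one summary row per .plist found in the given folders."""
    rows = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            rows.extend(inspect_job(p) for p in sorted(folder.glob("*.plist")))
    return rows

def write_constructed_sample(folder):
    """Write two constructed jobs (not from the thread) for a dry run."""
    jobs = {"com.example.helper": {"Label": "com.example.helper", "RunAtLoad": True,
                                   "ProgramArguments": ["/nonexistent/helper", "--bg"]},
            "com.example.shell": {"Label": "com.example.shell", "Program": "/bin/sh"}}
    for name, job in jobs.items():
        with open(Path(folder) / (name + ".plist"), "wb") as fh:
            plistlib.dump(job, fh)

if __name__ == "__main__":
    for row in triage(sys.argv[1:] or LAUNCH_DIRS):
        print(row["file"], "| label:", row["label"], "| target:", row["target"],
              "| notes:", ", ".join(row["notes"]) or "-")
```

Run with no arguments it reads the three folders; given a folder path it reads only that one. A note is a prompt to look closer at that file, not a verdict that it is malicious.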

Jul 22, 2024 5:17 PM in response to Mac Jim ID

Thank you so much for the advice. I really appreciate it. I think it worked!


I cleaned up the files as you suggested in Safe mode and restarted. The pop ups seem to have gone away. I've even restarted a couple more times and still, no more pop ups. Thank heavens, I am so relieved!


Do you think I'm all good? Another commenter suggested getting the laptop "nuked" and restored to factory settings. And I have all of my files backed up so I could do this. But it is an older machine and would probably require dropping it off at the Apple store for maintenance. It would only take a day or two, I'm sure. I'm just wondering if it's worth doing if the pop ups have ceased.


Incidentally, jamf and splashtop are both related to old day jobs I did a few years ago, so they were probably safe, but required deleting anyway, so now they are gone, too.


Thanks again to everyone!
