What is Trojan-Downloader.OSX.Shlayer?

Trojan-Downloader.OSX.Shlayer, or the Shlayer Trojan, is a persistent Mac virus. The main purpose of this threat family is to download and execute other adware threats on the target system.

As the name suggests, it is designed specifically to target the Mac. Users are likely to install this Trojan while updating Flash Player from an infected link or through freeware downloads. Users who suspect this threat may also notice adware such as Adware.MAC.OSX.Pirrit, AdWare.OSX.Bnodlero, Advanced Mac Cleaner, MyShopcoupon, Chumsearch, MyMacUpdater and many others.

Threats in the adware category aim to display intrusive advertisements within browsers. They inject pop-ups, ads, banners and highlighted text into search result pages and so on. This activity may not be too harmful, but the behavior is still unwelcome, as most of the ads are worthless. Clicking the ads causes the browser to redirect to suspicious sites that push fake installers for unwanted programs and fake updates. Thus, engaging with such pages may soon turn out to be a huge risk. If users notice too many ads and pop-ups in their browser, it may be a sign of adware infection.

Trojan-Downloader.OSX.Shlayer Distribution And Motive

Coming back to Trojan-Downloader.OSX.Shlayer, it is a Trojan dropper that is widely distributed by malware authors. There are various ways your system can get this infection, but the most common among them are:

Fake links to watch videos, movies or streaming TV that appear on search results pages or are shared online. Such links are mostly fake and ask users to first install or update their Flash Player before they can view the contents of the page. The fake update link may contain Trojan-Downloader.OSX.Shlayer rather than any legitimate update. This is a common distribution method in which cyber-offenders inject malicious links into compromised websites.

In a newer distribution campaign, the Shlayer Trojan can spread through an “Adobe Flash Player out of date” prompt, a ‘novel’ tactic to bypass macOS Catalina security.


Once the Shlayer Trojan is installed on the target system, it contains an executable file that is a simple four-line Bash script. The function of the code is to decrypt its contents and execute another file that it brings along. Once executed, the program downloads and extracts an additional program and executes it on the system. Thus, it is finally able to install other adware programs without the user’s knowledge. Also, the Shlayer Trojan modifies the registry entries to allow the adware program to run whenever the system is rebooted.

The best way to deal with Trojan-Downloader.OSX.Shlayer is to scan the system and remove all adware and file components associated with the Trojan threat.

How to Remove Trojan-Downloader.OSX.Shlayer From Mac (Guide)

This is a complete manual removal guide for Mac users. It consists of step-by-step removal of unwanted programs, for instance adware, browser hijackers, redirects, Trojans and other malware. The manual removal may take several minutes, so you need to be patient. Please follow the steps carefully. If you are in a hurry, we suggest you go for the automatic removal solution.

Combo Cleaner DOWNLOAD LINK
(The above link will open a new page from where the Combo Cleaner will download)
“Trojan-Downloader.OSX.Shlayer” may reinstall itself multiple times if you don’t delete its core files. We recommend downloading Combo Cleaner to scan for malicious programs. This may save your precious time and effort. Combo Cleaner scans the infected PC for free but you need to purchase its full version for complete removal. More information on Combo Cleaner.

To Remove Trojan-Downloader.OSX.Shlayer from Mac OS, follow the steps:


STEP 1: Remove Unknown Profiles Created by Trojan-Downloader.OSX.Shlayer Program From Mac OS

Profiles are a utility that allows businesses or organizations to control the actions and behavior of a Mac system. Thus, users cannot change any profile created by the admins. However, adware distributors design their programs so that they may create a new profile. As a result, the profile prevents the user from uninstalling the adware or other malware program.

So, we first need to find out if there is any malicious profile created on the Mac. If yes, then you have to remove it.

Please follow the steps here:

    1. Select System Preferences from the Apple menu;
    2. Within the System Preferences window, find the “Profiles” icon; (If you can’t find the Profiles icon, it means you may not have any profiles created.)
    3. When the “Profiles” window opens, look for unknown profiles. To remove the Trojan-Downloader.OSX.Shlayer fake user profile, select it and click on the – (minus) button.
    4. Repeat the steps to remove all unknown profiles.

STEP 2: Uninstall Trojan-Downloader.OSX.Shlayer/Malicious Apps From Mac OS

In this step, you need to locate the Trojan-Downloader.OSX.Shlayer application or unknown programs that you may not have installed yourself. Remove all such apps from your system.

  1. Open the “Finder” application from your dock;
  2. In the left pane of the Finder, click on “Applications”;
  3. The Applications window will display the list of all apps installed on your Mac OS. Next, you need to locate Trojan-Downloader.OSX.Shlayer or suspicious apps by scrolling.
    • Search for apps like Advanced Mac Cleaner, ChumSearch, MyShopcoupon, mediaDownloader, MyMacUpdater.
  4. To remove Trojan-Downloader.OSX.Shlayer, right-click on it, and then click “Move to Trash”. (Repeat this step until you remove all such apps.)
  5. Now you need to empty the trash, as sometimes programs can restore themselves from the trash. On your dock, right-click on the trash icon and then select “Empty Trash”.

STEP 3: Remove Trojan-Downloader.OSX.Shlayer Daemons And Agents From Mac’s Startup

  1. From the top menu on the desktop, choose Go → Go to Folder;
  2. Within the “Go To Folder” pop-up window, enter the following paths one by one and look for Trojan-Downloader.OSX.Shlayer.plist. This will locate the malicious files created by the apps.
    • /Library/LaunchAgents
    • ~/Library/LaunchAgents
    • /Library/Application Support
    • /Library/LaunchDaemons

For instance, if a malicious program is named Trojan-Downloader.OSX.Shlayer, then you may see “~/Library/LaunchDaemons/com.Trojan-Downloader.OSX.Shlayer.plist” within this location. You will see lots of files with the “.plist” extension. Scroll through them and find the ones which appear to be suspicious.

Some of the files are:

  • /Applications/Advanced Mac Cleaner
  • /Applications/MyMacUpdater
  • /Applications/MyShopcoupon
  • /Applications/mediaDownloader
  • /Library/LaunchAgents/com.MyMacUpdater.agent.plist
  • /Library/LaunchAgents/com.MyShopcoupon.agent.plist
  • /mm-plugin.dylib
  • /myshopcoupon.safariextz
  • ~/Library/Application Support/amc
  • ~/Library/Caches/com.apple.Safari/Extensions/Chumsearch+.safariextension
  • ~/Library/LaunchAgents/com.pcv.hlpramcn.plist
  • ~/Library/Safari/Extensions/Chumsearch+.safariextz

To remove launch agents created by Trojan-Downloader.OSX.Shlayer, right-click on the file and choose “Move to Trash”.

Similarly, do this for the launch agents location: /Library/LaunchAgents/com.Trojan-Downloader.OSX.Shlayer.plist.

NOTE: Do not forget to empty the trash. 
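Scrolling through dozens of .plist files by eye is error-prone, so the following added example (not part of the original guide) parses every launch agent and daemon in the STEP 3 folders and flags the ones whose file name, label or command contains a name from the file list above. The function names `describe_item` and `audit` are hypothetical, and matching on names only catches the adware this guide lists.

```python
import plistlib
from pathlib import Path

# launchd folders named in STEP 3 of this guide.
LAUNCH_DIRS = ["/Library/LaunchAgents", "~/Library/LaunchAgents",
               "/Library/LaunchDaemons"]

# Lower-cased name fragments taken from the adware files this guide lists.
KNOWN_NAMES = ["mymacupdater", "myshopcoupon", "mediadownloader",
               "chumsearch", "advanced mac cleaner", "com.pcv.hlpramcn"]


def describe_item(plist_path):
    """Return (label, command, reason) for one launchd property list."""
    try:
        with open(plist_path, "rb") as fh:
            data = plistlib.load(fh)  # reads both XML and binary plists
    except Exception as exc:  # malformed or unreadable: report it, keep going
        return (None, None, f"unparseable: {type(exc).__name__}")
    if not isinstance(data, dict):
        return (None, None, "unparseable: root is not a dictionary")
    label = str(data.get("Label", ""))
    program = str(data.get("Program", ""))
    argv = " ".join(str(a) for a in data.get("ProgramArguments", []))
    command = argv or program  # shown to the user; both are searched below
    haystack = f"{Path(plist_path).name} {label} {program} {argv}".lower()
    hits = [name for name in KNOWN_NAMES if name in haystack]
    return (label, command, "matches " + ", ".join(hits) if hits else "")


def audit(dirs=LAUNCH_DIRS):
    """Return [(path, label, command, reason)] for every .plist found."""
    rows = []
    for d in dirs:
        folder = Path(d).expanduser()
        if not folder.is_dir():
            continue  # a folder that does not exist is simply skipped
        for plist in sorted(folder.glob("*.plist")):
            rows.append((str(plist),) + describe_item(plist))
    return rows


if __name__ == "__main__":
    for path, label, command, reason in audit():
        mark = "!!" if reason else "  "
        print(f"{mark} {path}\n     label={label!r} runs={command!r} {reason}")
```

Entries marked `!!` are the ones to inspect first; unflagged entries that you do not recognise still deserve a look at the command they run.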


STEP 4: Use ComboCleaner Scan To Remove Trojan-Downloader.OSX.Shlayer

Combo Cleaner DOWNLOAD LINK
(The above link will open a new page from where the Combo Cleaner will download)

Combo Cleaner is a complete security suite for Mac OS developed by the company “RCS LT”. The program features an anti-virus scanner and system optimization tools such as a disk cleaner, duplicate files finder, application uninstaller, privacy scanner, and 24/7 customer support service.

It is very important to have a reliable anti-virus solution for the computer system. Combo Cleaner is one of the best options for Mac users, as it detects and eliminates all sorts of threats like adware, browser hijackers, Trojans, and other malware.

How to Install and Scan with Combo Cleaner

  1. Click the above button to download “Combo Cleaner”;
  2. Once the download completes, double-click on the downloaded file;
  3. After the window opens, drag the Combo Cleaner program icon and drop it onto your “Applications” folder icon.
  4. Now, open your “Launchpad” and click on the “Combo Cleaner” icon.
  5. This will start the Combo Cleaner installation and update its virus definitions. Once done, Combo Cleaner will launch;
  6. Click on the “Antivirus” tab and choose a scan option: Quick, Full, or Custom. (Full is recommended for the first time.)
  7. Let the scan complete, and it will list all the threats found. Now, click on “Remove All Threats”;
  8. After removing the threats, click on the “Uninstaller” to find and remove any unwanted programs. Select the program and its related files from the list and then click on “Remove Selected Items”.


STEP 5: Remove Trojan-Downloader.OSX.Shlayer From Safari, Chrome, And Firefox Web Browsers

Reset Safari

To remove Trojan-Downloader.OSX.Shlayer extensions and homepage redirects from the Safari browser, follow these steps:

    • In the Safari browser, click the “Safari” menu and then select “Preferences”.
    • On the “General” tab of the Safari preferences, check whether a Trojan-Downloader.OSX.Shlayer URL has been added as the default homepage. In the “Homepage” field, enter your preferred URL as the default start page of the browser.
    • Next, to check for malicious extensions, click on the “Extensions” tab in the same window.
    • The “Extensions” screen will list all the extensions installed in your Safari browser. Browse through the list and uninstall the Trojan-Downloader.OSX.Shlayer extension or adware: select it and then click on “Uninstall”. Repeat the steps to remove all unwanted extensions.

  1. Delete Safari’s preferences file to reset the default settings

Even after performing the above steps, some malicious programs may reappear. This happens because adware and browser hijackers create new files within the preferences. Thus, they are able to replace the homepage and search engine URLs each time the user launches Safari.

To do this, follow the steps below:

    • Close the Safari browser;
    • Return to the desktop, choose “Go” from the top menu, and then click on “Go to Folder”.
    • Within the “Go to Folder” pop-up window, enter the ~/Library/Preferences/com.apple.Safari.plist path and click on Go;
    • Delete the file, if found;
    • Launch Safari again.

Reset Google Chrome

To remove Trojan-Downloader.OSX.Shlayer from Chrome (extensions, homepage redirects), follow these steps:

Similarly, you need to reset the default settings of the Chrome browser in order to remove unknown extensions, search engines, startup pages, and new tabs.

It is better to use the default reset feature of Google Chrome. This will reset all the unwanted modifications made by third-party programs. Note that you will not lose your saved passwords and bookmarks. (Sync them with your Google Account first to secure them.) However, it will delete cookies, extensions, startup pages, URLs, homepage and new tab preferences.

    • Click on Chrome’s main menu and then choose “Settings”. Scroll to the bottom of the page and click on “Advanced”;
    • On the Advanced page, go to the “Reset and clean up” section. Then click on “Reset settings to their original defaults”;
    • Next, click on “Reset” when you are prompted for confirmation: “This will reset your startup page, a new tab page, search engine, and pinned tabs. It will also disable all extensions and clear temporary data like cookies. Your bookmarks, history, and saved passwords will not be cleared”;
    • Click on the “Reset Settings” button to confirm the procedure. After that, it may ask you to restart your browser; click “Yes”.

  1. Remove Chrome’s policies created by Trojan-Downloader.OSX.Shlayer Program

If the above reset solution does not work for you, then it may be possible that the malicious program has created policies within the Chrome browser. These policies prevent the unwanted apps, homepage and search engine settings from being reset. The Chrome policies are listed at the chrome://policy URL. There you can check for unwanted policies created by malicious apps. If this is the case, you need to remove them.

To reset such policies in the Chrome browser, follow the steps below:

    • Open a Terminal window. Go to Finder → Go → Utilities → Terminal;
    • Within the Terminal window, execute the following commands one by one, pressing Enter after each command.

defaults write com.google.Chrome HomepageIsNewTabPage -bool false
defaults write com.google.Chrome NewTabPageLocation -string "https://www.google.com/"
defaults write com.google.Chrome HomepageLocation -string "https://www.google.com/"
defaults delete com.google.Chrome DefaultSearchProviderSearchURL
defaults delete com.google.Chrome DefaultSearchProviderNewTabURL
defaults delete com.google.Chrome DefaultSearchProviderName
defaults delete com.google.Chrome ExtensionInstallSources
    • After executing the above commands, launch the Chrome browser again. To check that the unknown policies have been removed successfully, type “chrome://policy” in the address bar and click on “Reload policies”.
    • Now, the malicious policies should be gone. After that, you can modify your homepage, new tab and search engine as per your preferences.
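Before running the commands above, it is worth recording which of those keys are actually set and where they point, since `defaults delete` reports an error for a key that does not exist. The following added example (not part of the original guide) reads the per-user preference file behind the `com.google.Chrome` defaults domain; the function name `chrome_policy_report` is hypothetical.

```python
import plistlib
from pathlib import Path
from urllib.parse import urlparse

# Per-user file that `defaults ... com.google.Chrome` reads and writes.
CHROME_PREFS = "~/Library/Preferences/com.google.Chrome.plist"

# Keys the commands in this guide overwrite (reset) or remove (delete).
RESET_KEYS = ["HomepageIsNewTabPage", "NewTabPageLocation", "HomepageLocation"]
DELETE_KEYS = ["DefaultSearchProviderSearchURL", "DefaultSearchProviderNewTabURL",
               "DefaultSearchProviderName", "ExtensionInstallSources"]


def chrome_policy_report(plist_path=CHROME_PREFS):
    """Return [(key, value, hosts, action)] for the guide's keys that are set."""
    path = Path(plist_path).expanduser()
    if not path.is_file():
        return []  # Chrome never wrote preferences for this user
    with open(path, "rb") as fh:
        prefs = plistlib.load(fh)
    report = []
    for key in RESET_KEYS + DELETE_KEYS:
        if key not in prefs:
            continue  # nothing to reset or delete for this key
        value = prefs[key]
        # ExtensionInstallSources is a list of URL patterns; the rest are scalars.
        items = value if isinstance(value, list) else [value]
        hosts = sorted({urlparse(v).hostname for v in items
                        if isinstance(v, str) and urlparse(v).hostname})
        action = "reset" if key in RESET_KEYS else "delete"
        report.append((key, value, hosts, action))
    return report


if __name__ == "__main__":
    for key, value, hosts, action in chrome_policy_report():
        where = ", ".join(hosts) or "-"
        print(f"{action:6} {key} = {value!r} (hosts: {where})")
```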

NOTE: Last but not least, if the above solution also does not work for you, then the malicious program may have installed a “Managed by your organization” policy. As a consequence, it prevents you from removing the unknown extension or homepage even after resetting the browser.

Please follow our guide Remove “Managed by your organization” Chrome Hijack From Mac


 

Reset Firefox

To remove the Trojan-Downloader.OSX.Shlayer extension and homepage redirects from the Mozilla Firefox browser, follow these steps:

Finally, if you are facing the same issues with the Firefox browser, follow the steps to refresh it.

    • Open Firefox’s main menu by clicking on the three horizontal lines. After that, select “Help” from the drop-down menu;
    • Click on “Troubleshooting Information” in the Help menu;
    • In the upper-right corner of the “Troubleshooting Information” page, click on “Refresh Firefox”.
    • To confirm, click on the “Refresh Firefox” button in the confirmation pop-up window.
    • Click on the “Finish” button.

By now, your Mac should be free from adware and other malicious programs. Most importantly, you should always have a reliable anti-malware tool with real-time protection features, so that it can detect the behavior of unwanted programs at the earliest and quarantine them before they cause serious damage.
