How to remove ClickFix malware from computers
Written by Tomas Meskauskas
What is "ClickFix" malware?
ClickFix scams trick users into running malicious commands by pretending to solve issues like fixing website errors or performing other steps. Ultimately, victims are tricked into taking actions that cause computer infections. These scams can lead to various issues, including data theft and unauthorized remote access to computers.
ClickFix campaign targeting macOS users
One known scam campaign targeting macOS users is the fake Safeguard scam, which primarily targets cryptocurrency users. The scam operates in at least two ways. In the first case, users may come across Telegram channels urging them to "Tap to verify" to participate in token airdrops.
Clicking the provided button or link directs users to a fake Safeguard bot that pretends to verify their account. After the "verification" process, the bot claims that the verification has failed and provides manual steps to resolve the issue. If these steps are followed, malicious code is secretly copied to the clipboard.
In the second case, scammers use fake social media accounts impersonating well-known people and share links to Telegram groups in comment sections. They invite users to join for investment opportunities. Once users join these groups, they are tricked into following a fake verification process, similar to the first scenario.
When users are given step-by-step instructions, harmful code is copied to their clipboard. If they paste this code into the macOS Terminal or another system tool, it may appear normal, sometimes starting with a benign-looking term like "Telegram" masking its malicious intent. The code typically contains commands that download and run advanced malware, such as remote access Trojans.
These RATs allow hackers to steal sensitive information, such as wallet files, passwords, and private keys, and can even be used to steal cryptocurrency. It is important to mention that the above are just a couple of examples of the schemes used to trick users into infecting their computers.
Threat actors can also try to trick users into "fixing" problems, "creating" documents, "joining" calls, and taking other steps to lure users into unknowingly executing malware through malicious code pasted into their clipboard.
| Name | ClickFix malicious campaign |
| Threat Type | Malware |
| Detection Names (Malicious file) | Avast (MacOS:AMOS-BK [Trj]), AVG (MacOS:AMOS-BK [Trj]), ESET-NOD32 (A Variant Of OSX/PSW.Agent.CZ), Kaspersky (HEUR:Trojan-PSW.OSX.Amos.ah), Full List Of Detections (VirusTotal) |
| Related Domain | lasso-security[.]com |
| Detection Names (lasso-security[.]com) | alphaMountain.ai (Suspicious), CRDF (Malicious), Seclookup (Malicious), Full List Of Detections (VirusTotal) |
| Symptoms | A program that you do not recall installing suddenly appeared on your computer. A new application is performing computer scans and displays warning messages about 'found issues'. Asks for payment to eliminate the supposedly found errors. |
| Distribution Methods | Fake X (Twitter) accounts, Telegram, deceptive websites. |
| Possible Damage | Monetary loss, identity theft, data encryption, slow computer performance, and more. |
| Malware Removal (Mac) | To eliminate possible malware infections, scan your Mac with legitimate antivirus software. Our security researchers recommend using Combo Cleaner. |
Conclusion
In conclusion, ClickFix scams are a growing threat, tricking users into running malicious commands. These scams have recently expanded to target macOS users. It is crucial for users to remain vigilant and avoid falling for these deceptive tactics to protect their computers, personal data, and digital assets.
How did malware infiltrate my computer?
Users may be tricked into clicking links from Telegram channels or fake social media accounts. These links lead to a fake bot or group, promising account verification or investment opportunities. Once users follow instructions, malicious code is secretly copied to their clipboard. If they paste this code into tools like macOS Terminal, it activates the malware.
How to avoid malware?
Be cautious with emails—carefully inspect them before opening links or attachments, especially if they are unsolicited, irrelevant, or from unknown senders. Avoid clicking on ads, buttons, links, or pop-ups found on dubious websites, and do not permit sites of this kind to send you notifications.
Always download software from official websites or trusted app stores. Avoid using P2P networks, questionable websites, or downloading pirated software and illegal tools. Additionally, keep your operating system and applications up to date, and regularly scan your device with a trusted security tool to detect and prevent potential threats.
If your computer is already infected, we recommend running a scan with Combo Cleaner Antivirus for macOS to automatically eliminate all threats.
Appearance of the ClickFix malware delivery scheme where malicious code is copied into the clipboard (GIF):
Another example of a ClickFix-type website targeting macOS users:
Instant automatic Mac malware removal:
Manual threat removal might be a lengthy and complicated process that requires advanced IT skills. Combo Cleaner is a professional automatic malware removal tool that is recommended to get rid of Mac malware. Download it by clicking the button below:
By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. To use the full-featured product, you have to purchase a license for Combo Cleaner. A limited seven-day free trial is available. Combo Cleaner is owned and operated by Rcs Lt, the parent company of PCRisk.com.
Unwanted applications removal:
Remove potentially unwanted applications from your "Applications" folder:
Click the Finder icon. In the Finder window, select "Applications". In the applications folder, look for "MPlayerX", "NicePlayer", or other suspicious applications and drag them to the Trash. After removing the potentially unwanted application(s) that cause online ads, scan your Mac for any remaining unwanted components.
Remove adware-related files and folders
Click the Finder icon. From the menu bar, choose Go and click Go to Folder...
Check for adware generated files in the /Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: /Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the ~/Library/Application Support/ folder:
In the Go to Folder... bar, type: ~/Library/Application Support/
In the "Application Support" folder, look for any recently-added suspicious folders, for example "MplayerX" or "NicePlayer", and move these folders to the Trash.
Check for adware generated files in the ~/Library/LaunchAgents/ folder:
In the Go to Folder... bar, type: ~/Library/LaunchAgents/
In the "LaunchAgents" folder, look for any recently-added suspicious files and move them to the Trash. Examples of files generated by adware - "installmac.AppRemoval.plist", "myppes.download.plist", "mykotlerino.ltvbit.plist", "kuklorest.update.plist", etc. Adware commonly installs several files with the exact same string.
Check for adware generated files in the /Library/LaunchDaemons/ folder:
In the "Go to Folder..." bar, type: /Library/LaunchDaemons/
In the "LaunchDaemons" folder, look for recently-added suspicious files, for example "com.aoudad.net-preferences.plist", "com.myppes.net-preferences.plist", "com.kuklorest.net-preferences.plist", "com.avickUpd.plist", etc., and move them to the Trash.
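The same four folder checks can be run from Terminal. The script below is an added example, not part of the original guide: it lists .plist files in the three launchd folders and subfolders of Application Support changed within the last N days, and shows what each launchd job is set to run. It treats modification time as a stand-in for "recently added"; the function names, the DAYS variable and the optional root/home arguments are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original guide). Lists launchd .plist files and
# Application Support subfolders changed in the last N days. Modification time
# is used as a stand-in for "recently added"; function names, DAYS and the
# optional root/home arguments are assumptions of this sketch.

# recent_items DAYS [SYSROOT] [USERHOME] -> one path per line
recent_items() {
    days=$1
    sysroot=${2:-}
    home=${3:-$HOME}
    for dir in "$sysroot/Library/LaunchAgents" \
               "$sysroot/Library/LaunchDaemons" \
               "$home/Library/LaunchAgents"; do
        [ -d "$dir" ] &&
            find "$dir" -maxdepth 1 -type f -name '*.plist' -mtime "-$days"
    done
    support="$home/Library/Application Support"
    [ -d "$support" ] &&
        find "$support" -mindepth 1 -maxdepth 1 -type d -mtime "-$days"
    return 0
}

# describe_item FILE -> show what a launchd job is configured to run
describe_item() {
    if command -v plutil >/dev/null 2>&1; then
        plutil -p "$1"        # macOS: also decodes binary plists
    else
        # Fallback for XML plists on systems without plutil
        grep -A3 -E '<key>(Program|ProgramArguments)</key>' "$1"
    fi
}

# Review the output by hand; nothing is deleted or moved to the Trash here.
recent_items "${DAYS:-14}" | while IFS= read -r item; do
    printf '== %s\n' "$item"
    if [ -f "$item" ]; then describe_item "$item"; fi
done
```

Run it with, for example, `DAYS=30 sh script.sh` to widen the window; an entry whose Program or ProgramArguments points at a file you do not recognise is the one to inspect before moving anything to the Trash.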
Scan your Mac with Combo Cleaner:
If you have followed all the steps correctly, your Mac should be clean of infections. To ensure your system is not infected, run a scan with Combo Cleaner Antivirus. Download it, then double-click the combocleaner.dmg installer. In the opened window, drag and drop the Combo Cleaner icon on top of the Applications icon. Now open your launchpad and click on the Combo Cleaner icon. Wait until Combo Cleaner updates its virus definition database and click the "Start Combo Scan" button.
Combo Cleaner will scan your Mac for malware infections. If the antivirus scan displays "no threats found" - this means that you can continue with the removal guide; otherwise, it's recommended to remove any found infections before continuing.
After removing files and folders generated by the adware, continue to remove rogue extensions from your Internet browsers.
Remove malicious extensions from Internet browsers
Remove malicious Safari extensions:
Open the Safari browser. From the menu bar, select "Safari" and click "Preferences...".
In the preferences window, select "Extensions" and look for any recently-installed suspicious extensions. When located, click the "Uninstall" button next to it/them. Note that you can safely uninstall all extensions from your Safari browser - none are crucial for regular browser operation.
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Safari.
Remove malicious extensions from Google Chrome:
Click the Chrome menu icon (at the top right corner of Google Chrome), select "More Tools" and click "Extensions". Locate all recently-installed suspicious extensions, select these entries and click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Google Chrome.
Remove malicious extensions from Mozilla Firefox:
Click the Firefox menu (at the top right corner of the main window) and select "Add-ons and themes". Click "Extensions", in the opened window locate all recently-installed suspicious extensions, click on the three dots and then click "Remove".
- If you continue to have problems with browser redirects and unwanted advertisements - Reset Mozilla Firefox.
Frequently Asked Questions (FAQ)
What is a "ClickFix" scam?
A "ClickFix" scam is a type of fraudulent scheme that tricks users into running malicious commands on their devices.
What is the purpose of a "ClickFix" scam?
The purpose of a "ClickFix" scam is to trick users into running malicious code on their devices, which leads to malware infections. The malware can then steal sensitive information, such as passwords, wallet files, and private keys, or allow hackers to remotely access the system.
Why do I encounter scam websites?
Scam websites are spread through fake emails, bogus social media profiles, misleading advertisements, pop-ups, and suspicious notifications. Users can also be tricked by ads from adware or directed to scam sites via rogue ad networks, which are often found on torrent sites or illegal streaming platforms.
Will Combo Cleaner protect me from scam websites?
Combo Cleaner scans every website you visit, detecting malicious ones. It also identifies sites that deliver scams, alerting you immediately and blocking access.