Possible Malware - OpticalUpdater.system

Nov. 22, 2023

Occasionally, a pop-up says that "OpticalUpdater.system will damage your computer."

It started on Nov. 8, 2023 after coming back from vacation when my iMac had been shut down for 2 weeks.

It says I can report to Apple.

Is this a problem?

PLEASE HELP.


From: Jane


iMac 27″, OS X 10.11

Posted on Nov 22, 2023 10:10 PM


Dec 5, 2023 04:19 AM in response to ExploreUnit

ExploreUnit, please follow the instructions below.



First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.


  • A backup is a fundamental prerequisite regardless of whatever method you may choose to uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.


Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".


The following files and / or folders need to be deleted while using your Mac in "Safe Mode":


First screenshot:



Third screenshot:



Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.


Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).



There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.


Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.


Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:



If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.


Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.


You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.


Next: You can see for yourself that "Malwarebytes" did nothing to prevent you from installing adware, and from what you describe it was equally ineffective at removing it. It's your decision whether to keep it installed or not, but no product can provide absolute protection from becoming deceived into willfully installing junk. Recognition and avoidance is the only effective defense. For more regarding that subject, read How to install adware - Apple Community.


Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:


~/Library/Application Support


It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.


Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.
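A defender-side triage script for the LaunchAgents and LaunchDaemons folders the instructions above have Jane inspect, added here as an example and not code from the thread or from Apple; it assumes a POSIX shell and XML plists, and builds its own constructed sample plists (the OpticalUpdater label and path are made up for the demo):

```shell
#!/bin/sh
# Added example (not from the thread): inventory launchd persistence plists in
# ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons and flag
# entries whose program is missing or lives under the user's home, where adware
# keeps its payload. Assumes XML plists with one element per line (convert binary
# ones first with "plutil -convert xml1 FILE" on macOS).

# Print "Label|Program": the <string> after the Label key and the first <string>
# after Program or ProgramArguments.
plist_summary() {
    f="$1"
    label=$(sed -n '/<key>Label<\/key>/{n;s/.*<string>\(.*\)<\/string>.*/\1/p;}' "$f" | head -n 1)
    prog=$(sed -n '/<key>Program\(Arguments\)\{0,1\}<\/key>/,/<string>/s/.*<string>\(.*\)<\/string>.*/\1/p' "$f" | head -n 1)
    printf '%s|%s\n' "${label:-?}" "${prog:-?}"
}

# Reasons to look closer: the binary is gone (a deleted payload whose loader is
# still registered) or it sits in a user-writable location.
flag_reasons() {
    prog="$1"; home="$2"; reasons=""
    [ -e "$prog" ] || reasons="missing-binary"
    case "$prog" in
        "$home"/*) reasons="${reasons:+$reasons,}user-writable" ;;
    esac
    printf '%s\n' "${reasons:-ok}"
}

# One line per plist: path, Label|Program, flags. Missing directories are skipped.
scan_launchd() {
    home="${1:-$HOME}"
    for d in "$home/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons; do
        [ -d "$d" ] || continue
        for f in "$d"/*.plist; do
            [ -f "$f" ] || continue
            s=$(plist_summary "$f"); prog=${s#*"|"}
            printf '%s\t%s\t%s\n' "$f" "$s" "$(flag_reasons "$prog" "$home")"
        done
    done
}

# Constructed sample home: one benign agent plus an OpticalUpdater-style agent
# whose payload under Application Support has already been deleted.
make_sample_home() {
    h=$(mktemp -d); mkdir -p "$h/Library/LaunchAgents"
    printf '<plist><dict>\n<key>Label</key>\n<string>%s</string>\n<key>ProgramArguments</key>\n<array>\n<string>%s</string>\n</array>\n</dict></plist>\n' \
        com.example.benign /bin/sh > "$h/Library/LaunchAgents/com.example.benign.plist"
    printf '<plist><dict>\n<key>Label</key>\n<string>%s</string>\n<key>Program</key>\n<string>%s</string>\n</dict></plist>\n' \
        com.OpticalUpdater.system "$h/Library/Application Support/OpticalUpdater/OpticalUpdater.system" \
        > "$h/Library/LaunchAgents/com.OpticalUpdater.system.plist"
    printf '%s\n' "$h"
}

scan_launchd "$(make_sample_home)"
```

Run it without an argument on the affected Mac to scan the real folders; an entry flagged missing-binary is a loader left behind after its payload was trashed, which is the kind of leftover the post says makes the problem return.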

Nov 24, 2023 01:50 AM in response to John Galt

Thank you for your help. BTW, I did a chat with Apple, and they walked me through this: Go to System Settings > General > Login items. I toggled off "OpticalUpdater.service" and "OpticalUpdater.system" (dated Nov 8, 2023, and Nov 22, 2023), which I found under "Allow in the Background". I found a lot of other old items from 2010, 2013, 2016, etc.

Note, I recently updated my Mac OS.

Nov 27, 2023 09:02 AM in response to JaneTeis

There is one more folder you need to examine:



It was the first of the three shown in your earlier reply. Those are the files you need to delete. The only files that should remain in that folder are those from Adobe, Amazon, Apple, and Dropbox.


You don't need the one from Apple any more either — it's obsolete, so you might as well drag it to the Trash also.


You need to do all that in Safe Mode.

Nov 24, 2023 06:46 PM in response to JaneTeis

Apple missed a lot of files that should also be removed, and the problem is likely to return unless you delete them. Please follow the instructions below.



First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.


  • A backup is a fundamental prerequisite regardless of whatever method you may choose to uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.


Next: This step will prevent the scam products from loading so that they can be removed while they are inactive. Restart in "Safe Mode", and log in: How to use safe mode on your Mac - Apple Support. Starting in Safe Mode takes longer than usual so let it finish. The rogue processes affecting that Mac are inoperative in "Safe Mode".


The following files and / or folders need to be deleted while using your Mac in "Safe Mode":


First screenshot:



Second screenshot:



Drag those selections of files to the Trash. You may be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.


Next: open Safari and select the Safari menu > Preferences (or Settings) > Extensions. If you see any Safari Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Then, select the Search pane and confirm your desired Search Engine. Repeat those equivalent actions for any other browser you may use (Brave, Firefox, or Opera for example).



There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.


Next: In an abundance of caution, examine System Preferences (or Settings) > Extensions. Determine if there are any System Extensions that may have been installed without your knowledge. Ask if you're uncertain.


Remaining in System Preferences, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but have also been exploited by adware creators and similar malcontents. If any Profiles are installed on your Mac an icon like this will appear in System Preferences:



If you see that icon in System Preferences, select it. To remove a Profile, select it, then click the [—] (minus) button and authenticate.


Remaining in System Preferences, open Users & Groups. Select your User Account's Login Items. You may or may not find those Applications in its list. If you do, select them then click the [—] (minus) button to remove them from Login Items.


You can then restart your Mac and log in as usual. Evaluate its operation and ensure everything is working as you expect it should.


Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:


~/Library/Application Support


It is normal for that folder to contain many items, but anything associated with the above adware may contain identical names. If you find a folder or folders bearing those names, drag those folders to the Trash. Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.


Finally: If any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.


Nov 28, 2023 12:27 PM in response to JaneTeis

Great! Thanks for the update.


Now I want to know how I can thank you. What can I do for you? THANK YOU SO MUCH.


You can teach others to fix it. The instructions I provided were not originally intended to address this new problem, so I just created this new one specifically for it:


About those "<app> will damage your computer" messages - Apple Community


I hope it is more streamlined and less daunting than the earlier one. Let me know what you think.

Nov 27, 2023 08:40 AM in response to John Galt

I followed your instructions as best I could. I backed up in Time Machine.

Then when I started in Safe Mode, the OpticalUpdater.system Pop-Up appeared.


I did not see the LaunchAgents that I was supposed to delete.


I removed the items in LaunchDaemons as instructed.


I looked at Added Extensions, it looked normal.


Safari had no extensions.


In my Applications Folder, should I delete "JAVA" and "VersionCue CS4"? They look old. Maybe too many to decide now.


In System Preferences, no Profiles were installed. But there was a thing at the top "Work or School Account" with a Sign In button.


Then on a Normal Restart, the OpticalUpdater.system Pop Up appeared again. I went to find it in Finder, then I trashed it. But it was not shown in Trash. And I could not find it in Finder with a search. This time I screen grabbed the Pop Up in Finder.

FYI: since I toggled off the OpticalUpdater per Apple, I had not seen the Pop Up until today, when I started up in Safe Mode and then again in Normal Mode.


Should I try a Normal Restart again and see if the Pop Up appears again?

See below my current LaunchAgents and LaunchDaemons.


Thank you,

Jane

Nov 27, 2023 03:21 PM in response to John Galt

Hi, John - I removed that last "bit" from my LaunchAgents folder in Safe Mode. When I opened it in Normal Mode, I also removed what I think was the "remnant", which I think you said would not be active anymore.


I restarted my computer twice, and there was no Pop Up.


Now I want to know how I can thank you. What can I do for you? THANK YOU SO MUCH.
