Around a month ago, I got a hysterical call from my mother (I'm Sicilian, so this is nothing new). Turns out her printer wasn't working, so she decided to call HP support staff. Long story short, the number she called wasn't exactly what she was looking for, and she gave a complete stranger/asshat the permissions he needed to poke and prod around her iMac.

After around half an hour of "help", the stranger demanded $200, to which my mom told him to eat it and hung up the phone. She realized that she had made a mistake and tried to fix it, this time by calling the proper number to get some security help, but even after putting up a firewall, my mom was beside herself.

"He was clicking for me!" She cried through the phone as I struggled to understand her through sobs. "He took over the computer!"

Fast forward to around a month later, and my mom's assured me everything is fine. She has the firewall up on her iMac, nothing is sluggish or slow, and no one has "taken over her computer", but she needs some help signing into something. When I pulled up Google Chrome, rather than the familiar Google search bar and bright, primary-colored font staring back at me, I saw this:

I was perplexed at first, because what the hell is this. I assumed she had mistakenly set some random site as her homepage and told her to be more careful, but when I tried to set it to Google, the page kept coming back.

I tried Bing. It came back.

I tried Yahoo. It came back.

That's when I noticed that where the URL normally is, a strange address appeared that I didn't recognize; something called

A quick real Google search told me everything I needed to know: is a dubious website that claims to be an Internet search engine. The appearance of this site is identical to Google, Bing, Yahoo, and other similar websites and, therefore, users often believe that is legitimate. In fact, developers promote this site using bogus 'installer set-ups' that hijack web browsers and modify their settings… This site gathers visitors' Internet Protocol addresses, search queries, clicks on search results, and other similar information. This data may seem insignificant, however, it might contain private details. For this reason, visiting is risky and can lead to serious privacy issues or even identity theft. (

Well. Shit.

Shit shit shit.

But before my mind imploded, I figured a) if this is just something that's exclusive to the browser (in this case, Google Chrome, because Safari was acting just fine), then it might not be a huge deal, and b) I'm sure this is an easy fix.

Well, I was right... and I was wrong.

How to remove from your browser

Easy. Uninstall it.

Online, I came across a couple of great articles that talked about deleting the extensions from Google Chrome, which is also a really good/smart call, but because panic/Sicilian hysteria had set in between my mother and me, we decided to uninstall Chrome completely.

If you're looking to try and uninstall the extension on Google Chrome, then here's how!

  1. Open Google Chrome that's infected with Kuklorest.
  2. Click the Chrome Menu which looks like three vertical lines in the upper right corner.
  3. Click More Tools.
  4. Click Extensions.
  5. Click the garbage can to delete any suspicious-looking extensions.
  6. Click Settings on the left side of the page.
  7. Click Set pages next to Open a specific page or set of pages in the On startup column.
  8. Delete the browser hijacker.
  9. Add in the URL of your choice.
  10. Click Manage Search engines in the Search section of the Settings page.
  11. Click the X to delete suspicious search engines.
  12. Click the Search Engine you would like to make default (Google, Yahoo, etc).

Alright! Done! Easy peasy! Everything is great, right?

Well, not exactly.

I had a strange feeling that perhaps it wasn't that easy. I mean my mom's computer was running fine (despite not being updated for 4 years) and it seemed to even be a bit faster, but that could have just been the placebo effect of tossing Chrome in the trashcan.

After doing a bit more digging, I realized that Kuklorest is like a dandelion: once it has its roots planted, it buds and spreads its seeds to more than just your browser, depending on your activity. One minute it's affecting your browser, and the next there are dozens of documents littered throughout your iMac with names like com.iyogi.plist, niceplayer.jave, and sometimes straight up just kuklorest.update.plist.

How to remove from your Applications

The easiest step to clearing out Kuklorest is removing the suspicious looking applications from your Applications folder.

You may see random apps with names like Mac Tuneup, NicePlayer, FriendlyPoll, or, again, an app straight up called Kuklorest.

These apps come accompanied by pretty simple looking icons, like a black box with a white triangle or a green orb with gears in it.

Always remember that Kuklorest will do its best to imitate and blend in with your Mac icons, so literally go row by row to see which apps are dangerous malware masquerading as legitimate ones.

How to remove from your files and folders

Once you're done clearing out your Applications folder, there are four other main folders that you're going to need to look through:

  • /Library/LaunchAgents
  • /Library/Application
  • ~/Library/LaunchAgents
  • /Library/LaunchDaemons

Going to each of these folders and deleting the Kuklorest malware is a bit tricky, because there is no set number of files to keep an eye out for, and it's easy to get confused between legitimate-sounding and sketchy-sounding filenames from time to time.

If you're unsure if you should delete a file or not, try googling the name of the file to see what comes up. This was very helpful when I was deleting Kuklorest files, because normally the first search results on Google are "is this random file called _________ actually a virus?"

  1. Click the Finder icon.
  2. Click Go.

  3. Click Go to Folder.
  4. Type in the name of the folder to search for it.

Once you are at the folder you would like to search, go through and delete any suspicious-looking files. They could have names like,, MplayerX, or (yet again) simply kuklorest.update.plist.

Keep repeating these steps until you've deleted all the malware files.
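If you're comfortable in Terminal, the same hunt can be done as a listing pass before anything is deleted. This is an added example, not part of the original write-up: the function names `scan_dirs` and `count_hits` are made up for illustration, the name patterns are only the ones mentioned in this article, and the `/Library/Application` entry is left out because its path is cut off in the list above.

```shell
#!/bin/sh
# Added example: list (never delete) entries whose names contain strings
# this article mentions. A hit is a lead to look up, not proof of infection.

# Case-insensitive name fragments taken from the article's examples.
PATTERNS='kuklorest|iyogi|niceplayer|mplayerx|friendlypoll|mac ?tuneup'

# scan_dirs DIR...: print the full path of every top-level entry in each
# existing DIR whose file name matches PATTERNS, one per line, sorted.
scan_dirs() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue            # skip folders that don't exist
        # Launch agents/daemons and apps sit directly inside these folders.
        find "$dir" -mindepth 1 -maxdepth 1 2>/dev/null
    done | while IFS= read -r path; do
        name=${path##*/}                     # match on the file name only
        if printf '%s\n' "$name" | grep -E -i -q "$PATTERNS"; then
            printf '%s\n' "$path"
        fi
    done | sort
}

# count_hits DIR...: number of matching entries across the given folders.
count_hits() {
    scan_dirs "$@" | wc -l | tr -d ' '
}

# Default run: the folders named in this article with complete paths,
# plus the Applications folder from the previous section.
scan_dirs /Applications \
          /Library/LaunchAgents \
          "${HOME:-}/Library/LaunchAgents" \
          /Library/LaunchDaemons
```

Anything it prints still deserves the "google the filename" check before it goes in the trash, and an empty result only means none of these particular names were found.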

The end result

Once all of the documents were deleted, the folders were searched & scourged, and Google Chrome was in the trash can, permanently deleting was actually kind of a pain.

An error message continued to appear as I tried to empty the trash, and I kept getting prompts to enter my password. Eventually I restarted the computer and tried again, and suddenly, those spooky, malicious files were gonzo.

Though after going through this process, and then double- and triple-checking that everything looked okay, I'm honestly still not 100% sure if the computer is safe…

Moral of the story?

Kuklorest isn't just harmless browser malware; it can hurt your iMac or MacBook. A lot.

Having something like anti-malware software set up is probably a good call and will definitely save you a migraine in the future.

Oh, and always dial the right number for tech support.

(I love you, mom!!!)