OpinionSpy Removal Tool IconBackground:

If you build it, they will come… unfortunately.

A Mac-specific piece of spyware was uncovered this week.

Called “OSX/OpinionSpy” or “PremierOpinions”, the spyware is bundled with some free Mac downloads; particularly “free screensavers”. Affected installers are actively being distributed from both 7art-screensavers . com (*do not visit*) and a few popular Mac download sites.

Among other behavior, the spyware:

  • Constantly runs in the background, sometimes using 50% or more CPU.
  • Enumerates, scans, and collects data from files on your computer.
  • Injects code into web browsers and other processes (which also can cause those programs to use considerable CPU), and collects personal information/data.
  • Regularly sends data to various servers.
  • Runs as “root”, and is thus capable of doing essentially *anything* on your computer.

Installing the spyware requires entering an administrator password as part of the affected screensaver (or other) install. This is not uncommon for Mac-based installers, but is yet another example of why you should make sure you trust a program before clicking “OK” on any administrator prompt.

But there’s happy news for all of our Mac-using friends: we’ve created a small, free utility that will let you instantly detect + (optionally) remove this spyware.

Solution:

OpinionSpy Removal Tool IconOSX/OpinionSpy Detection + Removal Tool
Mac OS X 10.5, 10.6 – Free

Download

Instructions:

  1. Simply download and run the tool.OpinionSpy Removal Tool - Main Screenshot
  2. Click the “Scan Now” button.
    The program will detect whether OSX/OpinionSpy is installed on your system.
  3. If OSX/OpinionSpy is detected, you’ll be shown a “Remove OpinionSpy” button. Click it, and the tool will remove OSX/OpinionSpy.
    (It will also show a detailed log of what it removed, after it’s done.)

    Before clicking the “Remove” button, it’s highly recommended that you close any open web browsers (Safari, Firefox) and iChat, to purge the spyware’s injected code.

Removal requires an administrator password. (Scanning doesn’t.)