
How To Remove “iWorkServices”

I noticed that some of the incoming traffic is from people looking for how to remove “iWorkServices”.

So, here are the manual, “Do It Yourself” steps:

Open Terminal –> /Applications/Utilities/Terminal.app

Check if “iWorkServices” is running. To do so, you can choose any of the options below:

**Note: These commands require root privileges to execute. To avoid re-entering your password every time, type “sudo su”.**


  1. Check for a running “iWorkServices” process by typing “lsof -c iwork” or “lsof -c iWork”; see which one works for you.



While monitoring “iWorkServices” background activity, you will notice the TCP connections change as it tries to communicate to and qwfojzlk.freehostia.com:1024.


      1.1 If you know the PID (process ID), then typing “lsof -p <PID>” will give the same result.

  2. Since we have already confirmed the presence of this threat on the system, you can start removing it by executing the following commands:

            rm -rf /System/Library/StartupItems/iWorkServices 

            rm /usr/bin/iWorkServices

            rm /private/tmp/.iWorkServices

            rm -rf /Library/Receipts/iWorkServices.pkg

            killall -9 iWorkServices

      2.1 Or you can copy the same instructions into a small bash script, as in the example below:

#!/bin/bash
# Simple script to delete the iWorkServices files and terminate the running process
rm -rf /System/Library/StartupItems/iWorkServices
rm /usr/bin/iWorkServices
rm /private/tmp/.iWorkServices
rm -rf /Library/Receipts/iWorkServices.pkg
killall -9 iWorkServices

You can write these instructions in any text editor, such as TextEdit (/Applications/TextEdit.app).
Open Terminal and type “chmod +rwx <filename>”, as in the example below. **Notice that I am the root user here, so don’t forget to type “sudo su” so that your script will execute properly.**

Then execute it by typing “./<your_filename>.sh”. In this example, I am executing “./remove.sh”; please refer to the sequence below.

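A read-only check to run before and after the removal commands, reporting which of the files listed above exist and whether the process is still running. This is an added example, not part of the original post; the function names and the optional root-directory argument are assumptions of the example.

```sh
#!/bin/sh
# Added example: read-only check for the iWorkServices artifacts named in
# this post. It deletes nothing.

# Paths taken from the removal commands in the post.
IWORK_PATHS="/System/Library/StartupItems/iWorkServices
/usr/bin/iWorkServices
/private/tmp/.iWorkServices
/Library/Receipts/iWorkServices.pkg"

# Print every listed artifact that exists under the given root.
# The root argument (default: the live system) is an assumption of this
# example, useful for checking a mounted backup volume or a test directory.
iwork_found_paths() {
    root="${1:-}"
    printf '%s\n' "$IWORK_PATHS" | while IFS= read -r p; do
        # -e follows symlinks; -L also catches a dangling symlink
        if [ -e "$root$p" ] || [ -L "$root$p" ]; then
            printf '%s\n' "$root$p"
        fi
    done
}

# Succeed if a process whose executable name is exactly iWorkServices runs.
# ps may print a full path, so compare only the last path component.
iwork_process_running() {
    ps -A -o comm= | awk -F/ '$NF == "iWorkServices" { found = 1 } END { exit !found }'
}

# Summarise: return 0 when clean, 1 when a file or the process remains.
iwork_report() {
    found="$(iwork_found_paths "${1:-}")"
    rc=0
    if [ -n "$found" ]; then
        printf 'Files still present:\n%s\n' "$found"
        rc=1
    fi
    # Only the live system has processes to check.
    if [ -z "${1:-}" ] && iwork_process_running; then
        echo "iWorkServices process is running"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "No iWorkServices artifacts found"
    return "$rc"
}
```

Source the file and call `iwork_report`; a return status of 0 after running the removal commands means none of the listed files or the process remain.
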
OK, for those who just want to “Click and Remove”, SecureMac provides a free clean-up tool that you can download directly from this link: 

I have tested it and it’s a good tool to do the job for you!

If these instructions work, then I’ll be excited to hear your story. I am pleased and overwhelmed by how much feedback I received on my previous blog article, “How to Remove MacAccess”. I hope this will be useful as well…

Please feel free to drop a message and hopefully with additional information such as:

  • How did you get infected? (website?)
  • Do you still have a copy of the application you installed? If yes, please send it to this email address: meths101 (at) optusnet (dot) com (dot) au; or just send me a link where I can download it.
  • Any unusual behavior found in your computer.

Happy Holidays!!! –> As of writing, it is a nice sunny “Australian day” today and I still feel sleepy from watching the Australian Open last night. It was fun, with an amazing crowd!

  1. January 27, 2009 at 9:32 pm

    It seems to me that one of the viruses was created in Argentina, or at least is using a machine located in Argentina.

    • Methusela Cebrian Ferrer
      January 27, 2009 at 11:07 pm

      Yes, it seems to be the server pointing to Argentina.
