Q: How to remove Adware?

You've got adware that can easily be removed by Malwarebytes Anti-Malware for Mac. You've also got MacKeeper, which needs to be removed.

(Fair disclosure: I am affiliated with Malwarebytes, whose product I am recommending above.)

A

You don't need to, and should not, download anything to solve this problem. Never use any commercial "anti-virus" or "anti-malware" product that may be advertised on the Web.

You installed a variant of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.

If you have trouble following those instructions, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

/Library/LaunchDaemons

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form

          com.something.daemon.plist

and

           com.something.helper.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

You managed to install two different versions of the malware. In your case, "something" is both "vsearch" and "ConformablyPurpurite".

If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

          com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

Open this folder:

/Library/Application Support

If it has a subfolder named just

           something

where something is the same string you saw before, drag that subfolder to the Trash and close the window.

Don't delete the "Application Support" folder or anything else inside it.

Finally, in this folder:

/System/Library/Frameworks

there may be an item named exactly

            v.framework

It's actually a folder, though it has a different icon than usual. This item always has the above name; it doesn't vary. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

          Install system data files and security updates (OS X 10.10 or later)

or

          Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

B

"MacKeeper" is a scam with only one useful feature: it deletes itself.

First, back up all data.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

In the Finder, select

          Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

Boot Mode: Normal

Model: MacBookPro5,3

Battery cycles: 645

System diagnostics

   2015-08-11 webfilterproxyd crash

   2015-08-12 ParentalControls spin

   2015-08-12 com.apple.WebKit.WebContent spin

   2015-08-12 firefox spin

   2015-08-13 ParentalControls spin

   2015-08-14 com.apple.WebKit.WebContent spin

   2015-08-14 webfilterproxyd crash

   2015-08-17 Installer spin

   2015-08-17 com.apple.WebKit.WebContent hang

   2015-08-18 plugin-container spin

User diagnostics

   2015-08-02 AppS crash

   2015-08-02 CoreServicesUIAgent crash

   2015-08-20 AppYM crash

   2015-08-20 AppYM crash

   2015-08-20 AppYM crash

Kernel messages

   Aug 18 10:54:31   wl0: Roamed or switched channel, reason #4, bssid 00:23:69:34:a5:40

   Aug 18 11:57:11   process firefox[9626] thread 157024 caught burning CPU! It used more than 50% CPU (Actual recent usage: 82%) over 180 seconds. thread lifetime cpu usage 159.680926 seconds, (147.893400 user, 11.787526 system) ledger info: balance: 90001780845 credit: 158101314455 debit: 68099533610 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 109502739172

   Aug 18 12:09:24   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   --- last message repeated 1 time ---

   Aug 18 22:41:40   sync timed out: 60 sec

   Aug 19 00:28:37   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 00:30:28   sync timed out: 60 sec

   Aug 19 02:17:28   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 02:19:19   sync timed out: 60 sec

   Aug 19 04:06:18   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 04:08:10   sync timed out: 60 sec

   Aug 19 05:55:09   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 05:57:01   sync timed out: 60 sec

   Aug 19 07:44:00   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 07:45:52   sync timed out: 60 sec

   Aug 19 09:20:44   AFP_VFS afpfs_DoReconnect: Max reconnect time: 30 secs, Connect timeout: 15 secs for /Volumes/Data

   Aug 19 19:06:04   wl0: Roamed or switched channel, reason #8, bssid a4:2b:8c:15:ea:cd

   --- last message repeated 1 time ---

   Aug 19 19:37:34   PM notification timeout (pid 16160, com.apple.WebKit)

   --- last message repeated 1 time ---

   Aug 20 02:53:08   wl0: Roamed or switched channel, reason #8, bssid a4:2b:8c:15:ea:cd

   --- last message repeated 2 times ---

   Aug 20 09:04:52   PM notification timeout (pid 16160, com.apple.WebKit)

   Aug 20 10:53:39   wl0: Roamed or switched channel, reason #8, bssid a4:2b:8c:15:ea:cd

   --- last message repeated 1 time ---

Pageouts (MiB): 1912

Loaded extrinsic kernel extensions

   com.epson.driver.EPSONProjectorUDAudio (1.30)

Extrinsic daemons

   com.openbase.com.openexec

   com.sonycorporation.BloggieInstallerAgent

   com.microsoft.office.licensing.helper

   com.adobe.SwitchBoard

   com.adobe.fpsaud

Extrinsic agents

   org.thebends.iphonedisk.mobile_fs_util

   N4RA379GBW.com.busymac.busycal2.alarm

   com.nchsoftware.wavepad.schedule.LikeSurvey

   Epolife.download

   jp.co.canon.UFR2.BackGrounder

   Epolife.ltvbit

   com.wondershare.mobilegoiOSMacWatchDemo

   Javeview.update

   com.cinema-plus-1-1.agent

   com.adobe.ARM.UUID

   com.spotify.webhelper

   com.ghughes.wifisync.user

   com.extensions.updater60094.agent.plist

   com.google.keystone.user.agent

   Epolife.update

   com.sony.BloggieSoftware.AutoRun

launchd items

   /Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

    (com.adobe.AAM.Startup-1.0)

   /Library/LaunchAgents/com.ghughes.wifisync.user.plist

    (com.ghughes.wifisync.user)

   /Library/LaunchAgents/com.sony.BloggieSoftware.AutoRun.plist

    (com.sony.BloggieSoftware.AutoRun)

   /Library/LaunchAgents/jp.co.canon.UFR2.BG.plist

    (jp.co.canon.UFR2.BackGrounder)

   /Library/LaunchDaemons/com.adobe.fpsaud.plist

    (com.adobe.fpsaud)

   /Library/LaunchDaemons/com.adobe.SwitchBoard.plist

    (com.adobe.SwitchBoard)

   /Library/LaunchDaemons/com.apple.spirecorder.plist

    (com.apple.spirecorder)

   /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

    (com.microsoft.office.licensing.helper)

   /Library/LaunchDaemons/com.sonycorporation.BloggieInstallerAgent.plist

    (com.sonycorporation.BloggieInstallerAgent)

   /Library/LaunchDaemons/openbase.plist

    (com.openbase.com.openexec)

   Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

    (com.adobe.AAM.Scheduler-1.0)

   Library/LaunchAgents/com.adobe.ARM.UUID.plist

    (com.adobe.ARM.UUID)

   Library/LaunchAgents/com.cinema-plus-1-1.agent.plist

    (com.cinema-plus-1-1.agent)

   Library/LaunchAgents/com.extensions.updater60094.agent.plist

    (com.extensions.updater60094.agent.plist)

   Library/LaunchAgents/com.google.keystone.agent.plist

    (com.google.keystone.user.agent)

   Library/LaunchAgents/com.nchsoftware.wavepad.schedule.LikeSurvey.plist

    (com.nchsoftware.wavepad.schedule.LikeSurvey)

   Library/LaunchAgents/com.spotify.webhelper.plist

    (com.spotify.webhelper)

   Library/LaunchAgents/com.wondershare.mobilegoiOSMacWatchDemo.plist

    (com.wondershare.mobilegoiOSMacWatchDemo)

   Library/LaunchAgents/Epolife.download.plist

    (Epolife.download)

   Library/LaunchAgents/Epolife.ltvbit.plist

    (Epolife.ltvbit)

   Library/LaunchAgents/Epolife.update.plist

    (Epolife.update)

   Library/LaunchAgents/Javeview.update.plist

    (Javeview.update)

   Library/LaunchAgents/UpdateDownloader

    (No job label)

Startup items

   /Library/StartupItems/ChmodBPF/ChmodBPF

   /Library/StartupItems/EasyProject/EasyProject

   /Library/StartupItems/EasyProject/StartupParameters.plist

Extrinsic loadable bundles

   /System/Library/Extensions/EMP_UDAU.kext

    (com.epson.driver.EPSONProjectorUDAudio)

   /System/Library/Extensions/hp_Inkjet3_io_enabler.kext

    (com.hp.print.hpio.Inkjet3.kext)

   /System/Library/Extensions/JMicronATA.kext

    (com.jmicron.JMicronATA)

   /Library/Audio/MIDI Drivers/EmagicUSBMIDIDriver.plugin

    (info.emagic.driver.unitor)

   /Library/Internet Plug-Ins/Flash Player.plugin

    (com.macromedia.Flash Player.plugin)

   /Library/Internet Plug-Ins/GarminGpsControl.plugin

    (com.garmin.GarminGpsControl)

   /Library/Internet Plug-Ins/JavaAppletPlugin.plugin

    (com.apple.java.JavaAppletPlugin)

   /Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin

    (com.microsoft.officelive.browserplugin)

   /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

    (com.microsoft.sharepoint.browserplugin)

   /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

    (com.microsoft.sharepoint.webkitplugin)

   /Library/Internet Plug-Ins/Silverlight.plugin

    (com.microsoft.SilverlightPlugin)

   /Library/Internet Plug-Ins/SonyOnlineMediaEngine.bundle

    (com.sony.sonyonlinemediaengine)

   /Library/Internet Plug-Ins/VLC Plugin.plugin

    (com.netscape.vlc)

   /Library/Internet Plug-Ins (Disabled)/Flash Player.plugin

    (com.macromedia.Flash Player.plugin)

   /Library/PreferencePanes/Flash Player.prefPane

    (com.adobe.flashplayerpreferences)

   /Library/PreferencePanes/MacFUSE.prefPane

    (com.google.MacFUSE)

   /Library/PreferencePanes/OpenBasePreferences.prefPane

    (com.OpenBase.OpenBasePreferences)

   /Library/PreferencePanes/OpenBasePreferences.prefPane/OpenBasePreferences.prefP ane

    (com.OpenBase.OpenBasePreferences)

   /Library/Spotlight/GBSpotlightImporter.mdimporter

    (com.apple.garageband.spotlightimporter)

   Library/Address Book Plug-Ins/SkypeABDialer.bundle

    (com.skype.skypeabdialer)

   Library/Address Book Plug-Ins/SkypeABSMS.bundle

    (com.skype.skypeabsms)

   Library/Internet Plug-Ins/CitrixOnlineWebDeploymentPlugin.plugin

    (com.citrixonline.mac.WebDeploymentPlugin)

   Library/ScriptingAdditions/BrowserHelper.osax

    (com.cinema-plus-1-1.ScriptingAdditions)

Extrinsic shared libraries

   /usr/lib/libgutenprint.2.0.3.dylib

DNS (from DHCP): 69.144.127.53

Root crontab

   * */5 * * * "/Library/Internet Plug-Ins/AdobeFlash" vx 1>/dev/null 2>&1

Global login items

   /Applications/USB Display/USB Display.app/Contents/Resources/USB Display Agent.app

User login items

   PhoneViewHelper

   PK Mobile Helper

   iTunesHelper

   Dropbox

   BusyCalAlarm

   MGWatch

   Spotify

Safari extensions

   Epolife

Restricted user files: 139

Desktop file count: 43

Elapsed time (s): 203

I think you are wasting your time here.

Linc did not ask you to post this information.

Linc rarely responds to "me too" requests for support and never without some explanation of what your problem is.

Linc may not even be monitoring this year old discussion.

Since the topic concerns Adware, I'll guess that you might have one of dozens of such infections that exist today, but without any clues as to what you are seeing it's anybody's guess.

In glancing over your entry, nothing jumps out at me that could cause an issue.

Bottom line, if you don't see anything in a discussion that helps you, start a new topic and completely describe your issue, including screen shots if necessary. Don't jump to conclusions on the cause. Don't run diagnostics unless you are asked to. You will have a lot more people show up to give you a hand quicker than posting here.

That's just the way this forum works best for all of us.

A

You installed the "CinemaPro" trojan. Take the steps below to disable it.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The criminal behind this attack tries to make the malware difficult to remove by varying the names of the files it installs. Not all, or even most, of the files listed below will be present in any particular case. If you don't find any of the files listed in a step, skip that step and go on to the next one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:

           cinema-plus

           cinemas-+-plus

           com Installer

           com.cinemapro

           com.extensions

           Safari Security

           shopy-mate

           UpdateDownloader

Move all such items to the Trash.

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library

A folder named "Library" will open. Inside it there may be a subfolder with a name beginning

            cinemapro

If so, move that subfolder—not the Library folder—to the Trash.

4. Open this folder:

~/Library/Application Support

and remove an item named

            IM.Installer

5. Open this folder:

~/Library/ScriptingAdditions

and remove an item named

            BrowserHelper.osax

if present.

6. Open this folder:

~/Applications

This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name beginning like this:

             Cinema-Plus

             cinemapro

and move it to the Trash, if present. You should also move to the Trash any items in that folder that you don't remember putting there yourself. No legitimate software installer, in my experience, installs to that folder automatically.

Empty the Trash.

7. From the Safari menu bar, select

             Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need, including any with a name similar to "CinemaPro." If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

8. Take this step only if you use the Firefox browser. Reveal this folder as before:

~/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/144ee21a-8997-41ab-96a6-b13f40648ffd@1ab45825-655a-4789-a375-a283ea7ca5c5.com

If it exists, move it to the Trash and empty. Relaunch Firefox.

B

You also installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may files with a name of the form

          something.download.plist

          something.ltvbit.plist

          something.update.plist

where something is usually a meaningless string, such as any of the following:

          Epolife

          InstallMac

          Javeview

          Leperdvil

          Manroling

          Otwexplain

These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.

You could have more than one copy of the malware, with different values of something.

In your case, something is both "Epolife" and "Javeview".

Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Open this folder in the same way as above:

~/Library/Application Support

and move to the Trash any subfolders named with the same something you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

          Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

C

You also installed the "MacAccess" malware, a remote-access rootkit that gives full control to an Internet criminal. It could have compromised all data.

MacAccess circulated in 2008 and 2009, and is reported to be no longer active. Whatever damage it was going to do was done long ago, if the reports are accurate. Instructions for removing it were posted here. Not having a sample of the malware, I can't test those instructions. From what I've seen, I'm reasonably sure they would work. On the other hand, the folllowing procedure is very time-consuming and probably unnecessary, but it will ensure that the machine is safe to use. The choice is yours.

Erase and install OS X. If you don't already have at least two complete, independent backups of all data, then you must make them first. One backup is not enough to be safe.

When you restart after the installation, you'll be prompted to go through the initial setup process for a new computer. That’s when you transfer the data from a backup in Setup Assistant.

Select only users in the Setup Assistant dialog—not Applications, Other files and folders, or Computer & Network Settings. Don't transfer the Guest account, if it was enabled.

Reinstall third-party software from original media or fresh downloads—not from a backup, which may be contaminated.

That being done, change all Internet passwords and check all financial accounts for unauthorized transactions. Do this  after the system has been secured, not before.

D

Unless you become much more cautious about installing software, you will continue to be a victim of Internet crime, and the consequences may be much worse in the future. Nothing but your own common sense is going to save you.

OK Thanks!

Boot Mode: Normal

Model: MacBookPro5,3

Battery cycles: 919

USB

   USB Receiver (Logitech Inc.)

System diagnostics

   2015-08-18 mds crash

User diagnostics

   2015-08-26 LeagueofLegends crash

   2015-08-26 LoLPatcher crash

   2015-08-26 LoLPatcher crash

   2015-08-26 UserKernel crash

   2015-08-26 UserKernel crash

   2015-08-26 UserKernel crash

   2015-08-27 AppAS crash

   2015-08-27 AppAS crash

   2015-08-27 AppAS crash

   2015-08-27 AppAS crash

Kernel messages

   Aug 24 14:09:35   Process Setup Assistant [250] disabling system-wide I/O Throttling

   Aug 24 14:09:35   Process Setup Assistant [250] disabling system-wide CPU Throttling

   Aug 26 00:40:10   Over-release of kernel-internal importance assertions for pid 215 (nsurlsessiond), dropping 1 assertion(s) but task only has 9 remaining (9 external).

   Aug 26 00:40:46   Over-release of kernel-internal importance assertions for pid 276 (photolibraryd), dropping 1 assertion(s) but task only has 2960 remaining (2960 external).

Extrinsic daemons

   com.BatlonSortably.helper

Extrinsic agents

   Manroling.update

   Qamails.download

   Qamails.ltvbit

   Qamails.update

   com.spotify.webhelper

   com.BatlonSortably.agent

   com.google.keystone.user.agent

launchd items

   /Library/LaunchAgents/com.batlonsortably.agent.plist

    (com.BatlonSortably.agent)

   /Library/LaunchDaemons/com.batlonsortably.helper.plist

    (com.BatlonSortably.helper)

   Library/LaunchAgents/com.google.keystone.agent.plist

    (com.google.keystone.user.agent)

   Library/LaunchAgents/com.spotify.webhelper.plist

    (com.spotify.webhelper)

   Library/LaunchAgents/Manroling.update.plist

    (Manroling.update)

   Library/LaunchAgents/Qamails.download.plist

    (Qamails.download)

   Library/LaunchAgents/Qamails.ltvbit.plist

    (Qamails.ltvbit)

   Library/LaunchAgents/Qamails.update.plist

    (Qamails.update)

Extrinsic loadable bundles

   Library/Address Book Plug-Ins/SkypeABDialer.bundle

    (com.skype.skypeabdialer)

   Library/Address Book Plug-Ins/SkypeABSMS.bundle

    (com.skype.skypeabsms)

DNS (from DHCP): 75.75.75.75

User login items

   iTunesHelper

   Google Chrome

   Spotify

Restricted user files: 9

Elapsed time (s): 116

Boot Mode: Normal

Model: MacBookPro11,4

System diagnostics

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 LookupViewService crash

   2015-08-30 com.apple.WebKit.WebContent spin

   2015-09-01 iMovie spin

   2015-09-05 Installer spin

User diagnostics

   2015-08-30 com.apple.WebKit.WebContent crash

   2015-09-02 Finder crash

Kernel messages

   Aug 31 11:38:25   wl0: Roamed or switched channel, reason #4, bssid f8:0b:be:27:58:f0, last RSSI 0

   Sep 1 16:07:00   Over-release of kernel-internal importance assertions for pid 362 (sharingd), dropping 1 assertion(s) but task only has 61 remaining (61 external).

   Sep 1 21:55:14   ARPT: Wake Reason: Wake on TCP Timeout

   --- last message repeated 4 times ---

   Sep 2 05:38:07   Over-release of kernel-internal importance assertions for pid 222 (cloudphotosd), dropping 1 assertion(s) but task only has 0 remaining (0 external).

   Sep 2 09:11:36   Over-release of kernel-internal importance assertions for pid 4850 (AddressBookSourc), dropping 1 assertion(s) but task only has 0 remaining (0 external).

   Sep 2 12:42:30   Over-release of kernel-internal importance assertions for pid 224 (nsurlstoraged), dropping 1 assertion(s) but task only has 2 remaining (2 external).

   Sep 3 18:47:01   Over-release of kernel-internal importance assertions for pid 117 (cfprefsd), dropping 1 assertion(s) but task only has 0 remaining (0 external).

   Sep 3 20:08:17   ARPT: Wake Reason: Wake on TCP Timeout

   --- last message repeated 13 times ---

   Sep 6 09:56:40   Over-release of kernel-internal importance assertions for pid 118 (cfprefsd), dropping 1 assertion(s) but task only has 0 remaining (0 external).

   Sep 6 11:17:10   Over-release of kernel-internal importance assertions for pid 246 (gamed), dropping 1 assertion(s) but task only has 0 remaining (0 external).

Extrinsic daemons

   com.Lycidae.helper

   com.adobe.fpsaud

Extrinsic agents

   com.Lycidae.agent

   com.google.keystone.user.agent

launchd items

   /Library/LaunchAgents/com.lycidae.agent.plist

    (com.Lycidae.agent)

   /Library/LaunchDaemons/com.adobe.fpsaud.plist

    (com.adobe.fpsaud)

   /Library/LaunchDaemons/com.lycidae.daemon.plist

    (com.Lycidae.daemon)

   /Library/LaunchDaemons/com.lycidae.helper.plist

    (com.Lycidae.helper)

   Library/LaunchAgents/com.google.keystone.agent.plist

    (com.google.keystone.user.agent)

Extrinsic loadable bundles

   /Library/Internet Plug-Ins/Flash Player.plugin

    (com.macromedia.Flash Player.plugin)

   /Library/PreferencePanes/Flash Player.prefPane

    (com.adobe.flashplayerpreferences)

User login items

   iTunesHelper

   Google Chrome

Restricted user files: 8

Elapsed time (s): 67

Actually got this all worked out through apple support line.  Took a few minutes.  Thanks though, you helped me get rid of a few of the pesky ones first.

Hi NobleWorld -

Can you share with us what your problem was?  It would help future readers here.

Thanks.

Yes, Bee.  I downloaded something from the internet and all these pages kept popping up on my Chrome from MacKeeper and other "giveaways"/ fishing sites.   I already new it was all crap from MacKeeper and other computer "cleaning" sites so I just clicked out but it annoys the **** out of me.  Anyways, in the end it was a file called Lycidae that I had to clean out.  Download a free version of https://www.malwarebytes.org/ and install and run test.  After it tests and finds the problems hit the KIND at the top of the file window and delete the ones that say .disk or .install and trash them.  Restart your computer and then empty your trash. 

Great information, Noble . . .

The Lycidae file is mentioned a lot in the report.

So glad you're all sorted now.

And yes, malwarebytes is fabulous!  One of our helpers here, Thomas Reed, is the original developer.

I followed the Adware Removal Guide where you suggested a link to the Malwarebytes Anti-Malware (note: you provided a full disclaimer you may receive compensation for it) and it worked for me. I contracted several malware ads by viewing a US Open Tennis match online. I successfully deleted some of the things that were placed on my Macbook Air, but the software you suggested worked to clear out the rest of them.

They were causing Safari to not bring up my email links from Outlook - so frustrating!! Anyway, I signed on here just to make this comment as it was so very helpful! Thanks again! Btw, if anyone is choosing to go the route of Malwarebytes Anti-Malware, I chose the automatic option and restarted my computer. Worked like a charm!

Excellent, Yumz!

So glad you've posted about your success with MalwareBytes!

It's a great app.

I got some kind of bug for the first time ever on my mac a few days ago that did exactly what the OP talked about: random links on the pages, my homepage was reset to a yahoo search page, i would get redirected to some site that asked me to call a toll free number, etc. So I downloaded Sophos, AVG, and Bitdefender. After doing two total scans for each program, I was still getting the problem (mostly on Chrome and Safari, interestingly, not on Firefox). I came here and found this response, so I downloaded the dedicated program Malwarebytes...ran it once, and voila goneno 

I think today I learned that a virus is not the same as malware. Whatever, I'd definitely recommend going with a dedicate adware killer.