mausbaus

Q: Malware "Deal Top"

Hello,


I have a problem with the malware "Deal Top". It highlights search words that I have recently used in normal text on any website, puts them in capital letters and places a green icon to the right with an arrow. It gives me the programme name "Deal Top" when I move the cursor over the word. I ran Malwarebytes yesterday but the problem persists. The malware could stem from the computer version of the WhatsApp app. I have also downloaded (official) trial versions of Adobe products recently. I have tried to reset Safari and updated my iMac to El Capitan just yesterday (the MacBook a few weeks back), hoping that would remove the malware, but haven't had any success.

I will attach screenshots of the launch daemons and launch agents as well as the active links. Is there anything I can do or would it help to reset the macs?


Thanks for your help!


[Screenshots attached: Bildschirmfoto 2016-06-05 um 00.44.24.JPG, Bildschirmfoto 2016-06-05 um 00.59.16.JPG, Bildschirmfoto 2016-06-05 um 01.00.25.JPG, Bildschirmfoto 2016-06-05 um 01.01.26.JPG]

iMac (24-inch Early 2009), OS X El Capitan (10.11.5)

Posted on Jun 4, 2016 4:07 PM


  • Linc Davis (Level 10, 207,978 points, Applications), Jun 8, 2016 12:57 PM, in response to mausbaus [marked Helpful]

    A

    You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

    /Library/LaunchDaemons

    In the Finder, select

              Go > Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

    Inside that folder there are one or more items with a name that begins like this:

              com.apple.

    There are also one or more items with a three-part name of this form:

              com.something.plist

    and of this form:

              com.something.net-preferences.plist

    where something is a meaningless string of letters, different in every case. Typical examples:

              com.hemolymphatic.net-preferences.plist

              com.semifasciaUpd.plist

              com.ubuiling.plist

    Drag all such items to the Trash. You may be prompted for your administrator login password.

    Restart the computer and empty the Trash.

    Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari > Preferences... > General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

    If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

    B

    The "Malwarebytes" product failed to remove the malware. That's what you should always expect from such products: failure. I suggest that you remove it according to its developer's instructions and never install any "anti-malware" or "anti-virus" software again. Relying on such software for your security is a dangerous mistake. Security lies in safe computing practices, not in software. Ask if you want guidance.

    C

    "CleanMyMac" is a scam and a common cause of instability and poor performance. Depending on what version you have, the developer's instructions may not completely remove it. Please follow those instructions, then do as below.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

    Right-click or control-click the highlighted line and select

              Services > Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder may open with an item selected. If it does, move the selected item to the Trash. You may be prompted for your administrator login password.

    Repeat with this line:

    /Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

    Restart the computer and empty the Trash.

    You may also have to remove one or more of these items in the same way:

    ~/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist
    ~/Library/LaunchAgents/com.macpaw.CleanMyMac.volumeWatcher.plist
    ~/Library/LaunchAgents/com.macpaw.CleanMyMac3.Scheduler.plist

    Never again install "CleanMyMac" or anything like it.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

              Go > Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
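The "sort by Date Modified and look for a cluster" step in section A can be reproduced from the shell. The script below is an added example, not part of Linc Davis's answer or of any Apple tool: it lists a directory newest-first by modification time and prints every non-Apple item that was modified within a few minutes of another non-Apple item, which is the heuristic the answer describes. The sample folder it builds is constructed (the three VSearch-style names are taken from the answer, the dates and the other names are made up), and the cluster window of 300 seconds is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread above: reproduce the "sort by Date
# Modified and look for a cluster" step from the shell. Every non-Apple file
# in the directory that was modified within WINDOW seconds of another
# non-Apple file is printed, newest first. The sample directory is constructed.

# mtime_epoch FILE: modification time in seconds since the epoch.
# GNU stat is tried first; on macOS the -c option fails and BSD stat is used.
mtime_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# list_by_mtime DIR: one "<epoch> <name>" line per entry, newest first
# (the same ordering as clicking the Date Modified column twice in the Finder).
list_by_mtime() {
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(mtime_epoch "$f")" "$(basename "$f")"
    done | sort -rn
}

# flag_clusters DIR [WINDOW]: names of non-Apple items that share a
# modification window (default 300 s, an assumption) with at least one
# other non-Apple item. Items prefixed com.apple. are ignored because
# Apple's own daemons are all dated at OS install time and cluster too.
flag_clusters() {
    list_by_mtime "$1" | awk -v w="${2:-300}" '
        { t[NR] = $1; n[NR] = $2 }
        END {
            for (i = 1; i <= NR; i++) {
                if (n[i] ~ /^com\.apple\./) continue
                for (j = 1; j <= NR; j++) {
                    if (i == j || n[j] ~ /^com\.apple\./) continue
                    d = t[i] - t[j]; if (d < 0) d = -d
                    if (d <= w) { print n[i]; break }
                }
            }
        }'
}

# demo_vsearch_cluster: build a constructed LaunchDaemons-like folder in a
# temporary directory, run flag_clusters on it and remove it again.
# The three com.<word> names come from the answer above; every date is made up.
demo_vsearch_cluster() {
    d=$(mktemp -d)
    touch -t 201501011200 "$d/com.apple.example.plist"      # Apple item, ignored
    touch -t 201401011200 "$d/org.example.legit.plist"      # years old, isolated
    touch -t 201603010900 "$d/com.oldvendor.agent.plist"    # non-Apple but isolated
    touch -t 201606050044 "$d/com.hemolymphatic.net-preferences.plist"
    touch -t 201606050046 "$d/com.semifasciaUpd.plist"
    touch -t 201606050047 "$d/com.ubuiling.plist"
    flag_clusters "$d" 300
    rm -rf "$d"
}

demo_vsearch_cluster
```

Run against the real folder with `flag_clusters /Library/LaunchDaemons` (and `~/Library/LaunchAgents`, if you want to check that as well). The output is a triage aid, not a verdict: a legitimate third-party installer that ran within the same few minutes as the malware dropper will land in the same cluster, so still read each name before trashing anything, and remember that the answer says deletion only sticks when done from safe mode.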

  • Jelmer Jeen (Level 1, 14 points), Jun 8, 2016 12:57 PM, in response to Linc Davis [Solved answer]

    Hi, this is what my LaunchDaemons folder looks like. What files should I delete? Thanks a lot in advance!

    [Screenshot attached: Screen Shot 2016-06-06 at 20.21.15.png]

  • mausbaus (Level 1, 5 points, Desktops), Jun 8, 2016 1:18 PM, in response to Linc Davis

    Thanks, that helped.

    I did as you instructed on the iMac and everything looked fine in Safari and Firefox, but in Chrome an additional tab opened with the malware. So I deleted Chrome and checked again (in safe mode) for LaunchDaemons etc. that could be infected and deleted everything that I do not need.

    So far I think that solved the problem. I did the same with my MacBook and have not had any problems with the trojan since.


    But I noticed that Safari is slower on my iMac than usual, though that might have to do with El Capitan, which I only installed 5 days ago. The same goes for my MacBook, which takes far longer than usual to "get ready", including Microsoft Word and Safari, which take ages to start. Both Macs are from 2009, so I did expect that they would be a little slower than with Snow Leopard (and Yosemite), but is there anything I can do, or should I open a new thread for that problem?