jbgriffee

Q: malware

Appear that I downloaded malware.  I removed MegaBackup and Mac Defender but now safari goes to a blank window with a search field and the web address is ChumSearch.  How do I get rid of this and get back to having Safari go to my preference search engine?

Posted on Mar 11, 2016 3:27 PM

Close

Q: malware

  • All replies
  • Helpful answers

first Previous Page 3 of 4 last Next
  • by dolswagen,

    dolswagen dolswagen Jun 15, 2016 3:36 PM in response to jbgriffee
    Level 1 (4 points)
    Desktops
    Jun 15, 2016 3:36 PM in response to jbgriffee

    Skjermbilde 2016-06-16 kl. 00.32.59.png

  • by dolswagen,

    dolswagen dolswagen Jun 15, 2016 3:59 PM in response to Linc Davis
    Level 1 (4 points)
    Desktops
    Jun 15, 2016 3:59 PM in response to Linc Davis

    Can someone help me with my problem? 


    STEP 1: 

    STEP 1.png


    STEP 2: 

    STEP 2.png

    STEP 3: 

    STEP 3.png 

    STEP 4:

    STEP 4.png

  • by Berkovitch,

    Berkovitch Berkovitch Jul 3, 2016 5:15 PM in response to jbgriffee
    Level 1 (4 points)
    Jul 3, 2016 5:15 PM in response to jbgriffee

    Hi, thank you so much for your help, this adware is just the worse.

    I'm usually using Chrome as my default browser but also have Firefox and Safari

     

    step 1

    step1.png

    step 2

    step2.png

    step 3 (2 parts)

    step3-1.png

    step3-2.png

     

    step 4: there is no extensions on the safari and chrome browsers - on the fire fox I found this one:

    step 5 .png

     

    so which files I need to trush ?

     

    again, thank you so much

    BR

  • by Linc Davis,

    Linc Davis Linc Davis Jul 3, 2016 5:49 PM in response to Berkovitch
    Level 10 (207,973 points)
    Applications
    Jul 3, 2016 5:49 PM in response to Berkovitch

    A

    You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Step 1

    The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    Step 2

    While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

    /Library/LaunchDaemons

    In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

    Step 3

    Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

              com.apple.something.plist

    where something is a random, meaningless string of letters, different in every case.

    Note that the name consists of four words separated by periods. Typical examples:

              com.apple.builins.plist

              com.apple.cereng.plist

              com.apple.nysgar.plist

    There may also be one or more items with a name of this form:

              com.something.plist

    Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

    These names consist of three words separated by periods. Typical examples:

              com.semifasciaUpd.plist

              com.ubuiling.plist

    Drag all such items to the Trash. You may be prompted for your administrator login password.

    Restart the computer and empty the Trash.

    If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

    If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

    Step 4

    Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari Preferences... General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    Step 5

    The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

    Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

    Step 6

    This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

    B

    "CleanMyMac" is a scam and a common cause of instability and poor performance. Depending on what version you have, the developer's instructions may not completely remove it. Please follow those instructions, then do as below.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchDaemons/com.macpaw.CleanMyMac3.Agent.plist

    Right-click or control-click the highlighted line and select

              Services Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder may open with an item selected. If it does, move the selected item to the Trash. You may be prompted for your administrator login password.

    Repeat with this line:

    /Library/PrivilegedHelperTools/com.macpaw.CleanMyMac3.Agent

    Restart the computer and empty the Trash.

    You may also have to remove one or more of these items in the same way:

    ~/Library/LaunchAgents/com.macpaw.CleanMyMac.helperTool.plist
    ~/Library/LaunchAgents/com.macpaw.CleanMyMac.volumeWatcher.plist
    ~/Library/LaunchAgents/com.macpaw.CleanMyMac3.Scheduler.plist

    Never again install "CleanMyMac" or anything like it.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

              Go Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

  • by Berkovitch,

    Berkovitch Berkovitch Jul 4, 2016 5:08 AM in response to Linc Davis
    Level 1 (4 points)
    Jul 4, 2016 5:08 AM in response to Linc Davis

    Hi Linc, again thank you. I followed your instruction very carefully but unfortunately this mackeeper adds still pop-up (I didn't install it)  

    now after erasing all the "strange names" the 1-3 steps look like that: (and not regenerates itself or come back with a different name)

     

    step1.png

    step2.png

    step3.png

     

    But, suddenly i noticed that in the "Library" folder I have some folders with the same names I just erased. I looks like that:

    Library1.pngLibrary2.pngLibrary3.png

    those it have any connection to the problem?

    what should I do?

     

    very appreciate your help,

    thank you

  • by Linc Davis,

    Linc Davis Linc Davis Jul 4, 2016 6:26 AM in response to Berkovitch
    Level 10 (207,973 points)
    Applications
    Jul 4, 2016 6:26 AM in response to Berkovitch

    You also need to delete item #2 in the third screenshot from your last comment. It's an older variant of VSearch.

     

    The last set of screenshots shows other malware files. They have no effect after the malware has been inactivated. Deleting them is optional, but since you found them, there's no reason not to do it.

  • by Berkovitch,

    Berkovitch Berkovitch Jul 4, 2016 10:04 AM in response to Linc Davis
    Level 1 (4 points)
    Jul 4, 2016 10:04 AM in response to Linc Davis

    I think it's over!!

    after deleting the #2 file and the folders it's happened again but after clearing all in Chrome settings> content settings> manage exceptions, the Chrome tabs are stable.

     

    Linc Davis you saved the day!! thank you so much for your help and patience

  • by leonelfromchino hills,

    leonelfromchino hills leonelfromchino hills Jul 4, 2016 6:16 PM in response to Linc Davis
    Level 1 (4 points)
    Jul 4, 2016 6:16 PM in response to Linc Davis

    Hello Linc,

     

    I've been reading your posts about the removal of malware and I'd like to ask your recommendations to remove this in my Mac:

     

     

    Step 1: 

    Screen Shot 2016-07-04 at 6.05.03 PM.png

    Step 2:

    Screen Shot 2016-07-04 at 6.05.28 PM.png

    Step 3:

    Screen Shot 2016-07-04 at 6.06.33 PM.png

    Step 4:

     

    Screen Shot 2016-07-04 at 6.08.14 PM.png

     

    Appreciate your prompt feedback.

     

     

    Regards,

    Leo

  • by ashaninan,

    ashaninan ashaninan Jul 17, 2016 9:25 PM in response to jbgriffee
    Level 1 (4 points)
    Jul 17, 2016 9:25 PM in response to jbgriffee

    Screen Shot 2016-07-17 at 11.22.50 PM.pngScreen Shot 2016-07-17 at 11.23.20 PM.pngScreen Shot 2016-07-17 at 11.23.20 PM.png

  • by missidaliag,

    missidaliag missidaliag Jul 26, 2016 8:45 AM in response to Linc Davis
    Level 1 (4 points)
    Jul 26, 2016 8:45 AM in response to Linc Davis

    Screen Shot 2016-07-26 at 10.41.54 AM.png

  • by Ivna Ji,

    Ivna Ji Ivna Ji Jul 28, 2016 2:55 AM in response to jbgriffee
    Level 1 (8 points)
    Jul 28, 2016 2:55 AM in response to jbgriffee

    Screen Shot 2016-07-28 at 11.50.23.png

  • by kailebelle,

    kailebelle kailebelle Aug 7, 2016 2:13 AM in response to Linc Davis
    Level 1 (4 points)
    Aug 7, 2016 2:13 AM in response to Linc Davis

    step 1

    Screen Shot 2016-08-07 at 10.46.53 AM.png

     

    step 2

     

    Screen Shot 2016-08-07 at 11.03.43 AM.png

     

    step 3

     

    Screen Shot 2016-08-07 at 11.10.58 AM.png

  • by green jean,

    green jean green jean Aug 10, 2016 12:23 PM in response to theratter
    Level 1 (81 points)
    Mac OS X
    Aug 10, 2016 12:23 PM in response to theratter

    the earlier suggestions about reinstalling the latest osx update and the apple suggestions did not solve my problem, but theratter's suggestion for malwarebytes did.  the scan showed 2 files, which i removed via malwarebytes.  that did not prevent my browser from being hijacked to chumsearch, but the next suggestion from malwarebytes did.  i should have thought to look at my preferences to see what might have been changed. 

     

    thank you, theratter and malwarebytes.  i guess i better pay more attention to what i am doing.

  • by Emm242,

    Emm242 Emm242 Aug 11, 2016 6:22 PM in response to Linc Davis
    Level 1 (4 points)
    Aug 11, 2016 6:22 PM in response to Linc Davis

    Linc,

     

    Are you able to help me with this?

     

    Screen Shot 2016-08-11 at 9.11.18 PM.png

    Screen Shot 2016-08-11 at 9.13.12 PM.pngScreen Shot 2016-08-11 at 9.13.51 PM.png

    Much appreciated

  • by etresoft,

    etresoft etresoft Aug 11, 2016 8:44 PM in response to Emm242
    Level 7 (29,228 points)
    Mac OS X
    Aug 11, 2016 8:44 PM in response to Emm242

    Hello Emm242,

    This thread is old and Linc is not longer active on the forums. You should start your own thread and someone else will be quick to help.

first Previous Page 3 of 4 last Next