whitesmoke...how to delete it?

Look at the plug-in and extentions. Disable it there.

Firefox>Tools>Add-ons

Quit and restart the browser.

Firefox users

In the Firefox browser menu, select Add-ons > Extensions.

Select the WhiteSmoke Tools Community Toolbar.

Click Remove.

Safari users

Open the Finder application and browse to Applications.

Scroll down to Toolbars and click on WhiteSmoke Tools.

Double-click on “Uninstall”.

Fill in the “User name & Password” and click the OK button.

Go to the /Library/Internet Plug-Ins/ folder. Put it in List view (Command+2) and look for any plugin that may be the obvious culprit. If nothing stands out, click the word Date it the top of the file window to sort by date. Click it twice if needed to put the newest items at the top. Anything installed just recently?

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve your problem.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. All it does is to gather information about the state of your computer. That information goes nowhere unless you choose to share it on this page. However, you should be cautious about running any kind of program (not just a shell script) at the request of a stranger on a public message board. If you have doubts, search this site for other discussions in which this procedure has been followed without any report of ill effects. If you can't satisfy yourself that the instructions are safe, don't follow them. Ask for other options.

Here's a summary of what you need to do, if you choose to proceed: Copy a line of text from this web page into the window of another application. Wait for the script to run. It usually takes a few minutes. Then paste the results, which will have been copied automatically, back into a reply on this page. The sequence is: copy, paste, wait, paste again. Details follow.

4. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

5. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply.

6. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in your browser, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.

Triple-click anywhere in the line of text below on this page to select it:

PATH=/usr/bin:/bin:/usr/sbin:/sbin; clear; Fb='%s\n\t(%s)\n'; Fm='\n%s\n\n%s\n'; Fr='\nRAM details\n%s\n'; Fs='\n%s: %s\n'; Fu='user %s%%, system %s%%'; PB="/usr/libexec/PlistBuddy -c Print"; A () { [[ a -eq 0 ]]; }; M () { find -L "$d" -type f | while read f; do file -b "$f" | egrep -lq XML\|exec && echo $f; done; }; Pc () { o=`grep -v '^ *#' "$2"`; Pm "$1"; }; Pm () { [[ "$o" ]] && o=`sed -E '/^ *$/d; s/^ */ /; s/[-0-9A-Fa-f]{22,}/UUID/g' <<< "$o"` && printf "$Fm" "$1" "$o"; }; Pp () { o=`$PB "$2" | awk -F'= ' \/$3'/{print $2}'`; Pm "$1"; }; Ps () { o=`echo $o`; [[ ! "$o" =~ ^0?$ ]] && printf "$Fs" "$1" "$o"; }; R () { o=; [[ r -eq 0 ]]; }; SP () { system_profiler SP${1}DataType; }; id -G | grep -qw 80; a=$?; A && sudo true; r=$?; t=`date +%s`; clear; { A || echo $'No admin access\n'; A && ! R && echo $'No root access\n'; SP Software | sed '8!d;s/^ *//'; o=`SP Hardware | awk '/Mem/{print $2}'`; o=$((o<4?o:0)); Ps "Total RAM (GB)"; o=`SP Memory | sed '1,5d;/[my].*:/d'`; [[ "$o" =~ s:\ [^O]|x([^08]||0[^2]8[^0]) ]] && printf "$Fr" "$o"; o=`SP Diagnostics | sed '5,6!d'`; [[ "$o" =~ Pass ]] || Pm "POST"; p=`SP Power`; o=`awk '/Cy/{print $NF}' <<< "$p"`; o=$((o>=300?o:0)); Ps "Battery cycles"; o=`sed -n '/Cond.*: [^N]/{s/^.*://p;}' <<< "$p"`; Ps "Battery condition"; for b in Thunderbolt USB; do o=`SP $b | sed -En '1d;/:$/{s/ *:$//;x;s/\n//p;};/^ *V.* [0N].* /{s/ 0x.... //;s/[()]//g;s/(.*: )(.*)/ \(\2\)/;H;};/Apple|SMSC/{s/.//g;h;}'`; Pm $b; done; o=`pmset -g therm | sed 's/^.*C/C/'`; [[ "$o" =~ No\ th|pms ]] && o=; Pm "Thermal conditions"; o=`pmset -g sysload | grep -v :`; [[ "$o" =~ =\ [^GO] ]] || o=; Pm "System load advisory"; o=`nvram boot-args | awk '{$1=""; print}'`; Ps "boot-args"; a=(/ ""); A=(System User); for i in 0 1; do o=`cd ${a[$i]}L*/Lo*/Diag* || continue; for f in *.{cr,h,pa,s}*; do [[ -f "$f" ]] || continue; d=$(awk '/^D/{print $2; exit}' "$f"); [[ "$f" =~ h$ ]] && grep -lq "^Thread c" "$f" && e=\* || e=; echo $d ${f%_$d*} ${f##*.} "$e"; done | tail`; Pm "${A[$i]} diagnostics"; done; [[ "$o" =~ \*$ ]] && printf $'\n* Code injection\n'; o=`syslog -F bsd -k Sender kernel -k Message CReq 'GPU |hfs: Ru|I/O e|last value [1-9]|n Cause: -|NVDA\(|pagin|SATA W|ssert|Throt|timed? ?o' | tail -n25 | awk '/:/{$4=""; $5=""};1'`; Pm "Kernel messages"; o=`df -m / | awk 'NR==2 {print $4}'`; o=$((o<5120?o:0)); Ps "Free space (MiB)"; o=$(($(vm_stat | awk '/eo/{sub("\\.",""); print $2}')/256)); o=$((o>=1024?o:0)); Ps "Pageouts (MiB)"; s=( `sar -u 1 10 | sed '$!d'` ); [[ s[4] -lt 85 ]] && o=`printf "$Fu" ${s[1]} ${s[3]}` || o=; Ps "Total CPU usage" && { s=(`ps acrx -o comm,ruid,%cpu | sed '2!d'`); n=$((${#s[*]}-1)); c="${s[*]}"; o=${s[$n]}%; Ps "CPU usage by process \"${c% ${s[$((n-1))]}*}\" with UID ${s[$((n-1))]}"; }; s=(`top -R -l1 -n1 -o prt -stats command,uid,prt | sed '$!d'`); n=$((${#s[*]}-1)); s[$n]=${s[$n]%[+-]}; c="${s[*]}"; o=$((s[$n]>=25000?s[$n]:0)); Ps "Mach ports used by process \"${c% ${s[$((n-1))]}*}\" with UID ${s[$((n-1))]}"; o=`kextstat -kl | grep -v com\\.apple | cut -c53- | cut -d\< -f1`; Pm "Loaded extrinsic kernel extensions"; R && o=`sudo launchctl list | awk 'NR>1 && !/0x|com\.(apple|openssh|vix\.cron)|org\.(amav|apac|calendarse|cups|dove|isc|ntp|post[fg]|x)/{print $3}'`; Pm "Extrinsic daemons"; o=`launchctl list | awk 'NR>1 && !/0x|com\.apple|org\.(x|openbsd)|\.[0-9]+$/{print $3}'`; Pm "Extrinsic agents"; o=`for d in {/,}L*/Lau*; do M; done | grep -v com\.apple\.CSConfig | while read f; do ID=$($PB\ :Label "$f") || ID="No job label"; printf "$Fb" "$f" "$ID"; done`; Pm "launchd items"; o=`for d in /{S*/,}L*/Star*; do M; done`; Pm "Startup items"; o=`find -L /S*/L*/{C*/Sec*A,E}* {/,}L*/{A*d,Compon,Ex,In,iTu,Keyb,Mail/B,P*P,Qu*T,Scripti,Sec,Servi,Spo}* -type d -name Contents -prune | while read d; do ID=$($PB\ :CFBundleIdentifier "$d/Info.plist") || ID="No bundle ID"; [[ "$ID" =~ ^com\.apple\.[^x]|Accusys|ArcMSR|ATTO|HDPro|HighPoint|driver\.stex|hp-fax|\.hpio|JMicron|microsoft\.MDI|print|SoftRAID ]] || printf "$Fb" "${d%/Contents}" "$ID"; done`; Pm "Extrinsic loadable bundles"; o=`find -L /u*/{,*/}lib -type f | while read f; do file -b "$f" | grep -qw shared && ! codesign -v "$f" && echo $f; done`; Pm "Unsigned shared libraries"; o=`for e in INSERT_LIBRARIES LIBRARY_PATH; do launchctl getenv DYLD_$e; done`; Pm "Environment"; o=`find -L {,/u*/lo*}/e*/periodic -type f -mtime -10d`; Pm "Modified periodic scripts"; o=`scutil --proxy | grep Prox`; Pm "Proxies"; o=`scutil --dns | awk '/r\[0\] /{if ($NF !~ /^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./) print $NF; exit}'`; Ps "DNS"; R && o=`sudo profiles -P | grep : | wc -l`; Ps "Profiles"; f=auto_master; [[ `md5 -q /etc/$f` =~ ^b166 ]] || Pc $f /etc/$f; for f in fstab sysctl.conf crontab launchd.conf; do Pc $f /etc/$f; done; Pc "hosts" <(grep -v 'host *$' /etc/hosts); Pc "User launchd" ~/.launchd*; R && Pc "Root crontab" <(sudo crontab -l); Pc "User crontab" <(crontab -l | sed -E 's:/Users/[^/]+/:/Users/USER/:g'); R && o=`sudo defaults read com.apple.loginwindow LoginHook`; Pm "Login hook"; Pp "Global login items" /L*/P*/loginw* Path; Pp "User login items" L*/P*/*loginit* Name; Pp "Safari extensions" L*/Saf*/*/E*.plist Bundle | sed -E 's/(\..*$|-[1-9])//g'; o=`find ~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \) | wc -l`; Ps "Restricted user files"; cd; o=`SP Fonts | egrep "Valid: N|Duplicate: Y" | wc -l`; Ps "Font problems"; o=`find L*/{Con,Pref}* -type f ! -size 0 -name *.plist | while read f; do plutil -s "$f" >&- || echo $f; done`; Pm "Bad plists"; d=(Desktop L*/Keyc*); n=(20 7); for i in 0 1; do o=`find "${d[$i]}" -type f -maxdepth 1 | wc -l`; o=$((o<=n[$i]?0:o)); Ps "${d[$i]##*/} file count"; done; o=; [[ UID -eq 0 ]] && o=root; Ps "UID"; o=$((`date +%s`-t)); Ps "Elapsed time (s)"; } 2>/dev/null | pbcopy; exit 2>&-

exec bash

9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know your password, or if you prefer not to enter it, just press return three times at the password prompt.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

10. The test will take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line "[Process completed]" to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report your results. No harm will be done.

11. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

12. When you post the results, you might see the message, "You have included content in your post that is not permitted." It means that the forum software has misidentified something in the post as a violation of the rules. If that happens, please post the test results on Pastebin, then post a link here to the page you created.

Note: This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.

________________________________

Hi Linc,

I'm not the originator of this thread, but I'm having exactly the same problem, and I just followed your instructions. Please help me, I'm desparate! Terminal gave me the following results, I'd appreciate anything you could tell me:

Boot Mode: Normal

USB

USB-PS/2 Optical Mouse (Logitech Inc.)

Hub (Intel Corporation)

Hub (Intel Corporation)

User diagnostics

2014-02-01 QuickLookSatellite crash

2014-02-01 QuickLookSatellite crash

2014-01-31 launchd crash

Kernel messages

Feb 22 08:23:17 pages 598478, wire 147039, act 269917, inact 11688, cleaned 0 spec 251, zf 6112, throt 0, compr 86298, xpmapped 209561

Feb 22 14:30:44 hibernate_alloc_pages act 88711, inact 42510, anon 2951, throt 0, spec 27681, wire 163352, wireinit 132206

Feb 22 14:30:44 pages 244314, wire 85389, act 69167, inact 1798, cleaned 0 spec 181, zf 0, throt 0, compr 23, xpmapped 71146

Feb 22 16:16:14 MacAuthEvent en1 Auth result for: 88:75:56:15:9f:e0 Auth timed out

Feb 22 18:30:43 pages 955879, wire 157638, act 435312, inact 2260, cleaned 0 spec 457, zf 65185, throt 0, compr 70867, xpmapped 71146

Feb 22 18:30:43 hibernate_alloc_pages act 506968, inact 133311, anon 81520, throt 0, spec 87092, wire 181073, wireinit 132206

Feb 22 18:30:52 pages 955869, wire 157625, act 435313, inact 2260, cleaned 0 spec 458, zf 65182, throt 0, compr 70867, xpmapped 161226

Feb 22 22:32:22 pages 927006, wire 157300, act 432479, inact 2269, cleaned 0 spec 458, zf 65158, throt 0, compr 44921, xpmapped 161226

Feb 22 22:32:22 hibernate_alloc_pages act 504205, inact 133361, anon 81506, throt 0, spec 87220, wire 181024, wireinit 132206

Feb 23 02:19:54 pages 884487, wire 114769, act 432490, inact 2269, cleaned 0 spec 459, zf 65158, throt 0, compr 44921, xpmapped 251318

Feb 23 06:04:31 pages 842213, wire 162326, act 441570, inact 26424, cleaned 0 spec 459, zf 61544, throt 0, compr 40636, xpmapped 251318

Feb 23 06:25:39 hibernate_alloc_pages act 109436, inact 70199, anon 6605, throt 0, spec 37187, wire 170102, wireinit 132206

Feb 23 06:25:39 pages 309521, wire 92616, act 79299, inact 5739, cleaned 0 spec 265, zf 0, throt 0, compr 83, xpmapped 85303

Feb 23 06:29:04 pages 583442, wire 150966, act 249754, inact 5728, cleaned 0 spec 297, zf 2439, throt 0, compr 136599, xpmapped 85303

Feb 23 06:29:04 hibernate_alloc_pages act 269444, inact 15979, anon 4544, throt 0, spec 10456, wire 174277, wireinit 132206

Feb 23 06:29:12 pages 583312, wire 150829, act 249759, inact 5728, cleaned 0 spec 298, zf 2439, throt 0, compr 136599, xpmapped 170604

Feb 23 07:47:22 pages 564403, wire 151211, act 256122, inact 5726, cleaned 0 spec 294, zf 2445, throt 0, compr 109614, xpmapped 170604

Feb 23 13:02:49 hibernate_alloc_pages act 99494, inact 13985, anon 2126, throt 0, spec 11230, wire 170287, wireinit 132206

Feb 23 13:02:49 pages 217573, wire 92741, act 79317, inact 5723, cleaned 0 spec 265, zf 0, throt 0, compr 123, xpmapped 85305

Feb 23 14:36:33 pages 1273745, wire 173845, act 623557, inact 6081, cleaned 0 spec 735, zf 19970, throt 0, compr 95046, xpmapped 85305

Feb 23 14:36:33 hibernate_alloc_pages act 713059, inact 189836, anon 53026, throt 0, spec 101961, wire 198300, wireinit 132206

Feb 23 15:01:04 pages 1237598, wire 137692, act 623561, inact 6081, cleaned 0 spec 736, zf 19970, throt 0, compr 95046, xpmapped 183258

Feb 23 18:49:53 pages 1228624, wire 184407, act 647765, inact 6206, cleaned 0 spec 594, zf 37909, throt 0, compr 79511, xpmapped 183258

Feb 23 19:42:25 hibernate_alloc_pages act 194877, inact 79768, anon 17553, throt 0, spec 99365, wire 187679, wireinit 132206

Feb 23 19:42:25 pages 485079, wire 111039, act 94296, inact 6203, cleaned 0 spec 300, zf 0, throt 0, compr 30, xpmapped 100799

Total CPU usage: user 32%, system 5%

CPU usage by process "clamscan" with UID 501: 96.2%

Extrinsic daemons

net.juniper.UninstallPulse

net.juniper.AccessService

Jack

com.vsearch.helper

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.adobe.fpsaud

Extrinsic agents

net.juniper.pulsetray

com.vsearch.agent

com.pharos.popup

com.pharos.notify

com.google.keystone.system.agent

com.spotify.webhelper

com.hp.printerAgent

com.adobe.ARM.UUID

launchd items

/Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.system.agent)

/Library/LaunchAgents/com.pharos.notify.plist

(com.pharos.notify)

/Library/LaunchAgents/com.pharos.popup.plist

(com.pharos.popup)

/Library/LaunchAgents/com.vsearch.agent.plist

(com.vsearch.agent)

/Library/LaunchAgents/net.juniper.pulsetray.plist

(net.juniper.pulsetray)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.google.keystone.daemon.plist

(com.google.keystone.daemon)

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

(com.microsoft.office.licensing.helper)

/Library/LaunchDaemons/com.vsearch.daemon.plist

(com.vsearch.daemon)

/Library/LaunchDaemons/com.vsearch.helper.plist

(com.vsearch.helper)

/Library/LaunchDaemons/Jack.plist

(Jack)

/Library/LaunchDaemons/net.juniper.AccessService.plist

(net.juniper.AccessService)

/Library/LaunchDaemons/net.juniper.UninstallPulse.plist

(net.juniper.UninstallPulse)

Library/LaunchAgents/com.adobe.ARM.UUID.plist

(com.adobe.ARM.UUID)

Library/LaunchAgents/com.hp.printerAgent.plist

(com.hp.printerAgent)

Library/LaunchAgents/com.spotify.webhelper.plist

(com.spotify.webhelper)

Extrinsic loadable bundles

/System/Library/Extensions/USBGenericPrinterClass.kext

(com.marvell.kext.USBGenericPrinterClass)

/Library/Audio/MIDI Drivers/EmagicUSBMIDIDriver.plugin

(info.emagic.driver.unitor)

/Library/Internet Plug-Ins/AdobePDFViewer.plugin

(com.adobe.acrobat.pdfviewer)

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

(com.adobe.acrobat.pdfviewerNPAPI)

/Library/Internet Plug-Ins/AmazonMP3DownloaderPlugin1017265.plugin

(com.AmazonMP3DownloaderPluginLib.Amazon MP3 Downloader Plugin)

/Library/Internet Plug-Ins/DirectorShockwave.plugin

(com.adobe.shockwave.pluginshim)

/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

/Library/Internet Plug-Ins/googletalkbrowserplugin.plugin

(com.google.googletalkbrowserplugin)

/Library/Internet Plug-Ins/net.juniper.DSSafariExtensions.plugin

(net.juniper.DSSafariExtensions.plugin)

/Library/Internet Plug-Ins/npgtpo3dautoplugin.plugin

(com.google.o3d)

/Library/Internet Plug-Ins/o1dbrowserplugin.plugin

(com.google.o1dbrowserplugin)

/Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin

(com.microsoft.officelive.browserplugin)

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

(com.microsoft.sharepoint.browserplugin)

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

(com.microsoft.sharepoint.webkitplugin)

/Library/Internet Plug-Ins/Silverlight.plugin

(com.microsoft.SilverlightPlugin)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)

Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

Library/Services/ENService.app

(com.ThomsonResearchSoft.EndNote.ENService)

Unsigned shared libraries

/usr/lib/libtcl.dylib

/usr/lib/libtcl8.5.dylib

/usr/lib/libtk.dylib

/usr/lib/libtk8.5.dylib

User login items

iTunesHelper

Mail

Firefox

Dropbox

Restricted user files: 566

Font problems: 45

Elapsed time (s): 556

You have some suspicious findings that may represent a new type of malware or adware. I'll try to save you the trouble of erasing your startup volume. For that, I would need more information. Please run the following command in a Terminal window in the same way as before and post the output:

{ sudo launchctl list com.vsearch.helper; echo; launchctl list com.vsearch.agent; echo; /usr/libexec/PlistBuddy -c Print /L*/L*/com.vsearch.daemon.plist; } | pbcopy

You'll be prompted for your password again. This command makes no changes; it's only a test.

the "test" didn't help an "average user" in the slightest.

That's because you didn't run it, or didn't post the output.

Thanks! Here goes:

{

"Label" = "com.vsearch.helper";

"LimitLoadToSessionType" = "System";

"OnDemand" = true;

"LastExitStatus" = 0;

"PID" = 87;

"TimeOut" = 30;

"ProgramArguments" = (

"/Library/Application Support/VSearch/Agent/VSearchAgent.app/Contents/MacOS/VSearchAgent";

"-helper";

);

};

{

"Label" = "com.vsearch.agent";

"LimitLoadToSessionType" = "Aqua";

"OnDemand" = false;

"LastExitStatus" = 0;

"PID" = 267;

"TimeOut" = 30;

"ProgramArguments" = (

"/Library/Application Support/VSearch/Agent/VSearchAgent.app/Contents/MacOS/VSearchAgent";

);

"MachServices" = {

};

"PerJobMachServices" = {

"com.apple.CFPasteboardClient" = mach-port-object;

"com.apple.tsm.portname" = mach-port-object;

"com.apple.axserver" = mach-port-object;

};

};

Dict {

RunAtLoad = true

ThrottleInterval = 10

Disabled = true

ProgramArguments = Array {

/Library/Application Support/VSearch/Agent/VSearchAgent.app/Contents/MacOS/VSearchAgent

-update

}

KeepAlive = true

OnDemand = true

Label = com.vsearch.daemon

}

Back up all data.

Triple-click anywhere in the line below on this page to select it:

/Library/Application Support/VSearch

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item selected. Move the selected item to the Trash. You may be prompted for your administrator password.

Repeat with each of the following lines:

/Library/LaunchAgents/com.vsearch.agent.plist

/Library/LaunchDaemons/com.vsearch.daemon.plist

/Library/LaunchDaemons/com.vsearch.helper.plist

/Library/LaunchDaemons/Jack.plist

/Library/PrivilegedHelperTools/Jack

Restart, empty the Trash, and test.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar, paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.

I backed up my files, found those folders, deleted them, restarted, and emptied the trash. The Jack folder dated back only to the night of 2/12 (I forgot to check the date on the others), which is conceivably when my computer got infected. But Firefox is still acting up - every time I restart the program, the default website is the Whitesmoke search engine, even though before restarting Firefox I set the default website to a different site. And also, twice this morning I have gotten the "Disk Not Ejected Properly" message for my external backup hard drive (4 months old, no previous problems), which has remained firmly plugged into its USB slot.

Are there more diagnostics I can run to try to fix this?

Should I give up trying to selectively remove this malware and just restore my computer to how it was on February 11th?

Thank you for your help!

You may have installed a malicious Firefox add-on. Remove any add-ons you don't recognize, or if in doubt, remove all of them.

I am having the exact same issue (I wish I could blame a son or daughter on this) and have followed this thread from last Friday. There appears to be a lot of details on this threat in the PC world and some specific Malware tools to remove it. I did try to download MacScan which I read somewhere fixed the issue, but alas, it didn't even find it.

So I am at the same point ihowley is at with a delete/reinstall looming. Not really sure I wan't to down this path, becuase my last backup is actually not too recent. But it doesn't look like the traditional methods are working, which implies that this particular thread is something the Mac community should be concerned about.

For those finding this thread, here's a more complete set of instructions for removing the adware.

You installed the "DownLite" adware, perhaps under a different name. Remove it as follows.

Back up all data.

Triple-click anywhere in the line below on this page to select it:

/Library/Application Support/VSearch

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "VSearch" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchAgents/com.vsearch.agent.plist /Library/LaunchDaemons/com.vsearch.daemon.plist /Library/LaunchDaemons/com.vsearch.helper.plist /Library/LaunchDaemons/Jack.plist /Library/PrivilegedHelperTools/Jack /System/Library/Frameworks/VSearch.framework

After moving all the files, restart and empty the Trash.

This unwanted program is distributed on illegal websites that traffic in pirated movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar, paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return.