How to remove Adware?

Hi Linc Davis,

I believe that I have the same issues as discussed in this forum. Like Annon, the files were not found in the finder-but that was just a test, correct?

Next I followed this:

Here's a summary of what you need to do, if you choose to proceed: Copy a line of text from this web page into the WINDOW of another application. Wait for the script to run. It usually takes a few minutes. Then paste the results, which will have been copied automatically, back into a reply on this page. The sequence is: copy, paste, wait, paste again. Details follow.

Do you mean to copy one of your text lines from this forum and insert it into the search bar of Microsoft Application?

Linc does not normally respond to "me too" requests, especially one this old. I doubt that he isn't even monitoring this discussion any more and I'm not sure why I am still here.

Even more important is that much has changed in the past eight months since this was started and there are now many more different types and varieties of adware to contend with and I would also guess that Linc's recommendations have changed along with it.

The fastest, most effective way to identify and optionally remove all currently known adware is by using AdwareMedic, developed by thomas_r. this Forum's malware guru, owner of TheSafeMac and a colleague of mine.

If it turns out to be the Downlite adware, then they have managed to block your access to that site and you will need to use an alternate technique as described in About the Downlite adware.

To understand why this happened and how to avoid such things in the future read John Galt's How to install adware.

If you are unwilling to try AdwareMedic then your best bet would be to start a new discussion, outlining your problem in much greater detail than you have here, to include a screenshot of what you are seeing so that we can identify what type of adware you installed and hopefully give you clear instructions on how to remove it.

Thank You , the VSEARCH files was removed based on your advice.

thanks, this worked for me,

thousand times grateful

Avnan

thanks, this worked for me. With the adware it felt like working with windows 🙂.

thousand times grateful.

Avnan

Thomas_r - You mentioned to, PercEpTivE, that they have Downlite. I have been having very similar situation as what was noted ("fake" Yahoo home page). I followed the instructions on your website "The Safe Mac," and it didn't seem to help. I used your app to clean my computer and I was able to locate and remove spigot files from my computer. However, Yahoo still populates as my homepage. I also noticed whenever I open a folder whether documents, library etc. the file DS_Store appears (which I tried to deleted but it keeps reappering) - my gut says this is the problem. I tried to do the VSearch and I am told there are no files. In Safari Extensions I have no extensions. I ran the "take system snapshot" from your app but have no clue as to what I am looking at. Is there anyway you could help with this?

Saj_Ryder wrote:

I was able to locate and remove spigot files from my computer. However, Yahoo still populates as my homepage.

I guess you missed the part in Next Steps where you need to go into Safari Preferences->General and re-enter your preferred "Homepage: ". The default is http://www.apple.com/startpage/ but you can set it to whatever you want. While you are there go to the "Search" tab and make sure the "Search engine: " setting is the one you prefer.

I also noticed whenever I open a folder whether documents, library etc. the file DS_Store appears (which I tried to deleted but it keeps reappering)

There is one in most every folder. They contain information concerning your viewing preferences for that window, but normally they are hidden. Did you do something to show hidden files by any chance?

I ran the "take system snapshot" from your app but have no clue as to what I am looking at. Is there anyway you could help with this?

I don't see any need for it as it would appear that once you fix your home page (and perhaps search engine) that you are good to go, but if you still feel a need for Thomas' help, use the "Submit to The Safe Mac" button in the upper right corner of the System Snapshot window.

This is what mine looks like, I did what you provided and removed some but also couldnt find some.

Boot Mode: Normal

Model: iMac10,1

USB

My Book 1110 (Western Digital Technologies, Inc.)

USB-PS/2 Optical Mouse (Logitech Inc.)

System diagnostics

2014-10-20 Activity Monitor crash

2014-11-05 Adobe Fireworks CS4 hang

User diagnostics

2014-11-02 garcon crash

2014-11-05 CoreServicesUIAgent crash

2014-11-05 garcon crash

2014-11-05 garcon crash

2014-11-05 garcon crash

2014-11-05 garcon crash

2014-11-07 garcon crash

2014-11-11 garcon crash

2014-11-15 garcon crash

2014-11-17 garcon crash

Kernel messages

Nov 11 20:43:18 BUG in process suhelperd[211]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 152 times ---

Nov 11 20:43:35 BUG in process suhelperd[211]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 117 times ---

Nov 11 20:43:35 BUG in process suhelperd[211]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 4 times ---

Nov 11 20:43:36 BUG in process suhelperd[211]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 1 time ---

Nov 13 02:43:05 BUG in process suhelperd[211]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 425 times ---

Nov 14 08:44:13 BUG in process suhelperd[211]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 129 times ---

Nov 14 08:45:32 BUG in process suhelperd[211]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 273 times ---

Nov 17 09:42:02 BUG in process suhelperd[211]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 132 times ---

Nov 17 09:42:17 BUG in process suhelperd[211]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 4 times ---

Nov 17 09:42:22 BUG in process suhelperd[211]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 1 time ---

Nov 17 10:07:00 BUG in process suhelperd[303]: over-released legacy external boost assertions (2 total, 1 external, 0 legacy-external)

Nov 17 10:07:01 BUG in process suhelperd[303]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 117 times ---

Nov 17 10:07:49 BUG in process suhelperd[303]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

Nov 17 10:11:10 process rpcsvchost[151] thread 963 caught burning CPU! It used more than 50% CPU (Actual recent usage: 86%) over 180 seconds. thread lifetime cpu usage 179.263518 seconds, (141.605594 user, 37.657924 system) ledger info: balance: 90004054133 credit: 179252124897 debit: 89248070764 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 104565392757

Total CPU usage: user 40%, system 10%

CPU usage by process "rpcsvchost" with UID 0: 100.0%

Loaded extrinsic kernel extensions

com.logmein.driver.LogMeInSoundDriver (4.1.46f67)

Extrinsic daemons

com.logmein.logmeinserver

com.oracle.java.JavaUpdateHelper

com.adobe.versioncueCS4

com.google.keystone.daemon

com.oracle.java.Helper-Tool

com.logmein.raupdate

com.adobe.fpsaud

Extrinsic agents

com.adobe.CS4ServiceManager

com.logmein.LMILaunchAgentFixer

com.nike.nikeplusconnect

com.flipvideo.FlipShareAutoRun

com.facebook.videochat.arvinomar.updater

com.google.keystone.system.agent

com.oracle.java.Java-Updater

com.logmein.logmeingui

com.logmein.logmeinguiagent

launchd items

/Library/LaunchAgents/com.adobe.CS4ServiceManager.plist

(com.adobe.CS4ServiceManager)

/Library/LaunchAgents/com.flipvideo.FlipShare.AutoRun.plist

(com.flipvideo.FlipShareAutoRun)

/Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.system.agent)

/Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist

(com.logmein.LMILaunchAgentFixer)

/Library/LaunchAgents/com.logmein.logmeingui.plist

(com.logmein.logmeingui)

/Library/LaunchAgents/com.logmein.logmeinguiagent.plist

(com.logmein.logmeinguiagent)

/Library/LaunchAgents/com.logmein.logmeinguiagentatlogin.plist

(com.logmein.logmeinguiagentatlogin)

/Library/LaunchAgents/com.nike.nikeplusconnect.plist

(com.nike.nikeplusconnect)

/Library/LaunchAgents/com.oracle.java.Java-Updater.plist

(com.oracle.java.Java-Updater)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.adobe.versioncueCS4.plist

(com.adobe.versioncueCS4)

/Library/LaunchDaemons/com.apple.aelwriter.plist

(com.apple.aelwriter)

/Library/LaunchDaemons/com.google.keystone.daemon.plist

(com.google.keystone.daemon)

/Library/LaunchDaemons/com.logmein.logmeinserver.plist

(com.logmein.logmeinserver)

/Library/LaunchDaemons/com.logmein.raupdate.plist

(com.logmein.raupdate)

/Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

(com.oracle.java.Helper-Tool)

/Library/LaunchDaemons/com.oracle.java.JavaUpdateHelper.plist

(com.oracle.java.JavaUpdateHelper)

Library/LaunchAgents/com.facebook.videochat.arvinomar.plist

(com.facebook.videochat.arvinomar.updater)

Library/LaunchAgents/jp.co.canon.Inkjet_Extended_Survey_Agent.plist

(jp.co.canon.Inkjet_Extended_Survey_Agent)

DNS (from DHCP): 75.75.75.75

hosts

127.0.0.1 activate.adobe.com

127.0.0.1 practivate.adobe.com

127.0.0.1 ereg.adobe.com

127.0.0.1 activate.wip3.adobe.com

127.0.0.1 wip3.adobe.com

127.0.0.1 3dns-3.adobe.com

127.0.0.1 3dns-2.adobe.com

127.0.0.1 adobe-dns.adobe.com

127.0.0.1 adobe-dns-2.adobe.com

127.0.0.1 adobe-dns-3.adobe.com

127.0.0.1 ereg.wip3.adobe.com

127.0.0.1 activate-sea.adobe.com

127.0.0.1 wwis-dubc1-vip60.adobe.com

127.0.0.1 activate-sjc0.adobe.com

127.0.0.1 hl2rcv.adobe.com

Safari extensions

extension

Restricted user files: 301

Font problems: 9

Desktop file count: 55

Elapsed time (s): 348

many thanks for these useful information , it helped me to solve my MAC problem ,

Linc, If you are still out there, can you tell me what I should do with the following results:

System:

Mac Mini, Yosemite 10.10.1

I recently purchased my Mac Mini, and approx 3 weeks ago my wife installed a program called MacKeeper. Since that point we have had major issues with adware on our mac. Avast constantly is blocking phishing sites, warning us about adware sites etc, however when we perform a scan, it finds nothing. We looked into MacKeeper, and found out it was not an apple product, removed it as the instructions said, however, it left command lines behind that are still running hijack scripts I believe. I searched the communities and found some help from a user "Linc Davis" that provided a command prompt script to run to discover what objects are running in the background and sure enough, there are all kinds of stuff including MacKeeper. I will list the results of that scan below. Link Davis, if you are still out there or if anyone else would be willing to help me figure out how to remove this garbage, I would greatly appreciate it.

Results from Linc Davis's Command line script:

Boot Mode: Normal

Model: Macmini6,2

Thunderbolt

Thunderbolt Bus (Apple Inc.)

USB

IR Receiver (Apple Inc.)

BRCM20702 Hub (Broadcom Corp.)

Bluetooth USB Host Controller (Apple Inc.)

System diagnostics

2014-12-03 spindump crash

Kernel messages

Dec 11 19:14:50 wl0: Roamed or switched channel, reason #4, bssid 0c:f8:93:e2:04:20, last RSSI -69

Dec 13 13:19:56 BUG in process suhelperd[996]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

Dec 13 13:20:03 [[0xffffff801fe69000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.

Dec 13 13:20:54 BUG in process suhelperd[996]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 300 times ---

Dec 13 13:22:10 BUG in process suhelperd[996]: over-released legacy external boost assertions (0 total, 0 external, 0 legacy-external)

--- last message repeated 1 time ---

Dec 13 13:22:14 BUG in process suhelperd[996]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 5 times ---

Dec 13 13:30:21 PM notification timeout (pid 3984, Safari)

--- last message repeated 2 times ---

Dec 13 14:17:19 PM notification timeout (pid 4160, com.apple.WebKit)

--- last message repeated 1 time ---

Dec 13 15:18:05 Sound assertion in AppleHDAFunctionGroup at line 1243

Dec 13 19:18:16 wl0: Roamed or switched channel, reason #2, bssid 0c:f8:93:e2:04:20, last RSSI -65

Dec 16 10:13:54 BUG in process suhelperd[996]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 1 time ---

Dec 16 10:14:11 [[0xffffff80228de000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.

Dec 16 10:15:11 BUG in process suhelperd[996]: over-released legacy external boost assertions (1 total, 1 external, 0 legacy-external)

--- last message repeated 318 times ---

Dec 16 10:24:17 PM notification timeout (pid 3984, Safari)

--- last message repeated 1 time ---

Dec 16 10:24:47 Sound assertion in AppleHDAFunctionGroup at line 1243

Dec 17 07:57:52 [[0xffffff8020404000] OpCode 0x0C01 (Set Event Mask) from: kernel_task (0) Synchronous status: 0x00 (kIOReturnSuccess) state: 2 (BUSY) timeout: 5000] Bluetooth warning: An HCI Req timeout occurred.

Loaded extrinsic kernel extensions

com.avast.PacketForwarder (2.0)

com.avast.AvastFileShield (2.1.0)

Extrinsic daemons

com.avast.uninstall

com.avast.daemon

com.avast.proxy

com.avast.service

com.avast.fileshield

com.avast.account

com.adobe.fpsaud

com.avast.crashreport

com.avast.init

Extrinsic agents

com.brother.LOGINserver

com.avast.userinit

com.avast.helper

com.citrix.ServiceRecords

com.adobe.ARM.UUID

com.cinema-+-hd.updater

com.citrix.ReceiverHelper

com.citrix.AuthManager_Mac

com.zeobit.MacKeeper.Helper

com.google.keystone.user.agent

launchd items

/Library/LaunchAgents/com.avast.userinit.plist

(com.avast.userinit)

/Library/LaunchAgents/com.brother.LOGINserver.plist

(com.brother.LOGINserver)

/Library/LaunchAgents/com.citrix.AuthManager_Mac.plist

(com.citrix.AuthManager_Mac)

/Library/LaunchAgents/com.citrix.ReceiverHelper.plist

(com.citrix.ReceiverHelper)

/Library/LaunchAgents/com.citrix.ServiceRecords.plist

(com.citrix.ServiceRecords)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.avast.init.plist

(com.avast.init)

/Library/LaunchDaemons/com.avast.uninstall.plist

(com.avast.uninstall)

/Library/LaunchDaemons/com.avast.update.plist

(com.avast.update)

Library/LaunchAgents/com.adobe.ARM.UUID.plist

(com.adobe.ARM.UUID)

Library/LaunchAgents/com.avast.home.userinit.plist

(com.avast.home.userinit)

Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.user.agent)

Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

(com.zeobit.MacKeeper.Helper)

Extrinsic loadable bundles

/System/Library/Extensions/JMicronATA.kext

(com.jmicron.JMicronATA)

/Library/Internet Plug-Ins/AdobePDFViewer.plugin

(com.adobe.acrobat.pdfviewer)

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

(com.adobe.acrobat.pdfviewerNPAPI)

/Library/Internet Plug-Ins/CitrixICAClientPlugIn.plugin

(com.citrix.citrixicaclientplugIn)

/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.apple.java.JavaAppletPlugin)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

DNS (from DHCP): 24.116.0.53

User login items

iTunesHelper

Restricted user files: 49

Elapsed time (s): 147

Linc rarely responds to "me too" postings and probably isn't even monitoring this eight month old, way too long discussion, so you need to start a new topic with the description of what you have done but wait to be told to post anything like Linc's diagnostics.

I suspect your adware problem is more due to your use of Avast! than an incomplete removal of MacKeeper. See Avast installs adware!. You probably don't need any A-V software, but there are certainly better choices available if you do.

I'm brand new to the "Apple community" and for whatever reason I was not able to post my question to a new thread, but was able to post it as a response. I just barely tried again, and figured out I had to choose a "community" to post to. Thanks for the response, I will have to look into the avast adware thing. I use my Mac to view highly confidential medical records, so I thought I would need a virus scanner, and avast seemed to get good ratings... Any advice would be helpful. I was always told "macs are virus proof" however given newer information stating that macs are specific targets, I cannot risk personal info being breeched.

Welcome to the community.

Elderathome wrote:

I use my Mac to view highly confidential medical records, so I thought I would need a virus scanner, and avast seemed to get good ratings...

Only in it's ability to detect most OS X malware, but it's also the most likely to give you "false alarms" and has been implicated in completely running down the battery of sleeping laptops not on a charger, over night. And I've already pointed out the adware they can bring with it. Nothing you find on the Internet is truly free.

I was always told "macs are virus proof" however given newer information stating that macs are specific targets, I cannot risk personal info being breeched.

Most anything you might read about that comes from A-V scanning vendors who need to sell software in order to stay in business. The only "Targetted Macs" belong to a small group of Tibetan sympathizers and as long as Windows maintains their 89% marketshare, they will remain the main target of cybercriminals. Here's some advise from John Galt, a frequent contributor here:

OS X already includes everything it needs to protect itself from viruses and malware. Keep it that way with software updates from Apple.

A much better question is "how should I protect my Mac":

• Never install any product that claims to "speed up", "clean up", "optimize", or "accelerate" your Mac, or to make it "shiny". Those claims are absurd.

Such products are very aggressively marketed. They are all scams.

• Never install pirated or "cracked" software, software obtained from dubious websites, or other questionable sources.

Illegally obtained software is almost certain to contain malware.

"Questionable sources" include but are not limited to spontaneously appearing web pages or popups, download hosting sites such as C net dot com, Softonic dot com, Soft pedia dot com, Download dot com, Mac Update dot com, or any other site whose revenue is primarily derived from junk product advertisements.

• Don’t supply your password in response to a popup window requesting it, unless you know what it is and the reason your credentials are required.
• Don’t open email attachments from email addresses that you do not recognize, or click links contained in an email:
• Most of these are scams that direct you to fraudulent sites that attempt to convince you to disclose personal information.
• Such "phishing" attempts are the 21st century equivalent of a social exploit that has existed since the dawn of civilization. Don’t fall for it.

Apple will never ask you to reveal personal information in an email. If you receive an unexpected email from Apple saying your account will be closed unless you take immediate action, just ignore it. If your iTunes or App Store account becomes disabled for valid reasons, you will know when you try to buy something or log in to this support site, and are unable to.

• Don’t install browser extensions unless you understand their purpose. Go to the Safari menu > Preferences > Extensions. If you see any extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone.
• Don’t install Java unless you are certain that you need it:
• Java, a non-Apple product, is a potential vector for malware. If you are required to use Java, be mindful of that possibility.
• Java can be disabled in System Preferences.

Despite its name JavaScript is unrelated to Java. No malware can infect your Mac through JavaScript. It’s OK to leave it enabled.

• Block browser popups: Safari menu > Preferences > Security > and check "Block popup windows":
• Popup windows are useful and required for some websites, but popups have devolved to become a common means to deliver targeted advertising that you probably do not want.
• Popups themselves cannot infect your Mac, but many contain resource-hungry code that will slow down Internet browsing.

If you ever see a popup indicating it detected registry errors, that your Mac is infected with some ick, or that you won some prize, it is 100% fraudulent. Ignore it.

• Ignore hyperventilating popular media outlets that thrive by promoting fear and discord with entertainment products arrogantly presented as "news". Learn what real threats actually exist and how to arm yourself against them:
• The most serious threat to your data security is phishing. To date, most of these attempts have been pathetic and are easily recognized, but that is likely to change in the future as criminals become more clever.
• OS X viruses do not exist, but intentionally malicious or poorly written code, created by either nefarious or inept individuals, is nothing new.
• Never install something without first knowing what it is, what it does, how it works, and how to get rid of it when you don’t want it any more.
• If you elect to use "anti-virus" software, familiarize yourself with its limitations and potential to cause adverse effects, and apply the principle immediately preceding this one.

Most such utilities will only slow down and destabilize your Mac while they look for viruses that do not exist, conveying no benefit whatsoever - other than to make you "feel good" about security, when you should actually be exercising sound judgment, derived from accurate knowledge, based on verifiable facts.

• Do install updates from Apple as they become available. No one knows more about Macs and how to protect them than the company that builds them.

Summary: Use common sense and caution when you use your Mac, just like you would in any social context. There is no product, utility, or magic talisman that can protect you from all the evils of mankind.

As far as advise on an alternative to Avast!, if you must have something, I refrain from doing so since I provide uncompensated tech support on the ClamXav Forum and might be seen as bias. A couple of independent test sites that I trust are TheSafeMac and SecurityScan.

Thank you for you help! Greatly appreciated!

So, around Dec 28th, I made an error and clicked where I should not have. Since then I have had Mackeeper, Zipcloud, sisplay, bulletflix, and a few other annoying sites. They tend to pop up every 5 or so clicks if I add tabs.

I tried the advice from Linc Davis earlier in the year that seemed to work for most people, but none of the files were found. When I ran a diagnostic test, I found the following suspicious lines. Suspect vsearch is has evovled as Linc mentioned in his March post.

I found files under the name steak in /Application Support/ and /Daemons/ and /Launch Agents/ et al.

Keep you eyes open. This link is also helpful to find this program: http://www.thesafemac.com/arg-downlite/

Good luck