how do I get rid of adware?

Sorry, Linc Davis

First time here! Can you help me? 🙂


Boot Mode: Normal


Model: MacBookPro10,1


Battery cycles: 342


USB


DataTraveler 2.0 (Toshiba Corporation)


System diagnostics


2014-10-03 Google Chrome Helper spin

2014-10-03 Google Chrome spin

2014-10-03 Google Earth spin

2014-10-04 aosnotifyd,diskarbitrationd shutdownStall

2014-10-05 AutoCAD spin

2014-10-05 AutoCAD spin

2014-10-05 Creative Cloud spin

2014-10-05 Google Chrome Helper spin

2014-10-05 Google Chrome spin

2014-10-05 Google Chrome spin


User diagnostics


2014-09-25 CEPHtmlEngine crash

2014-09-26 CEPHtmlEngine crash

2014-09-26 iMovie crash

2014-10-01 CEPHtmlEngine crash

2014-10-01 CEPHtmlEngine crash

2014-10-01 CEPHtmlEngine crash

2014-10-01 CEPHtmlEngine crash

2014-10-03 CEPHtmlEngine crash

2014-10-03 CEPHtmlEngine crash

2014-10-04 PopcornTime crash


Kernel messages


Oct 5 10:20:58 IOPPF: Sent gpu-external-plimit-notification last value 15 (rounded time weighted average 15)

Oct 5 10:20:58 IOPPF: Sent gpu-internal-plimit-notification last value 14 (rounded time weighted average 14)

Oct 5 15:18:30 PM notification timeout (pid 344, Creative Cloud)

Oct 5 15:18:30 PM notification timeout (pid 414, Adobe CEF Helper)

Oct 5 15:18:30 PM notification timeout (pid 413, Adobe CEF Helper)

Oct 5 18:34:48 wl0: Roamed or switched channel, reason #8, bssid 00:19:c7:ee:cf:e8

--- last message repeated 1 time ---

Oct 5 19:37:05 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 3)

--- last message repeated 1 time ---

Oct 5 19:37:35 IOPPF: Sent gpu-external-plimit-notification last value 1 (rounded time weighted average 1)

Oct 5 19:37:35 IOPPF: Sent gpu-internal-plimit-notification last value 1 (rounded time weighted average 1)

Oct 5 19:37:56 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 3)

--- last message repeated 1 time ---

Oct 5 19:38:35 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 4)

--- last message repeated 1 time ---

Oct 5 19:39:00 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 3)

Oct 5 19:39:15 IOPPF: Sent cpu-plimit-notification last value 1 (rounded time weighted average 6)

Oct 5 19:39:26 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 5)

Oct 5 19:39:37 IOPPF: Sent gpu-external-plimit-notification last value 9 (rounded time weighted average 6)

Oct 5 19:39:37 IOPPF: Sent gpu-internal-plimit-notification last value 10 (rounded time weighted average 6)

Oct 5 19:39:37 IOPPF: Sent cpu-plimit-notification last value 21 (rounded time weighted average 14)

Oct 5 19:39:48 IOPPF: Sent gpu-external-plimit-notification last value 9 (rounded time weighted average 7)

Oct 5 19:39:48 IOPPF: Sent gpu-internal-plimit-notification last value 10 (rounded time weighted average 8)

Oct 5 19:39:48 IOPPF: Sent cpu-plimit-notification last value 21 (rounded time weighted average 17)

Oct 5 19:39:59 IOPPF: Sent cpu-plimit-notification last value 3 (rounded time weighted average 19)


Extrinsic daemons


com.vsearch.helper

com.oracle.java.Helper-Tool

com.anchorfree.ajaxserver

com.adobe.SwitchBoard

com.adobe.fpsaud


Extrinsic agents


com.shazam.mac.ShazamHelper

com.vsearch.agent

com.oracle.java.Java-Updater

com.divx.update.agent

com.divx.dms.agent

com.adobe.AdobeCreativeCloud

com.google.keystone.user.agent


launchd items


/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Startup-1.0)

/Library/LaunchAgents/com.adobe.AdobeCreativeCloud.plist

(com.adobe.AdobeCreativeCloud)

/Library/LaunchAgents/com.divx.dms.agent.plist

(com.divx.dms.agent)

/Library/LaunchAgents/com.divx.update.agent.plist

(com.divx.update.agent)

/Library/LaunchAgents/com.oracle.java.Java-Updater.plist

(com.oracle.java.Java-Updater)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.adobe.SwitchBoard.plist

(com.adobe.SwitchBoard)

/Library/LaunchDaemons/com.anchorfree.ajaxserver.plist

(com.anchorfree.ajaxserver)

/Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

(com.oracle.java.Helper-Tool)

Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Scheduler-1.0)

Library/LaunchAgents/com.google.keystone.agent.plist

(com.google.keystone.user.agent)


Extrinsic loadable bundles


/Library/Internet Plug-Ins/AdobeAAMDetect.plugin

(com.AdobeAAMDetectLib.AdobeAAMDetect)

/Library/Internet Plug-Ins/DivX Web Player.plugin

(com.divx.DivXWebPlayer)

/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.oracle.java.JavaAppletPlugin)

/Library/Internet Plug-Ins/OVSHelper.plugin

(com.divx.OVSHelper)

/Library/Internet Plug-Ins/Silverlight.plugin

(com.microsoft.SilverlightPlugin)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

/Library/PreferencePanes/JavaControlPanel.prefPane

(com.oracle.java.JavaControlPanel)

/Library/PreferencePanes/Tuxera NTFS.prefPane

(com.tuxera.ntfs.mac.prefpane)

/Library/ScriptingAdditions/Adobe Unit Types.osax

(No bundle ID)

/Library/Spotlight/GSMDimporter.mdimporter

(com.graphisoft.GSMDimporter)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)

Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin

(com.conduit.ConduitNPAPIPlugin)


DNS (not from DHCP): 208.67.222.222


Application check


com.autodesk.AutoCAD


User login items


iTunesHelper

Flow for Mac

BitTorrent

Dropbox

Hotspot Shield

Pogoplug PC

Autodesk 360


Restricted user files: 139


Font problems: 3


Elapsed time (s): 88

MacBook Pro (Retina, Mid 2012), iOS 8

Posted on Oct 5, 2014 8:36 PM

13 replies

Oct 5, 2014 8:50 PM in response to Mara Quirarte

You installed the "VSearch" trojan, perhaps under a different name. Remove it as follows.

Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Reset the home page and default search engine in all the browsers, if it was changed.

Step 2

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchAgents/com.vsearch.agent.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist

Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind VSearch has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
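Added example, not part of the original thread and not Linc Davis's script: a small POSIX shell check that lists the artifact paths named in Step 2 above and reports which of them exist on the machine. It deletes nothing, so the output can be compared against the diagnostic report before anything is dragged to the Trash. The optional root-prefix argument (for checking a mounted volume or a copy) and the expansion of the `~` path to `$HOME` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Reports which of the VSearch
# artifacts named in the removal steps are present; nothing is removed.
# Optional first argument: a root prefix (assumed, e.g. a mounted volume);
# default is the live filesystem.

# vsearch_paths: one artifact path per line, exactly as listed in the post.
# The "~/Library/..." entry is expanded to the current user's home directory.
vsearch_paths() {
  cat <<EOF
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/Application Support/VSearch
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
$HOME/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
EOF
}

# vsearch_scan [ROOT]: print "FOUND"/"absent" per path, then "found: N".
# Uses a here-document rather than a pipe so the counter survives the loop.
vsearch_scan() {
  root="${1:-}"
  found=0
  while IFS= read -r p; do
    if [ -e "$root$p" ]; then
      printf 'FOUND   %s\n' "$root$p"
      found=$((found + 1))
    else
      printf 'absent  %s\n' "$root$p"
    fi
  done <<EOF
$(vsearch_paths)
EOF
  printf 'found: %d\n' "$found"
}

# vsearch_count [ROOT]: only the number of artifacts present.
vsearch_count() {
  vsearch_scan "${1:-}" | sed -n 's/^found: //p'
}

vsearch_scan "${1:-}"
```

Run it as `sh vsearch_check.sh` (or with a prefix such as `sh vsearch_check.sh /Volumes/Backup`). Each FOUND line corresponds to a deletion step above that applies to this machine; each absent line is an item for which the post says you would otherwise get a "file can't be found" message and can skip.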

Oct 5, 2014 9:20 PM in response to Mara Quirarte

One other comment. Never take the word of strangers on the Internet that any unknown software is safe. That's just a continuation of the same behavior that got you into trouble in the first place. Whether the software is safe is something you have to decide by your own research.

If you are given that kind of advice by a poster on this site, you should ask him whether he has personally tested it on his own computer, as the agreed terms of use of ASC require.

In order to honestly answer "yes," he would need to have installed every known kind of adware on his computer and then removed it in the way he's recommending to you. He would then need to have verified, not only that all the adware was completely removed, but that nothing else was removed along with it. Has he in fact done all that?

If he answers "no," then not only is he violating the use agreement, but he also has no factual basis for his comment. In practice, the answer you are likely to get is that he regards someone else as a "malware expert," and since that's his opinion, it should be your opinion too. Think carefully about whether you should accept that argument as a substitute for knowledge.

Oct 6, 2014 5:27 AM in response to Linc Davis

Linc Davis wrote:


Never take the word of strangers on the Internet that any unknown software is safe.


Also, never take the word of strangers on the internet to run a command in the Terminal. This can be disastrous!


Anything you do with your computer based on the advice of people you don't know should be verified. Check out any apps to make sure they're legit. This is generally fairly easy to do with a little bit of searching to see what the reputation of the app is. Also, never download apps from a download aggregation site, like Download.com or Softonic. Such places are not trustworthy.


Unfortunately, when it comes to lengthy Terminal commands, such as the one you ran to start this topic, there is no good way to determine their safety. Even most people with a good knowledge of Unix shell scripts would struggle to understand Linc's code. In this case, I can vouch for the fact that Linc's code appears to be good and does not appear to contain anything malicious, but running such commands sets a dangerous precedent. Many people have had their entire hard drives wiped after running a Terminal command provided by some anonymous jokester online.

Oct 6, 2014 6:19 AM in response to Linc Davis

If it needs to be pointed out, I didn't ask you to run a shell command. If I had asked you to do that, I would have told you to read it first or otherwise verify its safety (which you can't do with an application), and even more important, I would have told you to back up your data before doing anything else. I would not have told you to download an opaque application from my website, or my friend's website, without making any attempt to determine whether it was safe. I would not have pretended to guarantee the results on the basis of no knowledge and no responsibility for the consequences. Finally, the script you ran does not phone home to me. You could run it while disconnected from the network.


The reddest of all red flags on the Internet is the stranger who asks you to trust him. Even if he is, in fact, trustworthy in one particular case, the behavior pattern of putting blind faith in strangers will inevitably lead to disaster, and neither "Adwaremedic" nor anything else will save you.

Oct 6, 2014 7:12 AM in response to Linc Davis

Linc Davis wrote:


If it needs to be pointed out, I didn't ask you to run a shell command.


You have asked countless people on these forums to run that script of yours.


If I had asked you to do that, I would have told you to read it first or otherwise verify its safety (which you can't do with an application)


Linc, you know as well as I do that your script is as opaque as an application to almost everyone here. I mean, I'm no dummy when it comes to Unix, but it would take me days to wade through your script and figure it all out. It honestly reminds me of some of the minified and obfuscated malicious JavaScripts I've seen.


If you're going to continue to bash my app at every opportunity, you need to expect that I will be pointing out the issues of trusting some almost 11,000 character-long obfuscated script posted by a random person in a forum. If anything, such a script is harder to verify than an app, which should have one known, consistent source whose reputation can be checked out far more easily.

Oct 6, 2014 7:48 AM in response to thomas_r.

it would take me days to wade through your script and figure it all out

Not much I can do about that. Others have succeeded where you failed, and they found nothing harmful in the script. Had it been otherwise, I wouldn't be here now. How long would it take to wade through the "Adwaremedic" binary and figure it all out?

If you're going to continue to bash my app

I have never "bashed your app." I've never tested it, so I have no basis either for criticizing it or endorsing it. What I do criticize is reinforcing the behavior of naive users, who don't know what they can or can't trust, and thereby creating both a false sense of security and a demand for quick fixes, which will be readily exploited by Internet criminals.

Oct 6, 2014 8:44 AM in response to Linc Davis

Linc Davis wrote:

What I do criticize is reinforcing the behavior of naive users, who don't know what they can or can't trust


I'm constantly boggled at your continued idea that your script is somehow exempt from this. These "naive users" you refer to have no way to verify the validity of your script, except through exactly the same methods that they have to use to evaluate apps - reputation.


We can go on like this all day, with you undermining my efforts and me undermining yours, or we can get back to the business of educating users in our own ways. I'd prefer to focus on the latter, but don't expect me to just roll over and take what you're dishing out without pointing out the flaws in your criticisms.

Oct 6, 2014 10:10 AM in response to thomas_r.

These "naive users" you refer to have no way to verify the validity of your script, except through exactly the same methods that they have to use to evaluate apps - reputation.

That's incorrect, and if you had actually read one of the comments in which I post the script, you would know why it's incorrect. The script is open-source software, and the many-eyes principle applies. Not everyone who uses it has to be able to understand it. Only one of all the (potentially) millions of people who see it would have to raise the alarm that it's harmful, and it would be gone. Whether you know it or not, some of those people have in fact vetted the script. No one is ever going to do that with a compiled app.


That said, the script isn't suitable for everyone, and I say so every time I post it.

Oct 6, 2014 1:29 PM in response to Linc Davis

Linc Davis wrote:

The script is open-source software


So is OpenSSL, yet Heartbleed existed. So is bash, yet Shellshock managed to go uncaught for decades. The many-eyes principle is overrated, because in principle, everyone assumes someone else is looking at it, and in reality almost nobody is.


Only one of all the (potentially) millions of people who see it would have to raise the alarm that it's harmful, and it would be gone.

If my app were harmful, there would be many people saying so here. Instead, most of the regulars here support it.

Oct 6, 2014 2:07 PM in response to thomas_r.

The many-eyes principle is overrated, because in principle, everyone assumes someone else is looking at it, and in reality almost nobody is.

If nobody were looking, the bugs would never have been discovered. In any case, a subtle bug is not the same thing as a deliberate exploit.

If my app were harmful, there would be many people saying so here. Instead, most of the regulars here support it.

I never said that your app was malicious. I don't think it is. I never told anyone not to run it. That's not the point. Can you really not understand that? What is harmful is not the app (as far as I know), but the effect on user behavior.


As for the regulars, of course they love your app, because it empowers them to give advice from a position of utter ignorance, to break the TOU with impunity, and often to score points in the ridiculous multi-player online game that is ASC. They don't know or care what the long-term consequences are. In practice, you have nothing to worry about, because they far outnumber me and will always do your bidding. And you don't have to pay them a cent.

Oct 6, 2014 7:51 PM in response to Linc Davis

Linc Davis wrote:


What is harmful is not the app (as far as I know), but the effect on user behavior.


And my point is that your script has exactly the same effect on user behavior. They don't know who has validated it, nor do they care. They do not understand it, because it's obfuscated beyond comprehension by anyone but a true Unix guru. Those who run it are often doing so simply because you asked them to. You do tell people to try to evaluate whether it is safe or not... yet I also tell people to be cautious of running an app, and refer people specifically to my manual removal instructions if they are uncomfortable running the app.


From a practical standpoint, the only thing that's significantly different is that one of them's mine and one of them's yours... and that's what I have a serious problem with. As long as you continue to tell people not to download my app while providing your own equally-obscure shell script, I'll continue having a problem with your advice.


As for the regulars, of course they love your app, because it empowers them to give advice from a position of utter ignorance, to break the TOU with impunity, and often to score points in the ridiculous multi-player online game that is ASC.


Because you don't agree with something, those supporting it must be ignorant, breaking rules and just playing some kind of game? They couldn't possibly be trying to help people...


I think you've helped me make my point pretty well, Linc. Thanks.
