
Got a malware on OS X Yosemite, how do I get rid of it?

I have some kind of malware present on my MacBook Pro, mid 2014 with OS X Yosemite Version 10.10, from trying to download a "flash player". I get full page pop-up ads for "mackeeper" and the like nearly every time I click on a link, have annoying ads on pages that I know weren't there before I downloaded this "program", and am now seeing other pop-up ads. As soon as I downloaded this program, my search engine changed to "Conduit", if this info helps. What can I do to get rid of this?

MacBook Pro with Retina display, OS X Yosemite (10.10)

Posted on Nov 5, 2014 5:52 AM

59 replies

Nov 5, 2014 6:10 AM in response to icamenscic

Read up on removing Conduit

http://macsecurity.net/view/59/

This may be different for whatever browser you use that's been compromised, and some of the info showing features in Safari to "Safari>Reset Safari" have been removed by Apple and broken into a different set of commands elsewhere.


Read up on Malware

https://discussions.apple.com/docs/DOC-2435


There are dozens of Mac Malware removal tools out there but I have no personal experience with them and I don't want to recommend something I never used that could turn out to be malware itself.

Nov 5, 2014 7:29 PM in response to icamenscic

You may have installed the "VSearch" trojan. Remove it as follows.

Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Reset the home page and default search engine in all the browsers, if it was changed.

Step 2

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchAgents/com.vsearch.agent.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist

Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind VSearch has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

Nov 19, 2014 5:24 PM in response to Linc Davis

An excellent post, but as of Wednesday, November 19, 2014 1:16 pm I got infected and the steps outlined did not get rid of enough of Vsearch. Came back like the plague. Learning the time of the installation was helpful, as I was able to root out more files hidden in odd places. I am sad to say I did not note where they were, but in any event they'd probably get moved, renamed shortly anyhow.


This was the worst infection ever. It locked me out of Safari as the redirections, notices whatever, kept coming faster than I could open another tab. Even when force-quitting, the malicious pages would reappear on relaunch, even after a reboot. I did clear out History in Safari of everything after 1:16, and that may have helped.


Good luck to others, and may the perpetrators of this rot in ****.

Nov 20, 2014 7:06 AM in response to Linc Davis

The files were the ones you've listed above, except ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin was not found. There were other files with the same time stamp which I removed, and sorry to say I deleted them, emptied Trash and rebooted as fast as I could. Did not take notes.


More interesting, if I have my facts straight, I was cleaning out old Preference Panels in System Prefs, and clicked on the old MplayerX and then the link embedded therein. Without looking at the URL's ultimate disposition I clicked on it and went to town. The app (since deleted) appeared on the DT in the normal "drag to App folder" formation.


Later, after cleaning out the garbage by hand and downloading your app, I was able to run it and remove a couple of other bits from something else listed. Sorry to be so useless in not having written down names and locations. I've also removed anything at all suspicious looking in Extensions and elsewhere. Now I'll have to see if I've handicapped the System!
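The path check from Linc Davis's Step 2 and the "same time stamp" search John Mcwilliams describes, as an added example that is not part of any post in this thread. It only lists items and deletes nothing; the root-prefix and home-folder arguments and all function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). Read-only: it lists, never deletes.
# $1 = root prefix ("" for the running system), $2 = home folder; both are
# assumptions added so the check can also run against a backup or test tree.
LISTED='/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin'

# Print every path from the thread's list that exists.
find_listed() {
  printf '%s\n' "$LISTED" | while IFS= read -r fl_p; do
    case "$fl_p" in "~/"*) fl_p="$2/${fl_p#??}" ;; esac
    if [ -e "$1$fl_p" ]; then printf '%s\n' "$1$fl_p"; fi
  done
}

# Read paths on stdin, print the one with the oldest modification time.
oldest_of() {
  oo_ref=
  while IFS= read -r oo_p; do
    if [ -z "$oo_ref" ] || [ "$oo_p" -ot "$oo_ref" ]; then oo_ref=$oo_p; fi
  done
  printf '%s\n' "$oo_ref"
}

# Print unlisted entries in the same folders that were modified at or after
# the oldest listed item found (hidden dot-files are not examined).
find_neighbours() {
  fn_found=$(find_listed "$1" "$2")
  [ -n "$fn_found" ] || return 0
  fn_ref=$(printf '%s\n' "$fn_found" | oldest_of)
  printf '%s\n' "$fn_found" | while IFS= read -r fn_p; do dirname "$fn_p"; done |
    sort -u | while IFS= read -r fn_dir; do
      for fn_e in "$fn_dir"/*; do
        [ -e "$fn_e" ] || continue
        printf '%s\n' "$fn_found" | grep -qxF -- "$fn_e" && continue
        [ "$fn_ref" -nt "$fn_e" ] || printf '%s\n' "$fn_e"
      done
    done
}

# Running system: empty root prefix, current user's home folder.
find_listed "" "$HOME"
find_neighbours "" "$HOME"
```

Entries printed by the second function are only candidates for inspection; legitimate software updated after the same moment will appear there too.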

Nov 24, 2014 10:54 AM in response to John Mcwilliams

I also had the malware on my Mac mini, but I am guilty of it myself. The first was Genieo and I accepted an update thinking that it was related to Genius on iTunes. The second one was MPlayer; I downloaded it looking for an online winter sports channel. I read the supports over the weekend with search-only adverts popping up every few seconds; all this advice was so complicated, and then I reminded myself of 20 or so years having a PC and that was Eureka: I downloaded AVG for Mac and after 20 minutes all was back to normal. By the way, why has nobody mentioned the AVG antivirus?


Mirek Paczynski

Dec 11, 2014 1:06 PM in response to John Mcwilliams

Just got this same thing, and I have never seen the likes of this before in my long years of Mac computing. Seems like no one here uses anything but Safari to browse. This got a hold of all browsers, and it really loves Firefox. I even trashed and replaced Firefox, and it still comes back and takes over. Freaks me out. Can't seem to find it. I was installing a "Java update" from the antichrist known as Downloads.com. They should be put in jail.
