Got a malware on OS X Yosemite, how do I get rid of it?

I have some kind of malware present on my MacBook Pro, mid 2014 with OS X Yosemite Version 10.10, from trying to download a "flash player". I get full page pop-up ads for "mackeeper" and the like nearly every time I click on a link, have annoying ads on pages that I know weren't there before I downloaded this "program", and am now seeing other pop-up ads. As soon as I downloaded this program, my search engine changed to "Conduit", if this info helps. What can I do to get rid of this?

MacBook Pro with Retina display, OS X Yosemite (10.10)

Posted on Nov 5, 2014 5:52 AM

59 replies

Nov 19, 2014 5:24 PM in response to Linc Davis

An excellent post, but as of Wednesday, November 19, 2014 1:16 pm I got infected and the steps outlined did not get rid of enough of Vsearch. Came back like the plague. Learning the time of the installation was helpful, as I was able to root out more files hidden in odd places. I am sad to say I did not note where they were, but in any event they'd probably get moved, renamed shortly anyhow.


This was the worst infection ever. It locked me out of Safari as the redirections, notices whatever, kept coming faster than I could open another tab. Even when force-quitting, the malicious pages would reappear on relaunch, even after a reboot. I did clear out History in Safari of everything after 1:16, and that may have helped.


Good luck to others, and may the perpetrators of this rot in ****.

Nov 20, 2014 7:06 AM in response to Linc Davis

The files were the ones you've listed above, except ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin was not found. There were other files with the same time stamp which I removed, and sorry to say I deleted them, emptied Trash and rebooted as fast as I could. Did not take notes.


More interesting, if I have my facts straight, I was cleaning out old Preference Panels in System Prefs, and clicked on the old MplayerX and then the link embedded therein. Without looking at the URL's ultimate disposition I clicked on it and went to town. The app (since deleted) appeared on the DT in the normal "drag to App folder" formation.


Later, after cleaning out the garbage by hand and downloading your app, I was able to run it and remove a couple of other bits from something else listed. Sorry to be so useless in not having written down names and locations. I've also removed anything at all suspicious looking in Extensions and elsewhere. Now I'll have to see if I've handicapped the System!
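The timestamp approach described in the two posts above (using the known install time to find other files written at the same moment), as an added example that is not part of the original thread. The search locations, file names and the 13:10 to 13:25 window are assumptions built around the 1:16 pm time quoted above; the script only lists files and deletes nothing.

```shell
#!/bin/sh
# Added example: read-only listing of files modified inside a time window.

# Print everything under ROOT with mtime after START and not after END.
# Timestamps are local time, "YYYY-MM-DD HH:MM:SS".
changed_between() {
    root=$1; start=$2; end=$3
    [ -d "$root" ] || return 0      # skip locations that do not exist
    find "$root" -newermt "$start" ! -newermt "$end" -print 2>/dev/null | sort
}

# Run the same window over several locations, in the order given.
triage() {
    start=$1; end=$2; shift 2
    for dir in "$@"; do
        changed_between "$dir" "$start" "$end"
    done
}

# Constructed sample tree: two files stamped at the install time, one older.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/LaunchAgents" "$tmp/Internet Plug-Ins"
    touch -t 201411191316.05 "$tmp/LaunchAgents/com.example.constructed.plist"
    touch -t 201411191316.40 "$tmp/Internet Plug-Ins/Constructed.plugin"
    touch -t 201406010900.00 "$tmp/LaunchAgents/com.example.old.plist"
    triage "2014-11-19 13:10:00" "2014-11-19 13:25:00" \
        "$tmp/LaunchAgents" "$tmp/Internet Plug-Ins" "$tmp/missing" |
        sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# On a real Mac (assumed locations; nothing is deleted):
#   triage "2014-11-19 13:10:00" "2014-11-19 13:25:00" \
#       "$HOME/Library/LaunchAgents" "$HOME/Library/Internet Plug-Ins" \
#       /Library/LaunchAgents /Library/LaunchDaemons /Applications

if [ "${1:-}" = "demo" ]; then demo; fi
```

Saving the listing to a file before removing anything keeps the record of names and locations that the posts above say was lost.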

Nov 24, 2014 10:54 AM in response to John Mcwilliams

I also had the malware on my MAC mini, but I am guilty of it myself. The first was Genieo and I accepted update thinking that it was related to Genius on iTunes. The second one was MPlayer, I downloaded it looking for online winter sports channel. I read the supports over the weekend with search-only adverts popping up every few seconds; all these advices were so complicated and then I reminded myself 20 or so years having a PC and that was Eureka, I downloaded AVG for MAC and after 20 minutes all was back to normal. By the way why nobody mentioned the AVG antivirus?


Mirek Paczynski

Dec 11, 2014 1:06 PM in response to John Mcwilliams

Just got this same thing, and I have never seen the likes of this before in my long years of mac computing. Seems like no one here uses anything but safari to browse. This got a hold of all browsers, and it really loves firefox. I even trashed and replaced firefox, and it still comes back and takes over. Freaks me out. Can't seem to find it. I was installing a "Java update" from the antichrist known as Downloads.com. They should be put in jail.

Dec 11, 2014 1:34 PM in response to Michael Guthrie1

Besides illegal torrent downloads, sites like C|Net and Softpedia are where most of the adware garbage is coming from. You do install the app you want to try, but it also installs the adware. Sometimes there's a notice you can check a box on to prevent it from doing that. Other times, even if you do specifically say you don't want the "great extras" installed, it installs them anyway.


I will at times go to these sites so I can find a lot of similar software I'm looking for in one place, but I will NOT download them from these sites. Once I have the name of the software I want to try, I find the web site of the vendor who writes the software and get it directly from them.

Jan 3, 2015 5:53 AM in response to Linc Davis

I found out that the MPlayer was downloaded to my machine exactly when this issue started happening for me on chrome.


I tried the steps you listed but it didn't remove anything. So I went to the downloads folder where this program was still sitting and moved it to trash. It seems to have worked, although I worry that did not remove the program entirely?


(Edit) this only worked temporarily. Apparently it is happening when I try to use Reddit Enhancement Suite now, this is the link it redirects me to:


http://www1.dlinksearch.com/main?url=www.reddit.com%2Fr%2FEnhancement%2Fcomments%2Fs72xt%2Fnever_ending_reddit_and_reddit_barfing_explained&ref=http%3A%2F%2Fwww.reddit.com%2Fr%2Fall%2F&w=1440&h=740&ifc=0

Jan 5, 2015 3:54 AM in response to mindy60

Well what I did was restore each of those folders dated today and restored them from time machine from the point before the changes and so far things seem okay. Some files didn't exist in the backups so I just deleted them. And there was nothing in the cache folder in my backups so according to an article online it said it was safe to delete the cache folder so I did. Then I shut down my machine. So far things seem stable but we'll see. But the files mentioned in the post that helped everybody else weren't there.


Time machine didn't appear to be set up so I followed the prompts and it was setting up. Fortunately my backups were still there.


Good luck folks, and good luck to me.

Feb 16, 2015 6:27 AM in response to icamenscic

I have had various issues with everything mentioned. Adwaremedic did not resolve this. When I boot and open the first window in Chrome, the bing/trvoli screen comes up once. Once I close it, then chrome is back in control. I had to remove FireFox completely because it would take over no matter what. Have tried everything I have seen on this and other threads. Anyway, I am living with this until something comes along to help. I appreciate everyone in this thread assisting to rid this. It's good to know we have a community.

Feb 16, 2015 10:02 AM in response to Michael Guthrie1

Michael Guthrie1 wrote:


I have had various issues with everything mentioned. Adwaremedic did not resolve this.


Give it another try... I have added a number of additional signatures over the last few days... most of them this morning, in fact. Make sure you've got a network connection when you open AdwareMedic and it'll download the latest signatures.


If it still finds nothing, the problems you're having are either not due to adware, or they're caused by adware I haven't seen before. Either way, you can find further steps here:


http://www.adwaremedic.com/kb/unsolved.php


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)

Feb 16, 2015 10:05 AM in response to Michael Guthrie1

Michael Guthrie1 wrote:


Did you not read my post, or is this an automated ad post (which I really hope it is not)?


That was definitely not an ad post. I don't know who MacBirdAir is... I would assume just a satisfied user. As the owner of AdwareMedic, I can assure you that I have never used any form of advertising (unless you count posting about it as a potential solution in replies on these forums, which I've been an active participant in since long before AdwareMedic existed), and will not ever do so. Advertising an adware remover would be more than a bit hypocritical.

Jul 10, 2015 11:12 AM in response to Linc Davis

This just happened to me, but I never installed anything. I just went to a web page and it popped up almost immediately! It took a couple force-quits, but I was able to remove the page causing the problem. I couldn't find any of the files you tell us to find (in the older posts). I hope that means closing the web page was enough? Here's the link to my test results:


http://pastebin.com/q60ZJS6q

Jul 10, 2015 11:59 AM in response to Keith Dvorak

If what you saw was a popup insisting that your computer was infected with something and to call a phone number RIGHT NOW!, it was nothing but a scam. Nothing was ever downloaded to, or installed on your Mac. There's also no software anywhere in the world that can examine a remote computer through a web browser. Any message on any web site claiming it has done so is a flat out lie.

Jul 10, 2015 12:05 PM in response to Kurt Lang

Right. I know that. What was scary was that it blocked me from going into Preferences or shutting down the page. When I went into Activity Monitor to force quit Safari, it came back up on relaunch. When I tried to shut down the individual page using Activity Monitor to force quit it, it relaunched itself. Other than being super fast, I'm not sure how I managed to close it after restarting Safari a couple times. I lost complete control of Safari.


They should all be arrested and thrown in jail. 😠

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
