how do I remove the "only Search" virus?
My Mac Pro has got the "Only Search Virus " how can I remove this and resolve the issue
Thanks! http://pastebin.com/Rreqsw2u
Apple Event: May 7th at 7 am PT
48 replies
You have what seems to be a new variant of the "VSearch" malware, makingthis Apple Support page obsolete. Use the technique in the linked article to remove these items:
/Library/Application Support/dot
/Library/LaunchAgents/com.dot.agent.plist
/Library/LaunchDaemons/com.dot.daemon.plist
/Library/LaunchDaemons/com.dot.helper.plist
You don't have any Safari extensions, but you should remove any Chrome or Firefox extensions that you don't know you need. If in doubt, remove all of them.
Without a sample of this new malware to test, I can't be sure that it's nothing more than an ad injector, so you may prefer to consider the machine totally compromised. That decision is yours to make. Ask for guidance if you need it.
If you know where you downloaded the fake MPlayerX application, please post a link.
Wooo, it actually seems like it worked! I deleted those files, eptied the bin, cancelled the last extension I had on Chrome, restarted the laptop.
Both Chrome and Safari seem to be only-search/vsearch free.
Thanks so much for your time! I'll keep you posted, should it come back.
Cheers
Linc Davis wrote:
/Library/Application Support/dot
/Library/LaunchAgents/com.dot.agent.plist
/Library/LaunchDaemons/com.dot.daemon.plist
/Library/LaunchDaemons/com.dot.helper.plist
There will probably also be another file:
/System/Library/Frameworks/v.framework
[Edit: fixed error in path]
That also needs to be removed, if present. It's possible that the file will have a different name, but probably not.
Also, Linc, FYI - there's another variant that appears to be nearly identical to this one, with the only difference being the use of the name "heizenberg" in place of "dot" or "vsearch". I suspect we'll see others as well. I've forwarded this information on to Apple's product security team.
Hi Thomas, can't really find the file you linked. In Library I have no "Frameworks" folder...
It's not in the /Library folder like all the other items, it's in /System/Library. Select the path to that v.framework file and copy it, then go to the Finder and choose Go -> Go to Folder and paste the path in, then click Go. A Finder window should open showing that file. If it's not there, it may be named something else in the case of the variant of Downlite that you have installed.
can't find any system/library in my yosemite
It's there. If it weren't, your system wouldn't start up.
Let's try to figure out where this is going wrong. Select and copy the following line in its entirety:
/System/Library/Frameworks/
Now, go to the Finder and choose Go -> Go to Folder, paste the copied text into the box, and click Go. Does a folder named Frameworks open in the Finder? If it doesn't, you did something wrong, and need to review and repeat the instructions.
In the folder that opens, look for an item named "v.framework" and drag it to the trash. Report back here if you don't see this item.
Even if there is a framework stashed somewhere, it will have no effect once you remove the persistence mechanism of the malware, which you have done. It would be merely a cosmetic issue.
Ok found it and cosmetically removed. Thank you all
the fake MPlayerX that I downloaded is connected to MacKeeper and zoebit. My safari works just fine after uninstall MacKeeper and MPlayerX. I didn't find any files that you mentioned. Found the 'v.framework' files though and deleted it. I wonder if there's still anything else that I need to fix?
Thanks for all the help by the way^^
lydcarol wrote:
I didn't find any files that you mentioned. Found the 'v.framework' files though and deleted it.
You have one of the newest variants of Downlite, and the files mentioned by Linc above containing the word "dot" will have a different name on your system. This variant seems to be using random words as filenames... only the v.framework item has the same name among all the variants I've seen.
For manual removal, see:
http://www.thesafemac.com/arg-downlite
Alternately, you could download my AdwareMedic app, which will find these files no matter what they are named and remove them:
(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)
thank you!
You saved me!
Also found a few more adware issues using Yosemite -
com.bubble.agent.plist
com.bubble.daemon.plist
com.bubble.helper.plist
how do I remove the "only Search" virus?