Naughty software

When I'm on the web, be it Safari, Chrome, etc., all my searches go to a search engine called 'only-search' and everything I do is followed up by a new tab with an advert. How can I find the software that has been installed onto my drive and remove it?

MacBook Pro, OS Yosemite

Posted on Nov 14, 2014 10:55 AM

15 replies

Nov 14, 2014 11:11 AM in response to audiomuff

At least one adware program I know of that uses only-search may try to prevent you from loading the AdwareMedic page that stevejobsfan0123 referred you to. If you see the page flash up briefly before being replaced by a fake page saying that your browser can't find the server, you are infected with Downlite. For an explanation and some solutions, see:


http://www.thesafemac.com/adware-blocking-adwaremedic-downloads/


If the adware prevents you from loading that page as well, try this one:


https://discussions.apple.com/docs/DOC-7792


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Nov 14, 2014 5:18 PM in response to audiomuff

There is no need to download anything to solve this problem.

You may have installed the "VSearch" trojan. Remove it as follows.

Malware is always changing to get around the defenses against it. These instructions are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.

Back up all data before proceeding.

Step 1

From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Reset the home page and default search engine in all the browsers, if it was changed.

Step 2

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchAgents/com.vsearch.agent.plist

Right-click or control-click the line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist

Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow.

You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that the Internet criminal behind VSearch has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
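As an added example (not part of Linc's post or any tool he names), a small POSIX shell check that reports which of the VSearch items listed in the steps above are present, so you can see before and after the removal what is still on the disk. The root directory argument and the home-directory argument are assumptions of this script, added so the same list can be run against a mounted backup as well as the live system.

```shell
#!/bin/sh
# Added example: look for the VSearch persistence and payload items named
# in the removal steps above. Nothing is deleted; it only reports.

# System-wide items from the removal steps (launchd agent/daemon plists give
# the adware persistence across reboots; the rest are its payload).
SYSTEM_ITEMS='/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework'

# Per-user item, relative to the home directory.
USER_ITEMS='Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin'

# find_vsearch [ROOT] [HOME_DIR]
# ROOT defaults to "/" and HOME_DIR to $HOME (both arguments are an assumption
# of this example). Prints one line per item found, prefixed with "agent:",
# "daemon:" or "file:" so launchd persistence stands out. Exit status is 0 if
# at least one item exists, 1 if none does.
find_vsearch() {
    root=${1:-/}
    home_dir=${2:-$HOME}
    found=0
    while IFS= read -r item; do
        path="${root%/}$item"
        [ -e "$path" ] || continue
        case "$item" in
            /Library/LaunchAgents/*)  kind=agent ;;
            /Library/LaunchDaemons/*) kind=daemon ;;
            *)                        kind=file ;;
        esac
        printf '%s:%s\n' "$kind" "$path"
        found=1
    done <<EOF
$SYSTEM_ITEMS
EOF
    while IFS= read -r item; do
        path="${home_dir%/}/$item"
        [ -e "$path" ] || continue
        printf 'file:%s\n' "$path"
        found=1
    done <<EOF
$USER_ITEMS
EOF
    [ "$found" -eq 1 ]
}

# Run directly with a root directory, e.g. "sh check.sh /", to check a system.
if [ -n "$1" ]; then
    find_vsearch "$@" || echo "no VSearch items found under $1"
fi
```

Because only the Reveal-in-Finder steps remove the files, run this once before and once after those steps; an item still listed afterwards was not deleted.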

Nov 14, 2014 11:59 PM in response to audiomuff

If you need help deciding what to do with whatever it's finding, please visit the ClamXav Forum for the fastest, most efficient answers. These instructions will get us started.


To get detailed information on what ClamXav has found, after completing the scan, click in the top pane of the ClamXav window where it shows the Infection / File Name / Status to make sure it's in front and type the key combinations <command>-A, <command>-C (or choose "Select All", "Copy" from the "Edit" menu) to copy the information to your clipboard, then type <command>-V or choose "Paste" to show what was found where.

Nov 15, 2014 9:08 AM in response to audiomuff

So after the scan this is what turned up, but not all could be quarantined into the folder. Anyone know why?

file:///Users/Muffy/Documents/virus%20folder/%5BFull%5D%20marc%20bolan%20with%20Bonus.zip
file:///Users/Muffy/Documents/virus%20folder/a%20certain%20ratio.mp3
file:///Users/Muffy/Documents/virus%20folder/Application.app/
file:///Users/Muffy/Documents/virus%20folder/Application%2011.30.13.app/
file:///Users/Muffy/Documents/virus%20folder/Completer.app/
file:///Users/Muffy/Documents/virus%20folder/Crack%202.exe
file:///Users/Muffy/Documents/virus%20folder/Crack%203.exe
file:///Users/Muffy/Documents/virus%20folder/Crack.exe
file:///Users/Muffy/Documents/virus%20folder/InstallGenieo.app/
file:///Users/Muffy/Documents/virus%20folder/InstallGenieo%2010.48.11.app/
file:///Users/Muffy/Documents/virus%20folder/InstallGenieo.dmg
file:///Users/Muffy/Documents/virus%20folder/Lexis%20Rex%20(English)%201.1.zip
file:///Users/Muffy/Documents/virus%20folder/Mad%20Men%20S01E01%20%20XViD%20%20%20DSR%20.zip
file:///Users/Muffy/Documents/virus%20folder/Mad%20Men%20S01E03%20%20XViD%20%20%20DSR%20.zip
file:///Users/Muffy/Documents/virus%20folder/Mad.Men.S01E02.WS.DSR.XviD-SYS.zip
file:///Users/Muffy/Documents/virus%20folder/raul%20midon.mp3
file:///Users/Muffy/Documents/virus%20folder/Reset%20Search.app/
file:///Users/Muffy/Documents/virus%20folder/T-Rex%20Desktop%20Theme%201.0.zip
file:///Users/Muffy/Documents/virus%20folder/Video%202.exe
file:///Users/Muffy/Documents/virus%20folder/Video.exe
file:///Users/Muffy/Documents/virus%20folder/XvidSetup.exe

These are still on my HD however.

Filename / Infection Name / Status

/Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Legal Zoom.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/2/2/1/Messages/122334.emlx  Heuristics.Phishing.Email.SpoofedDomain
/Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Deleted Messages.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/4/3/Messages/34359.emlx  Email.Phishing.Bank-78
/Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Deleted Messages.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/3/4/Messages/43233.emlx  Heuristics.Phishing.Email.SSL-Spoof
/System/Library/Frameworks/VSearch.framework/Versions/A/PlugIn/VSearchLoader.bundle  Osx.Trojan.VSearchAgent
/Library/Application Support/VSearch/Agent/VSearchAgent.app  Osx.Trojan.VSearchAgent

Nov 15, 2014 10:21 AM in response to audiomuff

Some of those are just suspected phishing e-mails, and they may or may not actually be phishing e-mails. Much of the rest is Windows malware. Some appear to be associated with the download of stolen software and videos. If you have been engaging in such activities, you need to stop ASAP, as this is probably why you have adware on your computer.


MadMacs0 can advise you better than I on how to handle those items and why ClamXav isn't able to remove them.


As for the adware, you have Genieo and Downlite (aka VSearch) installed, and may have others as well. I don't believe that ClamXav will properly and fully remove those things. Linc's instructions will remove Downlite only. AdwareMedic, which was referred to earlier by stevejobsfan0123 and myself, will remove both, though Downlite will make you jump through some hoops to download it. If using an app recommended by a couple strangers makes you uncomfortable, my Adware Removal Guide provides manual removal instructions for all the adware that AdwareMedic removes.


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

Nov 15, 2014 11:26 AM in response to audiomuff

audiomuff wrote:

> So after the scan this is what turned up, but not all could be quarantined into the folder. Anyone know why?
>
> These are still on my HD however.
>
> Filename / Infection Name / Status
>
> /Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Legal Zoom.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/2/2/1/Messages/122334.emlx  Heuristics.Phishing.Email.SpoofedDomain
> /Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Deleted Messages.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/4/3/Messages/34359.emlx  Email.Phishing.Bank-78
> /Users/Muffy/Library/Mail/V2/Mac-audiojunkygarcia/Deleted Messages.mbox/8D04FDA5-9811-4B26-9920-9BDCEDEA887C/Data/3/4/Messages/43233.emlx  Heuristics.Phishing.Email.SSL-Spoof

The ClamXav application will not allow you to quarantine e-mail unless you force it to.


Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.


When possibly infected e-mail files are found:

  • Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
  • Right-click/<Control>-click on the entry.
  • Select "Reveal In Finder" from the pop-up menu.
  • When the window opens, double-click on the file to open the message in your e-mail client application.
  • Read the message and if you agree that it is junk/spam/phishing then note the date and subject of the message and close the e-mail window. Now, using your e-mail client, locate that message in whatever mailbox folder it was found in and delete the message using the delete button. Reading it is especially important when the word "Heuristics" appears in the infection name. If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
  • If this is a Gmail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.
