-
Aug 19, 2015 1:09 PM in response to Linc Davis by protofiatlux
Ah, silver linings! Thanks very much, again
-
Aug 19, 2015 6:23 PM in response to latinnnn by Linc Davis
A
Back up all data before making any changes.
In the folder arranged as shown in the first screenshot, please delete these items:
#5 and #6 ("VSearch")
In the second folder:
#3 ("VSearch")
You may be prompted for your password.
In the third folder:
None
Restart the computer.
From the Applications folder (not shown in the screenshots), delete items with any of the following names:
MPlayerX
These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.
The instructions above apply only to you. I'm including more general—and complete—removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.
B (optional)
You installed one or more variants of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.
If you have trouble following those instructions, see below.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.
Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form
com.something.daemon.plist
and
com.something.helper.plist
Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.
You could have more than one copy of the malware, with different values of something.
If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:
/Library/LaunchAgents
In this folder, there may be a file named
com.something.agent.plist
where the string something is the same as before.
If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.
Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.
The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.
Open this folder:
/Library/Application Support
If it has a subfolder named just
something
where something is the same string you saw before, drag that subfolder to the Trash and close the window.
Don't delete the "Application Support" folder or anything else inside it.
Finally, in this folder:
/System/Library/Frameworks
there may be an item named exactly
v.framework
or else an item named
something.framework
Again, something is the same string as before.
This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.
Don't delete the "Frameworks" folder or anything else inside it.
If you didn't find the files or you're not sure about the identification, post what you found.
If in doubt, or if you have no backups, change nothing at all.
The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.
This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Then, still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
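The naming pattern described in the post above, as a read-only check (an added example, not part of the original post and not the poster's or Apple's code). The function name `vsearch_scan` and its optional root argument are hypothetical, and the alphanumeric filter relies on the post's observation that the string has so far contained no punctuation.

```shell
#!/bin/sh
# Added example: list files that fit the VSearch naming pattern. Nothing is deleted.
# Call as: vsearch_scan            (live system)
#      or: vsearch_scan /Volumes/Copy   (hypothetical mounted copy or test tree)
vsearch_scan() {
    root="${1:-}"
    daemons="$root/Library/LaunchDaemons"
    for d in "$daemons"/com.*.daemon.plist; do
        [ -e "$d" ] || continue                      # glob matched nothing
        s=${d##*/}; s=${s#com.}; s=${s%.daemon.plist}
        # Skip dotted names such as com.apple.foo.daemon.plist: the string
        # has so far been alphanumeric without punctuation.
        case "$s" in ''|*[!A-Za-z0-9]*) continue ;; esac
        # Report only when the helper plist with the same string exists too.
        [ -e "$daemons/com.$s.helper.plist" ] || continue
        tag="$s"
        # "apple" resembles built-in OS X names, so mark it for manual review.
        if [ "$s" = "apple" ]; then tag="$s (verify by hand)"; fi
        for p in "$d" "$daemons/com.$s.helper.plist" \
                 "$root/Library/LaunchAgents/com.$s.agent.plist" \
                 "$root/Library/Application Support/$s"; do
            if [ -e "$p" ]; then printf '%s\t%s\n' "$tag" "$p"; fi
        done
        # Framework names can differ in case from the plist string
        # (PaviourTrichophyte.framework vs com.paviourtrichophyte.*).
        want=$(printf '%s' "$s" | tr 'A-Z' 'a-z')
        for f in "$root/System/Library/Frameworks"/*.framework; do
            [ -e "$f" ] || continue
            base=$(basename "$f" .framework | tr 'A-Z' 'a-z')
            if [ "$base" = "$want" ] || [ "$base" = "v" ]; then
                printf '%s\t%s\n' "$tag" "$f"
            fi
        done
    done
    return 0
}
```

Each output line is the matched string, a tab, and the path; compare the list against the post's instructions before moving anything to the Trash.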
-
Aug 19, 2015 10:23 PM in response to Linc Davis by latinnnn
There is no application with the name "MPlayerX" and I did delete the other files; however, whenever I open up Chrome, it doesn't open with the default website I've chosen. It opens with the "www._____.leperdvil"
-
Aug 20, 2015 7:54 AM in response to latinnnn by Linc Davis
Check for Chrome extensions, and reset the home page.
-
Aug 25, 2015 12:20 PM in response to Linc Davis by ellenbird
Thank you so much for posting these instructions! You just reversed my day from "****" to "happy!"
-
Aug 26, 2015 7:53 PM in response to latinnnn by talychka
I had the same problem. Managed to get rid of leperdvil everywhere else on my system (that I could tell - anyway Firefox and Safari), but even after manually deleting it from Chrome preferences (homepage, extensions and search engines), it still came up as the home page. I tried uninstalling Chrome and all associated files from Library etc. and it still came up after reinstalling it. Finally found a file called 'nice player' or something like that in Applications and deleted it; this turned out to be the culprit. I think I am free of the devil now!
-
Sep 3, 2015 9:10 AM in response to Linc Davis by BillyG627
Thank you. I followed your instructions; I hope that the malware is removed. This is my report as of Thursday, September 3, 2015.
-
Sep 6, 2015 3:17 PM in response to Linc Davis by Lilusic
Thanks a lot for the very informative instructions. Found leperdvil and MacKeeper files. Followed the instructions and finally got rid of them!
-
Sep 13, 2015 8:41 AM in response to Linc Davis by Swpea75
Ciao Linc Davis,
New to this blog (or any blog, by the way), I was desperate because I bought a Mac to get rid of these bloody viruses and stuff you can't get rid of.
Then, about a year ago, obviously when the guarantee was finished, I started getting a slow running Mac with a troublesome Firefox navigation.
I "did with it", until last weekend when I couldn't surf on any browser (Firefox or Safari) and got PANIC. I do not have financial possibility to pay for "repairs" on my own and then..... I found YOU. I read the diverse replies you gave to people about Leperdvil (the name does say the menace).
I do not know what I did exactly, probably it started with downloading MacKeeper, however if I did such it WAS because my computer was slower, or more precisely the surf on internet was slower. I first thought it was because I left open 5 to 6 different windows, with each 5-20 thumbnails. Obviously I was wrong.
Back to today: I did what you advised and followed all steps. DOUBTS remain and I do not want to do terrible things (I'm a newcomer in "do it yourself" techno)
- Here is my trashbin: Before I empty it, did I delete anything I should not have?
Portsayd Folder today 13 September 2015
Leperdvil Folder 06 September 2015
MacKeeper Folder 16 August 2015
com.adobe.fpsaud.plist 06 August 2015
Otwexplain Folder 03 August 2015
com.paviourtrichophyte.agent.plist 23 July 2015
com.paviourtrichophyte.daemon.plist 23 July 2015
com.paviourtrichophyte.helper.plist 23 July 2015
Listchack Folder 14 July 2015
MacKeeper Application 14 July 2015
VSearch Folder 14 May 2015
com.vsearch.agent.plist 14 September 2015
com.vsearch.daemon.plist 14 September 2015
com.vsearch.helper.plist 14 September 2015
MPlayerX Application 27 January 2014
- Here is the Folder "Frameworks" from where you say to delete "v.framework". What about "VSearch.framework" and all the others??
WebKit.framework
VSearch.framework
vmnet.framework
VideoToolbox.framework
VideoDecodeAcceleration.framework
vecLib.framework
TWAIN.framework
Tk.framework
Tcl.framework
SystemConfiguration.framework
System.framework
SyncServices.framework
StoreKit.framework
SpriteKit.framework
Social.framework
ServiceManagement.framework
SecurityInterface.framework
SecurityFoundation.framework
Security.framework
ScriptingBridge.framework
Scripting.framework
ScreenSaver.framework
SceneKit.framework
Ruby.framework
QuickTime.framework
QuickLook.framework
QuartzCore.framework
Quartz.framework
QTKit.framework
Python.framework
PubSub.framework
PreferencePanes.framework
PCSC.framework
PaviourTrichophyte.framework
OSAKit.framework
OpenGL.framework
OpenDirectory.framework
OpenCL.framework
OpenAL.framework
NotificationCenter.framework
NetworkExtension.framework
NetFS.framework
MultipeerConnectivity.framework
module.map
Message.framework
MediaToolbox.framework
MediaLibrary.framework
MediaAccessibility.framework
MapKit.framework
LocalAuthentication.framework
LDAP.framework
LatentSemanticMapping.framework
Kernel.framework
Kerberos.framework
JavaVM.framework
JavaScriptCore.framework
JavaFrameEmbedding.framework
IOSurface.framework
IOKit.framework
IOBluetoothUI.framework
IOBluetooth.framework
InstantMessage.framework
InstallerPlugins.framework
InputMethodKit.framework
IMServicePlugIn.framework
IMCore.framework
ImageIO.framework
ImageCaptureCore.framework
ICADevices.framework
Hypervisor.framework
GSS.framework
GLUT.framework
GLKit.framework
GameKit.framework
GameController.framework
FWAUserLib.framework
Foundation.framework
ForceFeedback.framework
FinderSync.framework
ExceptionHandling.framework
EventKit.framework
DVDPlayback.framework
DVComponentGlue.framework
DrawSprocket.framework
DiskArbitration.framework
DiscRecordingUI.framework
DiscRecording.framework
DirectoryService.framework
CryptoTokenKit.framework
CoreWLAN.framework
CoreVideo.framework
CoreText.framework
CoreTelephony.framework
CoreServices.framework
CoreMIDIServer.framework
CoreMIDI.framework
CoreMediaIO.framework
CoreMedia.framework
CoreLocation.framework
CoreGraphics.framework
CoreFoundation.framework
CoreData.framework
CoreBluetooth.framework
CoreAuthentication.framework
CoreAudioKit.framework
CoreAudio.framework
Collaboration.framework
Cocoa.framework
CloudKit.framework
CFNetwork.framework
Carbon.framework
CalendarStore.framework
AVKit.framework
AVFoundation.framework
Automator.framework
AudioVideoBridging.framework
AudioUnit.framework
AudioToolbox.framework
ApplicationServices.framework
AppleScriptObjC.framework
AppleScriptKit.framework
AppKitScripting.framework
AppKit.framework
AGL.framework
AddressBook.framework
Accounts.framework
Accelerate.framework
- I have a folder, and other files named "PaviourTrichotype". Are they malevolent?
Thanks for all, you really are great.
-
Sep 13, 2015 9:54 AM in response to Swpea75 by Linc Davis
New to this blog
The best way to get help is, first, to search the site for answered questions similar to yours. If you don't find a solution that way, start your own thread with a full description of the symptoms, the context, and what you've already done. That thread will be all yours. You'll have the same chance as anyone else of getting a useful response.
did I delete anything I should not have?
No.
what about VSearch.framework and all the others?
"VSearch.framework" is part of an older variant of VSearch, and "PaviourTrichophyte.framework" is from the newer variant. Both can be deleted, but it's not necessary to do so. Don't touch anything else in that folder, and if in doubt, leave the whole folder as it is.
I have a folder, and other files named "PaviourTrichotype". Are they malevolent?
They are also part of VSearch, but if you take the required steps, removing them is optional. What's not optional is changing the way you use the computer so that you stop being victimized by Internet criminals. That has happened to you more than once already, and it will only get worse.
-
Sep 13, 2015 10:34 AM in response to Linc Davis by Swpea75
You are a real "treasure box"
As I told you I was new on Mac use and thought I was protected from any virus. I'll be extra cautious from now on.
Millions of thanks
-
Sep 22, 2015 6:22 AM in response to Linc Davis by websheik
Muchas gracias partner, those were very secure instructions, and I think I managed to get rid of this malware!
-
Sep 24, 2015 10:19 AM in response to Linc Davis by 01423simon
Thanks so much for this. I have been at the end of my tether with random sales sites opening up on my Mac. Your clear instructions have done the trick.


