In MacBook Pro pop-up pages from MacKeeper and Casino etc

Clickhereand follow the instructions, or if there’s a type of adware not covered by them on the computer,these ones. If you'd rather not remove it manually, you can instead runMalwareBytes for Mac.

MalwareBytes is a removal tool and doesn't stop adware or other malware from getting onto the computer. To prevent future incidents, avoid downloading software from sources other than the Mac App Store or the developer websites.

(132541)

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Some of the most common types of adware can be removed by following Apple's instructions. If those instructions don't work for you, or if you have trouble following them, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure that doesn't involve downloading anything.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

Linc Davis wrote:

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Some of the most common types of adware can be removed by following Apple's instructions. If those instructions don't work for you, or if you have trouble following them, see below.

Be advised that Malwarebytes Anti-Malware for Mac is not an anti-virus or anti-malware application, but a tool designed to delete adware. (So is the reference you make to the Apple support article.) By making this statement, you may be confusing the OP and others as well. Don't you agree? If you are uncertain, I suggest that you investigate what Malwarebytes Anti-Malware for Mac actually is prior to associating it will unrelated applications.

Ciao

A

"MacKeeper" is a scam with only one useful feature: it deletes itself.

First, back up all data.

Note: These instructions apply to the version of the product that I downloaded and tested in early 2012. I can't be sure that they apply to other versions.

If you have incompletely removed MacKeeper—for example, by dragging the application to the Trash and immediately emptying—then you'll have to reinstall it and start over.

IMPORTANT: "MacKeeper" has what the developer calls an “encryption” feature. In my tests, I didn't try to verify what this feature really does. If you used it to “encrypt” any of your files, “decrypt” them before you uninstall, or (preferably) restore the files from backups made before they were “encrypted.” As the developer is not trustworthy, you should assume that the "decrypted" files are corrupt unless proven otherwise.

In the Finder, select

Go ▹ Applications

from the menu bar, or press the key combination shift-command-A. The "MacKeeper" application is in the folder that opens. Quit it if it's running, then drag it to the Trash. You'll be prompted for your login password. Click the Uninstall MacKeeper button in the dialog that appears. All the other functional components of the software will be deleted. Restart the computer and empty the Trash.

☞ Quit MacKeeper before dragging it to the Trash.

☞ Let MacKeeper delete its other components before you empty the Trash.

☞ Don't try to drag MacKeeper from the Dock or the Launchpad to the Trash.

☞ Don't try to remove MacKeeper while running in safe mode.

B

Back up all data before making any changes.

In the folder arranged as shown in the 4th screenshot, please delete these items:

#1 and #5 through #7 ("InstallMac")

In the second folder:

#3 ("VSearch")

You may be prompted for your password.

In the third folder:

#3 and #4 ("VSearch")

Restart the computer.

Uninstall at least the following Safari extension(s) , as well as any others you don't know you need. If in doubt, remove all of them. None is needed for normal operation.

Conduit Search

Qamails

Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

Reset the Safari home page, if it was changed. You may need to do the same in the other browsers.

From the Applications folder (not shown in the screenshots), delete items with any of the following names:

InKeepr

InstallMac

Manroling

MPlayerX

Qamails

Open your home folder by clicking the house icon with your name in the sidebar of a Finder window. If there is a subfolder named "Applications" (different from the main Applications folder), remove anything in it that you did not put there yourself. Never, in my experience, does a legitimate software installer put anything in that folder automatically.

These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.

The instructions above apply only to you. I'm including more general—and complete—removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.

C (optional)

You installed one or more variants of the "InstallMac" trojan. Take the steps below to disable it.

The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may files with a name of the form

something.download.plist

something.ltvbit.plist

something.update.plist

where something is usually a meaningless string, such as any of the following:

InKeepr

InstallMac

Javeview

Leperdvil

Manroling

Otwexplain

These are examples, not a complete list. The string could be anything. The point is that the same string will appear in the name of three files.

You could have more than one copy of the malware, with different values of something.

Move all such items to the Trash. There may not be any other files in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Open this folder in the same way as above:

~/Library/Application Support

and move to the Trash any subfolders named with the same something you found in Step 2.

Don't move the Application Support folder or anything else inside it.

4. Open the Applications folder. If there is an item with the same name as in Step 3, or any of the other names listed in Step 2, drag it to the Trash.

If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

Empty the Trash.

If you get an alert that the application is in use, force it to quit.

5. From the Safari menu bar, select

Safari ▹ Preferences... ▹ Extensions

Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

D (optional)

You also installed one or more variants of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.

If you have trouble following those instructions, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form

com.something.daemon.plist

and

com.something.helper.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

You could have more than one copy of the malware, with different values of something.

If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

Open this folder:

/Library/Application Support

If it has a subfolder named just

something

where something is the same string you saw before, drag that subfolder to the Trash and close the window.

Don't delete the "Application Support" folder or anything else inside it.

Finally, in this folder:

/System/Library/Frameworks

there may be an item named exactly

v.framework

or else an item named

something.framework

Again, something is the same string as before.

This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

Your question brings up the subject of removing adware. This is a general comment on that subject.

Under no circumstances should you ever allow anti-virus software to delete something for you.

The only tools that anyone needs to detect and remove adware are the Finder and a web browser, both of which you already have. Anyone who has enough computer skill to install adware can just as well remove it without using anything else.

Apple doesn't endorse any third-party "anti-virus" or "anti-malware" product. Here and here are its general statements about malware protection, and here are its instructions for removing the most common types of ad-injection malware. None of those support pages mentions anti-malware products. An Apple employee who recommends such a product is speaking only for himself or herself, not for the company. See this thread for an example of what the results can be.

You become infected with malware by downloading unknown software without doing research to determine whether it's safe. If you keep making that mistake, the same, and worse, will keep happening, and no anti-malware will rescue you. Your own intelligence and caution are the only reliable defense.

The Windows/Android anti-malware industry had more than $75 billion in sales in 2014 [source: Gartner, Inc.] Its marketing strategy is to convince people that they're helpless against malware attack unless they use its products. But with all that anti-malware, the Windows and Android platforms are still infested with malware—most of it far more harmful than mere adware. The same can be expected to happen to the Mac platform if its users trust the same industry to protect them, instead of protecting themselves.

You are not helpless, and you don't have to give full control of your computer—and your data—to strangers in order to be rid of adware.

These are generalities. Regarding the "malwarebytes" product in particular, you may be told that there are no reports that is has caused damage. In fact, I know of two such reports: one by ASC user Big Kev55 in this thread, and one by LizardMBP in this thread. Read those reports and draw your own conclusions. There are also many reports that the Windows version of the product has deleted essential Windows system files; see, for example, this thread on the developer's own support forum.

Whether the software damages the system or not, it takes full adminstrative control and connects to a server controlled by the developer. The developer's privacy policy, linked directly to the Mac product page, reads in part as follows:

"Without limiting the Privacy Policy, you agree that Malwarebytes may track certain data it obtains from your Computer including data about any malicious software or other threats flagged by the Software, data about your license, data about what version of the Software you are using and what operating conditions it runs under and data concerning your geographic location."

(Emphasis added.) So the developer admits to tracking your location, as well as other unspecified data, and gives itself the legal right to collect any data it chooses. How it uses that right, you don't know. By running the software, you accept these terms.

In case there's any doubt about whether this "anti-malware" product is really anti-malware, the developer's own description distinguishes between adware and malware, and specifically mentions removing malware as a selling point six times. A self-identified employee of the developer wrote in an ASC discussion, "Actually, it's also a malware removal app..." (emphasis added.)

The question then is: as a security-conscious computer user, do you want to take such risks when there is no offsetting benefit?

<Edited By Host>

You apparently do not understand how large businesses are organized and run. In the case of Apple, telephone support personnel and genius bar technicians are trained by Apple on how to deal with the Apple consumer community. They are coached what to say, how to say it and what to avoid saying, all of which is common to a multitude of large corporations. They do this because all of these people DO speak for Apple when they are engaged with customers. Sadly this statement of yours is a gross error.Linc Davis wrote:

Under no circumstances should you ever allow anti-virus software to delete something for you.

Be advised that Malwarebytes Anti-Malware for Mac is not an anti-virus or anti-malware application. By making this statement, you may be confusing the OP and others as well. Don't you agree? After all I have already explained why your assertion is incorrect. If you are uncertain, I suggest that you investigate what Malwarebytes Anti-Malware for Mac actually is.

Linc Davis wrote:

Apple doesn't endorse any third-party "anti-virus" or "anti-malware" product. Here and here are its general statements about malware protection, and here are its instructions for removing the most common types of ad-injection malware. None of those support pages mentions anti-malware products.

What you omit to mention is that Apple does NOT discourage the use of third party applications for solving various problems and it never has. The reader should understand that there can be and often are better and simpler alternatives to problem solving than just what is available from Apple. Downloading Malwarebytes Anti-Malware for Mac is essentially a 2 step process, if that, than the complicated 5 step process that you advocate or the Apple support instructions. Perhaps if you tried it yourself, you would see that I am correct.

Also may I point out that Apple telephone support personnel and genius bar technicians use and have advised Apple customers to use Malwarebytes Anti-Malware for Mac in lieu of the Apple support alternative because it is faster, simpler, more comprehensive and much easier to use.

An Apple employee who recommends such a product is speaking only for himself or herself, not for the company. See this thread for an example of what the results can be.

You apparently do not understand how large businesses are organized and run. In the case of Apple, telephone support personnel and genius bar technicians are trained by Apple on how to deal with the Apple consumer community. They are coached what to say, how to say it and what to avoid saying, all of which is common to a multitude of large corporations. They do this because all of these people DO speak for Apple when they are engaged with customers. Sadly this statement of yours is a gross error.

Also note that the discussion that you are alluding to is in regards to Sophos, not Malwarebytes Anti-Malware for Mac. Sophos is an AV application, Malwarebytes Anti-Malware for Mac is not. Your thinking seems confused here.

These are generalities. Regarding the "malwarebytes" product in particular, you may be told that there are no reports that is has caused damage. In fact, I know of two such reports: one by ASC user Big Kev55 in this thread, and one by LizardMBP in this thread.

Both of these discussions have been found to be spurious with unsubstantiated comments. Why use bogus examples to make a point?

Whether the software damages the system or not, it takes full adminstrative control and connects to a server controlled by the developer. The developer's privacy policy, linked directly to the Mac product page, reads in part as follows:

"Without limiting the Privacy Policy, you agree that Malwarebytes may track certain data it obtains from your Computer including data about any malicious software or other threats flagged by the Software, data about your license, data about what version of the Software you are using and what operating conditions it runs under and data concerning your geographic location."

(Emphasis added.) So the developer admits to tracking your location, as well as other unspecified data, and gives itself the legal right to collect any data it chooses. How it uses that right, you don't know. By running the software, you accept these terms.

The question then is: as a security-conscious computer user, do you want to take such risks when there is no offsetting benefit?

That simply is false. How can you state Malwarebytes Anti-Malware for Mac can take control of a computer and track the activities. You may have it confused with some other application. Proof on your part is required if you are to be believed.

I suggest that you thoroughly review this prepared article of yours and make appropriate adjustments. I would be more than willing to proof read any future revision that you may create.

Ciao.