A
Please back up all data before making any changes.
Below is a suggested procedure to inactivate the malware you installed.
The numbers refer to the items in the screenshots, in the order shown. Use the screenshots as a guide. #1 would be the topmost item, #2 the one below, and so on.
The names in quotes refer to malware types, not to the names of the files. Don't expect the files to have similar names. For example, if you installed the "VSearch" malware, usually none of the files will have the word "VSearch" in the name. Malware attackers don't make it that easy for you.
In the first folder arranged as shown in the screenshots, delete these items:
#2 through #4 and #7 through #13 ("VSearch")
You may be prompted for your password.
In the second folder:
#7 ("Spigot")
In the third folder:
#2 and #3 ("VSearch")
Restart the computer. Until you've done that, the malware will still be active, even after you delete the files.
Uninstall any Safari extensions you don't know you need. If in doubt, remove all of them. None is needed for normal operation.
Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
Reset the Safari home page, if it was changed. You may need to do the same in the other browsers.
From the Applications folder (not shown in the screenshots), delete items with any of the following names:
MPlayerX
These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.
The instructions above apply only to you. I'm including more general—and complete—self-contained removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.
B (optional)
You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.
Look inside the folder for files with a name of any of these forms:
com.something.daemon.plist
com.something.helper.plist
com.something.net-preferences.plist
Here something is a meaningless, random string of characters, which can be different in each instance of VSearch. So far it has always been an alphanumeric string without punctuation, such as "disbalance" or "thunderbearer."
You could have more than one copy of the malware, with different values of something.
There may also be one or more files with a name of this form:
com.somethingelseUpd.plist
where somethingelse may be a different meaningless string than something. Again, there may be more than one such file, with different values of somethingelse.
Here's a typical example of a VSearch infection:
com.disbalance.net-preferences.plist
com.thunderbearerUpd.plist
You will have files with names similar, but probably not identical, to these.
If you feel confident that you've identified the above files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.
2. Open this folder as in Step 1:
/Library/LaunchAgents
Move to the Trash any files with a name of the form
com.something.agent.plist
where something is one of the strings you found in Step 1. There may not be any such files.
3. If you moved anything to the Trash in Step 1 and/or Step 2, restart the computer and empty the Trash.
Don't delete the "LaunchAgents" or "LaunchDaemons" folder, or anything else inside either one, unless you know you have some other kind of unwanted software besides VSearch. The folders are a normal part of OS X. The terms "agent' and "daemon" refer to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.
4. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
5. If you didn't find the files or you're not sure about the identification, post what you found.
If in doubt, or if you have no backups, change nothing at all.
6. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.
This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Then, still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
C (optional)
You installed the "Spigot" ad-injection malware. Please take the steps below to disable it.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be one or more files with a name beginning as follows:
com.spigot
Move all such items to the Trash.
Log out or restart the computer. Empty the Trash.
3. From the Safari menu bar, select
Safari ▹ Preferences... ▹ Extensions
Uninstall all extensions you don't know you need, including any with the word "Spigot" in the description. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.
The trojan will now be inactive.
4. This step is optional. Do as in Step 1 with this line:
~/Library/Application Support
and delete an item named
Spigot
If it's present.
Make sure you don't repeat the mistake that led you to install the malware. Chances are you got it from an Internet cesspit such as "MacUpdate," "Softonic," "CNET Download," or "SourceForge." Never visit any of those sites again. You might also have downloaded it from an ad in a page on some other site. The ad would probably have included a large green button labeled "Download" or "Download Now" in white letters. The button is designed to confuse people who intend to download something else on the same page. If you ever download a file that isn't obviously what you expected, delete it immediately.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.