Q: How do I remove the TopDeal / Deal Top virus?

Adware is installed without your knowledge, removing it will help.

1. Use  free Malwarebytes Anti-Malware for Mac/ AdwareMedic to remove adware

     http://www.adwaremedic.com/index.php

   Download, install , open,  and run it by clicking “Scan for Adware” button   to remove adware.

   Once done, quit Malwarebytes Anti-Malware.

   or

   Remove the adware manually by following the “HowTo” from Apple.

   http://support.apple.com/en-us/HT203987

  2. Disable Extensions and test.

    Safari > Preferences > Extensions

    Enable Extensions one by one and test.

    To uninstall any extension, select it and click the “Uninstall” button.

3. Safari > Preferences >  Search > Search Engine :

    Select your preferred   search engine.

4. Safari > Preferences > General > Homepage:

     Set your Homepage.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then follow Apple Support's instructions to remove it.

If you have trouble following those instructions, or if they don't work, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

/Library/LaunchDaemons

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of any of these forms:

          com.something.daemon.plist

          com.something.helper.plist

          com.something.net-preferences.plist

          com.something.preferences.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

You could have more than one copy of the malware, with different values of something.

There may also be one or more files with a name of this form:

           com.somethingUpd.plist

where something may be a different meaningless string than in the other files. Again, there may be more than one such file, with different values of something.

Here's a specific example of a VSearch infection:

          com.disbalance.daemon.plist

          com.disbalance.helper.plist

          com.thunderbearerUpd.plist

You will have files with names similar, but probably not identical, to these.

2. If you find such files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

          com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

3. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

4. This step is optional. Open this folder:

/Library

It may have subfolders named as follows

           something

           somethingUpd

where something is any of the strings you saw before. Drag any such subfolders to the Trash and close the window.

Don't delete the "Library" folder or anything else inside it.

5. This step doesn't apply to OS X 10.11 ("El Capitan") or later, and is optional if you're running an older version of OS X.

In this folder:

/System/Library/Frameworks

there may be an item named exactly

            v.framework

or else an item named

            something.framework

Again, something is the same string as before.

This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

6. If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

7. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

          Install system data files and security updates (OS X 10.10 or later)

or

          Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

I did this up to opening the LaunchDaemon folder. This is what I found. My LaunchAgents was completely empty....now, I wouldn't know one way or the other which of these files I should delete and which need to stay for operating purposes. This is mostly because I didn't quite understand your sample list. How do I tell the difference between good files and bad files?

Items #3, #5, and $6 in your screenshot (counting from the top down) are VSearch files.

Thank you! That did the trick.

THANK YOU.  Your instructions we thorough, clear, and concise.  My problem is solved!

I have had to follow this too, as the instructions from Apple did not work. Here is my list under the LaunchDaemons....

Please help me identify the bad guys. I think it's #8 and #9 for sure, maybe #7 too? Thank you so much!

I think it's #8 and #9

Also #4. Not #7.

NightshadeTefached wrote:

 

I did this up to opening the LaunchDaemon folder. This is what I found. My LaunchAgents was completely empty....now, I wouldn't know one way or the other which of these files I should delete and which need to stay for operating purposes. This is mostly because I didn't quite understand your sample list. How do I tell the difference between good files and bad files?

 

 

 

 

 

 

Which is why using MalwareBytes is sound advicefor those looking to save time and not accidently remove files that are necessary.

Hi, I'm having the same issue as well. Here's what my folder looks like. I think I need to delete #3, 4, 9 and maybe #7 and 8 too. Any help would be greatly appreciated. Thanks!

Jerome "Curly" Horowitz gives sound advice in the post above. You can choose to ignore it out of concern that anything that does not require a series of un-automated steps are the only way to accomplish a task or you can DL the Malware bytes for Mac which is free and that 99% of us here have discovered works as advertised and bears no ill will to your system and installs nothing malicious or pesty.

I will point out if this seems like an untrustworthy source Malwarebytes was the company that first reported the Mac ransomware variant just the other day and the process of it's removal, at which time Apple quietly patched and revoked the developers code with no formal announcement form Cupertino about that lil' chestnut.

Reading left to right and top to bottom, delete only the last three files.

<Edited by Host>

Thank you very much! It worked perfectly. So glad to be gone with all those ads and pop-ups.

Hi, this is how my LaunchDaemons folder looks like. What files should I delete? Thanks a lot in advance!