How do I remove the TopDeal / Deal Top virus?

Basically ads keep popping up everywhere on other websites. It's also changed my home page and search engine. I've deleted the files I downloaded but every time I try to reset my Safari browser back to Google (as the main page and search engine), as soon as I reopen my tabs / windows it goes back to Bing.


I checked my extensions but there's nothing out of the ordinary there.


All help would be appreciated, thank you!

Posted on Jan 4, 2016 2:21 AM

74 replies

Jan 4, 2016 7:14 AM in response to keshikun

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then follow Apple Support's instructions to remove it.

If you have trouble following those instructions, or if they don't work, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of any of these forms:

com.something.daemon.plist

com.something.helper.plist

com.something.net-preferences.plist

com.something.preferences.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

You could have more than one copy of the malware, with different values of something.

There may also be one or more files with a name of this form:

com.somethingUpd.plist

where something may be a different meaningless string than in the other files. Again, there may be more than one such file, with different values of something.

Here's a specific example of a VSearch infection:

com.disbalance.daemon.plist

com.disbalance.helper.plist

com.thunderbearerUpd.plist

You will have files with names similar, but probably not identical, to these.

2. If you find such files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

3. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari > Preferences... > General

and click

Set to Current Page

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

4. This step is optional. Open this folder:

/Library

It may have subfolders named as follows

something

somethingUpd

where something is any of the strings you saw before. Drag any such subfolders to the Trash and close the window.

Don't delete the "Library" folder or anything else inside it.

5. This step doesn't apply to OS X 10.11 ("El Capitan") or later, and is optional if you're running an older version of OS X.

In this folder:

/System/Library/Frameworks

there may be an item named exactly

v.framework

or else an item named

something.framework

Again, something is the same string as before.

This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

6. If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

7. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

Feb 25, 2016 6:31 PM in response to Linc Davis

I did this up to opening the LaunchDaemon folder. This is what I found. My LaunchAgents was completely empty....now, I wouldn't know one way or the other which of these files I should delete and which need to stay for operating purposes. This is mostly because I didn't quite understand your sample list. How do I tell the difference between good files and bad files?






User uploaded file

Jun 1, 2016 7:48 AM in response to Linc Davis

Okay, I followed the steps and thought I was in the clear, but I still have the DealTop word popups on some webpages. Not as many as before, but still a few. The version my Mac is running is 10.11.5 El Capitan. And all of my browsers' homepages are set to Google & there are no plugins or extensions activated.

The folder looks like this now:


User uploaded file

Jun 1, 2016 2:36 PM in response to Linc Davis

Hi Linc,


Can you please advise? I have followed your instructions, with the following results, and am not sure what I need to be deleting here (btw, I have Snow Leopard installed and am not yet wanting to upgrade). I was unable to locate any of the strings you suggested. The problem is only occurring on some web sites too at this stage:


User uploaded file



User uploaded file


User uploaded file

and (from the same folder):


User uploaded file

same folder continued:


User uploaded file


Thanks for your help,

Natalie

Jun 4, 2016 11:55 AM in response to Linc Davis

Hello, I get stuck when identifying files. Based on what's here, I can see Upd files and have deleted them, but as you mentioned, they regenerate. I will try from start mode; however, I can't clearly tell (although I suspect) many files shouldn't be there. I, unfortunately, don't have this knowledge base and as you also mentioned Apple (and others) haven't been able to help. If you can't help, do you know who I should reach out to, even to do a reinstall? My MacBook Pro is only a few months old and the Internet is now very slow with pop ups everywhere as well as embedded links. First it was Offers4U and now it's Top Deals. It also causes me functionality issues when working on the backend of my website, where ads and links also appear. Thanks in advance if you can. No problem if you can't. 🙂

User uploaded file

Jun 8, 2016 12:00 PM in response to Linc Davis

Here are screenshots of my Library, LaunchAgents, and LaunchDaemons folders. I've deleted all files and folders like those you mentioned, but Deal Top is still on my Chrome browser. I've also checked the extensions, but I saw no suspicious extensions. Am I missing anything?

Note: I installed Malwarebytes at a much later point in time in an effort to combat this adware, and I don't think it has any bearing on what I should delete.

User uploaded file

User uploaded file

User uploaded file

Jun 13, 2016 4:12 PM in response to Linc Davis

Hi Linc Davis,


Thank you for posting the instructions. They are very helpful. I believe I've identified all of the harmful items on my machine (running El Capitan), but I might be wrong. I've moved a few items to my trash and restarted my computer, but I'm still receiving some pop ups.

User uploaded file

User uploaded file

(I know the instructions said to ignore Frameworks, but including it just in case.)

User uploaded file

User uploaded file


Also, just to clarify, are you supposed to empty the trash after moving the items and restarting the computer? (Your Jan. 2016 response doesn’t specify this step, but other responses say yes to empty the trash, so I’m unsure.)


Thank you again for your time.

Jan 4, 2016 5:02 AM in response to keshikun

Adware is installed without your knowledge; removing it will help.


1. Use free Malwarebytes Anti-Malware for Mac/ AdwareMedic to remove adware


http://www.adwaremedic.com/index.php


Download, install, open, and run it by clicking the “Scan for Adware” button to remove adware.

Once done, quit Malwarebytes Anti-Malware.


or


Remove the adware manually by following the “HowTo” from Apple.

http://support.apple.com/en-us/HT203987


2. Disable Extensions and test.



Safari > Preferences > Extensions

Enable Extensions one by one and test.

To uninstall any extension, select it and click the “Uninstall” button.



3. Safari > Preferences > Search > Search Engine :

Select your preferred search engine.


4. Safari > Preferences > General > Homepage:

Set your Homepage.

Jun 1, 2016 7:10 AM in response to stumble-r

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

While running in safe mode, move to the Trash items #7 through #12 and #14 through #16, as shown in the screenshot of the LaunchDaemons folder—in other words, everything except the Adobe and Oracle files. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari > Preferences... > General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

Jun 1, 2016 11:27 AM in response to Linc Davis

This comment is for anyone else finding the discussion. I'm just one person, and this problem could potentially affect many thousands. I can't deal with every case individually. I hope to make it possible for most victims of malware attack to help themselves.

The last few questions have been about infections with a specific new variant of the "VSearch" malware. Below are general instructions for recognizing and inactivating that malware. If the instructions don't solve your problem or you don't feel able to follow them, please start your own thread. Your chances of getting a correct response on this site are not good, and unfortunately you won't get useful help from Apple Support either, because they're not equipped to deal with this kind of problem. As a last resort, if you can't get rid of the malware any other way and you know when it was installed, restore the startup volume from a Time Machine or other backup that predates the attack.

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

1. The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

2. While running in safe mode, triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.

3. Look inside the LaunchDaemons folder for files with a name of the form

com.apple.something.plist

where something is a meaningless string without punctuation, different in every case. The name includes the word "apple" to make it look like part of OS X. Usually there would be no OS X files in that folder, and if there were any, they would have a much older modification date.

There may also be one or more items with a three-part name of this form:

com.somethingelse.plist

where something is another meaningless string.

Here are some typical examples of a VSearch infection of this type:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

com.semifasciaUpd.plist

com.ubuiling.plist

You may have files with names similar, but probably not identical, to these.

On the other hand, here are examples of legitimate files that might be found in the same folder:

com.apple.FinalCutServer.fcsvr_ldsd.plist

com.apple.qmaster.qmasterd.plist

com.apple.serverd.plist

The first two are clearly not VSearch files because the names don't fit either pattern (something is not a string without punctuation.) The last one is not easy to distinguish by the name alone, but the modification date will be earlier than the date when VSearch was installed. None of these legitimate files will be present in most installations of OS X.

If you feel confident that you've identified the malicious file or files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.

4. If you moved anything to the Trash in Step 3, restart the computer and empty the Trash.

Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

5. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari > Preferences... > General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

Jun 4, 2016 5:38 PM in response to Linc Davis

Below is a revised version of the instructions I posted earlier in this thread. If anyone else finds the thread by searching for a term such as "DealTop," and if the instructions below don't solve the problem or you don't understand them, please either start your own thread or at least state clearly why you were unable to follow the instructions. My time is not unlimited and I probably won't respond if your question merely duplicates those that have already been asked and answered here. It's clear that many people have been affected by this malware, and I can't respond individually to every one of them.

ASC, to the extent that it works at all, is a two-way street. You get help, and you give help. If you have any information to contribute that could help others, most importantly the source of the malware (which as of now I don't know), please post it.



You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

1. The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

2. While running in safe mode, load this web page and then triple-click the line below to select it. Copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.

3. Look inside the LaunchDaemons folder for files with a name of the form

com.apple.something.plist

where something is a meaningless string without punctuation, different in every case. The name includes the word "apple" to make it look like part of OS X. Usually there would be no OS X files in that folder, and if there were any, they would have a much older modification date.

There may also be items with a name of either of these forms:

com.something.plist

com.something.net-preferences.plist

where something is another meaningless string.

Here are some typical examples of a VSearch infection of this type:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

com.hemolymphatic.net-preferences.plist

com.semifasciaUpd.plist

com.ubuiling.plist

You may have files with names similar, but probably not identical, to these.

On the other hand, here are examples of legitimate files that might be found in the same folder:

com.apple.FinalCutServer.fcsvr_ldsd.plist

com.apple.installer.osmessagetracing.plist

com.apple.qmaster.qmasterd.plist

com.apple.aelwriter.plist

com.apple.serverd.plist

The first three are clearly not VSearch files because the names don't fit any of the above patterns (something is not a string without punctuation.) The last two are not easy to distinguish by the name alone, but the modification date will be earlier than the date on which VSearch was installed, perhaps by several years. None of these legitimate files will be present in most installations of OS X.

If you feel confident that you've identified the malicious file or files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.

4. If you moved anything to the Trash in Step 3, restart the computer and empty the Trash.

Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

If you're not sure whether a file is part of the malware, order the folder contents by modification date as I wrote in Step 2, not by name. The malware files will be clustered together. There could be more than one such cluster, if you were attacked more than once. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

5. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari > Preferences... > General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
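
The identification rules from the posts above (the quoted name forms, plus modification times that fall within about one minute of each other), written as a report-only script. This is an added example and not part of any post in the thread; the function names, the two-hit threshold for calling a cluster suspicious, and all sample timestamps are assumptions made for illustration.

```python
import os
import re

# Name forms quoted in the posts above; <string> is letters and digits only.
FORMS = [
    ("com.<string>.<role>", re.compile(
        r"^com\.[A-Za-z0-9]+\.(daemon|helper|agent|net-preferences|preferences)\.plist$")),
    ("com.apple.<string>", re.compile(r"^com\.apple\.[A-Za-z0-9]+\.plist$")),
    ("com.<string>", re.compile(r"^com\.[A-Za-z0-9]+\.plist$")),  # covers com.<string>Upd.plist
]

# File names are taken from the thread; every timestamp is constructed, and
# org.example.tool.plist is a constructed name that fits none of the forms.
SAMPLE = [
    ("com.apple.serverd.plist", 1_300_000_000),           # legitimate, years older
    ("com.apple.qmaster.qmasterd.plist", 1_300_000_500),  # legitimate, punctuated
    ("com.apple.builins.plist", 1_464_700_000),
    ("com.semifasciaUpd.plist", 1_464_700_020),
    ("org.example.tool.plist", 1_464_700_030),
    ("com.hemolymphatic.net-preferences.plist", 1_464_700_045),
    ("com.ubuiling.plist", 1_464_700_050),
]


def name_form(name):
    """Return the label of the first quoted name form that fits, else None."""
    for label, pattern in FORMS:
        if pattern.match(name):
            return label
    return None


def cluster_by_mtime(entries, window=60):
    """Group (name, mtime) pairs whose mtimes lie within `window` seconds
    of the oldest file in the group."""
    clusters = []
    for name, mtime in sorted(entries, key=lambda e: e[1]):
        if clusters and mtime - clusters[-1][0][1] <= window:
            clusters[-1].append((name, mtime))
        else:
            clusters.append([(name, mtime)])
    return clusters


def review(entries, window=60, min_hits=2):
    """List files to inspect by hand: every file in a time cluster that holds
    at least `min_hits` name matches (the threshold is an assumption). A lone,
    older name match such as com.apple.serverd.plist is not reported."""
    findings = []
    for cluster in cluster_by_mtime(entries, window):
        hits = [name for name, _ in cluster if name_form(name)]
        if len(hits) < min_hits:
            continue
        for name, _ in cluster:
            findings.append((name, name_form(name) or "no name match, inside cluster"))
    return findings


def list_folder(path):
    """Read (name, mtime) pairs for the .plist files in a real folder."""
    return [(e.name, e.stat().st_mtime) for e in os.scandir(path)
            if e.name.endswith(".plist")]


if __name__ == "__main__":
    folder = "/Library/LaunchDaemons"
    entries = list_folder(folder) if os.path.isdir(folder) else SAMPLE
    for name, reason in review(entries):
        print(f"{name}: {reason}")
```

The script only prints candidates and changes nothing on disk; what it lists still has to be checked by eye before anything is moved to the Trash.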

Jun 5, 2016 2:21 AM in response to Linc Davis

Thank you so much, Linc! (: I really appreciate that you took the time out of your day to write those steps. They helped me so much!


I had those pesky pop ups and random links in the sentences and my antivirus thing kept trying to delete it but it kept coming back x.x Doing what Linc said worked wonders!


Launch Agents

Revised with safe mode <----if it keeps regenerating.

I combined both, and they are all gone. (: The main difference is the deleting in safe mode and deleting the similar files in the Launch Agent AND Library. Didn't take much time either. 😀 If you organize from the Date modified.


Thanks again, Linc!
