How do I remove the TopDeal / Deal Top virus?

Basically ads keep popping up everywhere on other websites. It's also changed my home page and search engine. I've deleted the files I downloaded but every time I try to reset my Safari browser back to Google (as the main page and search engine), as soon as I reopen my tabs / windows it goes back to Bing.


I checked my extensions but there's nothing out of the ordinary there.


All help would be appreciated, thank you!

Posted on Jan 4, 2016 2:21 AM

74 replies

Mar 6, 2016 5:21 AM in response to NightshadeTefached

NightshadeTefached wrote:


I did this up to opening the LaunchDaemon folder. This is what I found. My LaunchAgents was completely empty....now, I wouldn't know one way or the other which of these files I should delete and which need to stay for operating purposes. This is mostly because I didn't quite understand your sample list. How do I tell the difference between good files and bad files?







Which is why using Malwarebytes is sound advice for those looking to save time and not accidentally remove files that are necessary.

Mar 9, 2016 8:28 AM in response to blackrose9109

Jerome "Curly" Horowitz gives sound advice in the post above. You can choose to ignore it out of concern that anything that does not require a series of un-automated steps are the only way to accomplish a task, or you can DL Malwarebytes for Mac, which is free and that 99% of us here have discovered works as advertised and bears no ill will to your system and installs nothing malicious or pesty.

I will point out, if this seems like an untrustworthy source, Malwarebytes was the company that first reported the Mac ransomware variant just the other day and the process of its removal, at which time Apple quietly patched and revoked the developer's code with no formal announcement from Cupertino about that lil' chestnut.

Jun 1, 2016 11:48 AM in response to keshikun

Malware does not reside only in the launch agents and launch daemon folders.

It can be found in other folders too, such as applications and downloads.


First of all, click Go > Computer > Mac HD > Library.

We have to search for malware in the following folders also:


1. application support
2. launch agents
3. launch daemon
4. privileged helper tools
5. start up items
6. preferences
7. scripting additions
8. input methods
9. frameworks
10. internet plugins
11. caches


Then we have to search in the hidden Library:

click Go > hold the Option key > Library

1. application support
2. caches
3. cookies
4. applications
5. internet plugins
6. input methods
7. preferences
8. caches
9. cookies
10. saved application state
11. launch agents: this folder is removed in the latest version of El Capitan



Now we will click Go > Computer > Mac HD > System > Library > Framework: malware can be here also.


If anyone needs guidance, please post.

Jun 4, 2016 1:24 PM in response to Linc Davis

I can follow most of it, but I am not sure which files, especially if they contain Microsoft for example, but end in the plist, are ok. I'm sorry, I am trying to learn as I go, but have not done this before. I am a graphic designer and writer and am pretty tech savvy, so I'll get it eventually. It's just really frustrating and I have a huge project that I can't work on because of this malware. I'm gathering that the files that are okay contain a . and more than 3 strings. The ones that have only 3 strings are the ones I don't recognize. The agents seem okay, but I see many folders in the library that I don't recognize (abazeUpd being one of them and clownishness). I have backed up my computer and am going to try to move them to the trash. I'm not 100% on which files; that is my only issue. ...Everything else is clear to me. Thanks for writing back.

Jun 4, 2016 1:40 PM in response to ccmaclove

This attacker is going to ever greater lengths to make his malware hard to remove, but he's not some kind of evil genius; in fact, he's rather stupid, like most criminals. Eventually he'll reach the limits of his intellectual capacity. It's now at the point where removal takes some concentration. I think almost anyone should still be able to do it, if the instructions are clear enough.


My instructions refer to file names that fit two possible patterns. Please give an example of a file name that you can't assign to either of those patterns, or to neither pattern.

Jun 4, 2016 3:50 PM in response to Linc Davis

Hello everyone, I'm very happy to have found this thread. I've been beset by top deal pop ups for several days. Today I have followed all the instructions, and even installed El Capitan, but the adware remains. I therefore looked up in /Library/LaunchDaemons and found about 50 or more dodgy entries. The only ones that may be safe are:

com.adobe.fpsaud.plist

com.apple.usktas.plist (this one looks dodgy too, actually),

con.google.keystone.daemon.plist

com. microsoft.office.licensing...lper.plist

com.oracle.java.Helper-Tool.plist

Apart from the above, all the others have ridiculous names. There are so many and as I'm not quite good at posting a screenshot, I hope the above allows some of you to advise me if I can remove all but the above. I run both Safari and Opera, but the ads are only on Safari since I've installed El Capitan.


Thanks for whatever help you can give me. 🙂

Jun 4, 2016 3:53 PM in response to graziana1

graziana1 wrote:


Hello everyone, I'm very happy to have found this thread. I've been beset by top deal pop ups for several days. Today I have followed all the instructions, and even installed El Capitan, but the adware remains. I therefore looked up in /Library/LaunchDaemons and found about 50 or more dodgy entries. The only ones that may be safe are:

com.adobe.fpsaud.plist

com.apple.usktas.plist (this one looks dodgy too, actually),

con.google.keystone.daemon.plist

com. microsoft.office.licensing...lper.plist

com.oracle.java.Helper-Tool.plist

Apart from the above, all the others have ridiculous names. There are so many and as I'm not quite good at posting a screenshot, I hope the above allows some of you to advise me if I can remove all but the above. I run both Safari and Opera, but the ads are only on Safari since I've installed El Capitan.


Thanks for whatever help you can give me. 🙂


Drag the screenshot into the reply box.

Jun 4, 2016 4:09 PM in response to graziana1

I'm asking for help from those who find my instructions unclear. How are they unclear? You have to understand what this attacker is doing: he randomizes the names of his files. It's impossible to give a complete list of all possible malware files, and it's equally impossible to give a complete list of all possible non-malware files. If the attack is to be defeated, you have to recognize the patterns. If I can do it, so can you. Why are you having trouble deciding whether those file names match either of the patterns I stated? How could I make it easier for you?

Jun 4, 2016 4:22 PM in response to graziana1

If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together, usually within a minute of each other. There could be more than one such cluster. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.
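
The modification-date check described in the reply above, as an added example that is not part of the original post: it groups a folder's items into runs whose neighbours were modified within a minute of each other and returns the runs of two or more files for manual review. The function names, the 60-second gap, and the sample file names with random-looking labels are assumptions constructed for illustration.

```python
import os
import sys
from datetime import datetime, timezone

def cluster_by_mtime(entries, gap=60):
    """Group (name, mtime) pairs into runs whose neighbours are <= gap seconds apart."""
    clusters = []
    for name, mtime in sorted(entries, key=lambda e: e[1]):
        if clusters and mtime - clusters[-1][-1][1] <= gap:
            clusters[-1].append((name, mtime))
        else:
            clusters.append([(name, mtime)])
    return clusters

def review_candidates(entries, gap=60, min_size=2):
    """Clusters of at least min_size files: the groups worth inspecting by hand."""
    return [c for c in cluster_by_mtime(entries, gap) if len(c) >= min_size]

def read_folder(path):
    """Collect (name, modification time) for every item in a folder."""
    with os.scandir(path) as it:
        return [(e.name, e.stat(follow_symlinks=False).st_mtime) for e in it]

def _ts(*parts):
    return datetime(*parts, tzinfo=timezone.utc).timestamp()

# Constructed sample listing; the random-looking names and all dates are made up.
SAMPLE = [
    ("com.adobe.fpsaud.plist", _ts(2014, 3, 11, 9, 15, 0)),
    ("com.oracle.java.Helper-Tool.plist", _ts(2015, 8, 20, 18, 40, 12)),
    ("com.qrtvx.plist", _ts(2016, 6, 1, 14, 2, 10)),
    ("com.qrtvx.helper.plist", _ts(2016, 6, 1, 14, 2, 31)),
    ("com.zlomb.plist", _ts(2016, 6, 1, 14, 2, 58)),
    ("com.wekpa.plist", _ts(2016, 6, 2, 21, 30, 5)),
    ("com.wekpa.agent.plist", _ts(2016, 6, 2, 21, 30, 40)),
]

if __name__ == "__main__":
    # Pass a folder such as /Library/LaunchDaemons, or run with no argument for the sample.
    entries = read_folder(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE
    for n, cluster in enumerate(review_candidates(entries), 1):
        print(f"cluster {n}:")
        for name, mtime in cluster:
            stamp = datetime.fromtimestamp(mtime, timezone.utc)
            print(f"  {stamp:%Y-%m-%d %H:%M:%S}  {name}")
```

The script only lists files; nothing is moved or deleted, so the decision about each cluster stays with the person reading the output.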

Jun 4, 2016 4:30 PM in response to Linc Davis

Thanks. It is not clear by date because some of the definitely dodgy ones come before "adobe" "apple" and so on. Also I have installed El Capitan earlier this evening, so I think all the files, legit or not, have come in pretty much close in time. As I say, there are only five that I'm unsure of. Can I delete them safely or not? They are:


com.adobe.fpsaud.plist

com.apple.usktas.plist (this one looks dodgy too, actually),

con.google.keystone.daemon.plist

com. microsoft.office.licensing...lper.plist

com.oracle.java.Helper-Tool.plist

Hang on, I missed your "modification" date. Thank you so much, I now see what I have to do! 🙂

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
