Mar 24, 2016 6:04 AM in response to claudiadic by Linc Davis
What files should I delete?
#4 and #5.
Anyone else finding this thread, please try the instructions I posted earlier. If they don't work, start a new discussion.
-
Apr 5, 2016 10:18 PM in response to Linc Davis by j_tailhan
Hi!
Thanks! I just have 1 question to clarify...
Do I have to delete all the files in the "LaunchDaemons" folder with the names you mention AND the one with .agent.plist in the "LaunchAgents" but only if the 'something' is a word that was in the "LaunchDaemons"?
Sorry if it's a stupid question but just want to make sure I delete the right thing.
Thanks!
-
Apr 23, 2016 5:19 AM in response to Han Hoang by psantos13
Hi. We have solved the problem?
I also have the same problem
-
May 1, 2016 12:57 PM in response to arnaud78 by sudont
If nothing else, it should be clear to everyone who's read this discussion that files containing the string "Upd" belong to Vsearch. A closer reading of Linc's original post should help you sort through the rest. What I find interesting is how many people asking for help also seem to have Malwarebytes installed.
-
May 1, 2016 3:01 PM in response to sudont by Mike Sombrio
Nothing is clear to anyone replying to this thread asking for help. Davis posted at the top of this page that people should follow his earlier directions and/or start a new thread, but the "me too" posts just keep coming.
-
May 8, 2016 11:50 PM in response to Linc Davis by Phewbeers
Thanks Linc Davis.
This helped me get rid of Deal Top malware. The name of it was psychoclinicovercharge.
Hopefully it is all back to normal.
Cheers
-
Jun 1, 2016 7:10 AM in response to stumble-r by Linc Davis
You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.
This malware has many variants. Anyone else finding this comment should not expect it to be applicable.
Back up all data before proceeding.
The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.
Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.
While running in safe mode, move to the Trash items #7 through #12 and #14 through #16, as shown in the screenshot of the LaunchDaemons folder—in other words, everything except the Adobe and Oracle files. You may be prompted for your administrator login password.
Restart the computer and empty the Trash.
Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select Safari ▹ Preferences... ▹ General and click Set to Current Page.
If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
-
Jun 1, 2016 7:48 AM in response to Linc Davis by stumble-r
Okay, I followed the steps and thought I was in the clear, but I still have the DealTop word popups on some webpages. Not as many as before, but still a few. The version my Mac is running is 10.11.5 El Capitan. And all of my browsers' homepages are set to Google & there are no plugins or extensions activated.
The folder looks like this now:
-
Jun 1, 2016 8:11 AM in response to stumble-r by Linc Davis
You need to delete the last item in that screenshot, then restart. If it comes back, boot in safe mode again and delete it.









