Jun 1, 2016 8:50 AM in response to Linc Davis by Forest86: Hey!
I did everything as instructed, but there are still some things I don't trust. Can you take a look, please?
My Mac has been acting crazy the past few days; I hope it's just that. All those new files added today and yesterday, may that be a problem?
(I already deleted a few based on previous comments.)
Thanks for your help!
Jun 1, 2016 11:27 AM in response to Linc Davis by Linc Davis: This comment is for anyone else finding the discussion. I'm just one person, and this problem could potentially affect many thousands. I can't deal with every case individually. I hope to make it possible for most victims of malware attack to help themselves.
The last few questions have been about infections with a specific new variant of the "VSearch" malware. Below are general instructions for recognizing and inactivating that malware. If the instructions don't solve your problem or you don't feel able to follow them, please start your own thread. Your chances of getting a correct response on this site are not good, and unfortunately you won't get useful help from Apple Support either, because they're not equipped to deal with this kind of problem. As a last resort, if you can't get rid of the malware any other way and you know when it was installed, restore the startup volume from a Time Machine or other backup that predates the attack.
You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
1. The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.
Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.
2. While running in safe mode, triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.
3. Look inside the LaunchDaemons folder for files with a name of the form
com.apple.something.plist
where something is a meaningless string without punctuation, different in every case. The name includes the word "apple" to make it look like part of OS X. Usually there would be no OS X files in that folder, and if there were any, they would have a much older modification date.
There may also be one or more items with a three-part name of this form:
com.somethingelse.plist
where something is another meaningless string.
Here are some typical examples of a VSearch infection of this type:
com.apple.builins.plist
com.apple.cereng.plist
com.apple.nysgar.plist
com.semifasciaUpd.plist
com.ubuiling.plist
You may have files with names similar, but probably not identical, to these.
On the other hand, here are examples of legitimate files that might be found in the same folder:
com.apple.FinalCutServer.fcsvr_ldsd.plist
com.apple.qmaster.qmasterd.plist
com.apple.serverd.plist
The first two are clearly not VSearch files because the names don't fit either pattern (something is not a string without punctuation.) The last one is not easy to distinguish by the name alone, but the modification date will be earlier than the date when VSearch was installed. None of these legitimate files will be present in most installations of OS X.
If you feel confident that you've identified the malicious file or files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.
4. If you moved anything to the Trash in Step 3, restart the computer and empty the Trash.
Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.
5. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
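The name-pattern and modification-time test from the post above, as an added example that is not part of the original thread and not anything Apple ships. It takes a directory listing of (filename, Date Modified) pairs, groups entries whose modification times lie within about a minute of each other, and flags names of the form com.apple.something.plist or com.something.plist only when two or more of them fall into the same cluster. That two-file threshold is my assumption; the post only says that files from one VSearch instance share a modification time. A name that fits the pattern but sits alone with an older date, like the legitimate com.apple.serverd.plist, is reported for manual review instead of being flagged. The embedded listing is constructed from the filenames quoted above with invented timestamps; `scan_directory` reads a real folder such as /Library/LaunchDaemons when run on a Mac, and the script never deletes anything.

```python
"""Flag VSearch-style launch daemon plists by name pattern and mtime clustering.

Added example, not from the original forum thread. The two name shapes and the
one-minute clustering rule come from the post above; the sample listing below is
constructed, and the "two or more matches per cluster" threshold is an assumption.
"""
import os
import re
from datetime import datetime, timedelta

# com.<word>.plist or com.apple.<word>.plist where <word> is letters/digits only
# (no punctuation). Legitimate names such as com.apple.qmaster.qmasterd.plist or
# com.apple.FinalCutServer.fcsvr_ldsd.plist do not match.
VSEARCH_NAME = re.compile(r"^com\.(?:apple\.)?[A-Za-z0-9]+\.plist$")

# Constructed sample: the malicious names quoted in the post share one install
# time, the three legitimate names are nearly two years older.
SAMPLE_LISTING = [
    ("com.apple.builins.plist", datetime(2016, 5, 31, 14, 2, 10)),
    ("com.apple.cereng.plist", datetime(2016, 5, 31, 14, 2, 31)),
    ("com.apple.nysgar.plist", datetime(2016, 5, 31, 14, 2, 52)),
    ("com.semifasciaUpd.plist", datetime(2016, 5, 31, 14, 3, 5)),
    ("com.ubuiling.plist", datetime(2016, 5, 31, 14, 3, 20)),
    ("com.apple.serverd.plist", datetime(2014, 9, 18, 9, 40, 0)),
    ("com.apple.qmaster.qmasterd.plist", datetime(2014, 9, 18, 9, 41, 0)),
    ("com.apple.FinalCutServer.fcsvr_ldsd.plist", datetime(2014, 9, 18, 9, 41, 30)),
]


def name_fits_pattern(name):
    """True when the filename has one of the two VSearch-style shapes."""
    return VSEARCH_NAME.match(name) is not None


def cluster_by_mtime(entries, window=timedelta(minutes=1)):
    """Sort (name, mtime) pairs newest first and group consecutive entries whose
    modification times are within `window` of their neighbour. This mirrors the
    'sort by Date Modified, newest at top' step in the post."""
    ordered = sorted(entries, key=lambda e: e[1], reverse=True)
    clusters = []
    for name, mtime in ordered:
        if clusters and clusters[-1][-1][1] - mtime <= window:
            clusters[-1].append((name, mtime))
        else:
            clusters.append([(name, mtime)])
    return clusters


def flag_vsearch(entries, window=timedelta(minutes=1), min_cluster_matches=2):
    """Return {'flagged': [...], 'review': [...]}.

    'flagged' holds pattern-matching names that share a time cluster with at
    least `min_cluster_matches` - 1 other matching names (assumed threshold).
    'review' holds pattern-matching names that stand alone, which a legitimate
    daemon with an old date would do; those need a human look, not deletion."""
    flagged, review = [], []
    for cluster in cluster_by_mtime(entries, window):
        matches = [name for name, _ in cluster if name_fits_pattern(name)]
        if len(matches) >= min_cluster_matches:
            flagged.extend(matches)
        else:
            review.extend(matches)
    return {"flagged": flagged, "review": review}


def scan_directory(path="/Library/LaunchDaemons"):
    """Read-only listing of .plist files and their mtimes from a real folder."""
    entries = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False) and entry.name.endswith(".plist"):
            mtime = datetime.fromtimestamp(entry.stat(follow_symlinks=False).st_mtime)
            entries.append((entry.name, mtime))
    return entries


if __name__ == "__main__":
    target = "/Library/LaunchDaemons"
    listing = scan_directory(target) if os.path.isdir(target) else SAMPLE_LISTING
    result = flag_vsearch(listing)
    for name in result["flagged"]:
        print("FLAGGED:", name)
    for name in result["review"]:
        print("REVIEW :", name)
```

Run it in safe mode, as the post says, before deciding what to move to the Trash; the script only reads the folder and prints, and the same functions can be pointed at /Library/LaunchAgents or a user's ~/Library/LaunchAgents by passing a different path.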
Jun 1, 2016 11:48 AM in response to keshikun by appreciate: Malware does not reside only in the Launch Agents and Launch Daemons folders.
It is also found in other folders, like Applications and Downloads.
First of all, click Go > Computer > Mac HD > Library.
We have to search for malware in the following folders also:
1. Application Support
2. Launch Agents
3. Launch Daemons
4. Privileged Helper Tools
5. Startup Items
6. Preferences
7. Scripting Additions
8. Input Methods
9. Frameworks
10. Internet Plug-Ins
11. Caches
Then we have to search in the hidden Library:
click Go > hold the Option key > Library
1. Application Support
2. Caches
3. Cookies
4. Applications
5. Internet Plug-Ins
6. Input Methods
7. Preferences
8. Caches
9. Cookies
10. Saved Application State
11. Launch Agents: this folder is removed in the latest version of El Capitan
Now we will click Go > Computer > Mac HD > System > Library > Frameworks: malware can be here also.
If anyone needs guidance, please post.
Jun 1, 2016 2:36 PM in response to Linc Davis by soundmind99: Hi Linc,
Can you please advise? I have followed your instructions, with the following results, and I'm not sure what I need to be deleting here (by the way, I have Snow Leopard installed and am not yet wanting to upgrade). I was unable to locate any of the strings you suggested. The problem is only occurring on some web sites too at this stage:
and (from the same folder):
same folder continued:
Thanks for your help,
Natalie
Jun 1, 2016 2:50 PM in response to soundmind99 by soundmind99: Please ignore the above post. I deleted a few suspect files and restarted, and the problem appears to be solved! Thanks for your advice.
Jun 2, 2016 4:53 PM in response to Slate_48 by pinkstones: Could you all please read Linc Davis's posts in this thread or, better yet, start your own? Quit hijacking this thread.