keshikun

Q: How do I remove the TopDeal / Deal Top virus?

Basically ads keep popping up everywhere on other websites. It's also changed my home page and search engine. I've deleted the files I downloaded but every time I try to reset my Safari browser back to Google (as the main page and search engine), as soon as I reopen my tabs / windows it goes back to Bing.

I checked my extensions but there's nothing out of the ordinary there.

All help would be appreciated, thank you!

Posted on Jan 4, 2016 2:21 AM

first Previous Page 3 of 5 last Next
  • by stumble-r,

    stumble-r Jun 1, 2016 8:33 AM in response to Linc Davis
    Level 1 (4 points)

    Thank you so much, it's all clear now!

  • by Forest86,

    Forest86 Jun 1, 2016 8:50 AM in response to Linc Davis
    Level 1 (4 points)

    Hey!

    I did everything as instructed, but there are still some things I don't trust - can you take a look, please?

    My Mac is acting crazy the past few days, I hope it's just it. All those new files added today and yesterday, may that be a problem?

    (already deleted a few based on previous comments)

    Thanks for your help!

    Screen Shot 2016-06-01 at 17.58.19.png

  • by Forest86,

    Forest86 Jun 1, 2016 9:17 AM in response to Forest86
    Level 1 (4 points)

    Ok, did another check, am left with those now.

    Please please, help me get rid of that s***

     

    Screen Shot 2016-06-01 at 18.28.53.png

  • by maimai4,

    maimai4 Jun 1, 2016 11:02 AM in response to keshikun
    Level 1 (4 points)

    Hello, after following your steps and deleting all the files that you mentioned in the very first, I still get deal top pop ups everywhere.

    There are some files that appeared recently so could you take a look at mine as well?

    Thank you!

    Screen Shot 2016-06-01 at 11.01.39 AM.png

  • by Linc Davis,

    Linc Davis Jun 1, 2016 11:27 AM in response to Linc Davis
    Level 10 (208,037 points)
    Applications

    This comment is for anyone else finding the discussion. I'm just one person, and this problem could potentially affect many thousands. I can't deal with every case individually. I hope to make it possible for most victims of malware attack to help themselves.

    The last few questions have been about infections with a specific new variant of the "VSearch" malware. Below are general instructions for recognizing and inactivating that malware. If the instructions don't solve your problem or you don't feel able to follow them, please start your own thread. Your chances of getting a correct response on this site are not good, and unfortunately you won't get useful help from Apple Support either, because they're not equipped to deal with this kind of problem. As a last resort, if you can't get rid of the malware any other way and you know when it was installed, restore the startup volume from a Time Machine or other backup that predates the attack.



    You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    1. The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    2. While running in safe mode, triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    /Library/LaunchDaemons

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.

    3. Look inside the LaunchDaemons folder for files with a name of the form

              com.apple.something.plist

    where something is a meaningless string without punctuation, different in every case. The name includes the word "apple" to make it look like part of OS X. Usually there would be no OS X files in that folder, and if there were any, they would have a much older modification date.

    There may also be one or more items with a three-part name of this form:

              com.somethingelse.plist

    where something is another meaningless string.

    Here are some typical examples of a VSearch infection of this type:

              com.apple.builins.plist

              com.apple.cereng.plist

              com.apple.nysgar.plist

              com.semifasciaUpd.plist

              com.ubuiling.plist

    You may have files with names similar, but probably not identical, to these.

    On the other hand, here are examples of legitimate files that might be found in the same folder:

              com.apple.FinalCutServer.fcsvr_ldsd.plist

              com.apple.qmaster.qmasterd.plist

              com.apple.serverd.plist

    The first two are clearly not VSearch files because the names don't fit either pattern (something is not a string without punctuation.) The last one is not easy to distinguish by the name alone, but the modification date will be earlier than the date when VSearch was installed. None of these legitimate files will be present in most installations of OS X.

    If you feel confident that you've identified the malicious file or files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.

    4. If you moved anything to the Trash in Step 3, restart the computer and empty the Trash.

    Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

    5. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari ▹ Preferences... ▹ General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
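
The name and modification-time check from steps 2 and 3 of the post above, as an added example that is not part of the original post: it only lists candidates for review and moves or deletes nothing. The function names, the 60-second window constant and the sample timestamps are assumptions made for this illustration.

```python
import re
import sys
from pathlib import Path

# Name shapes from the post: com.apple.<something>.plist and
# com.<somethingelse>.plist, where the variable part has no punctuation.
NAME_RE = re.compile(r"^com\.(?:apple\.)?[A-Za-z0-9]+\.plist$")
WINDOW_SECONDS = 60  # "the same modification time to within about one minute"


def cluster_suspects(entries, window=WINDOW_SECONDS):
    """Group pattern-matching names whose mtimes fall within `window` seconds.

    entries: iterable of (filename, mtime_epoch_seconds).
    Returns clusters (lists of names), newest cluster first.
    """
    matching = sorted(
        ((name, mtime) for name, mtime in entries if NAME_RE.match(name)),
        key=lambda e: e[1],
        reverse=True,
    )
    clusters, start = [], None
    for name, mtime in matching:
        # Open a new cluster once a file is older than the window allows.
        if start is None or start - mtime > window:
            clusters.append([])
            start = mtime
        clusters[-1].append(name)
    return clusters


def scan(folder="/Library/LaunchDaemons"):
    """Read-only listing of the real folder; nothing is moved or deleted."""
    path = Path(folder)
    if not path.is_dir():
        return []
    return cluster_suspects((p.name, p.stat().st_mtime) for p in path.iterdir())


# Constructed sample: file names are the post's examples, timestamps invented.
SAMPLE = [
    ("com.apple.builins.plist", 1464700000),
    ("com.semifasciaUpd.plist", 1464700020),
    ("com.ubuiling.plist", 1464700045),
    ("com.apple.serverd.plist", 1300000000),           # legitimate, much older
    ("com.apple.qmaster.qmasterd.plist", 1464700010),  # punctuation: no match
    ("com.apple.FinalCutServer.fcsvr_ldsd.plist", 1464700030),
]

if __name__ == "__main__":
    groups = scan(sys.argv[1]) if len(sys.argv) > 1 else cluster_suspects(SAMPLE)
    for group in groups:
        print(group)
```

On the constructed sample the three recent names form one cluster, while `com.apple.serverd.plist` matches the name shape but lands in its own, much older cluster, which is the distinction the post draws by modification date.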

  • by appreciate,

    appreciate Jun 1, 2016 11:48 AM in response to keshikun
    Level 4 (1,276 points)
    Mac OS X

    Malware does not reside only in the launch agents and launch daemon folders.

    It is to be found in other folders also, like in Applications and Downloads.

    First of all, click Go > Computer > Mac HD > Library.

    We have to search for malware in the following folders also:

    1. application support
    2. launch agents
    3. launch daemon
    4. privileged helper tools
    5. start up items
    6. preferences
    7. scripting additions
    8. input methods
    9. frameworks
    10. internet plugins
    11. caches

    Then we have to search in the hidden Library:

    click on Go > hold the option key > Library

    1. application support
    2. caches
    3. cookies
    4. applications
    5. internet plugins
    6. input methods
    7. preferences
    8. caches
    9. cookies
    10. saved application state
    11. launch agents: this folder is removed in the latest version of El Capitan

    Now we will click Go > Computer > Mac HD > System > Library > framework: malware can be here also.

    If anyone needs guidance, please post.

  • by soundmind99,

    soundmind99 Jun 1, 2016 2:36 PM in response to Linc Davis
    Level 1 (4 points)

    Hi Linc,

    Can you please advise? I have followed your instructions, with the following results, and not sure what I need to be deleting here (btw, I have Snow Leopard installed and not yet wanting to upgrade). I was unable to locate any of the strings you suggested. The problem is only occurring on some web sites too at this stage:

    and (from the same folder):

    same folder continued:

    Thanks for your help,

    Natalie

  • by soundmind99,

    soundmind99 Jun 1, 2016 2:50 PM in response to soundmind99
    Level 1 (4 points)

    Please ignore the above post. I deleted a few suspect files and restarted and the problem appears to be solved! Thanks for your advice.

  • by agencemaeva,

    agencemaeva Jun 1, 2016 8:53 PM in response to Linc Davis
    Level 1 (4 points)

    Here's what I got. Which ones are not good?

     

    Launch Daemons files.png

  • by felipechatah,

    felipechatah Jun 1, 2016 9:44 PM in response to keshikun
    Level 1 (4 points)

    Hi guys, I really need help, I'm desperate

    I could not find those files in LaunchDaemons and LaunchAgents.

    Please help me identify the bad guys!


    deamons.png

    agents.png

    frameworks.png


    Thanks a lot!!!


  • by Slate_48,

    Slate_48 Jun 2, 2016 4:36 PM in response to keshikun
    Level 1 (4 points)

    I am receiving the same virus issue and can't seem to identify which specific file to delete, any help?

    Screen Shot 2016-06-02 at 7.31.05 PM.png

  • by pinkstones,

    pinkstones Jun 2, 2016 4:53 PM in response to Slate_48
    Level 5 (4,210 points)
    Safari

    Could you all please read Linc Davis's posts in this thread or better yet, start your own?  Quit hijacking this thread.

  • by judi karl,

    judi karl Jun 3, 2016 2:00 AM in response to keshikun
    Level 1 (4 points)

    Hi all

    How about this one? What should I delete?

    plist.png

    Thank you.

  • by davidpinto,

    davidpinto Jun 3, 2016 2:21 AM in response to keshikun
    Level 1 (4 points)

    Hi,

    I have the same problem.

    This is my file. Can you check it and tell me what I should delete, please? Thanks a lot

    Schermata 2016-06-03 alle 11.17.37.png
