-
Jun 4, 2016 11:55 AM in response to Linc Davis by ccmaclove
Hello, I get stuck when identifying files. Based on what's here, I can see Upd files and have deleted them, but as you mentioned, they regenerate. I will try from start mode; however, I can't clearly tell (although I suspect) many files shouldn't be there. I, unfortunately, don't have this knowledge base and, as you also mentioned, Apple (and others) haven't been able to help. If you can't help, do you know who I should reach out to, even to do a reinstall? My MacBook Pro is only a few months old and the Internet is now very slow with pop ups everywhere as well as embedded links. First it was Offers4U and now it's Top Deals. It also causes me functionality issues when working on the backend of my website, where ads and links also appear. Thanks in advance if you can. No problem if you can't.

-
Jun 4, 2016 1:05 PM in response to ccmaclove by Linc Davis
You have the same malware infection. I need to understand why the instructions I posted earlier are not clear enough for you to follow.
-
Jun 4, 2016 1:24 PM in response to Linc Davis by ccmaclove
I can follow most of it, but I am not sure which files, especially if they contain Microsoft for example, but end in the plist, are ok. I'm sorry, I am trying to learn as I go, but have not done this before. I am a graphic designer and writer and am pretty tech savvy, so I'll get it eventually. It's just really frustrating and I have a huge project that I can't work on because of this malware. I'm gathering that the files that are okay contain a . and more than 3 strings. The ones that have only the 3 strings are the ones I don't recognize. The agents seem okay, but I see many folders in the library that I don't recognize (abazeUpd being one of them and clownishness). I have backed up my computer and am going to try to move them to the trash. I'm not 100% on which files; that is my only issue. ...Everything else is clear to me. Thanks for writing back.
-
Jun 4, 2016 1:40 PM in response to ccmaclove by Linc Davis
This attacker is going to ever greater lengths to make his malware hard to remove, but he's not some kind of evil genius; in fact, he's rather stupid, like most criminals. Eventually he'll reach the limits of his intellectual capacity. It's now at the point where removal takes some concentration. I think almost anyone should still be able to do it, if the instructions are clear enough.
My instructions refer to file names that fit two possible patterns. Please give an example of a file name that you can't assign to either of those patterns, or to neither pattern.
-
Jun 4, 2016 3:50 PM in response to Linc Davis by graziana1
Hello everyone, I'm very happy to have found this thread. I've been beset by top deal pop ups for several days. Today I have followed all the instructions, and even installed El Capitan, but the adware remains. I therefore looked up in /Library/LaunchDaemons and found about 50 or more dodgy entries. The only ones that may be safe are:
com.adobe.fpsaud.plist
com.apple.usktas.plist (this one looks dodgy too, actually),
con.google.keystone.daemon.plist
com. microsoft.office.licensing...lper.plist
com.oracle.java.Helper-Tool.plist
Apart from the above, all the others have ridiculous names. There are so many and, as I'm not quite good at posting a screenshot, I hope the above allows some of you to advise me if I can remove all but the above. I run both Safari and Opera, but the ads are only on Safari since I've installed El Capitan.
Thanks for whatever help you can give me.
-
Jun 4, 2016 3:53 PM in response to graziana1 by pinkstones
graziana1 wrote:
Hello everyone, I'm very happy to have found this thread. I've been beset by top deal pop ups for several days. Today I have followed all the instructions, and even installed El Capitan, but the adware remains. I therefore looked up in /Library/LaunchDaemons and found about 50 or more dodgy entries. The only ones that may be safe are:
com.adobe.fpsaud.plist
com.apple.usktas.plist (this one looks dodgy too, actually),
con.google.keystone.daemon.plist
com. microsoft.office.licensing...lper.plist
com.oracle.java.Helper-Tool.plist
Apart from the above, all the others have ridiculous names. There are so many and, as I'm not quite good at posting a screenshot, I hope the above allows some of you to advise me if I can remove all but the above. I run both Safari and Opera, but the ads are only on Safari since I've installed El Capitan.
Thanks for whatever help you can give me.
Drag the screenshot into the reply box.
-
Jun 4, 2016 4:02 PM in response to pinkstones by graziana1
The site tells me there's an error and the content cannot be saved. Maybe the screenshot is too big. Sorry, I'm losing the will to live, lol. Will see what I can do. Maybe a series of smaller screenshots.
-
Jun 4, 2016 4:05 PM in response to pinkstones by graziana1
Thanks. It's large... First page:
Second page (overlapping with first, sorry)
-
Jun 4, 2016 4:09 PM in response to graziana1 by Linc Davis
I'm asking for help from those who find my instructions unclear. How are they unclear? You have to understand what this attacker is doing: he randomizes the names of his files. It's impossible to give a complete list of all possible malware files, and it's equally impossible to give a complete list of all possible non-malware files. If the attack is to be defeated, you have to recognize the patterns. If I can do it, so can you. Why are you having trouble deciding whether those file names match either of the patterns I stated? How could I make it easier for you?
-
Jun 4, 2016 4:16 PM in response to graziana1 by graziana1
Linc Davis, your instructions are quite clear, but you also say that some strings contain, say, "apple" and we have to be careful not to delete a necessary file. That is the reason I have listed, in my first post above, the five files that MAY be legitimate, just so I do not delete them.
-
Jun 4, 2016 4:22 PM in response to graziana1 by Linc Davis
If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together, usually within a minute of each other. There could be more than one such cluster. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.
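
The modification-date check described in the post above, as an added example that is not part of the original thread: it groups folder entries whose modification times fall within a minute of each other. The timestamps, the `com.example-*` names and the three-file threshold are constructed assumptions.

```python
import os
from datetime import datetime, timezone

def read_mtimes(folder):
    """Return (name, mtime) pairs for a folder such as /Library/LaunchDaemons."""
    return [(e.name, e.stat().st_mtime) for e in os.scandir(folder)]

def cluster_by_mtime(entries, gap=60):
    """Sort by modification time and start a new cluster whenever the
    gap to the previous file exceeds `gap` seconds."""
    clusters = []
    for name, mtime in sorted(entries, key=lambda e: e[1]):
        if clusters and mtime - clusters[-1][-1][1] <= gap:
            clusters[-1].append((name, mtime))
        else:
            clusters.append([(name, mtime)])
    return clusters

def review_candidates(entries, gap=60, min_size=3):
    """Names in clusters of at least `min_size` files (assumed threshold).
    These are candidates for manual review, not a verdict."""
    return [[name for name, _ in c]
            for c in cluster_by_mtime(entries, gap) if len(c) >= min_size]

def _ts(*parts):
    return datetime(*parts, tzinfo=timezone.utc).timestamp()

# Constructed sample: names from the thread plus placeholder names,
# all with made-up modification times.
SAMPLE = [
    ("com.adobe.fpsaud.plist",            _ts(2015, 11, 3, 9, 12, 0)),
    ("com.oracle.java.Helper-Tool.plist", _ts(2015, 8, 20, 14, 2, 0)),
    ("com.apple.usktas.plist",            _ts(2016, 6, 1, 21, 40, 10)),
    ("com.example-aaa.plist",             _ts(2016, 6, 1, 21, 40, 25)),
    ("com.example-bbb.plist",             _ts(2016, 6, 1, 21, 40, 55)),
    ("com.example-ccc.plist",             _ts(2016, 6, 1, 21, 41, 30)),
]

if __name__ == "__main__":
    # Replace SAMPLE with read_mtimes("/Library/LaunchDaemons") on a real system.
    for cluster in cluster_by_mtime(SAMPLE):
        flag = "REVIEW" if len(cluster) >= 3 else "ok    "
        for name, mtime in cluster:
            stamp = datetime.fromtimestamp(mtime, timezone.utc).isoformat()
            print(flag, stamp, name)
        print()
```

A file with a vendor-looking name that lands inside a flagged cluster is reported with the rest of that cluster, which is the case the post describes.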
-
Jun 4, 2016 4:30 PM in response to Linc Davis by graziana1
Thanks. It is not clear by date because some of the definitely dodgy ones come before "adobe" "apple" and so on. Also I have installed El Capitan earlier this evening, so I think all the files, legit or not, have come in pretty much close in time. As I say, there are only five that I'm unsure of. Can I delete them safely or not? They are:
com.adobe.fpsaud.plist
com.apple.usktas.plist (this one looks dodgy too, actually),
con.google.keystone.daemon.plist
com. microsoft.office.licensing...lper.plist
com.oracle.java.Helper-Tool.plist
Hang on, I missed your "modification" date. Thank you so much, I now see what I have to do!
-
Jun 4, 2016 4:35 PM in response to graziana1 by Linc Davis
Despite your misgivings, you did recognize the pattern. The file that you describe as "dodgy" actually is. The others are not.
-
Jun 4, 2016 4:43 PM in response to Linc Davis by graziana1
Hmm, I could strangle these malware idiots.
Deleted all those, but the pop ups remain. Meh
