keshikun

Q: How do I remove the TopDeal / Deal Top virus?

Basically ads keep popping up everywhere on other websites. It's also changed my home page and search engine. I've deleted the files I downloaded but every time I try to reset my Safari browser back to Google (as the main page and search engine), as soon as I reopen my tabs / windows it goes back to Bing.

 

I checked my extensions but there's nothing out of the ordinary there.

 

All help would be appreciated, thank you!

Posted on Jan 4, 2016 2:21 AM

first Previous Page 5 of 5
  • by Kurt Lang,

    Kurt Lang Jun 4, 2016 4:48 PM in response to graziana1
    Level 8 (38,029 points)
    Mac OS X

    A person can never know for sure what's going to be installed when acquiring software from illegal sources (not at all saying this is what you did). The main problem has become legitimate sources.

     

    Aggregate sites such as www.softonic.com, www.downloads.com and others saw a great revenue scheme for them by tacking on adware with the software you actually wanted to try. While annoying, it wasn't so bad when this garbage wasn't as difficult to remove. They don't care. The adware makers pay them lots of money to add this stuff onto the downloads with little work to them to do it. What was a nuisance has crossed over to invasive malware. Especially newer versions that go out of their way to prevent removing them.

     

    It won't happen, but about the only way to stop, or greatly slow the downloading of this junk is for everyone to stop using aggregate sites entirely. If you want to try a particular title you've heard or read about, go directly to the vendor's site to get it.

  • by Linc Davis,

    Linc Davis Jun 4, 2016 4:53 PM in response to graziana1
    Level 10 (208,037 points)
    Applications

    Did you delete the files in safe mode? If not, they came right back or were replaced by others with similar names.

  • by graziana1,

    graziana1 Jun 4, 2016 5:00 PM in response to Linc Davis
    Level 1 (4 points)

    Well, I've restarted the computer and it all seems to work now!!!  There was a forum I hadn't been able to access since all this started, and now I can!  Thank you so much Linc Davis. I'm fairly new to Apple and I have lots of gaps to fill. Hopefully by reading the threads here I will learn a lot. I certainly have learnt something very useful this evening!  Big ups!

  • by Linc Davis,

    Linc Davis Jun 4, 2016 5:38 PM in response to Linc Davis
    Level 10 (208,037 points)
    Applications

    Below is a revised version of the instructions I posted earlier in this thread. If anyone else finds the thread by searching for a term such as "DealTop," and if the instructions below don't solve the problem or you don't understand them, please either start your own thread or at least state clearly why you were unable to follow the instructions. My time is not unlimited and I probably won't respond if your question merely duplicates those that have already been asked and answered here. It's clear that many people have been affected by this malware, and I can't respond individually to every one of them.

    ASC, to the extent that it works at all, is a two-way street. You get help, and you give help. If you have any information to contribute that could help others, most importantly the source of the malware (which as of now I don't know), please post it.

     

     

    You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    1. The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    2. While running in safe mode, load this web page and then triple-click the line below to select it. Copy the text to the Clipboard by pressing the key combination command-C:

    /Library/LaunchDaemons

    In the Finder, select

              Go > Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.

    3. Look inside the LaunchDaemons folder for files with a name of the form

              com.apple.something.plist

    where something is a meaningless string without punctuation, different in every case. The name includes the word "apple" to make it look like part of OS X. Usually there would be no OS X files in that folder, and if there were any, they would have a much older modification date.

    There may also be items with a name of either of these forms:

              com.something.plist

              com.something.net-preferences.plist

    where something is another meaningless string.

    Here are some typical examples of a VSearch infection of this type:

              com.apple.builins.plist

              com.apple.cereng.plist

              com.apple.nysgar.plist

              com.hemolymphatic.net-preferences.plist

              com.semifasciaUpd.plist

              com.ubuiling.plist

    You may have files with names similar, but probably not identical, to these.

    On the other hand, here are examples of legitimate files that might be found in the same folder:

              com.apple.FinalCutServer.fcsvr_ldsd.plist

              com.apple.installer.osmessagetracing.plist

              com.apple.qmaster.qmasterd.plist

              com.apple.aelwriter.plist

              com.apple.serverd.plist

    The first three are clearly not VSearch files because the names don't fit any of the above patterns (something is not a string without punctuation.) The last two are not easy to distinguish by the name alone, but the modification date will be earlier than the date on which VSearch was installed, perhaps by several years. None of these legitimate files will be present in most installations of OS X.

    If you feel confident that you've identified the malicious file or files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.

    4. If you moved anything to the Trash in Step 3, restart the computer and empty the Trash.

    Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

    If you're not sure whether a file is part of the malware, order the folder contents by modification date as I wrote in Step 2, not by name. The malware files will be clustered together. There could be more than one such cluster, if you were attacked more than once. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

    If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

    5. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari > Preferences... > General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
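
Added example (not part of the post above and not an Apple tool): a read-only Python sketch of the triage described in Steps 2 and 3, which matches the listed name shapes and then groups matches by modification time. The function names, the 60-second window, the minimum cluster size of two and the sample timestamps are assumptions made for illustration.

```python
import os
import re

# Name shapes from Step 3; "something" is a string without punctuation.
NAME_PATTERNS = [
    re.compile(r"^com\.apple\.[A-Za-z0-9]+\.plist$"),
    re.compile(r"^com\.[A-Za-z0-9]+\.net-preferences\.plist$"),
    re.compile(r"^com\.[A-Za-z0-9]+\.plist$"),
]
WINDOW_SECONDS = 60  # assumption: "within about one minute" (Step 2)


def name_matches(name):
    """True if the file name fits one of the shapes listed in Step 3."""
    return any(p.match(name) for p in NAME_PATTERNS)


def find_clusters(entries, window=WINDOW_SECONDS, min_size=2):
    """Group name-matching (filename, mtime) pairs whose modification times
    fall within `window` seconds of the first file in the group."""
    hits = sorted((e for e in entries if name_matches(e[0])), key=lambda e: e[1])
    clusters, current = [], []
    for name, mtime in hits:
        if current and mtime - current[0][1] > window:
            clusters.append(current)
            current = []
        current.append((name, mtime))
    if current:
        clusters.append(current)
    # Assumption: a lone match (e.g. an old com.apple.serverd.plist) is not reported.
    return [sorted(n for n, _ in c) for c in clusters if len(c) >= min_size]


def scan(path="/Library/LaunchDaemons"):
    """Read-only listing of the folder from Step 2; nothing is deleted."""
    with os.scandir(path) as it:
        return find_clusters([(e.name, e.stat().st_mtime) for e in it if e.is_file()])


# Constructed sample: names are the post's examples, timestamps are invented.
SAMPLE = [
    ("com.apple.builins.plist", 1464900000),
    ("com.hemolymphatic.net-preferences.plist", 1464900020),
    ("com.ubuiling.plist", 1464900045),
    ("com.apple.aelwriter.plist", 1250000000),
    ("com.apple.serverd.plist", 1350000000),
    ("com.apple.qmaster.qmasterd.plist", 1300000100),
]

if __name__ == "__main__":
    for cluster in find_clusters(SAMPLE):
        print("review together:", cluster)
```

The output is a list of files to review by hand; a name match alone is not proof, which is why the two older legitimate examples from the post are left out of the result.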

  • by arrrturrrooo,

    arrrturrrooo Jun 4, 2016 11:58 PM in response to Linc Davis
    Level 1 (4 points)
    Mac OS X

    Hi Linc,

     

    Can you please help me identify which ones should be deleted?

     

    Thanks!

     

    Screenshot 2016-06-04 23.56.35.png

  • by Davii347,

    Davii347 Jun 5, 2016 2:21 AM in response to Linc Davis
    Level 1 (4 points)

    Thank you so much, Linc! (: I really appreciate that you took the time out of your day to write those steps. They helped me so much!

     

    I had those pesky pop ups and random links in the sentences and my antivirus thing kept trying to delete it but it kept coming back x.x Doing what Linc said worked wonders!

     

    Launch Agents

    Revised with safe mode <----if it keeps regenerating.

    I combined both, and they are all gone. (: The main difference is the deleting in safe mode and deleting the similar files in the Launch Agent AND Library. Didn't take much time either. If you organize from the Date modified.

     

    Thanks again, Linc!

  • by cmqc,

    cmqc Jun 5, 2016 2:20 PM in response to Linc Davis
    Level 1 (4 points)

    Hi!

     

    I have the same problem and this is what I get from /Library/LaunchDaemons

    Which files should I delete? Thanks so much

    Capture_d_e_cran_2016-06-05_a_17_15_.jpg

  • by Jelmer Jeen,

    Jelmer Jeen Jun 6, 2016 2:20 PM in response to keshikun
    Level 1 (14 points)

    Hi, this is what my LaunchDaemons folder looks like. What files should I delete? Thanks a lot in advance!

    Screen Shot 2016-06-06 at 20.21.15.png

  • by Jelmer Jeen,

    Jelmer Jeen Jun 6, 2016 2:24 PM in response to Linc Davis
    Level 1 (14 points)

    Hi Linc Davis, this is what my LaunchDaemons folder looks like. What files should I delete? Thanks a lot in advance!

     

    Screen Shot 2016-06-06 at 20.21.15.png

  • by Cobalt314,

    Cobalt314 Jun 8, 2016 12:00 PM in response to Linc Davis
    Level 1 (4 points)

    Here are screenshots of my Library, LaunchAgents, and LaunchDaemons folders. I've deleted all files and folders like those you mentioned, but Deal Top is still on my Chrome browser. I've also checked the extensions, but I saw no suspicious extensions. Am I missing anything?

    Note: I installed Malwarebytes at a much later point in time in an effort to combat this adware, and I don't think it has any bearing on what I should delete.

    Screen Shot 2016-06-08 at 13.50.05.JPG

    Screen Shot 2016-06-08 at 13.50.49.JPG

    Screen Shot 2016-06-08 at 13.51.12.JPG

  • by KarmenKoiv,

    KarmenKoiv Jun 8, 2016 7:04 PM in response to Linc Davis
    Level 1 (4 points)

    Hello

    I did find the LaunchDaemons folder and found heaps of files. Not sure whether I should delete them all or not?

    Screen Shot 2016-06-09 at 11.25.16 AM.png

    Screen Shot 2016-06-09 at 11.33.37 AM.png

     

     

    Cheers.

  • by papos2005,

    papos2005 Jun 9, 2016 9:04 PM in response to Linc Davis
    Level 1 (8 points)

    Screen Shot 2016-06-09 at 10.58.19 PM.png

    What about me? Can you guys help me? Please?

    ************

     

    <Email Edited by Host>

  • by KaitWells,

    KaitWells Jun 13, 2016 4:12 PM in response to Linc Davis
    Level 1 (4 points)
    Mac OS X

    Hi Linc Davis,

     

    Thank you for posting the instructions. They are very helpful. I believe I've identified all of the harmful items on my machine (running El Capitan), but I might be wrong. I've moved a few items to my trash and restarted my computer, but I'm still receiving some pop ups.


    Screen Shot 2016-06-13 at 6.57.04 PM.png

    Screen Shot 2016-06-13 at 6.53.28 PM.png

    (I know the instructions said to ignore Frameworks, but including it just in case.)

    Screen Shot 2016-06-13 at 6.53.51 PM.png

    Screen Shot 2016-06-13 at 6.56.58 PM.png

     

    Also, just to clarify, are you supposed to empty the trash after moving the items and restarting the computer?  (Your Jan. 2016 response doesn’t specify this step, but other responses say yes to empty the trash, so I’m unsure.)

     

    Thank you again for your time.

  • by chxrrin,

    chxrrin Aug 19, 2016 4:25 PM in response to keshikun
    Level 1 (4 points)
    Mac OS X

    Hello, can anyone please help me to identify the files I need to delete? Thank you!

    Snip20160820_209.png

  • by etresoft,

    etresoft Aug 19, 2016 4:27 PM in response to claudiadic
    Level 7 (29,380 points)

    Hello claudiadic,

    Linc Davis is no longer active in the forums and this thread is over 8 months old. I suggest you start your own question and someone will help you remove the adware.
