Safari has been hijacked by ads (javascript)

You don't need anti-virus software on a Mac. The Mac OS/IOS have security features built into them that handle almost all problems. Anti-virus software tends to interfere with normal computer operation.

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Back up all data first.

Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.

If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

A

Please back up all data before making any changes.

In the first folder arranged as shown in the screenshots, please delete these items:

None

In the second folder:

None

In the third folder:

#2 and #5 ("VSearch")

You may be prompted for your password.

Restart the computer.

Reset the Safari home page, if it was changed. You may need to do the same in the other browsers.

From the Applications folder (not shown in the screenshots), delete items with any of the following names:

MPlayerX

These steps will permanently inactivate the malware, as long as you never reinstall it. A few small files may remain in hidden folders, but they have no effect.

The instructions above apply only to you. I'm including more general—and complete—self-contained removal instructions below for the benefit of others who may find this discussion. You can skip the remaining steps, but you should read them.

B (optional)

You installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for files with a name of this form:

com.something.net-preferences.plist

Here something is a meaningless, random string of characters, which can be different in each instance of VSearch. So far it has always been an alphanumeric string without punctuation, such as "disbalance" or "thunderbearer."

You could have more than one copy of the malware, with different values of something.

There may also be one or more files with a name of this form:

com.somethingelseUpd.plist

where somethingelse may be a different meaningless string than something. Again, there may be more than one such file, with different values of somethingelse.

Here's a typical example of a VSearch infection:

com.disbalance.net-preferences.plist

com.thunderbearerUpd.plist

You will have files with names similar, but probably not identical, to these.

If you feel confident that you've identified the above files, back up all data, then drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically and runs with no direct user interaction. That's not necessarily bad.

2. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

3. If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

4. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.

You now know more about the subject than almost all the people who give what they consider to be advice about it on this site. You also know more than some Apple Support representatives do, apparently. Share what you know with others. That's what makes this site work, to the extent that it does work.

<Edited by Host>

I CALLED Apple and their PAID support left me with "Well, it's a Javascript problem contact them." And he OBVIOUSLY didn't really know any more than me, he just had a protocol script or whatever in front of him to read from, which is fine, I don't expect everyone who happens to work for them to be an actual expert on every aspect of the system, but still.

I'm sure the support reps do the best they can with what they have. But as this experience shows, they're not trained or equipped to answer questions about a malware problem.

But as this experience shows, they're not trained or equipped to answer questions about a malware problem.

The Apple Support reps do not know how to handle Malware questions? There are lots of ways to handle Malware on a Mac. The long way or the short way.

One easy and great way is to use MalwareBytes, developed by another Helper here.

Others posters here have stated that it has been recommended by Apple Reps, and has solved their Malware problem quickly and efficiently.

Let's summarize what was reported in this thread, so that others who may find it can draw their own conclusions.

1. You were infected with the "VSearch" trojan.

2. You contacted Apple Support for help. They told you to run a third-party "anti-malware" product, which didn't work. Then they told you to contact the developer of "JavaScript." The developer of the JavaScript interpreter in OS X is Apple itself, so that suggestion didn't work either.

3. You asked for help here, and were given simple instructions to detect and remove the trojan using only the Finder and Safari. Those instructions solved the problem immediately.

ALWAYS ask (politely, but assertively) for a "supervisor". I have NEVER had a 1st responder specialist solve any of my issues, because they have been "real stumpers" or required "behind the curtain" actions by RealAppleFolks == 2 went to 5th transfer = "The Engineers"

Thank-you Linc Davis for your post. I found & removed every file you mentioned.

You stated: /Library/Application Support/amc, but I found "that" file in my home library, not my computer library.

In addition to your post, I found & did the following:

1) turn on AppTrap (in System Preferences) >go to Applications/goodgame empire >delete > turn off AppTrap.

AppTrap: is an app that attempts to find and remove additional related folders & files.

AppTrap did find a few offending folders & files.

2) System Preferences >Users & Groups >your admin account >Login Items >remove the adware item.

I believe I unknowingly brought in this adware when I installed an update for YTD.app (YouTube Downloader).

YouTube Downloader is a great app, but I have to do browser preference & extension clean-ups after each of it's updates.

During it's last update, it installed a Mac cleaner app (as a prerequisite) but sneaked in the "Goodgame Empire" adware.

Thank-you, Michael Rooney

Whitch anti-virus software can I use for my Mac, iPad and iPhone????

None is the best.