Malware, virus, or other? Seeking tips to fix iMac

Hello all,


Whenever I visit a website on my iMac, more tabs popup with ads, and sometimes, the ad is covering the page I actually want to view. I've added a screenshot as an example of what I mean. I've tried a few things to "fix" this, and I can't use Time Machine - does anyone have any other tips that could help get my computer running better? Will running in safe mode or PRAM reset help? Thank you!



User uploaded file

iMac, OS X Mountain Lion (10.8.5)

Posted on Feb 7, 2016 8:55 AM

Question marked as Best reply

Feb 7, 2016 9:28 AM in response to Asc341

You may have installed some adware. The easy method to check and remove it is to run MalwareBytes (http://www.adwaremedic.com/index.php). It's written by one of the most trusted members of these forums and, as I said, is the easiest method and completely safe.

Apple also offers instructions for manual identification and file removal, "Stop pop-up ads and adware in Safari - Apple Support", although they don't keep their information as up to date as some of us would like.

A bit more up to date method of manual removal is here: http://www.thesafemac.com/arg-identification/

Feb 7, 2016 7:59 PM in response to Asc341

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Back up all data first.

Some of the most common types of adware can be removed by following Apple's instructions. But before you follow those instructions, you can attempt an automatic removal.

If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

If the malware is not removed automatically, and you can't remove it yourself by following Apple's instructions, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
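
The folder checks in Steps 1 to 3 can also be scripted. The following is an added example, not part of the original post or of Apple's instructions: it lists every launchd job file in the three folders, newest first, together with the program each job would run. It assumes Python 3 is available; `inventory` and `LAUNCHD_DIRS` are names chosen for this example.

```python
"""Added example: list launchd job files from the folders in Steps 1-3."""
import os
import plistlib
import time

# The three folders named in Steps 1-3 of the post.
LAUNCHD_DIRS = [
    "~/Library/LaunchAgents",
    "/Library/LaunchAgents",
    "/Library/LaunchDaemons",
]


def inventory(dirs=LAUNCHD_DIRS):
    """Return one record per .plist found in dirs, newest modification first."""
    records = []
    for folder in dirs:
        folder = os.path.expanduser(folder)
        if not os.path.isdir(folder):  # a folder may not exist; skip it
            continue
        for name in sorted(os.listdir(folder)):
            if not name.endswith(".plist"):
                continue
            path = os.path.join(folder, name)
            rec = {"path": path, "mtime": os.lstat(path).st_mtime,
                   "label": None, "command": None,
                   "run_at_load": False, "error": None}
            try:
                with open(path, "rb") as fh:
                    job = plistlib.load(fh)  # handles XML and binary plists
                if not isinstance(job, dict):
                    raise ValueError("top-level object is not a dictionary")
                rec["label"] = job.get("Label")
                # If Program is absent, ProgramArguments[0] is the executable.
                args = job.get("ProgramArguments") or []
                rec["command"] = job.get("Program") or " ".join(map(str, args))
                rec["run_at_load"] = bool(job.get("RunAtLoad", False))
            except Exception as exc:  # unreadable or malformed: still list it
                rec["error"] = "%s: %s" % (type(exc).__name__, exc)
            records.append(rec)
    records.sort(key=lambda r: r["mtime"], reverse=True)
    return records


if __name__ == "__main__":
    for r in inventory():
        stamp = time.strftime("%Y-%m-%d %H:%M", time.localtime(r["mtime"]))
        print(stamp, r["path"])
        print("    label=%s run_at_load=%s" % (r["label"], r["run_at_load"]))
        print("    command=%s" % (r["error"] or r["command"]))
```

A job file whose modification time lines up with the start of the symptoms, and whose command points at an unfamiliar program, is the one to look at first.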

Feb 9, 2016 3:09 AM in response to Linc Davis

I'm not the guy you left those directions for, but I'll gladly follow them. An hour or two ago I found instructions by you from back in '14, I think, on basically this same issue where you advised that if much time passes to look for new instructions. I searched YOUR articles for new instructions rather than starting from scratch, and lo and behold, two years later, you posted one just the day before! Good on ya, mate.


Anyway... My issues are popups everywhere and it sometimes taking a full 5 minutes to load pages.


Step 1. That folder DOES exist, but it's empty (so, no screenshot needed).


Step 2.

User uploaded file

In case that's not easily readable, "com.occupationalistsemese.agent.plist" is the recent one – and I'd say it's the guilty party (causing SERIOUS delay in loading of pages and bringing up popup ads with every fifth or so activity), because the timestamp is right around the time that I ... d/led a pirated product 😟, which marked the beginning of my problems.


That "occupationalistsemese" word (with .framework, and a bunch of other stuff after it) was found in System/Library/Frameworks by BitDefender (which I tried before reading your advice) and was identified by that program as "Adware.MAC.OSX.VSearch.FC" and that is what led me to your earlier article.


Step 3.

User uploaded file

4. No extensions were listed.


5. Though I do sometimes (infrequently) use Firefox, I have not done so in a couple of weeks. Since this just happened yesterday, they will be safe (from this most recent, more severe attack), right?


If you don't mind, I'd like to have you also drop any wisdom that might be inspired by hearing about the other problem files BitDefender found. After 4 "pages" (about 30 lines) of VSearch files (all including that "Occupational..." word), the rest – some 25 pages, or 200 lines – listed in groups of various threat names, all appears to be linked to the "IMAP" of one of my old email addresses:


6 PAGES of "Gen:Variant.Kazy" [+ various numbers, such as Kazy.324982 or Kazy.47555]

16 "JS:Trojan.JS.Redirector.P"

6 "Trojan.WPS.Fareit.D"

6 "Trojan.Inject.ADV"

12 "Gen:Variant.Delf.118"

6 "Trojan.Generic.KD.766866"

6 "Gen:Variant.Symmi.3807"

6 "Gen:Trojan.Ipatre.1"

6 "Trojan.Generic.KDV.711612"

16 "JS:Trojan.JS.Redirector.ZL"

6 "Trojan.Zmutzy.256"

2 "JS:Exploit.JS.Agent.K"

6 "Trojan.Agent.AVKP"

6 "Gen:Variant.Delf.56"

6 "Gen:Heur.Conjar.9"

6 "Gen:Variant.Graftor.1558"

6 "Trojan.Downloader.JOQU"

5 "Trojan.Generic.6635448"

3 "Trojan.Agent.ASQV"


Many of the paths show seemingly innocuous things such as images, documents, and pdfs to end with .exe or .bat, proving they are programs.

User uploaded file

Others end with "(INFECTED_JS)", unless the part in parentheses is not really part of the path, though it says it successfully deleted them. I'm not sure if I trust that or not.

User uploaded file


OK, I look forward to your advice. I've had a Mac since '11 but I don't dig around in it like this, so be gentle. Thanks, man!
