You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.
Look inside the folder for files with a name of any of these forms:
com.something.daemon.plist
com.something.helper.plist
com.something.net-preferences.plist
Here something is a meaningless, random string of characters, which can be different in each instance of VSearch. So far it has always been an alphanumeric string without punctuation, such as "disbalance" or "thunderbearer."
You could have more than one copy of the malware, with different values of something.
There may also be one or more files with a name of this form:
com.somethingelseUpd.plist
where somethingelse may be a different meaningless string than something. Again, there may be more than one such file, with different values of somethingelse.
Here's a typical example of a VSearch infection:
com.disbalance.net-preferences.plist
com.thunderbearerUpd.plist
You will have files with names similar, but probably not identical, to these.
If you feel confident that you've identified the above files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.
2. Open this folder as in Step 1:
/Library/LaunchAgents
Move to the Trash any files with a name of the form
com.something.agent.plist
where something is one of the strings you found in Step 1. There may not be any such files.
3. If you moved anything to the Trash in Step 1 and/or Step 2, restart the computer and empty the Trash.
Don't delete the "LaunchAgents" or "LaunchDaemons" folder, or anything else inside either one, unless you know you have some other kind of unwanted software besides VSearch. The folders are a normal part of OS X. The terms "agent' and "daemon" refer to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.
4. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
5. If you didn't find the files or you're not sure about the identification, post what you found.
If in doubt, or if you have no backups, change nothing at all.
6. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.
This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Then, still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
