Q: I get random links to advertisements ("Deal Top") everywhere on websites

Click here and follow the instructions, or if there’s a type of adware not covered by them on the computer, these ones. If you'd rather not remove it manually, you can instead run MalwareBytes for Mac.

MalwareBytes simplifies the process of removing adware but doesn't stop it or other malware from getting onto the computer. It shouldn’t be relied on to prevent future incidents; instead, avoid downloading software from sources other than the Mac App Store or the developer websites.

(141988)

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

/Library/LaunchDaemons

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within about one minute, so they will be clustered together when you sort the folder this way, making them easy to identify.

Look inside the folder for files with a name of any of these forms:

          com.something.daemon.plist

          com.something.helper.plist

          com.something.net-preferences.plist

Here something is a meaningless, random string of characters, which can be different in each instance of VSearch. So far it has always been an alphanumeric string without punctuation, such as "disbalance" or "thunderbearer."

You could have more than one copy of the malware, with different values of something.

There may also be one or more files with a name of this form:

           com.somethingelseUpd.plist

where somethingelse may be a different meaningless string than something. Again, there may be more than one such file, with different values of somethingelse.

Here's a typical example of a VSearch infection:

          com.disbalance.net-preferences.plist

          com.thunderbearerUpd.plist

You will have files with names similar, but probably not identical, to these.

IMPORTANT: Lately the attacker has been breaking out of his usual naming pattern in an attempt to defeat this procedure. If you see any files in the LaunchDaemons folder that have a modification time within one minute of files that fit the pattern, those can be assumed to be part of the infection. The name may contain the word "apple" to make it look like part of OS X. Normally there would be no OS X files in that folder, and if there were any, they would have a different modification time. Ask if you're in doubt.

If you feel confident that you've identified the malicious files, drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder window.

2. Open this folder as in Step 1:

/Library/LaunchAgents

Move to the Trash any files with a name of the form

          com.something.agent.plist

where something is one of the strings you found in Step 1. There may not be any such files.

3. If you moved anything to the Trash in Step 1 and/or Step 2, restart the computer and empty the Trash.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder, or anything else inside either one, unless you know you have some other kind of unwanted software besides VSearch. The folders are a normal part of OS X. The terms "agent' and "daemon" refer to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

4. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

5. If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

6. The trouble may have started when you downloaded and ran an application called "MPlayerX" or "PDF Pronto." If there is an item with either name in the Applications folder, delete it.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

          Install system data files and security updates (OS X 10.10 or later)

or

          Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.