risscarey

Q: Getting redirected!

Whenever I am on a website that is retail related I am redirected to various sites.  I have tried emptying history, cache and extensions.  Nothing is working.  Please help.

iMac

Posted on Jun 1, 2016 4:40 PM


  • by neel95,

    neel95 neel95 Jun 1, 2016 6:08 PM in response to risscarey
    Level 1 (12 points)
    Desktops

    Try installing an antivirus which you can get for free for the first 30 days and run a full system scan.

  • by Linc Davis,

    Linc Davis Linc Davis Jun 1, 2016 7:44 PM in response to risscarey
    Level 10 (207,926 points)
    Applications

    You may have installed ad-injection malware ("adware").

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    Back up all data first.

    If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

    If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

    If the malware is not removed automatically, see below.

    This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

    Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

    If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.

    Step 1

    Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

    If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

    Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

    Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

    Leave the folder open for now.

    Step 2

    Do as in Step 1 with this line:

    /Library/LaunchAgents

    The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

    Step 3

    Repeat with this line:

    /Library/LaunchDaemons

    This time the folder will be named "LaunchDaemons."

    Step 4

    Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

    Step 5

    If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

  • by pinkstones,

    pinkstones pinkstones Jun 2, 2016 4:47 AM in response to neel95
    Level 5 (4,209 points)
    Safari

    neel95 wrote:

     

    Try installing an antivirus which you can get for free for the first 30 days and run a full system scan.

     

    Why would they do this when there are no viruses for OS X and the problem they're having has nothing to do with viruses anyway?  It's not going to find anything because there's nothing to find.  The problem they're having sounds like malware or adware, and anti-virus programs can't do jack squat about them.

  • by neel95,

    neel95 neel95 Jun 2, 2016 5:22 AM in response to pinkstones
    Level 1 (12 points)
    Desktops

    I know, but if you install something like Norton, it is all in one, which scans for malware and adware.

     

    Does that make sense?

  • by pinkstones,

    pinkstones pinkstones Jun 2, 2016 5:31 AM in response to neel95
    Level 5 (4,209 points)
    Safari

    No, because as I said, Macs do not need anti-virus programs.  That's any anti-virus program.  I don't care if it's Norton, Sophos, Avast, Avira, Intego, Kaspersky....the list goes on.  The majority of them, from what I and other contributors here have seen, negatively affect the performance of whatever system they're installed on.  They use up resources and don't provide any actual protection as there is nothing for them to protect you from.  Malware and adware are what Mac users really need to worry about, but avoiding it is simple.  Don't download anything from torrents, no matter what it is, and don't download anything from an aggregate download site.  Only download applications/plugins/extensions/drivers from either the Mac App Store/Safari Extensions Gallery or the developer's own website. 

     

    Installing an anti-virus program is not going to help this person.  Removing the malware/adware and resetting things like their preferred search engine and home page is what will.

  • by VikingOSX,

    VikingOSX VikingOSX Jun 2, 2016 7:55 AM in response to risscarey
    Level 7 (20,633 points)
    Mac OS X

    URL requests can be configured to jump to another location using various redirect mechanisms. Here is an article about those redirect mechanisms.

  • by risscarey,

    risscarey risscarey Jun 6, 2016 7:33 AM in response to Linc Davis
    Level 1 (8 points)
    Desktops

    [Attached screenshots: Screen Shot 2016-06-06 at 10.26.58.png, Screen Shot 2016-06-06 at 10.30.22.png, Screen Shot 2016-06-06 at 10.29.41.png]

    Here is a screen shot of each of the windows.  There are no Safari extensions.  I have never used anti-virus or malware software on any of my Mac products.  I've never had any trouble before now.  And I am getting redirected ONLY when I am on ANY retail type website.  I have the most current update as well.

  • by Linc Davis,

    Linc Davis Linc Davis Jun 6, 2016 9:21 AM in response to risscarey
    Level 10 (207,926 points)
    Applications

    A

    You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Step 1

    The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

    Step 2

    While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

    /Library/LaunchDaemons

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

    A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

    Step 3

    Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

              com.apple.something.plist

    where something is a random, meaningless string of letters, different in every case.

    Note that the name consists of four words separated by periods. Typical examples:

              com.apple.builins.plist

              com.apple.cereng.plist

              com.apple.nysgar.plist

    There may also be one or more items with a name of this form:

              com.something.plist

    Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

    These names consist of three words separated by periods. Typical examples:

              com.semifasciaUpd.plist

              com.ubuiling.plist

    Drag all such items to the Trash. You may be prompted for your administrator login password.

    Restart the computer and empty the Trash.

    If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

    If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

    Step 4

    Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari ▹ Preferences... ▹ General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    Step 5

    The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

    Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

    Step 6

    This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be one or more with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

    B

    You also installed one or more variants of the "InstallMac" trojan. Please take the steps below to disable it.

    The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    Back up all data before continuing.

    1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

    Press the key combination command-2 to select list view, if it's not already selected.

    There should be a column in the Finder window headed Date Modified. Click that heading to sort the contents by date. This will make related files easy to identify regardless of their names, because they will have the same modification date.

    2. Inside the folder you just opened, there may be files with a name of any of these forms:

              something.AppRemoval.plist

              something.download.plist

              something.ltvbit.plist

              something.notification.plist

              something.update.plist

    Here something is usually a meaningless string, such as any of the following:

              Epolife

              InstallMac

              Javeview

              Kuklorest

              Manroling

              Otwexplain

    These are examples, not a complete list. The string could be anything, and there could be more than one value of something. Look for a cluster of files with the same modification date that fit the description.

    Lately, the "InstallMac" attacker has been scrambling the strings "AppRemoval," "download," "ltvbit," and "update" in the names of his files. For example, you might see file names such as these, instead of the above:

              something.AppVemoral.plist

              something.dolnwoad.plist

              something.btvlit.plist

              something.uadpte.plist

    You could have more than one copy of the malware, with different values of something.

    Move all such items to the Trash. If there are any other files with a name that begins with something, move those to the Trash also. You may get a warning that some of the files are locked; delete them anyway.

    After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

    Log out or restart the computer. The trojan should now be inactive.

    3. This step is optional. Open the following folder as in Step 1:

    ~/Library/Application Support

    and move to the Trash any subfolders with the name something that you found in Step 2.

    Don't move the Application Support folder or anything else inside it.

    4. Open the Applications folder. If there is an item named something, or "Zip Devil," or with any of the other names listed in Step 2, drag it to the Trash.

    If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

    You may get an alert that the item is locked. Confirm that you want to move it to the Trash.

    Empty the Trash.

    If you get an alert that the application is in use, force it to quit.

    5. From the Safari menu bar, select

              Safari ▹ Preferences... ▹ Extensions

    Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

    If the Preference window won't open, restart the computer in safe mode. Certain caches maintained by the system will be rebuilt.

    6. Reset the search engine and the home page in each of your browsers, if either was changed. In Safari, first load the home page you want, then select

              Safari ▹ Preferences... ▹ General

    and click

              Set to Current Page

    C

    Until you have more experience as a Mac user, I suggest that you change a setting to allow only Apple updates and software from the App Store to be installed.

    Open the Security & Privacy pane in System Preferences and select the General tab. Click the lock icon in the lower left corner and enter your password to unlock the settings. Select the button marked

              Mac App Store

    and close the preference pane. For information about the effects of the setting, see this support article. You may need to change the setting temporarily to install some third-party software, such as Adobe Flash Player. Be especially careful with that, as malware is often distributed in the form of a fake Flash update. Never follow a link to a Flash update on any web page. Instead, use the built-in updater in the Flash Player preference pane.

    The products in the App Store, while they aren't always very good, can at least be considered safe enough to use.
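
Added example (not part of the post above, and not code from its author or from Apple): a read-only Python script for the triage that the two Linc Davis replies describe, flagging launchd files whose names fit the shapes quoted in the post along with any file modified in the same few minutes. The 300-second window, the anagram comparison for the scrambled suffixes, and all function names are assumptions of this example; as the post says, the name shapes are specific to these variants.

```python
import re
from pathlib import Path

# Name shapes quoted in the post. Heuristics for human review, not verdicts.
DAEMON_SHAPES = [re.compile(r"^com\.apple\.[A-Za-z]+\.plist$"),  # com.apple.something.plist
                 re.compile(r"^com\.[A-Za-z]+\.plist$")]         # com.something.plist
AGENT_WORDS = ["AppRemoval", "download", "ltvbit", "notification", "update"]
WINDOW = 300  # seconds; this example's assumed reading of "within a few minutes"

def name_reason(name, kind):
    """Return why a file name fits a shape from the post, or None."""
    if kind == "daemon":
        return "daemon name shape" if any(p.match(name) for p in DAEMON_SHAPES) else None
    parts = name.split(".")
    if len(parts) == 3 and parts[2] == "plist":
        for word in AGENT_WORDS:
            # The scrambled names in the post (dolnwoad, uadpte, ...) are
            # case-insensitive anagrams of the plain ones, so compare letters.
            if sorted(parts[1].lower()) == sorted(word.lower()):
                return f"agent suffix like {word}"
    return None

def clusters(entries):
    """Chain (name, mtime) pairs, newest first, while neighbours are <= WINDOW apart."""
    groups = []
    for name, mtime in sorted(entries, key=lambda e: e[1], reverse=True):
        if groups and groups[-1][-1][1] - mtime <= WINDOW:
            groups[-1].append((name, mtime))
        else:
            groups.append([(name, mtime)])
    return groups

def triage(folder, kind):
    """List (name, reason) to review: name matches plus their same-time cluster mates."""
    folder = Path(folder).expanduser()
    if not folder.is_dir():
        return []  # the post notes that the folder may not exist
    entries = [(p.name, p.stat().st_mtime) for p in folder.iterdir() if p.is_file()]
    findings = []
    for group in clusters(entries):
        reasons = {name: name_reason(name, kind) for name, _ in group}
        if any(reasons.values()):
            findings += [(n, reasons[n] or "same-time cluster as a match") for n, _ in group]
    return findings

if __name__ == "__main__":
    # Nothing is moved or deleted; the output is a list for a person to check.
    for path, kind in [("~/Library/LaunchAgents", "agent"),
                       ("/Library/LaunchDaemons", "daemon")]:
        for name, reason in triage(path, kind):
            print(f"{path}/{name}: {reason}")
```

A file reported only as a cluster mate matched no name shape; it is listed because the post treats a file dated in the middle of a malicious cluster as almost certainly related.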

  • by risscarey,

    risscarey risscarey Jun 6, 2016 6:23 PM in response to Linc Davis
    Level 1 (8 points)
    Desktops

    Thank you very much!  This seems to have done the trick.  I had known to do some of these steps, but not all and not very well so I didn't want to and risk messing up anything serious.  I have always been careful with my computer.  I believe the problem is because I synced with an older iMac I shared with my ex not too long ago.  I had noticed some "funnies" but didn't really have issues.  Again, Thank you!