Help identify malware in launchdaemon

I suddenly have pop up ads appearing all the time in new browser windows and words in documents are linking up to ads too. I have checked my launchdaemon folder and found all of the following:


  • com.semisquare.plist
  • com.infatuate.plist
  • com.principate.plist
  • com.arthrotome.plist
  • com.Aegipan.plist
  • com.urinology.plist
  • com.obliquate.plist
  • com.unstridulous.plist
  • com.Tachyglossidae.plist
  • com.underbitten.plist
  • com.acetamide.plist
  • com.AlbizziaUpd.plist
  • com.childly.plist
  • com.apple.etiao.plist
  • com.uquoroden.plist
  • com.apple.ertur.plist
  • com.apple.beldanash.plist
  • com.adobe.fpsaud.plist
  • com.lacie.desktopmanager.service.plist
  • com.adobe.SwitchBoard.plist


Most of them (apart from the last 3 on the list) have been modified in the last few days.


When I go to the launchagents folder I have the following:


  • com.adobe.AAM.Updater-1.0.plist
  • com.adobe.CS5ServiceManager.plist
  • com.lacie.eventsactions.launcher.agent.plist

all of which have been on my Mac for several years.


So - are all of the items in launchdaemons malware? If so, can I just remove them by trashing them?


Any help much appreciated.


Thanks

Jane

iMac (21.5-inch Mid 2010), OS X El Capitan (10.11.4)

Posted on Jun 2, 2016 12:34 PM


Jun 2, 2016 3:00 PM in response to JaneLSS

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

While running in safe mode, triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons

Right-click or control-click the line and select

Services ▹ Open

from the contextual menu.* A folder named "LaunchDaemons" should open.

Inside that folder there are one or more items with a name that begins like this:

com.apple.

There are also one or more items with a three-part name of this form:

com.something.plist

where something is a meaningless string of letters, different in every case. Typical examples:

com.semifasciaUpd.plist

com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
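
A read-only inventory of the folder discussed in this thread, as an added example that is not part of either post: it applies the two file-name shapes given in the reply, adds the recent-modification cue from the question, and reports which program each matching job launches. The function names, the 7-day window and the output format are assumptions of this example; a match is a candidate for review, not a verdict.

```python
import plistlib
import re
import time
from pathlib import Path

# The two name shapes the reply describes for /Library/LaunchDaemons.
APPLE_LOOKALIKE = re.compile(r"^com\.apple\..+\.plist$")   # com.apple.<anything>.plist
THREE_PART = re.compile(r"^com\.[^.]+\.plist$")            # com.<one word>.plist


def name_pattern(filename):
    """Return which of the two name shapes a file name matches, or None."""
    if APPLE_LOOKALIKE.match(filename):
        return "com.apple.* name"
    if THREE_PART.match(filename):
        return "three-part com.<word>.plist name"
    return None


def triage(directory="/Library/LaunchDaemons", recent_days=7, now=None):
    """Report matching launchd jobs. Read-only: nothing is moved or deleted."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        pattern = name_pattern(path.name)
        if pattern is None:
            continue
        try:
            with path.open("rb") as fh:
                job = plistlib.load(fh)
            # launchd executes Program if set, otherwise ProgramArguments[0].
            program = job.get("Program") or (job.get("ProgramArguments") or ["<none>"])[0]
        except Exception:
            program = "<unparsed>"  # malformed plist: still worth listing
        age_days = (now - path.stat().st_mtime) / 86400
        findings.append({
            "file": path.name,
            "pattern": pattern,
            "program": program,
            "recent": age_days <= recent_days,
        })
    return findings


if __name__ == "__main__":
    for f in triage():
        print("{file}: {pattern}; runs {program}; recently modified: {recent}".format(**f))
```

Run on the file names from the question, the name check leaves com.adobe.fpsaud.plist, com.lacie.desktopmanager.service.plist and com.adobe.SwitchBoard.plist unflagged, which are the same three the poster describes as not recently modified.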
