Q: Adware keeps coming back

Empty the Trash.

Launch Finder.

Click Macintosh HD in the Finder sidebar.

Open the Library folder.

Open the Launch Daemons folder.

Remove unfamiliar looking entries to trash.

Don’t empty the Trash yet.

Test Safari.

1. Disable all Extensions and test.

    Safari > Preferences > Extensions

    To uninstall any extension, select it and click the “Uninstall” button.

2. Safari > Preferences >  Search > Search Engine :

     Select your preferred   search engine.

3. Visit the site you want it be your Homepage

     Safari > Preferences > General > Homepage:

     Click “Set to Current Page” button under Homepage.

     Set your Homepage.

4. Run Malwarebytes Anti-Malware for Mac again, there may be an updated version available.

     https://www.malwarebytes.org/antimalware/mac/

You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and you've already found that it doesn't work.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Step 1

The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

Step 2

While running in safe mode, load this web page and then triple-click the line below to select it. Copy the text to the Clipboard by pressing the key combination  command-C:

/Library/LaunchDaemons

In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

Step 3

Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

          com.apple.something.plist

where something is a random, meaningless string of letters, different in every case.

Note that the name consists of four words separated by periods. Typical examples:

          com.apple.builins.plist

          com.apple.cereng.plist

          com.apple.nysgar.plist

There may also be one or more items with a name of this form:

          com.something.plist

Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

These names consist of three words separated by periods. Typical examples:

          com.semifasciaUpd.plist

          com.ubuiling.plist

Sometimes there are items (usually no more than one) with a name of this form:

          com.something.net-preferences.plist

This name consists of four words (the third one hyphenated) separated by periods. Typical example:

          com.jangly.net-preferences.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

Here are examples of legitimate files that might be found in the same folder:

          com.apple.FinalCutServer.fcsvr_ldsd.plist

          com.apple.installer.osmessagetracing.plist

          com.apple.qmaster.qmasterd.plist

          com.apple.aelwriter.plist

          com.apple.serverd.plist

          com.tether.plist

The first three are clearly not VSearch files because the names don't fit any of the above patterns. The last three are not easy to distinguish by the name alone, but the modification date will be earlier than the date on which VSearch was installed, perhaps by several years. None of these files will be present in most installations of OS X.

Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.

If you're not sure whether a file is part of the malware, order the folder contents by modification date as I wrote in Step 2, not by name. The malware files will be clustered together. There could be more than one such cluster, if you were attacked more than once. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

Step 4

Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

          Safari ▹ Preferences... ▹ General

and click

          Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.

Step 5

The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

Step 6

This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

Run Malwarebytes Anti-Malware for Mac and the odds are good that it will identify undesirable adware/malware and allow you to delete it.

https://www.malwarebytes.org/antimalware/mac/

Understand it does not protect your Mac nor does it run in the background. All it does is identify candidates for removal when you run it.

Note that it has be often recommended for use by Apple telephone support and is extensively used by Apple store genius bar technicians.

Ciao.

The "malwarebytes" product, as you already know (because you've tried it), does not work and is incapable of removing this malware.

You may try these instructions :

http://www.thesafemac.com/arg-vsearch/

Ciao.

A link has been posted to instructions for removing an early version of "VSearch." Those instructions are years out of date and won't work, any more than the "malwarebytes" product worked. Malware doesn't remain unchanged for years. It changes all the time to overcome the defenses against it.

<Edited by Host>

Hello elpinator,

Unfortunately, all of the suggestions you have received in this thread are wrong.

You seem to be dealing with a new malware version that MalwareBytes cannot remove. The first thing you should do is contact MalwareBytes and tell them. They should also you for information and samples of the malware in question. It is important to do that now, while you are still infected. MalwareBytes should also help you to manually remove the malware.

If you don't want to wait or if MalwareBytes is too swamped with other new malware, we can help you will manual removal instructions. That will start by running EtreCheck. Download EtreCheck from http://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID.

If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so.

EtreCheck probably won't have any more success than MalwareBytes. I need to update it to handle this recent strain of newly aggressive malware. And you really should give MalwareBytes first crack at it so they can improve the software and help other people in the future. Here is the problem. You only posted here and received a reply trashing MalwareBytes because MalwareBytes didn't work for you. If it had, you wouldn't have posted. But if you help them identify and track down this malware, thre will be a lot more people in the future who won't have to post like you have done. With malware, there is always someone who is going to be the unlucky sap who is one of the first to get a new strain of malware. None of the people who get the malware later, and have MalwareBytes wily remove it, will ever have reason to complain. But someone has to be first. But if all else fails, EtreCheck will include the necessary information to manually remove the malware. It won't be easy though.

Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

If you'd like to read a discussion in which the procedure I posted for removing "VSearch" was applied successfully, see this one from yesterday:

Re: cdn.freefarcy.*** removal

You can find many more by searching the site. What you will not find is an instance in which the procedure failed. It has been 100% successful so far when the instructions were followed.

Another thing you won't find is a discussion in which I asked anyone to download an unknown application from my website. There are several reasons for that:

1. ***********
2. All you need to remove the malware is a web browser and the Finder. Nothing else.
3. No software should ever be trusted to automatically remove files that it didn't install.
4. Downloading unknown, unnecessary software at the behest of a stranger is more of the same behavior that caused the problem in the first place. If you continue that behavior, you can expect more of the same, and worse, to come.

<Edited by Host>

There are obviously always going to be different vintages of adware in circulation. If the adware in that thread was removed with your manual instructions, then the OP could have also used EtreCheck to remove it with a single click. But there have been a number of recent threads where someone had to manually kill processes first. Otherwise, the adware would just reinstall itself instantly. That certainly seems to be the case in this thread.

<Edited by Host>

Linc Davis wrote:

 

Another thing you won't find is a discussion in which I asked anyone to download an unknown application from my website so that I could beg for money.

1. Downloading unknown, unnecessary software at the behest of a stranger is more of the same behavior that caused the problem in the first place.

Are using directions 'at the behest of a stranger' any different than downloading and using third party software?  In either case there is an element of risk.

What does the introduction of 'money' by you have to do with the problem at hand?  Perhaps you should review the Terms of Use for these forums.

Ciao.

Please follow  linc davis as he is a senior and to be respected and expert in computers .

To be very honest i always read his methods to sort out the issues and do write down the solutions that are very helpful . he will never misguide you .we are here to share knowledge & help each other and are still students thirsting for knowledge till the end of the time .

as he is a senior and to be respected

Respect isn't earned by a number. Someone's level is the last thing a person should take into consideration. The quality of a person's post and whether or not it was helpful is what matters.

Using your method of determination, if Stephen Hawking, Jony Ive, or Tim Cook signed up as a member of these forums, I should ignore anything they say because they would be level 0 users.