You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then take the steps below to inactivate it.
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Step 1
The VSearch malware tries to hide itself by varying the names of the files it installs. It also regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.
Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.
Step 2
While running in safe mode, load this web page and then triple-click the line below to select it. Copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. If it does, press the key combination command-2 to select list view, if it's not already selected.
There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.
Step 3
Inside the LaunchDaemons folder, there may be one or more files with a name of this form:
com.apple.something.plist
where something is a random, meaningless string of letters, different in every case.
Note that the name consists of four words separated by periods. Typical examples:
com.apple.builins.plist
com.apple.cereng.plist
com.apple.nysgar.plist
There may also be one or more items with a name of this form:
com.something.plist
Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.
These names consist of three words separated by periods. Typical examples:
com.semifasciaUpd.plist
com.ubuiling.plist
Sometimes there are items (usually no more than one) with a name of this form:
com.something.net-preferences.plist
This name consists of four words (the third one hyphenated) separated by periods. Typical example:
com.jangly.net-preferences.plist
Drag all such items to the Trash. You may be prompted for your administrator login password.
Restart the computer and empty the Trash.
Here are examples of legitimate files that might be found in the same folder:
com.apple.FinalCutServer.fcsvr_ldsd.plist
com.apple.installer.osmessagetracing.plist
com.apple.qmaster.qmasterd.plist
com.apple.aelwriter.plist
com.apple.serverd.plist
com.tether.plist
The first three are clearly not VSearch files because the names don't fit any of the above patterns. The last three are not easy to distinguish by the name alone, but the modification date will be earlier than the date on which VSearch was installed, perhaps by several years. None of these files will be present in most installations of OS X.
Don't delete the "LaunchDaemons" folder or anything else inside it, unless you know you have some other kind of unwanted software besides VSearch. The folder is a normal part of OS X. The term "daemon" refers to a program that starts automatically. That's not inherently bad, but the mechanism is sometimes exploited by malware attackers.
If you're not sure whether a file is part of the malware, order the folder contents by modification date as I wrote in Step 2, not by name. The malware files will be clustered together. There could be more than one such cluster, if you were attacked more than once. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.
If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.
Step 4
Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.
The malware is now permanently inactivated, as long as you never reinstall it. A few small files will be left behind, but they have no effect, and trying to find them all is more trouble than it's worth.
Step 5
The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.
Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.
Step 6
This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be some with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.
