OFFICIAL SECURITY BLOG

We’ve moved! You can now read the latest and greatest on Mac adware and malware at Malwarebytes.

Adware Removal Guide : VSearch

Published February 25th, 2014 at 1:30 PM EDT , modified August 21st, 2015 at 6:23 AM EDT

VSearch is one of the most common adware programs, commonly found in fake “video streaming” installers. It originally began as a fake torrent downloading app, under the name Downlite, but this name hasn’t been seen in some time now. VSearch displays pop-up ads and redirects the user to a different search engine.

VSearch was one of the first modern adware programs to be identified as malicious by Apple, following an episode of blocking this site and the AdwareMedic site on Macs infected with this adware. Newer variants of VSearch have not been similarly blocked, however, and are still a threat.

Removal

Move the following items to the trash. Note that removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them. Also, this list represents all files installed by all known variants of VSearch, so not all files listed will be present. If you don’t know how to locate a file based on the path given below, you should read Locating files from paths.

/Library/Application Support/VSearch
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/LaunchDaemons/Jack.plist
/Library/PrivilegedHelperTools/Jack
/System/Library/Frameworks/VSearch.framework
/System/Library/Frameworks/v.framework

You may also find files with the following names, where “xxx” can be any word:

/Library/LaunchAgents/com.xxx.agent.plist
/Library/LaunchDaemons/com.xxx.daemon.plist
/Library/LaunchDaemons/com.xxx.helper.plist

Some examples of words used in place of the “xxx” that I have seen are “heizenberg,” “dot,” “steak” and “moonlight.” However, many other variants also exist. In all cases, whatever word was used on a particular Mac was used for all these files. In other words, you should only see one single word used in place of “xxx” in all of these files on your Mac. (If you have more than one variant of VSearch, you may see duplicated sets of these files, where each set has a different name.) If you see any files matching these descriptions, move them to the trash.

In addition, you should look for files in the following locations with the same names as the “xxx” in the LaunchAgent and LaunchDaemons files that you found:

/Library/Application Support/xxx
/System/Library/Frameworks/xxx.framework

After you have moved all VSearch-related items to the trash, restart the computer. After restarting, you can empty the trash.

<- Back to Adware Removal Guide