VSearch is a adware targeting macOS, first discovered in 2014. VSearch is a persistent macOS adware that injects advertisements into web pages and search results across all browsers. It installs a system-level daemon that runs with root privileges, making it harder to remove than typical adware. VSearch redirects search queries through its own advertising network, replaces legitimate ads on web pages with its own, and inserts additional banner and pop-up advertisements. It was one of the first Mac adware families to use a kernel extension for persistence on older macOS versions and is frequently bundled with other adware like Genieo and Conduit. CoreLock detects this threat using CoreLock detects VSearch through system daemon monitoring that flags unauthorized privileged helper tools, browser integrity checks that identify ad-injection modifications, YARA rules matching VSearch binary signatures and known variant hashes, and behavioral detection of search query redirection through advertising proxy networks.
Also known as: OSX.VSearch, MacVSearch, OperatorMac
VSearch is a persistent macOS adware that injects advertisements into web pages and search results across all browsers. It installs a system-level daemon that runs with root privileges, making it harder to remove than typical adware. VSearch redirects search queries through its own advertising network, replaces legitimate ads on web pages with its own, and inserts additional banner and pop-up advertisements. It was one of the first Mac adware families to use a kernel extension for persistence on older macOS versions and is frequently bundled with other adware like Genieo and Conduit.
Bundled with free software downloads from third-party sites including fake media players and PDF readers
Deceptive installer dialogs where VSearch is pre-selected as an 'optional' component during software installation
Fake Flash Player update prompts on compromised or malicious websites
Download portals that wrap legitimate software in ad-injecting installer shells
Additional ads appearing on websites that normally don't show ads, including Google search results and Wikipedia
A daemon process named 'VSearchHelper' or 'VSearchAgent' visible in Activity Monitor
Files present at /Library/PrivilegedHelperTools/VSearchHelper or /Library/Application Support/VSearch/
Browser search queries being redirected through unfamiliar advertising domains before reaching the intended search engine
Stop and remove the VSearch system daemon: sudo launchctl unload /Library/LaunchDaemons/com.vsearch.helper.plist and then sudo rm /Library/LaunchDaemons/com.vsearch.helper.plist. Also remove sudo rm /Library/PrivilegedHelperTools/VSearchHelper
Remove VSearch data directories: sudo rm -rf /Library/Application\ Support/VSearch and rm -rf ~/Library/Application\ Support/VSearch. Also check for and remove any VSearch-related folders in /Library/Application Support/.
Delete VSearch user-level persistence: rm ~/Library/LaunchAgents/com.vsearch.agent.plist. Also check for variant names: ls ~/Library/LaunchAgents/ | grep -i vsearch and remove any matches.
Remove VSearch or ad-injecting extensions from all browsers. Safari: Settings > Extensions. Chrome: chrome://extensions. Firefox: about:addons. Reset your homepage and search engine settings in each browser.
On macOS 10.14 and earlier, VSearch may have installed a kernel extension. Check: ls /Library/Extensions/ | grep -i vsearch. If found: sudo kextunload /Library/Extensions/VSearch.kext and sudo rm -rf /Library/Extensions/VSearch.kext. This is not applicable to macOS 10.15+ which blocks third-party kexts.
Run a full CoreLock scan to detect remaining VSearch components, verify no residual daemon or helper processes are running, and ensure all browser modifications have been reversed.
Avoid downloading software from third-party download wrapper sites that bundle adware with legitimate applications
Always select 'Custom Install' and uncheck any pre-selected optional software during installations
Ignore 'Update Flash Player' prompts on websites — Flash Player has been discontinued since 2020
Use CoreLock to monitor for unauthorized system daemon installations and ad-injection browser modifications
Real-time Detection
CoreLock detects VSearch through system daemon monitoring that flags unauthorized privileged helper tools, browser integrity checks that identify ad-injection modifications, YARA rules matching VSearch binary signatures and known variant hashes, and behavioral detection of search query redirection through advertising proxy networks.
Check which apps have camera access on your Mac and revoke access you didn't approve.
Check which apps have microphone access on your Mac and revoke access you didn't approve.
Check which apps have screen recording on your Mac and revoke access you didn't approve.
The clearest sign is seeing extra advertisements on websites that normally don't display them, such as Wikipedia, Google search results, or news sites. These injected ads often look out of place and may appear as banner ads, pop-ups, or highlighted text links. Check Activity Monitor for processes named VSearchHelper or VSearchAgent, and look for files in /Library/Application Support/VSearch/ or /Library/PrivilegedHelperTools/VSearchHelper.
VSearch installs a privileged helper daemon that runs with root (administrator) privileges, meaning it can reinstall itself even after you delete the main application. On older macOS versions, it could also install a kernel extension for even deeper persistence. You must remove the LaunchDaemon plist, the helper tool, and all support files — not just the visible application — to fully eliminate it.
While VSearch is primarily an ad-injector and does not steal passwords or encrypt files, it runs with root privileges and modifies your web traffic, which poses real security risks. It can redirect you to malicious websites, expose you to malvertising that installs additional malware, and compromise your browsing privacy by tracking all web activity. Apple classifies it as malware in XProtect.
Yes. Because VSearch operates at the system level through a privileged daemon rather than as a browser extension, it can inject ads into web traffic for all browsers simultaneously. Even if you clean one browser's extensions, the system-level component continues to modify web pages in all browsers until the root daemon and helper tools are removed.
Download CoreLock to detect and remove VSearch and other macOS threats. AI-powered analysis, real-time monitoring, and one-click remediation.
Download CoreLock FreeAvailable for macOS and Windows