remove trovi from safari
Hello,
For few days when I open Safari, open with trovi.
I try to delete it from the macbook but I can't.
Have you ideea about this and what I must do.
Best regards
Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.
You may have installed one or more variants of the "VSearch" ad-injection malware. Please back up all data, then follow Apple Support's instructions to remove it.
If you have trouble following those instructions, or if they don't work, see below.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
/Library/LaunchDaemons
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.
A folder named "LaunchDaemons" may open. Look inside it for two files with names of any of these forms:
com.something.daemon.plist
com.something.helper.plist
com.something.net-preferences.plist
com.something.preferences.plist
Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.
You could have more than one copy of the malware, with different values of something.
There may also be one or more files with a name of this form:
com.somethingUpd.plist
where something may be a different meaningless string than in the other files. Again, there may be more than one such file, with different values of something.
Here's a specific example of a VSearch infection:
com.disbalance.daemon.plist
com.disbalance.helper.plist
com.thunderbearerUpd.plist
You will have files with names similar, but probably not identical, to these.
2. If you find such files, leave the LaunchDaemons folder open, and open the following folder in the same way:
/Library/LaunchAgents
In this folder, there may be a file named
com.something.agent.plist
where the string something is the same as before.
If you feel confident that you've identified the above files, back up all data, then drag just those files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.
Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.
3. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select
Safari ▹ Preferences... ▹ General
and click
Set to Current Page
The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.
4. This step is optional. Open this folder:
/Library
It may have subfolders named as follows
something
somethingUpd
where something is any of the strings you saw before. Drag any such subfolders to the Trash and close the window.
Don't delete the "Library" folder or anything else inside it.
5. This step doesn't apply to OS X 10.11 ("El Capitan") or later, and is optional if you're running an older version of OS X.
In this folder:
/System/Library/Frameworks
there may be an item named exactly
v.framework
or else an item named
something.framework
Again, something is the same string as before.
This item is actually a folder, though it has a different icon than usual. Drag it to the Trash and close the window.
Don't delete the "Frameworks" folder or anything else inside it.
6. If you didn't find the files or you're not sure about the identification, post what you found.
If in doubt, or if you have no backups, change nothing at all.
7. The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.
This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.
In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.
Then, still in System Preferences, open the App Store or Software Update pane and check the box marked
Install system data files and security updates (OS X 10.10 or later)
or
Download updates automatically (OS X 10.9 or earlier)
if it's not already checked.
