Q: Getting rid of Trovi adware

Hi greff, download and run MalwareBytes. Malwarebytes was developed by one of our own colleagues here in ASC. It gets rave reviews and is about the most proven anti-malware software for Mac. Also, see this...

https://malwaretips.com/blogs/trovi-removal/

Try https://malwaretips.com/blogs/remove-trovi-mac-os-x/

I was recently looking for a movie online and I got into a website that supposedly stream it. Since I have my adblocker on, there was a message that says the video wont play without disabling it first. Being the dummy that I am, I disabled my adblocker for that site and the chaos started. Suddenly my screen went all white and the esc button wasn't functioning. I used my 3 fingers to swipe over the screen and luckily it worked. However, whenever I open my safari, the all white background returns again. I pressed the shift button when trying to open the safari (to avoid automatically reopening prior task), and somehow the "virus" seemed to be gone now. I tried looking for any malware using the procedures on the other discussions and removed those that ends with .helper.plst under the LaunchAgent file.

tl;dr

I dont know if there are still something left, so could anyone please check it for me? Here's the result of my etrecheck. Thank you so much!!!

EtreCheck version: 2.9.11 (264)

Report generated 2016-04-25 00:02:30

Download EtreCheck from https://etrecheck.com

Runtime 3:13

Performance: Good

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Problem: No problem - just checking

Hardware Information: ⓘ

    MacBook Pro (13-inch, Mid 2012)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook Pro - model: MacBookPro9,2

    1 2.5 GHz Intel Core i5 CPU: 2-core

    4 GB RAM Upgradeable - [Instructions]

        BANK 0/DIMM0

            2 GB DDR3 1600 MHz ok

        BANK 1/DIMM0

            2 GB DDR3 1600 MHz ok

    Bluetooth: Good - Handoff/Airdrop2 supported

    Wireless:  en1: 802.11 a/b/g/n

    Battery: Health = Normal - Cycle count = 548

Video Information: ⓘ

    Intel HD Graphics 4000

        Color LCD 1280 x 800

System Software: ⓘ

    OS X Yosemite 10.10 (14A389) - Time since boot: less than an hour

Disk Information: ⓘ

    APPLE HDD HTS547550A9E384 disk0 : (500.11 GB) (Rotational)

        EFI (disk0s1) <not mounted> : 210 MB

        Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

        Media (disk0s4) /Volumes/Media : 160.00 GB (152.46 GB free)

        Macintosh HD 2  (disk0s5) /Volumes/Macintosh HD 2  : 114.62 GB (114.40 GB free)

        Macintosh HD 3 (disk0s6) /Volumes/Macintosh HD 3 : 114.22 GB (16.80 GB free)

        Macintosh HD (disk1) / : 109.63 GB (34.57 GB free)

            Core Storage: disk0s2 110.00 GB Online

    MATSHITADVD-R  UJ-8A8 disk2 : (196.8 MB) ()

USB Information: ⓘ

    Apple Inc. FaceTime HD Camera (Built-in)

    Apple Inc. BRCM20702 Hub

        Apple Inc. Bluetooth USB Host Controller

    Apple Computer, Inc. IR Receiver

    Apple Inc. Apple Internal Keyboard / Trackpad

Thunderbolt Information: ⓘ

    Apple Inc. thunderbolt_bus

Gatekeeper: ⓘ

    Mac App Store

Kernel Extensions: ⓘ

        /System/Library/Extensions

    [not loaded]    com.devguru.driver.SamsungComposite (1.4.18 - SDK 10.6 - 2016-03-22) [Support]

        /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns

    [not loaded]    com.devguru.driver.SamsungACMControl (1.4.18 - SDK 10.6 - 2014-01-27) [Support]

    [not loaded]    com.devguru.driver.SamsungACMData (1.4.18 - SDK 10.6 - 2014-01-27) [Support]

    [not loaded]    com.devguru.driver.SamsungMTP (1.4.18 - SDK 10.5 - 2014-01-27) [Support]

    [not loaded]    com.devguru.driver.SamsungSerial (1.4.18 - SDK 10.6 - 2014-01-27) [Support]

System Launch Agents: ⓘ

    [not loaded]    5 Apple tasks

    [loaded]    142 Apple tasks

    [running]    56 Apple tasks

System Launch Daemons: ⓘ

    [not loaded]    45 Apple tasks

    [loaded]    137 Apple tasks

    [running]    80 Apple tasks

Launch Daemons: ⓘ

    [loaded]    com.adobe.SwitchBoard.plist (2012-08-11) [Support]

    [loaded]    com.adobe.fpsaud.plist (2016-04-05) [Support]

    [loaded]    com.malwarebytes.MBAMHelperTool.plist (2016-04-11) [Support]

    [loaded]    com.oracle.java.Helper-Tool.plist (2014-09-20) [Support]

User Launch Agents: ⓘ

    [failed]    com.apple.CSConfigDotMacCert-[...]@me.com-SharedServices.Agent.plist

    [failed]    com.facebook.videochat.[redacted].plist (2014-08-13) [Support]

    [loaded]    com.google.keystone.agent.plist (2016-03-02) [Support]

    [running]    com.spotify.webhelper.plist (2016-04-24) [Support]

User Login Items: ⓘ

    iTunesHelper    Application  (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

    Android File Transfer Agent    Application  (~/Library/Application Support/Google/Android File Transfer/Android File Transfer Agent.app)

    Spotify    Application Hidden (/Applications/Spotify.app)

Other Apps: ⓘ

    [running]    com.google.Chrome.5996

    [running]    com.google.android.mtpagent.98864

    [running]    com.spotify.client.49448

    [loaded]    357 Apple tasks

    [running]    163 Apple tasks

Internet Plug-ins: ⓘ

    FlashPlayer-10.6: 21.0.0.213 - SDK 10.6 (2016-04-08) [Support]

    QuickTime Plugin: 7.7.3 (2014-11-06)

    Flash Player: 21.0.0.213 - SDK 10.6 (2016-04-08) Outdated! Update

    EPPEX Plugin: 4.1.0.0 (2011-07-26) [Support]

    Default Browser: 600 - SDK 10.10 (2014-11-06)

    SharePointBrowserPlugin: 14.3.4 - SDK 10.6 (2013-05-19) [Support]

    Silverlight: 5.1.30317.0 - SDK 10.6 (2014-05-20) [Support]

    JavaAppletPlugin: Java 8 Update 65 build 17 (2015-11-09) Check version

3rd Party Preference Panes: ⓘ

    Flash Player (2016-04-05) [Support]

    Java (2015-11-09) [Support]

Time Machine: ⓘ

    Auto backup: YES

    Volumes being backed up:

        Macintosh HD: Disk size: 109.63 GB Disk used: 75.06 GB

    Destinations:

        Macintosh HD 3 [Local]

        Total size: 114.22 GB

        Total number of backups: 60

        Oldest backup: 7/1/15, 4:44 PM

        Last backup: 4/24/16, 6:40 PM

        Size of backup disk: Too small

            Backup size 114.22 GB < (Disk used 75.06 GB X 3)

Top Processes by CPU: ⓘ

        5%    mdworker(9)

        3%    kernel_task

        3%    Google Chrome

        2%    Google Chrome Helper(6)

        2%    fontd

Top Processes by Memory: ⓘ

    766 MB    Google Chrome Helper(6)

    447 MB    kernel_task

    209 MB    Google Chrome

    147 MB    mdworker(9)

    119 MB    imagent

Virtual Memory Information: ⓘ

    320 MB    Free RAM

    3.69 GB    Used RAM (1.02 GB Cached)

    0 B    Swap Used

Diagnostics Information: ⓘ

    Apr 24, 2016, 11:19:51 PM    Self test - passed

    Apr 24, 2016, 07:05:27 PM    /Library/Logs/DiagnosticReports/storedownloadd_2016-04-24-190527_[redacted].cpu _resource.diag [Details]

        /System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/st oredownloadd

    Apr 23, 2016, 11:14:57 PM    ~/Library/Logs/DiagnosticReports/VTDecoderXPCService_2016-04-23-231457_[redacte d].crash

        /System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDeco derXPCService.xpc/Contents/MacOS/VTDecoderXPCService

Try uninstalling Spotify.

Spotify Uninstall

Allan Eckert wrote:

 

Try https://malwaretips.com/blogs/remove-trovi-mac-os-x/

Please note that AdwareMedic (as listed on the Malware Tips blog) is now Malwarebytes Anti-Malware for Mac.

The software you mentioned works. In addition to that I had to do the following.

- Remove some weird looking programs in /Library directory (they have names like tasard)

- Stop the processes corresponding to these programs in Activity Monitor

Until you remove these programs manually, (and you will need to be root to do that). You can sudo t root, you will not be able to fix the problems. I had to go into the browser a couple of times and reset them, and delete all the caches as well as remove the search engine for Trovi.

Here is a snippet of what cr*p I see in the watch.log file in /Library that really alerted me about a bunch of daemons that were constantly running. I have changed the User to xxxxx for purpose of discreteness. Notice how it hits a website and tries to download and unzip a gz file. This is definitely a virus. On some sites they have said this is not a virus. This website should be shut down (trovi.com) and the people need to be arrested and put in jail. I spent an upwards of 6 hours fixing this problem.

debug(): Safari new version url error

debug(): Safari's homepage not found. Reinstall.

Name tasard User xxxxx Browsers Trovi__Chrome-Succeed __Firefox-Succeed __Safari-Failed-http://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=55&UM=8&gd=SY100 0250 is not registered

Log-"http://t.trkitok.com/track/slog?mid=C27924BC-A736-5ECF-9D81-8F7542464F28&log=Dat a replaced_Name tasard User xxxxx Browsers Trovi__Chrome-Succeed __Firefox-Succeed __Safari-Failed-http://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=55&UM=8&gd=SY100 0250 is not registered"

Ping-"http://t.trkitok.com/track/surl?mid=C27924BC-A736-5ECF-9D81-8F7542464F28&ht=http ://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=55&UM=8&gd=SY1000250 &nt=http://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=69&UM=8&gd=S Y1000250&su=http://www.trovi.com/Results.aspx?n=PP55de9d4bd4464c22-0-OM-US&searc hsource=58&UM=8&gd=SY1000250"

Watcher - Reinstalling...

Watcher - cd /Library/; tar xfz Trovi.tar.gz; rm -f Trovi.tar.gz;

Watcher - cd /Library/Trovi; ./setup.sh "http://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=55&UM=8&gd=SY100 0250" "http://www.trovi.com/?n=PP55de9d4bd4464c22-0-OM-US&searchsource=69&UM=8&gd=SY100 0250" "http://www.trovi.com/Results.aspx?n=PP55de9d4bd4464c22-0-OM-US&searchsource=58&U M=8&gd=SY1000250" Trovi PP55de9d4bd4464c22-0-OM-US--C27924BC-A736-5ECF-9D81-8F7542464F28 noinit;

Checking for competitors... done.