wclodius

Q: How do I remove Trovi after doing the obvious

I acquired Trovi about a week ago. It quickly infected Firefox, Chrome, and Safari. I ran Adware Medic which claimed to move the files to Trash and emptied the Trash. Still present. I then got Adware Doctor and MalwareBytes Anti-Malware, ran them with no fix. I went to Linc Davis's site and followed his advice, found no extensions in any of the browsers, found no obvious files in /Library/LaunchAgents, /Library/LaunchDaemons, or ~/Library/LaunchAgents. I did find one file installed as root and removed it. The file was

~/Library/Application\ Support/Firefox/Profiles/15den4ak.default-1450036030435/searchplugins/

with contents

 

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Trovi</ShortName>
<Description>Trovi</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height="16">data:x-icon;base64,AAABAAEAEBAAAAAAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEA IAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAD///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbuEtUWcTpWfjjWGu55U mI/Bj7wD////AapnpHuON4exqGOiieTO4Sf///8B////Af///wH///8B////AbN1rHmEKHvrgx94/5Eq gv+EGHj/rm6pa7V6r1eGHnz/jCeA/38adf+VQYzNv4q5Tf///wH///8BwIu6V4stgNNuAGP/fxRw/5wn g/+hMYP/njiA/69po/usZKD5mS58/6EuhP+aJ4P/dQNn/2wAYf+vbaefzaTIG61rpqdhAFT/gBh1/6Er h/+bLXn/lEtr/6FffP+pYpj/qWKX/6FffP+VSG3/miN3/6Axif98FnL/WgBM/6NXmrP///8BsXSrYZ41 ifuaH3r/k0pr/5ZTb/+aTYT/dwht/3sQcf+dVYb/kk5p/5ZIb/+eIX//kyqB+axxqZe9ibgp////Adai yCmWFHf/lSd1/5JNaf+lZYb/jDF9/3IAaf95C3H/jzZ9/55ae/+VT2z/lSF1/5sigPP///8B////Af// /wGxVJrVigBr/5w3fP+UTmr/nlh9/5I+f/93BnD/fA50/5RCfv+bVHn/lU9t/5Mgc/95AFT/u2qno/// /wH///8BwHeuW7NPn22rXI+tkEhk/5VIcv+TQnT/jjOB/481gP+WSHj/lUtz/4xAYP+uWpXLt2CjpcqM u33///8B////Af///wH///8Bsn6VQX0kS/+NPWb/k0R0/5VHdv+URnX/jjxt/4MsVv+DL1X/4svZKf// /wH///8B////Af///wH///8B////AbySo1OdWXnnuIece6Rhis2FK2H/gyde/72Lqausc4yvmVJ0/f7/ /Q3///8B////Af///wH///8B////Af///wHWuMYN07XDDf///wHPq8Ezhy5l/5NDdPX///8B////Acml tjHHo7QH////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbF3mpnYvM5d////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8BAAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA //8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//w==</Image>
<Url type="application/x-suggestions+json" method="GET" template="http://suggestqueries.google.com/complete/search?output=firefox&amp;client=firefox&amp;qu={searchTerms}" />
<Url type="text/html" method="GET" template="http://www.trovi.com/">
<Param name="q" value="{searchTerms}" />
</Url>
<SearchForm>http%3A%2F%2Fwww.trovi.com%2FResults.aspx%3Fn%3DDP2791%26searchsource%3D58%26UM%3D8%26gd%3DSY1000250/</SearchForm>
</SearchPlugin>

Trovi was still active. I removed Player x; Trovi was still active. I removed Firefox and Chrome in the hope that their infection was causing problems for Safari. Safari still has Trovi.

 

Symptoms in Safari: trying to show extensions in the browser window yields an empty list. Setting the homepage to something other than Trovi temporarily works, but after one or two restarts Trovi reappears as the home page. If I set it so that the startup and new tab pages are empty, after a bit the window will close and then reappear with Trovi set as the home page and start and new tabs set to display the homepage. Turning off JavaScript blocks its ads, but of course makes other things impossible and does nothing to stop Trovi becoming the home page.

 

I have also been getting requests on startup for the login keychain from

  • Identityservicesd
  • comm.apple.icloudHelper.xpc
  • AddressBookSourceSync
  • accountsd
  • MessagesAgent
  • and CommCenter

 

FWIW I have OS X El Capitan 10.11.4

 

EtreCheck reports

EtreCheck version: 2.9.12 (265)

Report generated 2016-05-13 22:29:08

Download EtreCheck from https://etrecheck.com

Runtime 1:33

Performance: Excellent

 

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

 

Check Apple signatures: Enabled

 

Problem: Other problem

 

Hardware Information: ⓘ

    MacBook Pro (Retina, 15-inch, Early 2013)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook Pro - model: MacBookPro10,1

    1 2.4 GHz Intel Core i7 CPU: 4-core

    8 GB RAM Not upgradeable

        BANK 0/DIMM0

            4 GB DDR3 1600 MHz ok

        BANK 1/DIMM0

            4 GB DDR3 1600 MHz ok

    Bluetooth: Good - Handoff/Airdrop2 supported

    Wireless:  en0: 802.11 a/b/g/n

    Battery: Health = Normal - Cycle count = 137

 

Video Information: ⓘ

    Intel HD Graphics 4000

        Color LCD 2880 x 1800

    NVIDIA GeForce GT 650M - VRAM: 1024 MB

 

System Software: ⓘ

    OS X El Capitan 10.11.4 (15E65) - Time since boot: about one hour

 

Disk Information: ⓘ

    APPLE SSD SD256E disk0 : (251 GB) (Solid State - TRIM: Yes)

        EFI (disk0s1) <not mounted> : 210 MB

        Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

        Macintosh HD (disk1) / : 249.77 GB (29.73 GB free)

            Core Storage: disk0s2 250.14 GB Online

 

USB Information: ⓘ

    Apple Inc. FaceTime HD Camera (Built-in)

    Apple Inc. Apple Internal Keyboard / Trackpad

    Apple Inc. BRCM20702 Hub

        Apple Inc. Bluetooth USB Host Controller

 

Thunderbolt Information: ⓘ

    Apple Inc. thunderbolt_bus

 

Gatekeeper: ⓘ

    Mac App Store and identified developers

 

Kernel Extensions: ⓘ

        /Library/Extensions

    [not loaded]    com.BlackBerry.driver.USBCDCNCM (1.0.6 - SDK 10.7 - 2016-04-05) [Support]

    [loaded]    com.rim.driver.BlackBerryUSBDriverInt (2.2.7 - SDK 10.7 - 2016-04-05) [Support]

    [loaded]    com.rim.driver.BlackBerryVirtualPrivateNetwork (1.0.18 - SDK 10.8 - 2016-04-05) [Support]

 

Startup Items: ⓘ

    daemonic-dbus: Path: /Library/StartupItems/daemonic-dbus

    Startup items are obsolete in OS X Yosemite

 

System Launch Agents: ⓘ

    [not loaded]    8 Apple tasks

    [loaded]    154 Apple tasks

    [running]    76 Apple tasks

 

System Launch Daemons: ⓘ

    [not loaded]    44 Apple tasks

    [loaded]    158 Apple tasks

    [running]    88 Apple tasks

 

Launch Agents: ⓘ

    [running]    com.mozy.status.plist (2016-03-13) [Support]

    [loaded]    com.oracle.java.Java-Updater.plist (2014-01-01) [Support]

    [running]    com.rim.BBLaunchAgent.plist (2013-11-08) [Support]

    [running]    com.rim.PeerManager.plist (2013-11-08) [Support]

    [running]    com.rim.blackberrylink.BlackBerry-Link-Helper-Agent.plist (2013-11-08) [Support]

    [loaded]    org.macosforge.xquartz.startx.plist (2015-10-16) [Support]

 

Launch Daemons: ⓘ

    [failed]    com.adobe.fpsaud.plist (2016-04-15) [Support]

    [not loaded]    com.apple.nysgar.plist (2016-05-08) - Executable not found!

    [loaded]    com.barebones.authd.plist (2012-11-22) [Support]

    [loaded]    com.barebones.textwrangler.plist (2010-01-30) [Support]

    [loaded]    com.github.GitHub.GHInstallCLI.plist (2013-04-06) [Support]

    [loaded]    com.malwarebytes.MBAMHelperTool.plist (2016-05-09) [Support]

    [loaded]    com.microsoft.office.licensing.helper.plist (2012-04-02) [Support]

    [running]    com.mozy.backup.plist (2016-03-13) [Support]

    [loaded]    com.oracle.java.Helper-Tool.plist (2014-01-01) [Support]

    [running]    com.rim.BBDaemon.plist (2013-11-08) [Support]

    [not loaded]    com.rim.nkehelper.plist (2013-11-08) [Support]

    [running]    com.rim.tunmgr.plist (2013-11-08) [Support]

    [loaded]    org.macosforge.xquartz.privileged_startx.plist (2015-10-16) [Support]

 

User Launch Agents: ⓘ

    [failed]    com.adobe.ARM.[...].plist (2009-10-22) [Support]

    [loaded]    com.google.keystone.agent.plist (2016-05-11) [Support]

 

User Login Items: ⓘ

    iSyncr    Application  (/Applications/iSyncr.app)

    Skype    Application  (/Applications/Skype.app)

 

Other Apps: ⓘ

    [running]    com.JRTStudio.iSyncrWiFi.58272

    [running]    com.apple.nysgar

    [running]    com.etresoft.EtreCheck.268512

    [loaded]    com.excitedpixel.breaktimelauncher

    [running]    com.skype.skype.224352

    [loaded]    org.finkproject.dbus-session

    [loaded]    410 Apple tasks

    [running]    191 Apple tasks

 

Internet Plug-ins: ⓘ

    Default Browser: 601 - SDK 10.11 (2016-03-22)

    Flip4Mac WMV Plugin: 3.1.0.24   - SDK 10.8 (2013-04-06) [Support]

    OfficeLiveBrowserPlugin: 12.3.6 (2013-03-20) [Support]

    Silverlight: 5.1.10411.0 - SDK 10.6 (2013-04-06) [Support]

    FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-05-03) [Support]

    QuickTime Plugin: 7.7.3 (2016-03-22)

    Flash Player: 21.0.0.226 - SDK 10.6 (2016-05-03) Outdated! Update

    Veoh Plugin: 3.0 (2008-04-15) [Support]

    SharePointBrowserPlugin: 14.5.5 - SDK 10.6 (2015-09-12) [Support]

    AdobePDFViewer: 9.5.4 (2013-02-22) [Support]

    iPhotoPhotocast: 7.0 (2008-07-14)

    JavaAppletPlugin: Java 8 Update 73 build 02 (2016-02-14) Check version

 

3rd Party Preference Panes: ⓘ

    Flash Player (2016-04-15) [Support]

    Flip4Mac WMV (2013-01-09) [Support]

    Java (2016-02-14) [Support]

    MozyHome (2016-05-12) [Support]

    Perian (2011-07-23) [Support]

    Spelling (2015-12-06) [Support]

    TeXDistPrefPane (2015-12-06) [Support]

    TotalAccess (2005-02-25) [Support]

    Tuxera NTFS (2012-08-30) [Support]

 

Time Machine: ⓘ

    Skip System Files: NO

    Auto backup: YES

    Volumes being backed up:

        Macintosh HD: Disk size: 249.77 GB Disk used: 220.04 GB

    Destinations:

        Toshiba Mac+ [Local]

        Total size: 999.86 GB

        Total number of backups: 3

        Oldest backup: 3/20/13, 11:47 PM

        Last backup: 5/12/16, 9:44 PM

        Size of backup disk: Excellent

            Backup size 999.86 GB > (Disk size 249.77 GB X 3)

 

Top Processes by CPU: ⓘ

         6%    WindowServer

         5%    kernel_task

         3%    hidd

         2%    fontd

         0%    com.apple.WebKit.WebContent(4)

 

Top Processes by Memory: ⓘ

    816 MB    kernel_task

    492 MB    com.apple.WebKit.WebContent(4)

    377 MB    mds_stores

    319 MB    Finder

    303 MB    WindowServer

 

Virtual Memory Information: ⓘ

    589 MB    Free RAM

    7.42 GB    Used RAM (3.15 GB Cached)

    0 B    Swap Used

 

Diagnostics Information: ⓘ

    May 13, 2016, 08:40:13 PM    Self test - passed

    May 13, 2016, 08:21:50 PM    /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-202150_[redacted].cpu_resource.diag [Details]

        /Library/PreferencePanes/MozyHome.prefPane/Contents/Resources/MozyHomeBackup

    May 13, 2016, 07:56:46 PM    /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-195646_[redacted].cpu_resource.diag [Details]

    May 12, 2016, 11:35:57 PM    /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-233557_[redacted].cpu_resource.diag [Details]

    May 12, 2016, 10:03:31 PM    /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-220331_[redacted].crash

    May 12, 2016, 08:40:18 PM    /Library/Logs/DiagnosticReports/backupd_2016-05-12-204018_[redacted].cpu_resource.diag [Details]

        /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd

    May 10, 2016, 11:36:03 PM    ~/Library/Logs/DiagnosticReports/Finder_2016-05-10-233603_[redacted].crash

        com.apple.finder - /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

    May 10, 2016, 10:28:35 PM    /Library/Logs/DiagnosticReports/BitMedic_2016-05-10-222835_[redacted].hang

        /Applications/BitMedic.app/Contents/MacOS/BitMedic

Posted on May 13, 2016 9:34 PM

  • by Linc Davis, Level 10 (207,925 points), Applications
    May 14, 2016 6:43 AM in response to wclodius

    You may have installed ad-injection malware ("adware").

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. You've already seen that it doesn't work.

    Back up all data first.

    If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

    If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

    If the malware is not removed automatically, see below.

    This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

    Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

    If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.

    Step 1

    Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

    If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

    Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

    Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

    Leave the folder open for now.

    Step 2

    Do as in Step 1 with this line:

    /Library/LaunchAgents

    The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

    Step 3

    Repeat with this line:

    /Library/LaunchDaemons

    This time the folder will be named "LaunchDaemons."

    Step 4

    Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

    Step 5

    If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

  • by appreciate, Level 4 (1,276 points), Mac OS X
    May 14, 2016 8:01 AM in response to wclodius

    Conduit is known by different names: Trovi, My Brand, or Search Protect.

    Go to Finder and remove it from the Applications folder. Verify whether it is also sitting in the Downloads folder.

    Now the method goes like this: enter your system Library. Finder > Go > Computer > Macintosh HD > Library

    Check the folders stated below and remove the contents stated for each folder:

    Application Support: search, V search, trovi, jack, midnight

    LaunchAgents: it should always be empty. If found, delete the V search, Conduit .... files.

    LaunchDaemons: it should always be empty. If found, delete it. If the user is using Adobe Flash Player or Microsoft, its plist will be there and should not be removed; otherwise empty it, apart from these two files.

    PrivilegedHelperTools: it should be empty. If its file is found, delete it.

    StartupItems: it should be empty.

    Preferences: Conduit, V search, Genieo are there; delete them. The files will be com.apple.conduit.plist. Other contents should not be removed from here; in this scenario we are searching for the Trovi file.

    ScriptingAdditions: always empty.

    Frameworks: remove v.framework, search.framework, genieo extra.framework, or files related to Trovi.

    Input Methods: should be empty.

    Internet Plug-Ins: find it if it is sitting there and delete it. Don't remove Default Browser.plugin, flashplayer.xpt, Flash Player.plugin, nsIQTScriptablePlugin.xpt, Quartz Composer.webplugin, QuickTime Plugin.plugin, SharePointBrowserPlugin.plugin, SharePointWebPlugin.webplugin (8 files in total).

    In the next post we have to check in the user Library.

  • by appreciate, Level 4 (1,276 points), Mac OS X
    May 14, 2016 8:24 AM in response to wclodius

    Now we have to search in the user Library: click Finder > Go > keep holding the Option key > Library

    Remove the contents from the folders as follows:

    Application Support: empty it straight away, as fresh contents will be re-created when, in the last step, we restart from the Apple logo and empty the Trash. But don't do that now.

    Caches: clear the folder.
    Cookies: clear it.
    Applications: cinemaprol-2.app, if it is there, remove it; likewise if Trovi or Genieo is there.

    Internet Plug-Ins: troviNPAPIplugin.plugin, conduitNPAPIplugin.plugin, or some other files related to Genieo. Basically it should always be empty.

    Preferences: com.genieo.global.settings.plist.lockfile, com.genieo.settings.plist.lockfile, com.genieo.global.settings.plist. If Trovi, Conduit, or related files are found, delete them; don't delete other contents.

    LaunchAgents: it should be empty. In Yosemite this folder is there, but Apple has removed the entire LaunchAgents folder from the user Library.

    Saved Application State: empty it straight away.

    Now, in the third step, we will move into the hard disk or drive.

    Open Finder > Computer > Macintosh HD > System > Library > Frameworks. Remove v.framework, search.framework, or Conduit, Genieo, Trovi related files.

    It is also good to go into the Containers folder: remove any files related to Conduit, Trovi, and the above malwares.

    In the end: restart from the Apple logo > empty the Trash (I always use the keyboard command Shift + Command + Delete, then hit Enter).

    Make a habit of viewing the system Library and user Library. It will help, because a lot of issues related to Safari are resolved from here.

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 10:34 AM in response to Linc Davis

    Linc Davis:

     

    Thanks for your help. This is my reply to your post with the appropriate screenshots.

    ~/Library/LaunchAgents

    Screen Shot 2016-05-14 at 11.16.35 AM.png

    /Library/LaunchAgents

    Screen Shot 2016-05-14 at 11.23.23 AM.png

     

    /Library/LaunchDaemons

    Screen Shot 2016-05-14 at 11.25.06 AM.png

    Safari Extensions Folder (As I noted it shows as empty)

    Screen Shot 2016-05-14 at 11.31.23 AM.png

    Yesterday I uninstalled Firefox and Chrome.

  • by Linc Davis, Level 10 (207,925 points), Applications
    May 14, 2016 11:02 AM in response to wclodius

    From the folder shown in your third screenshot, please delete item #2 from the top (a "VSearch" variant.) Then restart the computer and reset the search engine and home page in your web browsers, if necessary.

     

    I suggest you also get rid of the "malwarebytes" product, which has once again proved its uselessness by failing to remove the malware. Never install any "anti-virus" or "anti-malware" product again.

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 11:07 AM in response to appreciate

    appreciate:

     

    As near as I can tell, files with the obvious strings in their names were not present.

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 11:14 AM in response to Linc Davis

    Linc Davis:

     

    Note the contents of the second file were:

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
            <key>KeepAlive</key>
            <true/>
            <key>Label</key>
            <string>com.apple.nysgar</string>
            <key>RunAtLoad</key>
            <true/>
            <key>Program</key>
            <string>/Library/nysgar</string>
    </dict>
    </plist>

    There is an application /Library/nysgar. Checking further in /Library from Terminal, noting that the problems started in May:

    ls -al /Library | grep -i may

    drwxr-xr-x+  78 root            wheel     2652 May 14 10:57 .
    drwxr-xr-x   47 root            wheel     1666 May 13 21:09 ..
    drwxr-xr-x   32 root            admin     1088 May  8 10:41 Application Support
    drwxrwxrwt   10 root            admin      340 May 13 20:00 Caches
    drwxr-xr-x   18 root            wheel      612 May 13 22:43 Internet Plug-Ins
    drwxr-xr-x   10 root            wheel      340 May 14 10:57 Keychains
    drwxr-xr-x    8 root            wheel      272 May 12 22:03 LaunchAgents
    drwxr-xr-x   15 root            wheel      510 May 12 22:03 LaunchDaemons
    drwxr-xr-x    3 root            wheel      102 May 13 19:54 Managed Preferences
    drwxr-xr-x   10 root            wheel      340 May 12 22:03 PreferencePanes
    drwxr-xr-x   87 root            wheel     2958 May 14 11:21 Preferences
    dr-xr-xr-x    7 root            wheel      238 May 13 22:58 Printers
    drwxr-xr-t@   7 root            wheel      238 May  9 21:29 PrivilegedHelperTools
    drwxr-xr-x    5 root            wheel      170 May 13 22:58 Updates
    -rw-r-----    1 root            wheel  6116463 May  8 10:42 backup.zip
    -rwxrwxrwx@   1 root            wheel   126680 May  8 10:42 nysgar
    -rw-------    1 root            wheel      282 May  8 10:42 settings.dat
    -rw-r--r--    1 root            wheel     5539 May 14 12:10 watch.log


    Should any of these also be removed?

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 11:27 AM in response to Linc Davis

    Linc:

     

    FWIW, when I quit Safari or restart the system the file is regenerated, so I suspect I have to remove the other files, nysgar in particular.

  • by Linc Davis, Level 10 (207,925 points), Applications
    May 14, 2016 11:43 AM in response to wclodius

    Move the file I indicated to the Trash, then restart and empty the Trash. As for the "nysgar" file, it's part of the malware, and you can of course remove it, but that step is optional. There are always more files, but trying to track them all down is more trouble than it's worth.

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 11:42 AM in response to wclodius

    Linc:

     

    Removing /Library/nysgar while Safari is not on the trovi home page so far has worked.

  • by wclodius, Level 1 (8 points), Mac OS X
    May 14, 2016 12:30 PM in response to Linc Davis

    As near as I can tell from the behavior I observed, you now have to remove the second file as well. The first one starts at startup; it then runs the second, which runs in the background to do the dirty work. The second, in the form I have, checks frequently for the existence of the first and, if it is absent, recreates it. If it checks on the order of once a second, which appears likely given the brief time before the first reappeared, it is impractical to shut down the computer before the first is regenerated.
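    The persistence described in this post (a LaunchDaemon plist with an Apple-style label pointing at a binary in /Library, the binary recreating the plist) and the folder review in Linc Davis's Steps 1 to 3 can be turned into a repeatable check. The script below is an added example, not code from any poster or from EtreCheck; the sample folder tree, the benign com.example.helper daemon and the optional ROOT argument are constructed for the demonstration.

```shell
# Added example (not code from the thread or from EtreCheck): audit a
# LaunchAgents/LaunchDaemons folder for the pattern seen above. The quoted
# plist had an Apple-looking Label (com.apple.nysgar) but ran /Library/nysgar,
# a world-writable binary outside Apple's system paths, and EtreCheck later
# showed "Executable not found!" once that binary was removed. POSIX sh, tr
# and sed only (no plutil), so it also works on a mounted backup volume.

# First <string> that follows <key>$1</key> in plist $2 (empty if absent).
plist_string() {
  tr -d '\n' < "$2" |
    sed -n "s|.*<key>$1</key>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p"
}

# First entry of the ProgramArguments array in plist $1 (empty if absent).
plist_first_arg() {
  tr -d '\n' < "$1" |
    sed -n 's|.*<key>ProgramArguments</key>[[:space:]]*<array>[[:space:]]*<string>\([^<]*\)</string>.*|\1|p'
}

# audit_launchd_dir DIR [ROOT]: print "label -> program (reasons)" for each
# suspicious plist in DIR. ROOT is prepended to program paths so an offline
# volume can be checked; leave it empty on the running system.
audit_launchd_dir() {
  dir=$1; root=${2:-}
  for f in "$dir"/*.plist; do
    [ -f "$f" ] || continue
    label=$(plist_string Label "$f")
    prog=$(plist_string Program "$f")
    [ -n "$prog" ] || prog=$(plist_first_arg "$f")
    reason=""
    # 1. Apple-style Label whose executable is not under an Apple system path.
    case "$label" in
      com.apple.*)
        case "$prog" in
          /System/*|/usr/*|/bin/*|/sbin/*) ;;
          *) reason="$reason apple-label-outside-system-paths" ;;
        esac ;;
    esac
    # 2. Executable missing (orphaned job) or world-writable (anyone could replace it).
    if [ -n "$prog" ]; then
      if [ ! -e "$root$prog" ]; then
        reason="$reason executable-not-found"
      elif [ "$(ls -ld "$root$prog" | cut -c9)" = "w" ]; then
        reason="$reason world-writable-executable"
      fi
    fi
    [ -z "$reason" ] || printf '%s -> %s (%s)\n' "$label" "$prog" "${reason# }"
  done
}

# demo_audit: constructed sample tree (the thread's plist beside a benign
# third-party daemon) in a temp dir, audited with that dir as ROOT.
demo_audit() {
  tmp=$(mktemp -d) || return 1
  mkdir -p "$tmp/Library/LaunchDaemons" "$tmp/Library/PrivilegedHelperTools"
  cat > "$tmp/Library/LaunchDaemons/com.apple.nysgar.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>KeepAlive</key><true/>
  <key>Label</key><string>com.apple.nysgar</string>
  <key>RunAtLoad</key><true/>
  <key>Program</key><string>/Library/nysgar</string>
</dict></plist>
EOF
  : > "$tmp/Library/nysgar"; chmod 777 "$tmp/Library/nysgar"   # as -rwxrwxrwx above
  cat > "$tmp/Library/LaunchDaemons/com.example.helper.plist" <<'EOF'
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.helper</string>
  <key>ProgramArguments</key><array><string>/Library/PrivilegedHelperTools/com.example.helper</string></array>
</dict></plist>
EOF
  : > "$tmp/Library/PrivilegedHelperTools/com.example.helper"
  chmod 755 "$tmp/Library/PrivilegedHelperTools/com.example.helper"
  audit_launchd_dir "$tmp/Library/LaunchDaemons" "$tmp"
  rm -rf "$tmp"
}
if [ "${1:-}" = "--demo" ]; then demo_audit; fi
```

    On the live system run `audit_launchd_dir /Library/LaunchDaemons` (and the same for /Library/LaunchAgents and ~/Library/LaunchAgents); with a Time Machine volume mounted, pass its mount point as the second argument to review the backup instead.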

  • by Linc Davis, Level 10 (207,925 points), Applications
    May 14, 2016 1:36 PM in response to wclodius

    If that's true, it's a new behavior that hasn't been reported before.

  • by etresoft, Level 7 (29,046 points)
    May 14, 2016 7:12 PM in response to wclodius

    Hello wclodius,

    Thanks for the detailed posting. I always assumed that it was only a matter of time before adware started actively trying to avoid EtreCheck. It is time to follow your lead and turn those Apple signature checks back on.

  • by appreciate, Level 4 (1,276 points), Mac OS X
    May 14, 2016 8:39 PM in response to wclodius

    In the LaunchAgents folder: empty it.

    LaunchDaemons: keep com.adobe.fpsaud.plist, the Malwarebytes plist, and com.microsoft.office.licensing.helper.plist, and remove all of them, as I am not using Chrome and Firefox, so I have no idea about the files that are created. But what is the purpose of installing Firefox?

    Try to remove Firefox and Chrome and then see whether that malware is still there.

    Note: malware resides in the LaunchDaemons and LaunchAgents folders of the system Library.

    Are you using Yosemite? LaunchAgents folders exist in the user Library. These screenshots seem to be of the system Library; please do check in the user Library, and what about Internet Plug-Ins? Also, in previous versions, in system Library > InputManagers > CT Loader: this CT Loader has to be removed, but in the latest versions (El Capitan) Apple has removed the InputManagers folder.

    Have you checked in the hard disk, i.e. in Frameworks?
