How do I remove Trovi after doing the obvious

Question

Level 1

9 points

How do I remove Trovi after doing the obvious

I acquired Trovi about a week ago. It quickly infected Firefox, Chrome, and Safari. I ran Adware Medic which claimed to move the files to Trash and emptied the Trash. Still present. I then got Adware Doctor and MalwareBytes Anti-Malware, ran them with no fix. I went to Linc Davis's site and followed his advice, found no extensions in any of the browsers, found no obvious files in /Library/LaunchAgents, /Library/LaunchDaemons, or ~/Library/LaunchAgents. I did find one file installed as root and removed it. The file was

~/Library/Application\ Support/Firefox/Profiles/15den4ak.default-1450036030435/searchplugins/

with contents

<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Trovi</ShortName>
<Description>Trovi</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height="16">data:x-icon;base64,AAABAAEAEBAAAAAAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEA IAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAD///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbuEtUWcTpWfjjWGu55U mI/Bj7wD////AapnpHuON4exqGOiieTO4Sf///8B////Af///wH///8B////AbN1rHmEKHvrgx94/5Eq gv+EGHj/rm6pa7V6r1eGHnz/jCeA/38adf+VQYzNv4q5Tf///wH///8BwIu6V4stgNNuAGP/fxRw/5wn g/+hMYP/njiA/69po/usZKD5mS58/6EuhP+aJ4P/dQNn/2wAYf+vbaefzaTIG61rpqdhAFT/gBh1/6Er h/+bLXn/lEtr/6FffP+pYpj/qWKX/6FffP+VSG3/miN3/6Axif98FnL/WgBM/6NXmrP///8BsXSrYZ41 ifuaH3r/k0pr/5ZTb/+aTYT/dwht/3sQcf+dVYb/kk5p/5ZIb/+eIX//kyqB+axxqZe9ibgp////Adai yCmWFHf/lSd1/5JNaf+lZYb/jDF9/3IAaf95C3H/jzZ9/55ae/+VT2z/lSF1/5sigPP///8B////Af// /wGxVJrVigBr/5w3fP+UTmr/nlh9/5I+f/93BnD/fA50/5RCfv+bVHn/lU9t/5Mgc/95AFT/u2qno/// /wH///8BwHeuW7NPn22rXI+tkEhk/5VIcv+TQnT/jjOB/481gP+WSHj/lUtz/4xAYP+uWpXLt2CjpcqM u33///8B////Af///wH///8Bsn6VQX0kS/+NPWb/k0R0/5VHdv+URnX/jjxt/4MsVv+DL1X/4svZKf// /wH///8B////Af///wH///8B////AbySo1OdWXnnuIece6Rhis2FK2H/gyde/72Lqausc4yvmVJ0/f7/ /Q3///8B////Af///wH///8B////Af///wHWuMYN07XDDf///wHPq8Ezhy5l/5NDdPX///8B////Acml tjHHo7QH////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbF3mpnYvM5d////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af// /wH///8B////Af///wH///8B////Af///wH///8BAAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA //8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//w==</Image>
<Url type="application/x-suggestions+json" method="GET" template="http://suggestqueries.google.com/complete/search?output=firefox&client=firef ox&qu={searchTerms}" />
<Url type="text/html" method="GET" template="http://www.trovi.com/">
<Param name="q" value="{searchTerms}" />
</Url>
<SearchForm>http%3A%2F%2Fwww.trovi.com%2FResults.aspx%3Fn%3DDP2791%26searchsource%3D58%26UM%3D8%26gd%3DSY1000250/</Sea rchForm>
</SearchPlugin>

Trove was still active. I remove Player x, Trovi was still active. Removed Firefox and Chrome in the hope that their infection was causing problems for Safari. Safari still has Trovi.

Symptoms in Safari. Trying to show extensions in the browser window yields an empty list. Setting the homepage to something other than trovi temporarily works, but after one or two restarts trovi reappear as the home page, If I set it so that the startup and new tab pages are empty after a bit the window will close and then reappear with trovi set as the home page and start and new tabs set to display the homepage. Turning off Javascript blocks its ads, but makes other things of course impossible and does nothing to avoid trovi becoming the home page.

I have also been having request on startup for the login keychain by

Identityservicesd
comm.apple.icloudHelper.xpc
AddressBookSourceSync
accountsd
MessagesAgent
and CommCenter

FWIW I have OS X El Capitain 10.11.4

EtreCheck reports

EtreCheck version: 2.9.12 (265)

Report generated 2016-05-13 22:29:08

Download EtreCheck from https://etrecheck.com

Runtime 1:33

Performance: Excellent

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Check Apple signatures: Enabled

Problem: Other problem

Hardware Information:ⓘ

MacBook Pro (Retina, 15-inch, Early 2013)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro10,1

1 2.4 GHz Intel Core i7 CPU: 4-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 137

Video Information:ⓘ

Intel HD Graphics 4000

Color LCD 2880 x 1800

NVIDIA GeForce GT 650M - VRAM: 1024 MB

System Software:ⓘ

OS X El Capitan 10.11.4 (15E65) - Time since boot: about one hour

Disk Information:ⓘ

APPLE SSD SD256E disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 249.77 GB (29.73 GB free)

Core Storage: disk0s2 250.14 GB Online

USB Information:ⓘ

Apple Inc. FaceTime HD Camera (Built-in)

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Thunderbolt Information:ⓘ

Apple Inc. thunderbolt_bus

Gatekeeper:ⓘ

Mac App Store and identified developers

Kernel Extensions:ⓘ

/Library/Extensions

[not loaded] com.BlackBerry.driver.USBCDCNCM (1.0.6 - SDK 10.7 - 2016-04-05) [Support]

[loaded] com.rim.driver.BlackBerryUSBDriverInt (2.2.7 - SDK 10.7 - 2016-04-05) [Support]

[loaded] com.rim.driver.BlackBerryVirtualPrivateNetwork (1.0.18 - SDK 10.8 - 2016-04-05) [Support]

Startup Items:ⓘ

daemonic-dbus: Path: /Library/StartupItems/daemonic-dbus

Startup items are obsolete in OS X Yosemite

System Launch Agents:ⓘ

[not loaded] 8 Apple tasks

[loaded] 154 Apple tasks

[running] 76 Apple tasks

System Launch Daemons:ⓘ

[not loaded] 44 Apple tasks

[loaded] 158 Apple tasks

[running] 88 Apple tasks

Launch Agents:ⓘ

[running] com.mozy.status.plist (2016-03-13) [Support]

[loaded] com.oracle.java.Java-Updater.plist (2014-01-01) [Support]

[running] com.rim.BBLaunchAgent.plist (2013-11-08) [Support]

[running] com.rim.PeerManager.plist (2013-11-08) [Support]

[running] com.rim.blackberrylink.BlackBerry-Link-Helper-Agent.plist (2013-11-08) [Support]

[loaded] org.macosforge.xquartz.startx.plist (2015-10-16) [Support]

Launch Daemons:ⓘ

[failed] com.adobe.fpsaud.plist (2016-04-15) [Support]

[not loaded] com.apple.nysgar.plist (2016-05-08) - Executable not found!

[loaded] com.barebones.authd.plist (2012-11-22) [Support]

[loaded] com.barebones.textwrangler.plist (2010-01-30) [Support]

[loaded] com.github.GitHub.GHInstallCLI.plist (2013-04-06) [Support]

[loaded] com.malwarebytes.MBAMHelperTool.plist (2016-05-09) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2012-04-02) [Support]

[running] com.mozy.backup.plist (2016-03-13) [Support]

[loaded] com.oracle.java.Helper-Tool.plist (2014-01-01) [Support]

[running] com.rim.BBDaemon.plist (2013-11-08) [Support]

[not loaded] com.rim.nkehelper.plist (2013-11-08) [Support]

[running] com.rim.tunmgr.plist (2013-11-08) [Support]

[loaded] org.macosforge.xquartz.privileged_startx.plist (2015-10-16) [Support]

User Launch Agents:ⓘ

[failed] com.adobe.ARM.[...].plist (2009-10-22) [Support]

[loaded] com.google.keystone.agent.plist (2016-05-11) [Support]

User Login Items:ⓘ

iSyncr Application (/Applications/iSyncr.app)

Skype Application (/Applications/Skype.app)

Other Apps:ⓘ

[running] com.JRTStudio.iSyncrWiFi.58272

[running] com.apple.nysgar

[running] com.etresoft.EtreCheck.268512

[loaded] com.excitedpixel.breaktimelauncher

[running] com.skype.skype.224352

[loaded] org.finkproject.dbus-session

[loaded] 410 Apple tasks

[running] 191 Apple tasks

Internet Plug-ins:ⓘ

Default Browser: 601 - SDK 10.11 (2016-03-22)

Flip4Mac WMV Plugin: 3.1.0.24 - SDK 10.8 (2013-04-06) [Support]

OfficeLiveBrowserPlugin: 12.3.6 (2013-03-20) [Support]

Silverlight: 5.1.10411.0 - SDK 10.6 (2013-04-06) [Support]

FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-05-03) [Support]

QuickTime Plugin: 7.7.3 (2016-03-22)

Flash Player: 21.0.0.226 - SDK 10.6 (2016-05-03) Outdated! Update

Veoh Plugin: 3.0 (2008-04-15) [Support]

SharePointBrowserPlugin: 14.5.5 - SDK 10.6 (2015-09-12) [Support]

AdobePDFViewer: 9.5.4 (2013-02-22) [Support]

iPhotoPhotocast: 7.0 (2008-07-14)

JavaAppletPlugin: Java 8 Update 73 build 02 (2016-02-14) Check version

3rd Party Preference Panes:ⓘ

Flash Player (2016-04-15) [Support]

Flip4Mac WMV (2013-01-09) [Support]

Java (2016-02-14) [Support]

MozyHome (2016-05-12) [Support]

Perian (2011-07-23) [Support]

Spelling (2015-12-06) [Support]

TeXDistPrefPane (2015-12-06) [Support]

TotalAccess (2005-02-25) [Support]

Tuxera NTFS (2012-08-30) [Support]

Time Machine:ⓘ

Skip System Files: NO

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 249.77 GB Disk used: 220.04 GB

Destinations:

Toshiba Mac+ [Local]

Total size: 999.86 GB

Total number of backups: 3

Oldest backup: 3/20/13, 11:47 PM

Last backup: 5/12/16, 9:44 PM

Size of backup disk: Excellent

Backup size 999.86 GB > (Disk size 249.77 GB X 3)

Top Processes by CPU:ⓘ

6% WindowServer

5% kernel_task

3% hidd

2% fontd

0% com.apple.WebKit.WebContent(4)

Top Processes by Memory:ⓘ

816 MB kernel_task

492 MB com.apple.WebKit.WebContent(4)

377 MB mds_stores

319 MB Finder

303 MB WindowServer

Virtual Memory Information:ⓘ

589 MB Free RAM

7.42 GB Used RAM (3.15 GB Cached)

0 B Swap Used

Diagnostics Information:ⓘ

May 13, 2016, 08:40:13 PM Self test - passed

May 13, 2016, 08:21:50 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-202150_[redacted].cpu _resource.diag [Details]

/Library/PreferencePanes/MozyHome.prefPane/Contents/Resources/MozyHomeBackup

May 13, 2016, 07:56:46 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-195646_[redacted].cpu _resource.diag [Details]

May 12, 2016, 11:35:57 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-233557_[redacted].cpu _resource.diag [Details]

May 12, 2016, 10:03:31 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-220331_[redacted].cra sh

May 12, 2016, 08:40:18 PM /Library/Logs/DiagnosticReports/backupd_2016-05-12-204018_[redacted].cpu_resour ce.diag [Details]

/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd

May 10, 2016, 11:36:03 PM ~/Library/Logs/DiagnosticReports/Finder_2016-05-10-233603_[redacted].crash

com.apple.finder - /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

May 10, 2016, 10:28:35 PM /Library/Logs/DiagnosticReports/BitMedic_2016-05-10-222835_[redacted].hang

/Applications/BitMedic.app/Contents/MacOS/BitMedic

Posted on May 13, 2016 9:34 PM

Reply

Answer 1

Cole9

Level 1

4 points

Jan 8, 2017 4:10 PM in response to wclodius

Thanks in advance for your help!

Reply

Answer 2

Linc Davis

Level 10

209,739 points

May 14, 2016 6:43 AM in response to wclodius

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. You've already seen that it doesn't work.

Back up all data first.

If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

If the malware is not removed automatically, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

Reply

Answer 3

appreciate

Level 4

1,278 points

May 14, 2016 8:01 AM in response to wclodius

conduit known by different names trovi , my brand or search protect .

go to finder - remove from application folder . verify it is sitting in download folder also .

now the method goes like this : enter in your system library . finder > go > computer > macintosh HD - library

monitor the folders that are stated below : and removed the contents stated in the folders

application support : search V search , trovi , jack , midnight

launch agents : it should be empty always . if found delete it concerning v search , conduit ....files

launch daemons : it should be empty always if found delete it . if user is using adobe flash player or microsoft its plist will be there it should not be removed other wise empty it apart from these two files

privileged helper tools : it should be empty - if its file is found -delete it

start up items - it should be empty

preferences : conduit , v search , genieo are there - delete it the files will be com.apple.conduit.plist other contents should not be removed from here in this scenario we are searching trovi file

scripting additions : always empty

frame works : remove v. framework , search.framework , genieo extra.framework or file related to trovi

input methods : should be empty

internet plugins : find it if it is sitting - delete it don't remove default browser.plugin , flash player .xpt , flash player .plugin , ns1qt scriptable plugin.xpt , quartz composer.webplugin , quicktimeplugin.plugin , sharepointbrowserplugin.plugin , sharepointwebplugin.webplugin ( total 8 files ).

in the next post we have to check in user library

Reply

Answer 4

appreciate

Level 4

1,278 points

May 14, 2016 8:24 AM in response to wclodius

now we have to search in user library : click to finder > go > keep on holding option key > library

remove the contents from the folders as under :

application support : straight away empty it as the fresh contents will be re- created when in the last step we will restart from apple logo and empty the trash but don't do it now .

caches : clear the folder

cookies : clear it

applications : cinemaprol - 2 .app if it there remove it , if trovi , genieo

internet plugins : troviNPAPIplugin.plugin , conduitNPAPIplugin.plugin or some other files related to genieo basically it should be empty always .

preferences : com.genieo.global.settings.plistlockfile , com.genieo.settings.plist.lockfile , com.genieo.global.settings.plist if trovi , conduit or related files are to be found delete don't delete other contents .

launch agents : it should be empty . in yosemite this folder is there . but apple has removed entire launch agent folder from user library .

saved application state : straight away empty it .

now in third step we will move into hard disk or drive

open finder > computer > macintosh HD > system > library >framework - remove v.framework , search.framework or conduit , genieo , trovi related files

it is also good to go in a folder container : remove any files related to conduit , trovi ,and the above malwares .

in the end : restart from apple logo > empty the trash ( i always use keyboard command : shift + command + delete - then hit on enter )

make a habit of viewing system library , user library it will help because lot of issues related to safari are resolved from here .

Reply

Answer 5

wclodius Author

Level 1

9 points

May 14, 2016 10:34 AM in response to Linc Davis

Line Davis:

Thanks for your help. This is my reply to your post with the appropriate screen shots

~/Library/LaunchAgents

/Library/LaunchAgents

/Library/LaunchDaemons

Safari Extensions Folder (As I noted it shows as empty)

Yesterday I uninstalled Firefox and Chrome.

Reply

Answer 6

Linc Davis

Level 10

209,739 points

May 14, 2016 11:02 AM in response to wclodius

From the folder shown in your third screenshot, please delete item #2 from the top (a "VSearch" variant.) Then restart the computer and reset the search engine and home page in your web browsers, if necessary.

I suggest you also get rid of the "malwarebytes" product, which has once again proved its uselessness by failing to remove the malware. Never install any "anti-virus" or "anti-malware" product again.

Reply

Answer 7

wclodius Author

Level 1

9 points

May 14, 2016 11:07 AM in response to appreciate

appreciate:

As near as I can tell files with the obvious strings in their names were not present

Reply

Answer 8

wclodius Author

Level 1

9 points

May 14, 2016 11:14 AM in response to Linc Davis

Linc Davis:

Note the contents of the second file were

<?xmlversion="1.0"encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN""http://www.apple.com/DTDs/Prop\

ertyList-1.0.dtd">

<plistversion="1.0">

<dict>

<key>KeepAlive</key>

<true/>

<key>Label</key>

<string>com.apple.nysgar</string>

<key>RunAtLoad</key>

<true/>

<key>Program</key>

<string>/Library/nysgar</string>

</dict>

</plist>

There is an application /Library/nysgar. Checking further in Library from Terminal noting the problems started May

ls -al /Library | grep -i may

drwxr-xr-x+ 78 root wheel 2652 May 14 10:57 .

drwxr-xr-x 47 root wheel 1666 May 13 21:09 ..

drwxr-xr-x 32 root admin 1088 May 8 10:41 Application Support

drwxrwxrwt 10 root admin 340 May 13 20:00 Caches

drwxr-xr-x 18 root wheel 612 May 13 22:43 Internet Plug-Ins

drwxr-xr-x 10 root wheel 340 May 14 10:57 Keychains

drwxr-xr-x 8 root wheel 272 May 12 22:03 LaunchAgents

drwxr-xr-x 15 root wheel 510 May 12 22:03 LaunchDaemons

drwxr-xr-x 3 root wheel 102 May 13 19:54 Managed Preferences

drwxr-xr-x 10 root wheel 340 May 12 22:03 PreferencePanes

drwxr-xr-x 87 root wheel 2958 May 14 11:21 Preferences

dr-xr-xr-x 7 root wheel 238 May 13 22:58 Printers

drwxr-xr-t@ 7 root wheel 238 May 9 21:29 PrivilegedHelperTools

drwxr-xr-x 5 root wheel 170 May 13 22:58 Updates

-rw-r----- 1 root wheel 6116463 May 8 10:42 backup.zip

-rwxrwxrwx@ 1 root wheel 126680 May 8 10:42 nysgar

-rw------- 1 root wheel 282 May 8 10:42 settings.dat

-rw-r--r-- 1 root wheel 5539 May 14 12:10 watch.log

Should any of these also be removed?

Reply

Answer 9

wclodius Author

Level 1

9 points

May 14, 2016 11:27 AM in response to Linc Davis

Linc:

FWIW when I quit Safari or restart the system the file is being regenerated, so I suspect I have to remove the other files the nysgar in particular.

Reply

Answer 10

Linc Davis

Level 10

209,739 points

May 14, 2016 11:43 AM in response to wclodius

Move the file I indicated to the Trash, then restart and empty the Trash. As for the "nysgar" file, it's part of the malware, and you can of course remove it, but that step is optional. There are always more files, but trying to track them all down is more trouble than it's worth.

Reply

Answer 11

wclodius Author

Level 1

9 points

May 14, 2016 11:42 AM in response to wclodius

Linc:

Removing /Library/nysgar while Safari is not on the trovi home page so far has worked.

Reply

Answer 12

wclodius Author

Level 1

9 points

May 14, 2016 12:30 PM in response to Linc Davis

As near as I can tell from the behavior I observed you now have to remove the second file as well. The first one starts at startup, it then runs the second that runs in the background to do the dirty work. The second, in the form I have, checks frequently for the existence of the first, and if absent recreates it. If it checks on the order of a second, which appears likely given the brief time before the first reappeared, it is impractical to shut down the computer before the first is regenerated.

Reply

Answer 13

Linc Davis

Level 10

209,739 points

May 14, 2016 1:36 PM in response to wclodius

If that's true, it's a new behavior that hasn't been reported before.

Reply

Answer 14

etresoft

Level 9

56,692 points

May 14, 2016 7:12 PM in response to wclodius

Hello wclodius,

Thanks for the detailed posting. I always assumed that it was only a matter of time before adware starting actively trying to avoid EtreCheck. It is time to follow your lead and turn those Apple signature checks back on.

Reply

Answer 15

appreciate

Level 4

1,278 points

May 14, 2016 8:39 PM in response to wclodius

in launch agents folder - empty it

launch daemons - keep com.adobrfpsaud.plist , malwarebytesplist , microsoft .officelicensing helper .plist and remove all if them as i am not using chrome & firefox so having no idea about the files that are created . but what is the purpose of installing firefox ?

try to remove firefox & chrome and then see what happens is that malware still there .

note : malware reside in launch daemons , launch agents folder of system library .

are you using yosemite ? launch agents folders exist in user library . these screen shots seems to be of system library please do check in user library and what about internet plugins . also in previous versions in system library > input managers > ct loader . this ct loader has to be removed but in latest versions , el capitan apple has removed the folder input managers .

have you checked in hard disk i.e. in frameworks .

Reply