How do I remove Trovi after doing the obvious

I acquired Trovi about a week ago. It quickly infected Firefox, Chrome, and Safari. I ran Adware Medic which claimed to move the files to Trash and emptied the Trash. Still present. I then got Adware Doctor and MalwareBytes Anti-Malware, ran them with no fix. I went to Linc Davis's site and followed his advice, found no extensions in any of the browsers, found no obvious files in /Library/LaunchAgents, /Library/LaunchDaemons, or ~/Library/LaunchAgents. I did find one file installed as root and removed it. The file was

~/Library/Application\ Support/Firefox/Profiles/15den4ak.default-1450036030435/searchplugins/

with contents


<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Trovi</ShortName>
<Description>Trovi</Description>
<InputEncoding>UTF-8</InputEncoding>
<Image width="16" height="16">data:x-icon;base64,AAABAAEAEBAAAAAAIABoBAAAFgAAACgAAAAQAAAAIAAAAAEAIAAAAAAAQAQAAAAAAAAAAAAAAAAAAAAAAAD///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbuEtUWcTpWfjjWGu55UmI/Bj7wD////AapnpHuON4exqGOiieTO4Sf///8B////Af///wH///8B////AbN1rHmEKHvrgx94/5Eqgv+EGHj/rm6pa7V6r1eGHnz/jCeA/38adf+VQYzNv4q5Tf///wH///8BwIu6V4stgNNuAGP/fxRw/5wng/+hMYP/njiA/69po/usZKD5mS58/6EuhP+aJ4P/dQNn/2wAYf+vbaefzaTIG61rpqdhAFT/gBh1/6Erh/+bLXn/lEtr/6FffP+pYpj/qWKX/6FffP+VSG3/miN3/6Axif98FnL/WgBM/6NXmrP///8BsXSrYZ41ifuaH3r/k0pr/5ZTb/+aTYT/dwht/3sQcf+dVYb/kk5p/5ZIb/+eIX//kyqB+axxqZe9ibgp////AdaiyCmWFHf/lSd1/5JNaf+lZYb/jDF9/3IAaf95C3H/jzZ9/55ae/+VT2z/lSF1/5sigPP///8B////Af///wGxVJrVigBr/5w3fP+UTmr/nlh9/5I+f/93BnD/fA50/5RCfv+bVHn/lU9t/5Mgc/95AFT/u2qno////wH///8BwHeuW7NPn22rXI+tkEhk/5VIcv+TQnT/jjOB/481gP+WSHj/lUtz/4xAYP+uWpXLt2CjpcqMu33///8B////Af///wH///8Bsn6VQX0kS/+NPWb/k0R0/5VHdv+URnX/jjxt/4MsVv+DL1X/4svZKf///wH///8B////Af///wH///8B////AbySo1OdWXnnuIece6Rhis2FK2H/gyde/72Lqausc4yvmVJ0/f7//Q3///8B////Af///wH///8B////Af///wHWuMYN07XDDf///wHPq8Ezhy5l/5NDdPX///8B////AcmltjHHo7QH////Af///wH///8B////Af///wH///8B////Af///wH///8B////AbF3mpnYvM5d////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8B////Af///wH///8BAAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//wAA//8AAP//AAD//w==</Image>
<Url type="application/x-suggestions+json" method="GET" template="http://suggestqueries.google.com/complete/search?output=firefox&amp;client=firefox&amp;qu={searchTerms}" />
<Url type="text/html" method="GET" template="http://www.trovi.com/">
<Param name="q" value="{searchTerms}" />
</Url>
<SearchForm>http%3A%2F%2Fwww.trovi.com%2FResults.aspx%3Fn%3DDP2791%26searchsource%3D58%26UM%3D8%26gd%3DSY1000250/</SearchForm>
</SearchPlugin>

Trovi was still active. I removed Player x; Trovi was still active. I removed Firefox and Chrome in the hope that their infection was causing problems for Safari. Safari still has Trovi.


Symptoms in Safari: trying to show extensions in the browser window yields an empty list. Setting the homepage to something other than Trovi temporarily works, but after one or two restarts Trovi reappears as the home page. If I set it so that the startup and new tab pages are empty, after a bit the window will close and then reappear with Trovi set as the home page and the startup and new tab pages set to display the homepage. Turning off JavaScript blocks its ads, but of course makes other things impossible and does nothing to stop Trovi becoming the home page.


I have also been getting requests on startup for the login keychain from

  • Identityservicesd
  • comm.apple.icloudHelper.xpc
  • AddressBookSourceSync
  • accountsd
  • MessagesAgent
  • and CommCenter


FWIW I have OS X El Capitan 10.11.4


EtreCheck reports

EtreCheck version: 2.9.12 (265)

Report generated 2016-05-13 22:29:08

Download EtreCheck from https://etrecheck.com

Runtime 1:33

Performance: Excellent


Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.


Check Apple signatures: Enabled


Problem: Other problem


Hardware Information:

MacBook Pro (Retina, 15-inch, Early 2013)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro10,1

1 2.4 GHz Intel Core i7 CPU: 4-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 137


Video Information:

Intel HD Graphics 4000

Color LCD 2880 x 1800

NVIDIA GeForce GT 650M - VRAM: 1024 MB


System Software:

OS X El Capitan 10.11.4 (15E65) - Time since boot: about one hour


Disk Information:

APPLE SSD SD256E disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 249.77 GB (29.73 GB free)

Core Storage: disk0s2 250.14 GB Online


USB Information:

Apple Inc. FaceTime HD Camera (Built-in)

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Gatekeeper:

Mac App Store and identified developers


Kernel Extensions:

/Library/Extensions

[not loaded] com.BlackBerry.driver.USBCDCNCM (1.0.6 - SDK 10.7 - 2016-04-05) [Support]

[loaded] com.rim.driver.BlackBerryUSBDriverInt (2.2.7 - SDK 10.7 - 2016-04-05) [Support]

[loaded] com.rim.driver.BlackBerryVirtualPrivateNetwork (1.0.18 - SDK 10.8 - 2016-04-05) [Support]


Startup Items:

daemonic-dbus: Path: /Library/StartupItems/daemonic-dbus

Startup items are obsolete in OS X Yosemite


System Launch Agents:

[not loaded] 8 Apple tasks

[loaded] 154 Apple tasks

[running] 76 Apple tasks


System Launch Daemons:

[not loaded] 44 Apple tasks

[loaded] 158 Apple tasks

[running] 88 Apple tasks


Launch Agents:

[running] com.mozy.status.plist (2016-03-13) [Support]

[loaded] com.oracle.java.Java-Updater.plist (2014-01-01) [Support]

[running] com.rim.BBLaunchAgent.plist (2013-11-08) [Support]

[running] com.rim.PeerManager.plist (2013-11-08) [Support]

[running] com.rim.blackberrylink.BlackBerry-Link-Helper-Agent.plist (2013-11-08) [Support]

[loaded] org.macosforge.xquartz.startx.plist (2015-10-16) [Support]


Launch Daemons:

[failed] com.adobe.fpsaud.plist (2016-04-15) [Support]

[not loaded] com.apple.nysgar.plist (2016-05-08) - Executable not found!

[loaded] com.barebones.authd.plist (2012-11-22) [Support]

[loaded] com.barebones.textwrangler.plist (2010-01-30) [Support]

[loaded] com.github.GitHub.GHInstallCLI.plist (2013-04-06) [Support]

[loaded] com.malwarebytes.MBAMHelperTool.plist (2016-05-09) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2012-04-02) [Support]

[running] com.mozy.backup.plist (2016-03-13) [Support]

[loaded] com.oracle.java.Helper-Tool.plist (2014-01-01) [Support]

[running] com.rim.BBDaemon.plist (2013-11-08) [Support]

[not loaded] com.rim.nkehelper.plist (2013-11-08) [Support]

[running] com.rim.tunmgr.plist (2013-11-08) [Support]

[loaded] org.macosforge.xquartz.privileged_startx.plist (2015-10-16) [Support]


User Launch Agents:

[failed] com.adobe.ARM.[...].plist (2009-10-22) [Support]

[loaded] com.google.keystone.agent.plist (2016-05-11) [Support]


User Login Items:

iSyncr Application (/Applications/iSyncr.app)

Skype Application (/Applications/Skype.app)


Other Apps:

[running] com.JRTStudio.iSyncrWiFi.58272

[running] com.apple.nysgar

[running] com.etresoft.EtreCheck.268512

[loaded] com.excitedpixel.breaktimelauncher

[running] com.skype.skype.224352

[loaded] org.finkproject.dbus-session

[loaded] 410 Apple tasks

[running] 191 Apple tasks


Internet Plug-ins:

Default Browser: 601 - SDK 10.11 (2016-03-22)

Flip4Mac WMV Plugin: 3.1.0.24 - SDK 10.8 (2013-04-06) [Support]

OfficeLiveBrowserPlugin: 12.3.6 (2013-03-20) [Support]

Silverlight: 5.1.10411.0 - SDK 10.6 (2013-04-06) [Support]

FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-05-03) [Support]

QuickTime Plugin: 7.7.3 (2016-03-22)

Flash Player: 21.0.0.226 - SDK 10.6 (2016-05-03) Outdated! Update

Veoh Plugin: 3.0 (2008-04-15) [Support]

SharePointBrowserPlugin: 14.5.5 - SDK 10.6 (2015-09-12) [Support]

AdobePDFViewer: 9.5.4 (2013-02-22) [Support]

iPhotoPhotocast: 7.0 (2008-07-14)

JavaAppletPlugin: Java 8 Update 73 build 02 (2016-02-14) Check version


3rd Party Preference Panes:

Flash Player (2016-04-15) [Support]

Flip4Mac WMV (2013-01-09) [Support]

Java (2016-02-14) [Support]

MozyHome (2016-05-12) [Support]

Perian (2011-07-23) [Support]

Spelling (2015-12-06) [Support]

TeXDistPrefPane (2015-12-06) [Support]

TotalAccess (2005-02-25) [Support]

Tuxera NTFS (2012-08-30) [Support]


Time Machine:

Skip System Files: NO

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 249.77 GB Disk used: 220.04 GB

Destinations:

Toshiba Mac+ [Local]

Total size: 999.86 GB

Total number of backups: 3

Oldest backup: 3/20/13, 11:47 PM

Last backup: 5/12/16, 9:44 PM

Size of backup disk: Excellent

Backup size 999.86 GB > (Disk size 249.77 GB X 3)


Top Processes by CPU:

6% WindowServer

5% kernel_task

3% hidd

2% fontd

0% com.apple.WebKit.WebContent(4)


Top Processes by Memory:

816 MB kernel_task

492 MB com.apple.WebKit.WebContent(4)

377 MB mds_stores

319 MB Finder

303 MB WindowServer


Virtual Memory Information:

589 MB Free RAM

7.42 GB Used RAM (3.15 GB Cached)

0 B Swap Used


Diagnostics Information:

May 13, 2016, 08:40:13 PM Self test - passed

May 13, 2016, 08:21:50 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-202150_[redacted].cpu_resource.diag [Details]

/Library/PreferencePanes/MozyHome.prefPane/Contents/Resources/MozyHomeBackup

May 13, 2016, 07:56:46 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-13-195646_[redacted].cpu_resource.diag [Details]

May 12, 2016, 11:35:57 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-233557_[redacted].cpu_resource.diag [Details]

May 12, 2016, 10:03:31 PM /Library/Logs/DiagnosticReports/MozyHomeBackup_2016-05-12-220331_[redacted].crash

May 12, 2016, 08:40:18 PM /Library/Logs/DiagnosticReports/backupd_2016-05-12-204018_[redacted].cpu_resource.diag [Details]

/System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd

May 10, 2016, 11:36:03 PM ~/Library/Logs/DiagnosticReports/Finder_2016-05-10-233603_[redacted].crash

com.apple.finder - /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder

May 10, 2016, 10:28:35 PM /Library/Logs/DiagnosticReports/BitMedic_2016-05-10-222835_[redacted].hang

/Applications/BitMedic.app/Contents/MacOS/BitMedic

Posted on May 13, 2016 9:34 PM

45 replies
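The file quoted in the question is a Firefox OpenSearch "search plugin". As an added example (it is not from the question, nor from any tool mentioned in the thread), the following Python script parses such a file, reports which host serves the results page and which host serves the typing suggestions, and decodes the percent-encoded SearchForm so that its query parameters can be read. The sample input is the plugin from the question with the base64 icon left out; the function names are my own.

```python
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, unquote, urlsplit

# Namespace used by Firefox search plugin files.
NS = {"os": "http://www.mozilla.org/2006/browser/search/"}

# The plugin quoted in the question, with the <Image> element omitted.
SAMPLE_SEARCHPLUGIN = """<SearchPlugin xmlns="http://www.mozilla.org/2006/browser/search/">
<ShortName>Trovi</ShortName>
<Description>Trovi</Description>
<InputEncoding>UTF-8</InputEncoding>
<Url type="application/x-suggestions+json" method="GET" template="http://suggestqueries.google.com/complete/search?output=firefox&amp;client=firefox&amp;qu={searchTerms}" />
<Url type="text/html" method="GET" template="http://www.trovi.com/">
<Param name="q" value="{searchTerms}" />
</Url>
<SearchForm>http%3A%2F%2Fwww.trovi.com%2FResults.aspx%3Fn%3DDP2791%26searchsource%3D58%26UM%3D8%26gd%3DSY1000250/</SearchForm>
</SearchPlugin>
"""


def parse_search_plugin(xml_text):
    """Read the provider name, every <Url> (with its <Param> children)
    and the decoded <SearchForm> from a search plugin document."""
    root = ET.fromstring(xml_text)

    def text(tag):
        node = root.find(f"os:{tag}", NS)
        return node.text.strip() if node is not None and node.text else ""

    urls = []
    for url in root.findall("os:Url", NS):
        urls.append({
            "type": url.get("type", ""),
            "method": url.get("method", "GET"),
            "template": url.get("template", ""),
            "params": {p.get("name"): p.get("value")
                       for p in url.findall("os:Param", NS)},
        })
    return {
        "name": text("ShortName"),
        "description": text("Description"),
        "urls": urls,
        "search_form": unquote(text("SearchForm")),
    }


def host_of(url):
    return urlsplit(url).netloc.lower()


def summarize_search_plugin(xml_text):
    """Condense a plugin into the facts a reviewer wants: who gets the
    queries, who serves the suggestions, and what the SearchForm carries."""
    plugin = parse_search_plugin(xml_text)
    results = next((u for u in plugin["urls"] if u["type"] == "text/html"), None)
    suggest = next((u for u in plugin["urls"] if "suggestions" in u["type"]), None)
    results_host = host_of(results["template"]) if results else ""
    suggest_host = host_of(suggest["template"]) if suggest else ""
    form = urlsplit(plugin["search_form"])
    return {
        "name": plugin["name"],
        "results_host": results_host,
        "suggest_host": suggest_host,
        # Suggestions from one company and results from another is a
        # tell-tale layout: autocomplete looks normal, the query goes elsewhere.
        "hosts_differ": bool(results_host and suggest_host
                             and results_host != suggest_host),
        "search_form": {
            "endpoint": f"{form.scheme}://{form.netloc}{form.path}",
            "params": dict(parse_qsl(form.query)),
        },
    }


if __name__ == "__main__":
    import pathlib
    import sys
    # Usage: python searchplugin_check.py [path/to/plugin.xml]
    source = (pathlib.Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1
              else SAMPLE_SEARCHPLUGIN)
    for key, value in summarize_search_plugin(source).items():
        print(f"{key}: {value}")
```

Run against the sample, the summary shows suggestions coming from suggestqueries.google.com while the results page and the SearchForm both point at www.trovi.com, with the affiliate-style parameters (n, searchsource, UM, gd) visible once the SearchForm is decoded. Pointing the script at every file under a profile's searchplugins folder gives a quick inventory of which providers a profile will actually send queries to.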

May 15, 2016 10:48 AM in response to etresoft

etresoft:


One thing that can be done is to check for executables in obvious locations where executables are not supposed to be: i.e., /Library and ~/Library (and not their subdirectories) where the nysgar executable was located, perhaps the user's home directory, Desktop, and Documents directory. The search would have to find files with root privileges only.


One thing that should always be done, if the offending LaunchAgent or LaunchDaemon file is located, is to examine its contents to see if it spawns an executable, and always trash the executable with the agent/daemon.

May 15, 2016 12:35 PM in response to wclodius

Hello again wclodius,

Well, it's complicated, but not in a technical sense. I have to be very careful about false positives. You would be surprised how upset people get about that. People are much more forgiving of actual errors than they are about reporting any kind of uncertainty. There are a whole lot of people hacking around, legitimately or not, on OS X these days. There is no way to flag software doing what it is "not supposed" to do. Most developers have no idea what they are supposed to do.


EtreCheck already inspects the details of all of these launch agents and daemons. I have looked into adding the executable to the list of items to be deleted, but that gets really tricky. I'm not going to allow automated deletion of anything unless I'm absolutely sure it is adware. If I'm not sure, I'll just flag it in some other way, as I did in this case.


With EtreCheck, I lean on other helpers here on Apple Support Community. It doesn't have to be perfect because hopefully someone else will see it. I don't have the resources to investigate the behaviour of every single piece of adware or malware. I really don't have the resources to determine which of these new apps are adware or malware. I lean on EtreCheck users to report a lot of that. All I do is verify. If I'm absolutely sure it is safe, it gets whitelisted. If I'm absolutely sure it isn't, it gets blacklisted. Everything else is ignored and that will cause it to show up under an "Unknown Files" section.


Since your files were masquerading as Apple files, EtreCheck automatically detected that they weren't in the correct location. That is why it was printed out in the first place. Normally the hundreds of Apple tasks are hidden. I don't know why it reported a missing executable. For some reason, the "codesign" tool reported that when it tried to verify the Apple digital signature that you have enabled. Unfortunately, the signatures aren't a perfect solution because Apple sometimes doesn't sign its executables or signs them incorrectly. That leads to false positives and enraged EtreCheck users.

At this time, I'm still thinking about how best to handle adware like yours. I don't want to try some solution that only applies to the software you saw. I would have to bug you for a copy of the installer. Plus, the installer could, and most certainly will, change in the future. Instead, I have to come up with a general approach that will work in all cases. I figured they would start doing this at some point. I know how to handle it, but it will take a while to code and test. The downside is that once I do that, all they have to do is start masquerading as Adobe or maybe as any number of other legitimate, but uncommon software. At that point, it is pretty much game over. I'm afraid that in the fight against Mac malware, defeat is inevitable. I estimate six months or maybe a year before we'll all be furiously downloading and running antivirus tools.
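The two preceding posts describe a manual triage routine: open the LaunchAgent or LaunchDaemon plist, find the executable it spawns, note whether that executable sits somewhere Apple would never put one (directly in /Library or ~/Library, the home folder, Desktop or Documents), look for root-owned executables in those folders, and check the executable's code signature with codesign. The following Python script is an added example of that routine; it is not EtreCheck's code and not from either poster. The sample plist is constructed: it reuses the com.apple.nysgar label from the EtreCheck report, but the program path /Library/nysgar is hypothetical, and the home directory defaults to a placeholder that a caller should replace with the real one. The codesign step only runs on macOS; elsewhere it reports "not checked".

```python
import os
import plistlib
import shutil
import stat
import subprocess
from pathlib import Path

# Constructed sample (not a file from the thread): a launchd plist with an
# Apple-looking label whose program sits directly in /Library. The label is
# the one from the EtreCheck report; the path is hypothetical.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.apple.nysgar</string>
  <key>ProgramArguments</key>
  <array><string>/Library/nysgar</string><string>--quiet</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

# Where Apple's own launchd-spawned programs live; a com.apple.* label whose
# program is anywhere else is the "wrong location" EtreCheck flagged.
APPLE_PROGRAM_ROOTS = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/")


def launchd_executable(plist_bytes):
    """Return the program a launchd job would spawn (Program, else the first
    ProgramArguments entry), or None if the plist names nothing."""
    job = plistlib.loads(plist_bytes)
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def in_odd_location(path, home="/Users/me"):
    """True when the program sits directly (not in a subfolder) in /Library,
    the home folder, ~/Library, ~/Desktop or ~/Documents."""
    odd = {"/Library", home, f"{home}/Library", f"{home}/Desktop", f"{home}/Documents"}
    return str(Path(path).parent) in odd


def codesign_status(path):
    """Ask Apple's codesign tool to verify the signature; 'not checked' when
    the tool is absent (non-macOS) or the file does not exist."""
    tool = shutil.which("codesign")
    if tool is None or not os.path.isfile(path):
        return "not checked"
    proc = subprocess.run([tool, "--verify", "--strict", path],
                          capture_output=True, text=True)
    return "valid" if proc.returncode == 0 else (proc.stderr.strip() or "invalid")


def triage_plist(plist_bytes, home="/Users/me"):
    """Summarise one launch agent/daemon plist for manual review."""
    label = plistlib.loads(plist_bytes).get("Label", "")
    exe = launchd_executable(plist_bytes)
    return {
        "label": label,
        "executable": exe,
        "executable_exists": bool(exe) and os.path.isfile(exe),
        "odd_location": bool(exe) and in_odd_location(exe, home),
        "apple_label_outside_apple_dirs":
            label.startswith("com.apple.") and bool(exe)
            and not exe.startswith(APPLE_PROGRAM_ROOTS),
        "codesign": codesign_status(exe) if exe else "not checked",
    }


def executables_directly_in(directory, owner_uid=0):
    """Non-recursive listing of executable regular files in `directory`
    owned by `owner_uid` (root by default); symlinks are skipped."""
    hits = []
    for entry in os.scandir(directory):
        if not entry.is_file(follow_symlinks=False):
            continue
        st = entry.stat(follow_symlinks=False)
        if st.st_uid == owner_uid and st.st_mode & stat.S_IXUSR:
            hits.append(entry.path)
    return sorted(hits)


if __name__ == "__main__":
    for key, value in triage_plist(SAMPLE_PLIST, home=str(Path.home())).items():
        print(f"{key}: {value}")
    home = str(Path.home())
    for folder in ("/Library", home, f"{home}/Library"):
        if os.path.isdir(folder):
            print(folder, executables_directly_in(folder))
```

The script deliberately does not delete anything; it produces the facts a person needs to decide, which is the false-positive problem etresoft describes. A real run would feed it every plist under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents, passing the actual home directory, and would treat "apple_label_outside_apple_dirs" plus "odd_location" as the strongest signal, with the codesign result as supporting evidence rather than proof either way, since etresoft notes that Apple's own binaries are sometimes unsigned or mis-signed.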

May 15, 2016 1:51 PM in response to Lexiepex

I am very much sure about the article on how to remove pop-up ads and graphics: support.apple.com/en-us/ht203987. Also, Apple has modified the article; there is no way written how to enter the system library or user library, and it is not mentioned what files are to be removed that are malicious.

To be very honest, I followed the article and have written the entire old article in my diary. The first step is to check in Applications itself. Then enter


in system library: click on Finder > Go > Macintosh HD > Library > LaunchAgents: com.*agent.plist (* is any word), com.*helper.plist (* is any word). These are malicious so must be removed.

And the rest of the related files are suspicious. If I am wrong, consult Apple Support, and if anyone is still in doubt, close all applications: Command + Tab + Q.

Form a new folder on the desktop (Shift + Command + N); after that, drag and drop the files from the LaunchAgents and LaunchDaemons folders into this new folder on the desktop,

as the user should not be in doubt whether they are deleted permanently. We can put the files back in their original place once again.

Restart from the Apple logo. Kindly remove the antivirus cleaner, Malwarebytes, Adobe (Adobe can be installed once again, not a big thing). I personally use this manual method. I have clubbed together the contents of the article and which contents are to be removed from which folders; if anyone has the old article they can cross-check it.


Note: I only use Adobe Flash Player & Microsoft Office and their plist files are there, & also I do not download anything from Google, the App Store, or iTunes songs.

So that's the way to use it in a normal way.

Thanks.

May 15, 2016 2:08 PM in response to appreciate

I am very much sure about the article on how to remove pop-up ads and graphics: support.apple.com/en-us/ht203987


If you wish to reference an Apple article, simply post a live link to it:


https://support.apple.com/en-us/ht203987


in system library: click on Finder > Go > Macintosh HD > Library > LaunchAgents: com.*agent.plist (* is any word), com.*helper.plist (* is any word). These are malicious so must be removed.


Please be exact when you say System Library: If I use System Library and remove any word as you suggest, then I would be removing all Apple launch agents:


User uploaded file


Which would be the wrong thing to do.


And, you are now telling people that the normal way is not to download anything from the Apple app store or iTunes.

May 15, 2016 2:28 PM in response to etresoft

Etresoft:


I am not going to complain about someone not doing everything that could be done, when their effort appears to be unfunded and better than what I could probably do. Your judgement is best. I am slightly surprised it reported a missing executable when the executable that was spawned by the script was at the location specified by the script.

May 15, 2016 8:04 PM in response to babowa

In your screenshot the path that you are using is to enter the hard disk, meaning you are using this path: click on the top menu bar > Computer > Macintosh HD > System > Library > LaunchAgents. But I am not telling you to enter the hard disk.


But as I have already stated, how to enter the system library: please take your cursor to the top menu bar, click on Finder > Go > Computer > Macintosh HD > Library. Now we will see the folders LaunchAgents and LaunchDaemons.


Secondly, how to enter the user library: take your cursor to the top menu bar, click on Finder > Go, then press the Option key on the keyboard, please don't release it, and then click on Library.

May 15, 2016 8:15 PM in response to appreciate

What babowa is trying to tell you is quit calling it the system library when you are referring to the local library (computer library, shared library). The 3 libraries most common are the local, system, and user library. Although there are many other library folders within those.

It is confusing to people when you call it by one name and point to another. If someone takes your first words using system library and doesn't read the rest carefully, they may wind up in the wrong library and damage their system.
