
Impossible Adware

Hello Everyone,

I'll go direct to the point.


I had some issues with "Trovi" adware so I used some apps provided for free on the Store and they found the trouble and fixed it. Basically, all of my browsers opened it at the login even if I did not want to do that.


Unfortunately, the issue remained and I found that this strange "virus" arbitrarily creates some peculiar folders with strange names (pathway: user/Library) like multiflagellata, duodenocolangitis, etc. Inside each folder there's a Unix executable file with the same name.

(Macintosh HD/Users/[my username]/Library/duodenocolangitis/duodenocolangitis)

Yesterday I found a plethora of different files like that and tried to open one. Once I opened the executable file, it opened the Safari browser instantaneously, like at startup (I use Firefox). So I understood that it was not a good file and put it into the Trash, and I was able to empty it only after the reboot (because the system was using it to open Safari, I presume).


Today I discovered that in the LaunchDaemons folder there are some plist files tightly linked to these executables (com.duodenocholangitis.service.plist), and so I copied and pasted the following:


<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.d">
<plist version="1.0">
<dict>
    <key>UserName</key>
    <string>root</string>
    <key>KeepAlive</key>
    <true/>
    <key>Label</key>
    <string>com.pref.service-preferences</string>
    <key>RunAtLoad</key>
    <true/>
    <key>ProgramArguments</key>
    <array>
        <string>/etc/run_app.sh</string>
    </array>
</dict>
</plist>

So I followed this path (/etc/run_app.sh) and removed it. There are other suspicious files (also in the var folder), by the way, that I don't want to remove. Anyway, intriguingly, when I simply remove these files (duodenocolangitis and com.duodenocholangitis.service.plist) without an internet connection and I reboot the Mac, the problem seems to be fixed. But when I do the same thing with the internet connection and I reboot the Mac, the problematic folders reappear under other names with other related plist files.


<Link Edited by Host>

VIN, iMac (27-inch Mid 2010)

Posted on Nov 13, 2016 2:56 AM
