
Can't Remove "Plugins Button" adware from Chrome on MacOS Sierra

I got infected by some freeware and have used Malwarebytes to clear out nearly everything, but there's one thing sticking -- a Chrome plugin called "Plugins Button." When I click on the Developer Mode in my extensions, it says:

ID: bfkmdpfljdpopbemfaelnflapafbflgn

(This extension is managed and cannot be removed or disabled.)

I've run Malwarebytes a bunch. I've gone into the libraries and deleted things via http://www.thesafemac.com/arg-identification/


I've deleted and reinstalled google chrome.


I found this thread which helped me locate the plugin and delete it manually, but every time I close and reopen Chrome, it reinstalls itself. I watched the folder and it only happened upon launch.



This has eaten up my whole day and most of the help out there is for PC. Any help would be much appreciated!!

MacBook Air, macOS Sierra (10.12.6)

Posted on Jul 23, 2017 8:11 PM

Question marked as Best reply

Posted on Jul 30, 2017 2:30 AM

OK, I've figured out how to remove this now. There's no need to delete Chrome or any of your folders. This should do it (please note there are some caveats at the end which you should read before you start):


1. Launch DetectX and do a search. You should see at least 5 items.


2. Quit Chrome


3. In Terminal, execute this command* (you'll need admin privileges)


sudo /usr/bin/profiles -D; sudo -K




Type 'y' when prompted.


4. In DetectX, click the 'Trash All...' button.**


5. Relaunch Chrome and check that all is well.


Caveats

*If you or the machine's administrator are using 'Managed Preferences' then do NOT use the '-D' switch in step 3. You'll need to identify the correct profiles. Use the -P switch to list the installed profiles and only delete the one with 'org.superduper.extension' identifier. Likewise, do NOT use the Trash All... feature in DetectX. Instead, double-click the items in DetectX's window to open them in Finder and remove them manually that way.


**You'll need to authorise the deletions when macOS asks you as DetectX doesn't have the permissions to do that (a safety feature).
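The caveat above turns on knowing which installed profile is the one forcing the extension. As an added example (not code from the thread, from DetectX or from Apple), this Python script parses a constructed configuration profile of the kind the caveat describes and reports which profile identifier force-installs which Chrome extension, so that one profile can be targeted instead of wiping them all with -D. The sample profile, its update URL and the trusted-prefix value are constructed; the MCX wrapper shape handled in _forcelists is an assumption drawn from macOS conventions, not from the thread.

```python
import plistlib
import re

# Constructed sample profile (.mobileconfig) in the shape macOS uses for a Chrome
# policy payload. Profile identifier and extension ID are the ones named in the
# thread; the update URL is a placeholder, not a real host.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>org.superduper.extension</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.google.Chrome</string>
    <key>PayloadIdentifier</key><string>org.superduper.extension.chrome</string>
    <key>ExtensionInstallForcelist</key>
    <array><string>bfkmdpfljdpopbemfaelnflapafbflgn;https://update.example.invalid/crx</string></array>
  </dict></array>
</dict></plist>"""

CHROME_DOMAIN = "com.google.Chrome"
MCX_TYPE = "com.apple.ManagedClient.preferences"  # MCX wrapper form of a policy payload (assumed shape)
EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 letters from a-p

def _forcelists(payload):
    """Yield each ExtensionInstallForcelist array in one payload dict, for both
    the direct com.google.Chrome payload and the MCX wrapper shape."""
    if payload.get("PayloadType") == CHROME_DOMAIN:
        yield payload.get("ExtensionInstallForcelist", [])
    elif payload.get("PayloadType") == MCX_TYPE:
        domain = payload.get("PayloadContent", {}).get(CHROME_DOMAIN, {})
        for entry in domain.get("Forced", []):
            yield entry.get("mcx_preference_settings", {}).get("ExtensionInstallForcelist", [])

def forced_extensions(profile_bytes):
    """Return [(profile_identifier, extension_id, update_url)] for every extension
    the configuration profile force-installs into Chrome."""
    profile = plistlib.loads(profile_bytes)
    profile_id = profile.get("PayloadIdentifier", "<unknown>")
    found = []
    for payload in profile.get("PayloadContent", []):
        for forcelist in _forcelists(payload):
            for item in forcelist:
                ext_id, _, url = item.partition(";")  # entries are "<id>;<update_url>"
                if EXT_ID.match(ext_id):
                    found.append((profile_id, ext_id, url))
    return found

def profiles_to_remove(profile_bytes, trusted_prefixes=()):
    """Identifiers of profiles that force-install extensions and are not from a
    trusted source (e.g. the organisation's MDM): the ones to remove one by one."""
    return sorted({pid for pid, _, _ in forced_extensions(profile_bytes)
                   if not pid.startswith(tuple(trusted_prefixes))})

if __name__ == "__main__":
    for pid, ext, url in forced_extensions(SAMPLE_PROFILE):
        print(f"profile {pid} forces extension {ext} from {url}")
```

The identifiers it returns are the ones to remove individually (`profiles -R -p <identifier>` on Sierra-era macOS) rather than clearing every profile with -D; on a managed machine, pass the organisation's own profile prefix as trusted_prefixes so MDM profiles are left alone.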

41 replies

Jul 24, 2017 6:29 AM in response to ChateauOfADoubt

I don't see anything there, and I'm wondering - having re-read your description - whether this isn't simply being caused by Chrome's preferences or autosaved states. You said you deleted and reinstalled Chrome, but did you reset it to its default settings?


If you haven't done that, go through the steps you did before to delete or disable the extension, then reset Chrome to default by following this guide:


Resetting Browsers on OS X (Safari, Chrome, Firefox)

Jul 27, 2017 6:00 AM in response to softwater

I do have a Brother all-in-one machine. Here's what resulted when I ran that.

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>OnDemand</key>

<false/>

<key>Label</key>

<string>com.brother.LOGINserver</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver</string>

</array>

</dict>

</plist>

I sent you an email with that *.dmg as an attachment the other day (July 25th, 10:15 EST). Did you receive it?

Jul 27, 2017 10:27 PM in response to softwater

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>OnDemand</key>

<false/>

<key>Label</key>

<string>com.brother.LOGINserver</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Printers/Brother/Utilities/Server/LOGINserver.app/Contents/MacOS/LOGINserver</string>

</array>

</dict>

</plist>

Jul 24, 2017 5:52 AM in response to ChateauOfADoubt

Clearly it's persisting itself through a binary you haven't yet located. Can you run this in Terminal and let me know what if anything it returns:


ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}'

The command searches to see if a background adware process is running.


For further explanation of this and other useful commands see Terminal tricks for defeating adware.


Disclaimer: this post contains a link to my website from which I may derive some form of compensation.

Jul 24, 2017 5:59 AM in response to ChateauOfADoubt

In which case you'll need to look a bit deeper. Try this one; it produces a text file on your Desktop with the results of various searches in places like your LaunchDaemons folder, and it lists a number of background processes. The code redacts your username so you can post it safely here so that we can have a look at what's going on under the hood (a fuller explanation of what this code does can be found on the same webpage I linked to earlier; this is 'Trick 7').


Select the whole lot, paste it into Terminal, and supply an admin password. The output is on your Desktop in a file called 'adware_search.txt'. Copy and paste the results from the text file (wait till the prompt returns at the command line - it takes a few seconds to finish):


w=`id -un`; r="s@$w@[redacted]@g"; f="/Users/"$w"/Desktop/adware_search.txt"; ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ | sed "$r" >> "$f"; printf "\n\n/etc:\n" >> "$f";ls -alF /etc/*.sh >> "$f"; printf "\n\n# osacript processes:\n" >> "$f"; ps -axo ppid,pid,command | grep 'osascript -e global' | egrep -i "if is_Firefox_running|if is_Safari_running|if is_Chrome_running" | grep -v "grep" | grep -v ' 1 ' | awk '{ print $1, $2}' | sed "$r" >> "$f"; printf "\n\n# User launchd:\n" >> "$f"; launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Root launchd:\n" >> "$f"; sudo launchctl list | grep -v apple | sed "$r" >> "$f"; printf "\n\n# Find rec_script.sh:\n" >> "$f"; sudo find /Library ~/Library -name "*rec_script.sh*" | sed "$r" >> "$f"; sudo -K

Jul 24, 2017 5:59 AM in response to softwater

/Library/LaunchAgents/:

total 64

drwxr-xr-x@ 10 root wheel 340 Jul 23 10:07 ./

drwxr-xr-x+ 61 root wheel 2074 Jul 23 10:07 ../

-rw-r--r-- 1 root wheel 612 Apr 10 2016 com.adobe.AAM.Updater-1.0.plist

-rw-r--r-- 1 root wheel 577 Apr 30 18:48 com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist

-rw-r--r-- 1 root wheel 432 Oct 24 2016 com.brother.LOGINserver.plist

lrwxr-xr-x 1 root wheel 104 Sep 27 2016 com.oracle.java.Java-Updater.plist@ -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist

-rw-r--r-- 1 root wheel 500 Aug 29 2016 com.paragon-software.NTFS.fsnotify.agent.plist

-rw-r--r-- 1 root wheel 650 Aug 29 2016 com.paragon-software.facebook.agent.plist

-rw-r--r-- 1 root wheel 708 Dec 23 2014 com.wacom.pentablet.plist

-rw-r--r-- 1 root wheel 715 Oct 26 2016 org.macosforge.xquartz.startx.plist



/Library/LaunchDaemons/:

total 72

drwxr-xr-x@ 11 root wheel 374 Jul 23 22:13 ./

drwxr-xr-x+ 61 root wheel 2074 Jul 23 10:07 ../

-rw-r--r-- 1 root wheel 474 Apr 30 18:48 com.adobe.ARMDC.Communicator.plist

-rw-r--r-- 1 root wheel 486 Apr 30 18:48 com.adobe.ARMDC.SMJobBlessHelper.plist

-rw-r--r-- 1 root wheel 663 Apr 10 2016 com.adobe.agsservice.plist

-rw-r--r-- 1 root wheel 899 Apr 10 11:32 com.macpaw.CleanMyMac3.Agent.plist

lrwxr-xr-x 1 root wheel 103 Sep 27 2016 com.oracle.java.Helper-Tool.plist@ -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist

-rw-r--r-- 1 root wheel 550 Aug 29 2016 com.paragon-software.NTFS.fsnotify.daemon.plist

-rw-r--r-- 1 root wheel 641 Aug 29 2016 com.paragon.NTFS.launch.plist

-rw-r--r-- 1 root wheel 736 Aug 14 2016 jp.co.canon.MasterInstaller.plist

-rw-r--r-- 1 root wheel 664 Oct 26 2016 org.macosforge.xquartz.privileged_startx.plist



/Users/[redacted]/Library/LaunchAgents/:

total 24

drwxr-xr-x@ 4 [redacted] staff 136 Jul 23 22:14 ./

drwx------@ 70 [redacted] staff 2380 Jul 23 21:49 ../

-rw-r--r--@ 1 [redacted] staff 6148 Jul 23 22:11 .DS_Store

-rw-r--r-- 1 [redacted] staff 737 Jul 23 22:14 com.macpaw.CleanMyMac3.Scheduler.plist





/etc:





# osacript processes:





# User launchd:

PID Status Label

460 0 com.brother.LOGINserver

522 0 com.wacom.TabletDriver.1568

- 0 com.openssh.ssh-agent

892 0 com.adobe.Photoshop.6752

- 0 org.macosforge.xquartz.startx

- 0 com.paragon-software.facebook.agent

1975 0 com.google.Chrome.7588

- 111 com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d

- 0 com.adobe.AAM.Scheduler-1.0

502 0 com.wacom.ConsumerTouchDriver.1516

- 0 com.oracle.java.Java-Updater

- 0 com.macpaw.CleanMyMac3.Scheduler

809 0 com.adobe.illustrator.6708

528 0 com.brother.utility.NETserver.2360

455 0 com.paragon-software.fsnotify.agent.NTFS

- 0 com.google.keystone.user.agent

673 0 org.mozilla.firefox.6828

704 0 com.adobe.AfterEffects.6564

466 0 com.wacom.pentablet

526 0 com.brother.utility.USBserver.2356





# Root launchd:

PID Status Label

- 0 com.macpaw.CleanMyMac3.Agent

- 0 com.adobe.ARMDC.Communicator

1680 0 com.malwarebytes.HelperTool

- 0 org.cups.cupsd

- 0 Adobe_Genuine_Software_Integrity_Service

- 0 com.oracle.java.Helper-Tool

- 0 com.vix.cron

- 0 jp.co.canon.MasterInstaller

- 0 com.paragon.NTFS.launch

- 0 com.adobe.ARMDC.SMJobBlessHelper

215 0 org.ntp.ntpd

- 0 org.macosforge.xquartz.privileged_startx

57 0 com.paragon-software.fsnotify.daemon.NTFS





# Find rec_script.sh:

Jul 24, 2017 7:25 AM in response to ChateauOfADoubt

Have you cleaned out the Preferences and Saved Application State files for Chrome?


I'd even suggest going a step further and removing everything inside ~/Library/Application Support related to Google Chrome.


If you've already been down that road, try another command in Terminal; with Chrome running, let's see all the processes associated with it:


w=`id -un`; ps -axo ppid,pid,command | grep -i chrome | grep -v grep | sed "s@$w@[redacted]@g"

Jul 24, 2017 8:26 AM in response to softwater

I hadn't done those things, so I gave them a shot, but that pesky little Plugins Button popped back up. Ran that command, here's what resulted:


1 2427 /Applications/Google Chrome.app/Contents/MacOS/Google Chrome

1 2430 /Applications/Google Chrome.app/Contents/Versions/59.0.3071.115/Google Chrome Framework.framework/Helpers/crashpad_handler --monitor-self-annotation=ptype=crashpad-handler --database=/Users/[redacted]/Library/Application Support/Google/Chrome/Crashpad --metrics-dir=/Users/[redacted]/Library/Application Support/Google/Chrome --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=OS X --annotation=prod=Chrome_Mac --annotation=ver=59.0.3071.115 --handshake-fd=8

2427 2434 /Applications/Google Chrome.app/Contents/Versions/59.0.3071.115/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=gpu-process --field-trial-handle=1 --supports-dual-gpus=false --gpu-driver-bug-workarounds=0,1,10,24,27,38,41,49,55,63,65,66,67,68,75,76,78,86,87,88,91,94,102 --disable-gl-extensions=GL_KHR_blend_equation_advanced GL_KHR_blend_equation_advanced_coherent --gpu-vendor-id=0x8086 --gpu-device-id=0x1626 --gpu-driver-vendor --gpu-driver-version --gpu-driver-date --gpu-active-vendor-id=0x8086 --gpu-active-device-id=0x1626 --service-request-channel-token=A23F2C895FB2361C99B670FA1E735DA2

1 2435 /Applications/Google Chrome.app/Contents/Versions/59.0.3071.115/Google Chrome Framework.framework/Versions/A/XPCServices/AlertNotificationService.xpc/Contents/MacOS/AlertNotificationService

2427 2456 /Applications/Google Chrome.app/Contents/Versions/59.0.3071.115/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=renderer --field-trial-handle=1 --primordial-pipe-token=326F57767CAA6327170DD561E99BD7D3 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=false --enable-pinch --num-raster-threads=2 --enable-zero-copy --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,34037;0,11,34037;0,12,34037;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,34037;1,11,34037;1,12,34037;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,34037;2,11,34037;2,12,34037;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,34037;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,34037;3,13,34037;3,14,3553;3,15,34037;3,16,34037;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,34037;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,34037;4,13,34037;4,14,3553;4,15,34037;4,16,34037 --service-request-channel-token=326F57767CAA6327170DD561E99BD7D3 --renderer-client-id=10

2427 2519 /Applications/Google Chrome.app/Contents/Versions/59.0.3071.115/Google Chrome Helper.app/Contents/MacOS/Google Chrome Helper --type=renderer --field-trial-handle=1 --primordial-pipe-token=D022DF35FFD703D79CD1543F98B20487 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --blink-settings=disallowFetchForDocWrittenScriptsInMainFrame=false,disallowFetchForDocWrittenScriptsInMainFrameOnSlowConnections=false --enable-pinch --num-raster-threads=2 --enable-zero-copy --enable-gpu-memory-buffer-compositor-resources --enable-main-frame-before-activation --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,34037;0,11,34037;0,12,34037;0,13,3553;0,14,3553;0,15,3553;0,16,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,34037;1,11,34037;1,12,34037;1,13,3553;1,14,3553;1,15,3553;1,16,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,34037;2,11,34037;2,12,34037;2,13,3553;2,14,3553;2,15,3553;2,16,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,34037;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,34037;3,13,34037;3,14,3553;3,15,34037;3,16,34037;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,34037;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,34037;4,13,34037;4,14,3553;4,15,34037;4,16,34037 --service-request-channel-token=D022DF35FFD703D79CD1543F98B20487 --renderer-client-id=13

Jul 24, 2017 9:02 AM in response to ChateauOfADoubt

Hmm, I don't see anything out of the ordinary there, either.


Can you remember anything about where or how you ended up with this plugin? I have a load of quarantined testbeds I use for just this kind of thing. If I could recreate the infection here I'd be better able to diagnose it.


Failing that, I'd need a complete ps -axo output for your machine both before you start Chrome and after. I do NOT suggest you dump that in this thread, quite apart from the size of the dump, it'll reveal too much personal info for a public forum.


You could contact me off list if you want to take that option (you should be able to find an email for me in my profile here, or follow the link to the website I posted earlier and go to the Contact page).

Jul 26, 2017 7:11 AM in response to vivien82

Thanks for the link.


It didn't behave badly so far, and I was able to uninstall it just by clicking the Trash button. I'll re-install it and see if it changes behaviour after a bit of use. Sometimes these things lie dormant for a while before playing up.


I did see lots of comments in the Reviews section similar to those here, so it's obviously a fairly common problem.


I'll get back to you when I can get it to do something bad!

Jul 27, 2017 12:12 AM in response to softwater

w=`id -un`;ls -alF /Lib*/Launch*/ ~/Lib*/Launch*/ | sed "s@$w@[redacted]@g"

/Library/LaunchAgents/:

total 24

drwxr-xr-x 5 root wheel 170 Jul 27 01:47 ./

drwxr-xr-x+ 61 root wheel 2074 Jul 26 00:18 ../

-rw-r--r-- 1 root wheel 751 Sep 21 2016 com.Logitech.Control Center.Daemon.plist

-rw-r--r-- 1 root wheel 432 Nov 9 2015 com.brother.LOGINserver.plist

-r--r--r-- 1 root wheel 662 Jul 25 00:49 com.rosettastone.rosettastonedaemon.plist


/Library/LaunchDaemons/:

total 8

drwxr-xr-x 3 root wheel 102 Jul 27 02:21 ./

drwxr-xr-x+ 61 root wheel 2074 Jul 26 00:18 ../

-rw-r--r-- 1 root wheel 267 May 20 22:58 com.microsoft.autoupdate.helper.plist


/Users/[redacted]/Library/LaunchAgents/:

total 48

drwxr-xr-x 7 [redacted] staff 238 Jul 26 23:43 ./

drwx------@ 72 [redacted] staff 2448 Jul 26 23:43 ../

-rw-r--r--@ 1 [redacted] staff 6148 Jul 26 23:43 .DS_Store

-rw-r--r--@ 1 [redacted] staff 487 Jan 14 2016 com.bittorrent.uTorrent.plist

-rw-r--r-- 1 [redacted] staff 476 Mar 11 14:08 com.coconut-flavour.coconutBattery-Menu.plist

-rw-r--r--@ 1 [redacted] staff 800 Jul 12 2016 com.google.keystone.agent.plist

-rw-r--r--@ 1 [redacted] staff 530 May 26 2016 com.spotify.webhelper.plist
