Is this a virus? It keeps downloading "plugins button 0.9" which the internet keeps telling me is a virus.

I'm using a MacBook Air and running macOS Sierra

Recently got a virus on Google Chrome called "plugins button 0.9"

Everything on the internet tells me that it's a virus and that I need to get rid of it, but every website tells me that I also need to download "macbooster" or "mackeeper".

It keeps changing my default search engine to Yahoo! when I keep changing it back to Google.

It downloaded another extension called Alien Tab or something which changed my new tab page to something different

I've run Anti-Malware Bytes for Mac several times and it found something every time, and I deleted it and restarted the computer every time.

Also used DetectX which found 15 files the first time and then after I deleted those and restarted several more times, it kept finding two files.

User uploaded file

The files are always in this folder called Managed Preferences and only contains the items above. (Items are enclosed below)

Every time I delete them they come back and I can't find what's creating them. This is as far as I've gotten.

It worries me because it links apple.com in it and says ExtensionInstallForceList.

The string "bfkmdpflsdpop..." is the ID of the extension that I see when I go into developer mode on Chrome.

I'm seriously confused I have no idea how to get rid of this thing. Please help.

I've gone directly into the library and went into Application Support and deleted all the files in the extension part of Chrome and deleted the app multiple times and reinstalled and it still came up with the same plugin button.

How do I get rid of this thing???!?!?!

(Also the Chrome Extension has been reported several times on the chrome store for the exact same reason.)


This one is "com.google.Chrome.plist"

User uploaded file

This one is "complete.plist"

User uploaded file

MacBook Air, macOS Sierra (10.12.6)

Posted on Aug 1, 2017 7:13 AM
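A way to read what a file like the "com.google.Chrome.plist" described above is telling Chrome to do, as an added example that is not part of the original post. The sample plist is constructed, and its extension ID and URLs are placeholders; `audit_chrome_policy` is a hypothetical helper name.

```python
import plistlib

# Chrome policy keys that can pin an extension or override search/new-tab settings.
WATCHED_KEYS = (
    "ExtensionInstallForceList",
    "DefaultSearchProviderEnabled",
    "DefaultSearchProviderName",
    "DefaultSearchProviderSearchURL",
    "HomepageLocation",
    "NewTabPageLocation",
)

# Constructed sample, not the poster's file. The extension ID and URLs are
# placeholders. The apple.com URL in the DOCTYPE line is the standard header
# of every XML property list.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>ExtensionInstallForceList</key>
  <array>
    <string>aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa;https://updates.example.invalid/crx</string>
  </array>
  <key>DefaultSearchProviderEnabled</key>
  <true/>
  <key>DefaultSearchProviderSearchURL</key>
  <string>https://search.example.invalid/?q={searchTerms}</string>
</dict>
</plist>
"""


def audit_chrome_policy(plist_bytes):
    """Return (forced_extensions, other_overrides) from a Chrome policy plist."""
    policy = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    forced = []
    for entry in policy.get("ExtensionInstallForceList", []):
        # Each entry is "<extension id>;<update URL>"; the URL part is optional.
        ext_id, _, update_url = str(entry).partition(";")
        forced.append({"id": ext_id, "update_url": update_url or None})
    overrides = {k: policy[k] for k in WATCHED_KEYS[1:] if k in policy}
    return forced, overrides


if __name__ == "__main__":
    forced, overrides = audit_chrome_policy(SAMPLE_PLIST)
    for ext in forced:
        print("force-installed extension:", ext["id"], "from", ext["update_url"])
    for key, value in overrides.items():
        print("policy override:", key, "=", value)
```

An extension listed under `ExtensionInstallForceList` is installed by policy, which is why removing it from inside Chrome or deleting Chrome's extension folder does not stick while the plist keeps being recreated.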


Aug 1, 2017 9:10 AM in response to macjack

I ran your software and I didn't do anything else but run it (Aware that it's not supposed to delete/change anything quite yet)

Just providing creation times for the files in question after a restart.

Not sure what to do right now

User uploaded file


EtreCheck version: 3.4.2 (436)

Report generated 2017-08-01 09:01:37

Download EtreCheck from https://etrecheck.com

Runtime: 3:01

Performance: Good


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Clean up] link to delete unused files.


Problem: Other problem

Description:

Plugin Button 0.9 is a Google Chrome extension and I can’t uninstall or remove it from my computer. Continues to reinstall itself after every reboot. It will not be deleted. Changes my default search engine on Google Chrome.


Hardware Information:

MacBook Air (13-inch, Early 2015)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir7,2

1 1.6 GHz Intel Core i5 (i5-5250U) CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 4

iCloud Quota: 46.76 GB available


Video Information:

Intel HD Graphics 6000 - VRAM: 1536 MB

Color LCD 1440 x 900


Disk Information:

APPLE SSD SM0256G disk0: (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 250.14 GB

Recovery HD (disk0s3 - Journaled HFS+) <not mounted> [Recovery]: 650 MB


USB Information:

USB30Bus

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Virtual disks:

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 249.78 GB (94.52 GB free)

Physical disk: disk0s2 250.14 GB Online


System Software:

macOS Sierra 10.12.6 (16G29) - Time since boot: less than an hour


Gatekeeper:

Mac App Store and identified developers


Clean up:

/Library/LaunchDaemons/com.apple.installer.cleanupinstaller.plist

/macOS Install Data/Locked Files/cleanup_installer

Executable not found!

~/Library/LaunchAgents/com.google.keystone.agent.plist

~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent -runMode ifneeded

Executable not found!

~/Library/LaunchAgents/user.launchkeep.cold-turkey.plist

~/Applications/Cold Turkey.app/Contents/MacOS/Cold Turkey

Executable not found!

3 orphan files found. [Clean up]


Kernel Extensions:

/Library/Extensions

[loaded] com.paragon-software.filesystems.ntfs (14.2.288 - SDK 10.5) [Lookup]

[not loaded] com.seagate.driver.PowSecDriverCore (5.2.7 (26995) - SDK 10.4) [Lookup]

[loaded] com.sophos.kext.oas (9.6.51 - SDK 10.11) [Lookup]

[loaded] com.sophos.nke.swi (9.6.51 - SDK 10.11) [Lookup]


/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

[not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.2.7 (26995) - SDK 10.4) [Lookup]

[not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.2.7 (26995) - SDK 10.5) [Lookup]

[not loaded] com.seagate.driver.SeagateDriveIcons (5.2.7 (26995) - SDK 10.4) [Lookup]


System Launch Agents:

[not loaded] 6 Apple tasks

[loaded] 185 Apple tasks

[running] 91 Apple tasks


System Launch Daemons:

[not loaded] 42 Apple tasks

[loaded] 177 Apple tasks

[running] 97 Apple tasks


Launch Agents:

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a2 3d420d.plist (Adobe Systems, Inc. - installed 2017-01-12) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? c1a721 be93c7fb - installed 2017-07-25) [Lookup]

[running] com.paragon-software.NTFS.fsnotify.agent.plist (? dcda45f4 848b1897 - installed 2017-04-19) [Lookup]

[loaded] com.paragon-software.facebook.agent.plist (? 95fb0bd4 e9648c48 - installed 2017-04-19) [Lookup]

[running] com.sophos.uiserver.plist (Sophos - installed 2017-08-01) [Lookup]


Launch Daemons:

[loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2017-01-12) [Lookup]

[loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2017-01-12) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 178755d7 - installed 2017-06-23) [Lookup]

[not loaded] com.apple.installer.cleanupinstaller.plist (? ? ? - installed 2017-04-19) - /macOS Install Data/Locked Files/cleanup_installer: Executable not found!

[loaded] com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-05-20) [Lookup]

[loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2017-05-24) [Lookup]

[loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e afb3bef0 - installed 2010-08-25) [Lookup]

[loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-04-11) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-07-12) [Lookup]

[running] com.paragon-software.NTFS.fsnotify.daemon.plist (? 66744841 b1cb5590 - installed 2016-08-29) [Lookup]

[loaded] com.paragon.NTFS.launch.plist (Apple, Inc. - installed 2017-07-14)

[loaded] com.rockysandstudio.WUHelper.plist (Rocky Sand Studio Ltd. - installed 2017-05-08) [Lookup]

[running] com.seagate.TBDecorator.plist (? 595582c 212092b1 - installed 2015-11-02) [Lookup]

[running] com.sophos.common.servicemanager.plist (Sophos - installed 2017-08-01) [Lookup]

[not loaded] org.eyebeam.SelfControl.plist (Charlie Stigler - installed 2017-07-03) [Lookup]


User Launch Agents:

[failed] com.google.keystone.agent.plist (? 6efb3bc1 0 - installed 2016-07-17) [Lookup] - ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent: Executable not found!

[loaded] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2017-05-16) [Lookup]

[failed] user.launchkeep.cold-turkey.plist (? df239023 0 - installed 2017-06-06) [Lookup] - ~/Applications/Cold Turkey.app/Contents/MacOS/Cold Turkey: Executable not found!


User Login Items:

iTunesHelper Application (Apple, Inc. - installed 2017-07-20)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)


Internet Plug-ins:

FlashPlayer-10.6: 26.0.0.137 (installed 2017-07-11) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-07-29)

AdobePDFViewerNPAPI: 17.009.20058 (installed 2017-07-23) [Lookup]

AdobePDFViewer: 17.009.20058 (installed 2017-07-23) [Lookup]

Flash Player: 26.0.0.137 (installed 2017-07-11) [Lookup]

SharePointBrowserPlugin: 14.0.0 (installed 2010-08-25) [Lookup]

PepperFlashPlayer: 26.0.0.137 (installed 2017-07-11) [Lookup]

JavaAppletPlugin: Java 8 Update 141 build 15 (installed 2017-07-25) Check version


3rd Party Preference Panes:

Flash Player (installed 2017-06-23) [Lookup]

Java (installed 2017-07-25) [Lookup]

Paragon NTFS for Mac® (installed 2017-04-19) [Lookup]

Seagate Dashboard for Mac OSX (installed 2017-03-21) [Lookup]


Time Machine:

Time Machine not configured!


Top Processes by CPU:

57% mdworker

56% mdworker

5% WindowServer

3% kernel_task

2% trustd


Top Processes by Memory:

593 MB kernel_task

273 MB SophosScanD

62 MB WindowServer

60 MB assistant_service

58 MB assistantd


Top Processes by Network Use:

Input Output Process name

10 KB 67 KB SophosMcsAgentD

13 KB 16 KB apsd

17 KB 7 KB mDNSResponder

1 KB 1 KB SophosScanD

764 B 354 B netbiosd


Top Processes by Energy Use:

7.78 WindowServer

1.82 SophosUIServer

0.90 apsd

0.34 syncdefaultsd


Virtual Memory Information:

5.68 GB Available RAM

3.88 GB Free RAM

2.32 GB Used RAM

1.80 GB Cached files

0 B Swap Used


Software installs:

Kindle: 1.20.2 (installed 2017-07-03)

Adobe Flash Player: (installed 2017-07-11)

Adobe Pepper Flash Player: (installed 2017-07-11)

Adobe Acrobat Reader DC (17.009.20058): (installed 2017-07-23)

NetBeans 8.2: (installed 2017-07-25)

JDK 8 Update 141: (installed 2017-07-25)

JDK 8 Update 141: (installed 2017-07-25)

JDK 8 Update 131: (installed 2017-07-26)

downloader: (installed 2017-07-31)


Install information may not be complete.


Diagnostics Information:

2017-08-01 03:31:20 DesktopServicesHelper Crash [Open]

2017-08-01 03:30:02 SophosScanD.app High CPU use [Open] [Details]

Aug 1, 2017 7:20 AM in response to LethalHugs

Do not download either MacBooster or MacKeeper. Did you change your default search engine back after removing the adware?

Force Quit Safari (command + option + esc keys). Then restart Safari holding the Shift key. If you still have problems, Empty Caches (Safari menu > Preferences > Privacy > Remove all website data). (This will also remove history; if you do not want to remove History, open Safari Preferences > Advanced and check mark “Show Develop Menu”, then choose “Empty Caches” from the Develop menu.) If the problem persists, download and run EtreCheck, created by one of our own helpers here in ASC. It is a diagnostic tool that's very useful to us in finding problems. Also it will give us further specs on your Mac. After it runs, post the log file here. It will contain no personal information.

Aug 1, 2017 7:20 AM in response to LethalHugs

Hello LethalHugs,

This probably isn't the suggestion you want to hear, but could you try to download and run yet another tool? 🙂 I wrote a little diagnostic program to help show what adware is installed. Download EtreCheck from https://www.etrecheck.com, run it, and paste the results here. EtreCheck is perfectly safe to run, does not ask for your password to install, and is signed with my Apple Developer ID. When you are done, EtreCheck can be thrown in the trash.


If adware is installed, EtreCheck will help you remove it, although you may have to supply a password. If you aren’t comfortable with that, just post the EtreCheck report here and other helpers can tell you exactly what files need to be deleted and how to do so.


Normally, EtreCheck ignores every browser other than Safari. I just can't keep up with the whole world. But if you have manually deleted the plugin in Chrome and it keeps coming back, there may be something external to Chrome that keeps putting it back. Instead of trying to detect "threats" or "files", EtreCheck just lists everything that is running in the background on your machine. Hopefully one of those items can be identified as the culprit that is screwing around with Chrome.


Disclaimer: Although EtreCheck is free, there are other links on my site that could give me some form of compensation, financial or otherwise.

Aug 1, 2017 12:05 PM in response to etresoft

I've already moved all the files I need into a folder so that I can transfer it to an external hard drive. Do you think that it would just be more worth it to do a factory reset at this point? None of my files are executables, json, java, or anything. Would it be possible for the virus to be hidden in a PDF, JPG, PNG, DOC, or EPUB file? These are the only kinds of files that are in my folder as of now and have not been transferred to my external hard drive yet.


Also, in an effort to get rid of the virus, I reset my Chrome and deleted all extensions. The file was still there of course. I also went into the library itself and deleted the files there.


Problem started like 6 - 10 hours ago I think.

Aug 1, 2017 12:13 PM in response to LethalHugs

Adware and malware do sometimes try to masquerade as something else. But that is just to fool a human. There are much more strict requirements to have the computer automatically run software. I'm not familiar with Chrome so I can't comment on how things work inside of Chrome.


I wouldn't recommend doing a factory reset without a Time Machine backup. There are files all over your machine. There is no way to say if you have recovered them all or if you would be able to restore. In fact, I don't recommend you do anything except make a Time Machine backup at this point. Once you have a backup, you have more options. Without a backup, you are teaching yourself the trapeze without a safety net.


I don't see anything at the system level. One easy test you can do is to create a new user account on your machine. Run Chrome from that account to see if it works correctly. If it does, then you can use that new, virtually empty account as a guide to see what files need to be reset on your main account.

Aug 1, 2017 1:10 PM in response to softwater

Yes indeed it is. Perhaps I was doing the steps wrong but my process was

Open detectX and search and open the paths to the file did not hit 'Trash all'

Opened terminal and then ran the "...-D; sudo -K" code

Then I ran the "...sudo -P; sudo -K"

(This second line of code returned no results)

Ran search on detectX again, files were still there

Went to the path directly and then deleted the files myself

Emptied bin

Looked around a bit more for the umpteenth time and actually found chrome labeled files in another file.

(I checked this file because creation/modify time was the same as the Managed Preferences folder)

Deleted those and the Virus seems to be gone.

I will do a shut down and start up and let you know how it goes.


@etresoft

The files I need to keep are relatively minimal and simple and pretty much all of them open with a double click and are all just text files on Adobe Acrobat, iBooks, and TextEdit. I have a couple dumb codes in NetBeans but that's about it.

Seeing as that all the files I want are in that folder, what other dangers would there be in doing a factory reset? Isn't it the same as if I were to have just bought the computer?


P.S.

If this works thank you all so much for your help. Dunno why all the help out there was for PC only. Perhaps the virus is new to everyone.

Anyways thx again.

Aug 1, 2017 1:50 PM in response to LethalHugs

LethalHugs wrote:


Seeing as that all the files I want are in that folder, what other dangers would there be in doing a factory reset? Isn't it the same as if I were to have just bought the computer?


The danger is in what you didn't realize you needed. You won't know that until after it is gone for good. I don't know what is on your machine so I can't make any comment other than that you need a Time Machine backup.

Aug 1, 2017 6:29 PM in response to LethalHugs

That's interesting info, thanks. My analysis was based on a sample which had the filepaths hard-coded into it, but your experience suggests there's more than one variant out there.


It would be useful if you could send me the reports from DetectX so that I could see what was removed in your case and update the search paths for everyone else. If you're willing to do that (and I perfectly understand if you're not), go to the Help menu in DetectX and click 'Report a Problem to Sqwarq Support'.
