
generdude (original poster):
As I was just about to close up my '24 MacBook Air (Ventura) I saw this notification pop up and disappear quickly, something like this: YONGMING ZHANG has been added to your login items.
So in General > Login Items > Allow in the Background there is an item called YONGMING ZHANG. I can't find this anywhere on the computer. With Login Items you can + or - them, but with the ones in Allow in the Background you can't.
So, what is this and how do I get rid of it?
And why, how did it get placed in there out of nowhere? Malwarebytes doesn't see it.
 
Yes, that name was linked to Adware Doctor (2018), malware that harvested and sent stolen user data.
 
The story is wild - allegedly the unknown developer has an identity based on the name of a notorious Chinese serial killer.
 

Normally login items are due to some software you install. I would think about what you might’ve recently installed.

If I remember right, login items might get identified by the developer name so it gets confusing sometimes.

Also you mentioned macOS Ventura. Right now we’re at macOS Sequoia. Make sure you have at least security updates installed, but it’s always good to have the current version because some security features only get installed with the current version.
 
Leftover / stuck 'Allow in the Background' entries can be due to a file in either Home/Library/LaunchAgents or the same folder in Macintosh HD/Library… as well as …/LaunchDaemons (one was found on a family computer here today, a remnant of an unwanted install, causing the same problem described by generdude. No trace of the long-since trashed app).

The file(s) might not be obviously named after the app or developer; the folders might not exist in either place.

Files will likely be in the form com.google.keystone.agent.plist, where google would relate to the developer ID and keystone to the app or process name.

Trash them if you're sure, screenshot & ask if not.

Guessing: something was installed then removed, perhaps by the user or a 'protection' app, and this was left hanging.
 
My MacBook Air is Sonoma, not Ventura. I have an iMac with Ventura, my old brain got mixed up.
So yes, I was a couple of security updates behind on the Air which has the problem. I usually check for those as I don’t get a notification for them.

When I first noticed this strange login item I checked for and did not find it within:
1. ~/Library/LaunchAgents
2. /Library/LaunchAgents
3. ~/Library/LaunchDaemons
4. /Library/LaunchDaemons

At the time I was on the Verizon website.
The only thing I'd downloaded was Malwarebytes, about a week previously. I run it now and it finds nothing, although it had previously found something that it did "quarantine" and later found not to be a danger.
[screenshot attached]
 
I ran sudo sfltool dumpbtm in Terminal but it wasn't there. There's a lot of other stuff that I don't exactly remember.
 
I've never experienced not finding all login items represented in that output. Could you confirm that

sudo sfltool dumpbtm | grep -i YONGMING

produces no output?
 
sudo sfltool dumpbtm | grep -i YONGMING

Code:
Name: YONGMING ZHANG
Developer Name: YONGMING ZHANG
Identifier: YONGMING ZHANG
Developer Name: YONGMING ZHANG
Parent Identifier: YONGMING ZHANG
Name: YONGMING ZHANG
Developer Name: YONGMING ZHANG
Identifier: YONGMING ZHANG
Name: YONGMING ZHANG
Developer Name: YONGMING ZHANG
Identifier: YONGMING ZHANG
 
That means that this name has an entry in the file produced by the "sfltool dumpbtm" command.

There are many entries output by this command. Each entry has a bunch of lines and each entry is separated from other entries by a blank line. You do need to get the result of the command open in an editor (like TextEdit) to review the other lines in the various entries associated with "YONGMING ZHANG". Do you know how to do that? For example, you could run

sudo sfltool dumpbtm > zhang.txt

and then just double click zhang.txt in Finder.

I can make a guess that what you've shown says there are 4 entries. Lines 1,2,3 are lines in one entry identifying the developer (not software). Lines 4 and 5 are another entry that identifies the software. Those two entries do reference each other within the file. The remainder of the lines you posted are different "generations" of the developer (and I don't know what that means).
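Added here as a worked example, not something posted in the thread: a small shell script that does the "open it in TextEdit and look for the developer's paragraphs" step mechanically. It reads the dumpbtm output as paragraph-separated records, keeps the ones that mention a name, and prints the plist and binary paths those records point at; the `btm_inspect` helper then shows what is actually on disk. The function names, the `--live` switch and the sample dumpbtm text (invented UUIDs, identifiers modeled on the records in this thread) are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): narrow `sudo sfltool dumpbtm` output to
# the records that mention one developer and pull out the on-disk paths they
# point at. dumpbtm prints one record per paragraph ("#12:", "#28:", ...) with
# a blank line between records, which is what awk's paragraph mode (RS="") keys on.

# Every record whose text contains NAME, case-insensitively, like `grep -i`
# but keeping whole records instead of single lines.
#   sudo sfltool dumpbtm | btm_records_for "YONGMING ZHANG"
btm_records_for() {
    awk -v name="$1" '
        BEGIN { RS = ""; ORS = "\n\n"; lname = tolower(name) }
        index(tolower($0), lname) { print }
    '
}

# The filesystem paths behind those records: the launchd plist in
# "URL: file://..." and the binary in "Executable Path:". Developer-only
# records carry "URL: (null)" and contribute nothing.
#   sudo sfltool dumpbtm | btm_paths_for "YONGMING ZHANG"
btm_paths_for() {
    btm_records_for "$1" | awk '
        /^[ \t]*(URL|Executable Path): / {
            sub(/^[ \t]*(URL|Executable Path): /, "")
            if ($0 == "(null)") next
            sub(/^file:\/\//, "")
            sub(/,[ \t]*$/, "")          # stray trailing comma from copy/paste
            print
        }
    ' | sort -u
}

# On a Mac: what is really at each path. A missing path means the BTM record
# is stale (files already removed); a present binary gets its signing team
# printed so it can be compared with the record's "Team Identifier".
#   sudo sfltool dumpbtm | btm_paths_for "YONGMING ZHANG" | btm_inspect
btm_inspect() {
    while IFS= read -r p; do
        if [ ! -e "$p" ]; then
            echo "missing: $p  (stale record, nothing left on disk)"
            continue
        fi
        ls -l "$p"
        case "$p" in
            *.plist) plutil -p "$p" 2>/dev/null | grep -E '"(Label|Program|ProgramArguments)"' ;;
            *)       command -v codesign >/dev/null 2>&1 && codesign -dvv "$p" 2>&1 | grep -E '^(TeamIdentifier|Authority)' ;;
        esac
    done
}

# Constructed sample in dumpbtm's format (UUIDs invented; identifiers follow
# the records posted in the thread), so the example runs without a Mac.
SAMPLE_DUMPBTM='#12:
                 UUID: 00000000-0000-4000-8000-000000000012
                 Name: YONGMING ZHANG
       Developer Name: YONGMING ZHANG
                 Type: developer (0x20)
           Identifier: YONGMING ZHANG
                  URL: (null)

#28:
                 UUID: 00000000-0000-4000-8000-000000000028
                 Name: com.yelab.AdwareRemovalHelper
       Developer Name: YONGMING ZHANG
      Team Identifier: 3333L99H4N
                 Type: legacy daemon (0x10010)
           Identifier: com.yelab.AdwareRemovalHelper
                  URL: file:///Library/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist
      Executable Path: /Library/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper
    Parent Identifier: YONGMING ZHANG

#40:
                 UUID: 00000000-0000-4000-8000-000000000040
                 Name: com.example.someother.agent
       Developer Name: Example Corp
           Identifier: com.example.someother.agent
                  URL: file:///Library/LaunchAgents/com.example.someother.agent.plist
'

if [ "${1:-}" = "--live" ]; then
    # Real run on the affected Mac; NAME defaults to the one from the thread.
    sudo sfltool dumpbtm | btm_paths_for "${2:-YONGMING ZHANG}" | btm_inspect
else
    printf '%s' "$SAMPLE_DUMPBTM" | btm_paths_for "YONGMING ZHANG"
fi
```

Run without arguments it works on the embedded sample and prints the two yelab paths; `./btm_paths.sh --live "YONGMING ZHANG"` runs against the real database. Matching whole records rather than single grep lines is the point: the developer record ("URL: (null)") and the daemon record are separate paragraphs, and only the daemon record carries the paths you need.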
 
svenmany:
How do I "then just double click zhang.txt in Finder?"
I am also working with Malwarebytes but so far no suggestions. But they are still working on it and I will post here the result when/if it comes.
 
When you run the Terminal application, you're likely working in your home folder, so the file would have been created there. Do you know how to open Finder on your home folder? It's the directory one up from your Documents folder.

Another easy way is to just run "open zhang.txt" right in Terminal, just after you run the sfltool command. That should open TextEdit on the file (or some other text editor if you've installed one).

I suspect that once you see the resulting file, you'll recognize the program that developer wrote and you'll remember having installed it. Fingers crossed.
 

svenmany:

Oh, I misunderstood. Of course I know how to open a file.
There is no zhang.txt in Finder. I've tried all the suggested Terminal commands.
I appreciate your patience.
 
Let me try again. Open Terminal and type the following exactly:

Code:
sudo sfltool dumpbtm > zhang.txt; open zhang.txt

then hit enter. Then type your password and hit enter again. Does an editor open showing stuff?

If it shows stuff, then look for paragraphs that mention that developer's name. One of them will identify the installed software.

By the way, "zhang.txt" can be any name for a file. I just picked that so that you can remember its purpose and be reminded to delete it at some point.

I once had an unrecognized entry shown in settings; it just said "Davide Feroldi". I had no idea who that was. When I looked in the output of dumpbtm, I saw

Code:
 #11:
                 UUID: FC504B8C-A644-4AB6-B973-44E95FE215D6
                 Name: Davide Feroldi
       Developer Name: Davide Feroldi
                 Type: developer (0x20)
                Flags: [  ] (0)
          Disposition: [disabled, allowed, visible, not notified] (0x2)
           Identifier: Davide Feroldi
                  URL: (null)
           Generation: 0
  Embedded Item Identifiers:
    #1: 16.it.murus.pf.helper

 #12:
                 UUID: 46D1F78C-CEE2-48EC-9E78-E038AE1E3E96
                 Name: it.murus.pf.helper
       Developer Name: Davide Feroldi
      Team Identifier: RNLG254GCK
                 Type: legacy daemon (0x10010)
                Flags: [ legacy ] (0x1)
          Disposition: [enabled, allowed, visible, notified] (0xb)
           Identifier: 16.it.murus.pf.helper
                  URL: file:///Library/LaunchDaemons/it.murus.pf.helper.plist
      Executable Path: /Library/PrivilegedHelperTools/it.murus.pf.helper
           Generation: 4
    Parent Identifier: Davide Feroldi

The first paragraph identified the developer, the second identified the software. I then knew that Davide Feroldi was the developer who created Murus Firewall, which I've purchased.
 

svenmany:

I just got this and it shows YONGMING ZHANG 11 times within Items # 12, 32, 27, 28
Now what do I do?

Code:
 #12:
                 UUID: 8C694B56-5B82-4383-A6C3-543C7F401967
                 Name: YONGMING ZHANG
       Developer Name: YONGMING ZHANG
                 Type: developer (0x20)
          Disposition: [disabled, allowed, visible, not notified] (2)
           Identifier: YONGMING ZHANG
                  URL: (null)
           Generation: 1

 #32:
                 UUID: C2D718EB-6FD7-4B9A-979B-E2250634C36B
                 Name: YONGMING ZHANG
       Developer Name: YONGMING ZHANG
                 Type: developer (0x20)
          Disposition: [disabled, allowed, visible, notified] (10)
           Identifier: YONGMING ZHANG
                  URL: (null)
           Generation: 1
  Embedded Item Identifiers:
    #1: com.yelab.AdwareRemovalHelper

 #27:
                 UUID: 8C694B56-5B82-4383-A6C3-543C7F401967
                 Name: YONGMING ZHANG
       Developer Name: YONGMING ZHANG
                 Type: developer (0x20)
          Disposition: [disabled, allowed, visible, not notified] (2)
           Identifier: YONGMING ZHANG
                  URL: (null)
           Generation: 0
  Embedded Item Identifiers:
    #1: com.yelab.AdwareRemovalHelper

 #28:
                 UUID: C3D2A9FE-16C0-47AF-863D-B1F9EA3B989C
                 Name: com.yelab.AdwareRemovalHelper
       Developer Name: YONGMING ZHANG
      Team Identifier: 3333L99H4N
                 Type: legacy daemon (0x10010)
          Disposition: [enabled, disallowed, visible, notified] (9)
           Identifier: com.yelab.AdwareRemovalHelper
                  URL: file:///Library/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist
      Executable Path: /Library/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper
           Generation: 2
    Parent Identifier: YONGMING ZHANG
 
So that tells you the files associated with the name. The earlier posters are correct that this is affiliated with Yelab, the developers of Adware Doctor.

/Library/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist
/Library/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper

Within the plist you will also find a reference to the executable that's being run as a daemon. Removing those files might be enough. Reboot right after.

There is some information on the web about Yelab. There is some hard evidence that they were doing some harvesting of information.

Yelab has posted an objection to the Malwarebytes forum asking not to be labeled as a PUP (potentially unwanted program).

That was from 2017, before the application was removed from the App Store.

Is there any chance you intentionally installed "Komros Anti Malware & Adware" or "Adware Doctor" yourself? You could have done this from the App Store. It seems Yelab makes/made both. If you did install such an app (App Store or otherwise), you might find it in the /Applications folder. If so, I would use App Cleaner to delete it and all related files automatically.

I do wonder why you only just saw the login item popup. But, I will say, that every time I run VMware I get the following popup, even though I installed VMware a long time ago:

[screenshot of the VMware popup attached]
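Added as a worked example, not part of anyone's post above: the removal step done in the order that actually clears the item. The daemon is stopped with `launchctl bootout` before its files go (removing the plist under a running daemon leaves the process, and its BTM entry, alive until reboot), the two files are moved to a quarantine folder rather than deleted so the step is reversible, and nothing is touched unless the plist really names the helper binary the dumpbtm record pointed at. The function names, the quarantine location and the temp-dir stand-in for the two yelab files are this example's own assumptions.

```bash
#!/bin/bash
# Added example (not from the thread): remove one BTM item in the order that
# actually clears it. Stop the launchd job first, then move the plist and the
# helper binary out of the way (reversible, unlike rm), and only after checking
# that the plist really names the binary we were told about. Function names and
# the temp-dir sample are this example's own; the yelab paths come from the thread.

# The program a launchd plist runs: <key>Program</key>, or the first element
# of <key>ProgramArguments</key>. Plain awk over the XML so it runs anywhere;
# on a Mac `plutil -p "$plist"` shows the same thing.
plist_program() {
    awk '
        /<key>Program<\/key>/          { want = 1; next }
        /<key>ProgramArguments<\/key>/ { want = 1; next }
        want && /<string>/ {
            sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
            print; exit
        }
    ' "$1"
}

# quarantine_btm_item PLIST EXEC DEST
# Refuses (status 2) when PLIST does not run EXEC, so a mislabeled record
# cannot make us move an unrelated daemon. Run as root on the real system.
quarantine_btm_item() {
    plist=$1; exe=$2; dest=$3
    prog=$(plist_program "$plist") || return 1
    if [ "$prog" != "$exe" ]; then
        echo "refusing: $plist runs '$prog', not '$exe'" >&2
        return 2
    fi
    # Deleting the plist under a running daemon leaves the process, and its
    # BTM entry, alive until reboot; bootout stops and unregisters it first.
    if [ "$(id -u)" = 0 ] && command -v launchctl >/dev/null 2>&1; then
        launchctl bootout system "$plist" 2>/dev/null || true
    fi
    mkdir -p "$dest" &&
    mv "$plist" "$exe" "$dest"/ &&
    echo "moved $(basename "$plist") and $(basename "$exe") to $dest"
}

# Constructed stand-in for the two yelab files, in a temp dir, so the example
# runs end to end without touching /Library. Prints the directory it made.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/LaunchDaemons" "$dir/PrivilegedHelperTools"
    : > "$dir/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper"
    cat > "$dir/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.yelab.AdwareRemovalHelper</string>
    <key>Program</key>
    <string>$dir/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper</string>
    <key>RunAtLoad</key>
    <true/>
</dict>
</plist>
EOF
    echo "$dir"
}

# Demo on the sample. On the affected Mac the real call, as root, is:
#   quarantine_btm_item /Library/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist \
#       /Library/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper /var/root/btm-quarantine
# then reboot and confirm with:  sudo sfltool dumpbtm | grep -i yongming
SAMPLE_DIR=$(make_sample)
quarantine_btm_item "$SAMPLE_DIR/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist" \
                    "$SAMPLE_DIR/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper" \
                    "$SAMPLE_DIR/quarantine"
```

The check that the plist's Program matches the Executable Path from dumpbtm is what makes this safe to run from a record you did not create: if a record is stale or points elsewhere, the function refuses instead of moving the wrong daemon. Keeping the quarantined files for a while also preserves evidence if you later want to look at what the helper did.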
 
svenmany:
With some help from you and Malwarebytes these were found and deleted and all is good now. Thank you so much!

URL: file:///Library/LaunchDaemons/com.yelab.AdwareRemovalHelper.plist
Executable Path: /Library/PrivilegedHelperTools/com.yelab.AdwareRemovalHelper
 