chickashnaz

Q: ANNOYING MACKEEPER TABS AND POPUP ADS

Hi there,

 

I bought a new macbook air 2 weeks ago, all has been well and good (new to mac products, always for android, still am).

 

Safari has also been good, as well as chrome, but as of recently, this whole "MacKeeper", "Zeobit.com" **** is completely taking over my search engines etc, problems including:

 

- Clean up mac ads everywhere, as well as the typical "Get a new iPhone 5" rubbish

- When clicking on links, my top sites tab shows up as well as the typical "MacKeeper" download page in another. I can only open links by pressing command to open in new tabs, however my top sites tab opens as well as the Mackeeper download page, along with its fling annoying ads

- Ads as well before relevant google search links, like "Pages related to...." With zeobit.com on every inch of my ******* screen

 

Note that:

 

- I HAVE NOT downloaded anything to do with mackeeper, so uninstalling programs etc is unnecessary information - purely mackeeper tab and popup annoyances

- I have TRIED to 'restart' safari and remove cache, nothing works

- I have done the whole system preferences, privacy, remove all website data (which this zeobit.com **** is listed), and I remove zeobit.com but it just goes back on the list when I go through this process again

- Yes I have 'block popup ads' ticked

 

Can someone give me a solution to removing these popups with anything to do with zeobit.com and fling mackeeper which doesn't require me to read a long page of information? I'm about to smash my screen in here.

Posted on Jul 10, 2014 4:48 AM

  • by Linc Davis,

    Linc Davis Jan 11, 2015 11:10 AM in response to LeeLeeM
    Level 10 (208,000 points)
    any other suggestions before I call apple support?

    Please read this whole message before doing anything.

    Disconnect all wired peripherals except those needed for the test, and remove all aftermarket expansion cards, if applicable. Start up in safe mode and log in to the account with the problem. You must hold down the shift key twice: once when you turn on the computer, and again when you log in.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for further instructions.

    Safe mode is much slower to start up and run than normal, with limited graphics performance, and some things won’t work at all, including sound output and Wi-Fi on certain models. The next normal startup may also be somewhat slow.

    The login screen appears even if you usually login automatically. You must know your login password in order to log in. If you’ve forgotten the password, you will need to reset it before you begin.

    Try again to run the test script.

  • by LeeLeeM,

    LeeLeeM Jan 11, 2015 11:27 AM in response to Linc Davis
    Level 1 (0 points)

    Dear Linc,

     

    You are awesome, it finally worked through safe mode and this is what I got

     

    Start time: 14:21:34 01/11/15

     

     

    Model Identifier: iMac14,1

    System Version: OS X 10.9.5 (13F34)

    Kernel Version: Darwin 13.4.0

    Boot Mode: Safe

    Time since boot: 6 minutes

     

     

    Bluetooth

     

     

      Apple Magic Mouse

      Apple Wireless Keyboard

     

     

    Diagnostic reports

     

     

      2015-01-11 Garmin Express Service crash

      2015-01-11 com.apple.prefs.backup.remoteservice crash

      2015-01-11 helpd crash

     

     

    Log

     

     

      Jan 10 15:43:29 com.period.searchprotectd: Job failed to exec(3) for weird reason: 2

      Jan 10 16:04:52 com.apple.PackageKit.InstallStatus: Throttling respawn: Will start in 6 seconds

      Jan 11 09:42:20 com.period.searchprotectd: Throttling respawn: Will start in 10 seconds

      Jan 11 09:42:28 pci pause: SDXC

      Jan 11 09:42:30 com.period.searchprotectd: Throttling respawn: Will start in 10 seconds

      Jan 11 09:42:33 com.period.searchprotectd: Throttling respawn: Will start in 7 seconds

      Jan 11 09:42:40 com.period.searchprotectd: Throttling respawn: Will start in 1 seconds

      Jan 11 09:42:40 com.period.searchprotectd: Throttling respawn: Will start in 1 seconds

      Jan 11 09:42:41 com.period.searchprotectd: Job failed to exec(3). Setting up event to tell us when to try again: 2: No such file or directory

      Jan 11 09:42:41 com.period.searchprotectd: Job failed to exec(3) for weird reason: 2

      Jan 11 09:47:36 jnl: disk1s2: replay_journal: from: 25609216 to: 27596800 (joffset 0xe8e000)

      Jan 11 09:47:36 jnl: disk1s2: journal replay done.

      Jan 11 12:51:45 com.apple.appleseed.seedusaged: Throttling respawn: Will start in 7 seconds

      Jan 11 12:52:00 com.apple.appleseed.seedusaged: Throttling respawn: Will start in 3 seconds

      Jan 11 12:52:30 pci pause: SDXC

      Jan 11 13:27:51 com.apple.PackageKit.InstallStatus: Throttling respawn: Will start in 10 seconds

      Jan 11 13:28:41 com.period.searchprotectd: Throttling respawn: Will start in 5 seconds

      Jan 11 13:28:46 com.period.searchprotectd: Throttling respawn: Will start in 10 seconds

      Jan 11 13:28:48 pci pause: SDXC

      Jan 11 13:28:56 com.period.searchprotectd: Job failed to exec(3). Setting up event to tell us when to try again: 2: No such file or directory

      Jan 11 13:28:56 com.period.searchprotectd: Job failed to exec(3) for weird reason: 2

      Jan 11 13:45:08 com.apple.PackageKit.InstallStatus: Throttling respawn: Will start in 3 seconds

      Jan 11 13:46:03 pci pause: SDXC

      Jan 11 14:14:49 com.apple.PackageKit.InstallStatus: Throttling respawn: Will start in 10 seconds

      Jan 11 14:17:12 pci pause: SDXC

     

     

    Agents

     

     

      com.apple.AirPortBaseStationAgent

      com.apple.photostream-agent

     

     

    Frameworks

     

     

      /System/Library/Frameworks/v.framework

      - not

     

     

    PrefPane

     

     

      /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy/JavaControlPanel.prefPane

      - could

      /Library/PreferencePanes/Flash Player.prefPane

      - could

     

     

    Contents of /Library/LaunchAgents/com.mouse.agent.plist

      - mod date: Jan  4 15:01:14 2015

      - checksum: 4051420290

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.v.agent</string>

      <key>OnDemand</key>

      <false/>

      <key>ProgramArguments</key>

      <array>

      <string>/Library/Application Support/mouse/Agent/agent.app/Contents/MacOS/agent</string>

      </array>

      <key>RunAtLoad</key>

      <true/>

      <key>KeepAlive</key>

      <true/>

      <key>LimitLoadToSessionType</key>

      <string>Aqua</string>

      <key>ThrottleInterval</key>

      <integer>10</integer>

      </dict>

      </plist>

     

     

    Contents of /Library/LaunchAgents/com.oracle.java.Java-Updater.plist

      - mod date: Nov 22 18:14:41 2013

      - checksum: 1211197771

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.oracle.java.Java-Updater</string>

      <key>ProgramArguments</key>

      <array>

      <string>/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater</string>

      <string>-bgcheck</string>

      </array>

      <key>StandardErrorPath</key>

      <string>/dev/null</string>

      <key>StandardOutPath</key>

      <string>/dev/null</string>

      <key>StartCalendarInterval</key>

      <dict>

      <key>Hour</key>

      <integer>21</integer>

      <key>Minute</key>

      <integer>54</integer>

      <key>Weekday</key>

      <integer>5</integer>

      </dict>

      </dict>

     

     

      ...and 1 more line(s)

     

     

    Contents of /Library/LaunchDaemons/com.mouse.daemon.plist

      - mod date: Jan  4 15:01:14 2015

      - checksum: 432533803

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Disabled</key>

              <true/>

      <key>Label</key>

      <string>com.v.daemon</string>

      <key>OnDemand</key>

      <true/>

      <key>ProgramArguments</key>

              <array>

                      <string>/Library/Application Support/mouse/Agent/agent.app/Contents/MacOS/agent</string>

      <string>-update</string>

              </array>

      <key>KeepAlive</key>

      <true/>

      <key>RunAtLoad</key>

      <true/>

      <key>ThrottleInterval</key>

      <integer>10</integer>

      </dict>

      </plist>

     

     

    Contents of /Library/LaunchDaemons/com.mouse.helper.plist

      - mod date: Jan  4 15:01:14 2015

      - checksum: 853748285

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.v.helper</string>

      <key>OnDemand</key>

      <true/>

      <key>ProgramArguments</key>

              <array>

                      <string>/Library/Application Support/mouse/Agent/agent.app/Contents/MacOS/agent</string>

      <string>-helper</string>

              </array>

      <key>KeepAlive</key>

      <true/>

      <key>RunAtLoad</key>

      <true/>

      <key>ThrottleInterval</key>

      <integer>10</integer>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

      - mod date: Nov 15 09:06:18 2013

      - checksum: 3091590745

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID</string>

      <key>ProgramArguments</key>

      <array>

      <string>/System/Library/Frameworks/AddressBook.framework/Resources/AddressBookSourceSyncScheduleHelper</string>

      <string>-scheduleSync</string>

      <string>UUID</string>

      </array>

      <key>StartInterval</key>

      <integer>120000</integer>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.crossrider.wss002501.agent.plist

      - mod date: Jan  4 14:52:31 2015

      - checksum: 767249010

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>KeepAlive</key>

      <true/>

      <key>Label</key>

      <string>com.crossrider.wss002501.agent.plist</string>

      <key>ProgramArguments</key>

      <array>

      <string>/Users/USER/Library/LaunchAgents/WebSocketServerApp</string>

      <string>cmpId=2501</string>

      <string>ibic=UUID</string>

      <string>verifier=UUID</string>

      <string>extId=67619</string>

      </array>

      <key>RunAtLoad</key>

      <true/>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.google.keystone.agent.plist

      - mod date: Oct  9 19:09:12 2014

      - checksum: 847523142

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.google.keystone.user.agent</string>

      <key>LimitLoadToSessionType</key>

      <string>Aqua</string>

      <key>ProgramArguments</key>

      <array>

       <string>/Users/USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>

       <string>-runMode</string>

       <string>ifneeded</string>

      </array>

      <key>RunAtLoad</key>

      <true/>

      <key>StartInterval</key>

      <integer>3523</integer>

      <key>StandardErrorPath</key>

      <string>/dev/null</string>

      <key>StandardOutPath</key>

      <string>/dev/null</string>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

      - mod date: Jan  4 15:02:26 2015

      - checksum: 3699077557

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

          <key>Label</key>

          <string>com.jdibackup.ZipCloud.autostart</string>

          <key>ProgramArguments</key>

          <array>

              <string>open</string>

              <string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>

              <string>-n</string>

              <string>--args</string>

              <string>9</string>

              <string>-l</string>

          </array>

          <key>StandardOutPath</key>

          <string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>

          <key>StandardErrorPath</key>

          <string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>

          <key>RunAtLoad</key>

          <true/>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist

      - mod date: Jan  4 15:02:26 2015

      - checksum: 1711469413

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

          <key>Label</key>

          <string>com.jdibackup.ZipCloud.notify</string>

          <key>ProgramArguments</key>

          <array>

              <string>open</string>

              <string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>

              <string>--args</string>

              <string>7</string>

              <string>1</string>

          </array>

          <key>StandardOutPath</key>

          <string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>

          <key>StandardErrorPath</key>

          <string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>

          <key>StartInterval</key>

          <integer>1200</integer>

          <key>RunAtLoad</key>

          <false/>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/com.webhelper.plist

      - mod date: Jan  4 14:52:35 2015

      - checksum: 3762664612

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>Label</key>

      <string>com.webhelper</string>

      <key>EnableGlobbing</key>

      <true/>

      <key>ProgramArguments</key>

      <array>

      <string>/Users/USER/Library/Application Support/webHelperApp/launch</string>

      </array>

      <key>KeepAlive</key>

      <true/>

      <key>RunAtLoad</key>

      <true/>

      <key>OnDemand</key>

      <true/>

      <key>StandardErrorPath</key>

      <string>/dev/null</string>

      <key>StandardOutPath</key>

      <string>/dev/null</string>

      <key>ThrottleInterval</key>

      <integer>10</integer>

      </dict>

     

     

      ...and 1 more line(s)

     

     

    Contents of Library/LaunchAgents/com.webtools.update.agent.plist

      - mod date: Jan  4 14:52:35 2015

      - checksum: 393078621

     

     

      <?xml version="1.0" encoding="UTF-8"?>

      <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

      <plist version="1.0">

      <dict>

      <key>EnableGlobbing</key>

      <true/>

      <key>Label</key>

      <string>com.webtools.update.agent</string>

      <key>OnDemand</key>

      <true/>

      <key>ProgramArguments</key>

      <array>

      <string>/Users/USER/Library/WebTools/UpdateAgent/run_update.sh</string>

      </array>

      <key>RunAtLoad</key>

      <true/>

      <key>StartInterval</key>

      <integer>3600</integer>

      </dict>

      </plist>

     

     

    Contents of Library/LaunchAgents/flashmall_updater.plist

      - Apple binary property list

      - mod date: Jan  4 14:52:22 2015

      - checksum: 3535794380

     

     

      Dict {

          StartInterval = 86400

          ProgramArguments = Array {

              bash

              /Users/USER/Library/LaunchAgents/flashmall_updater.sh

          }

          Label = com.flashmall.updater

      }

     

     

    Spotlight: Indexing and searching disabled

     

     

    Font issues: 11

     

     

    DNS: 204.186.110.76

     

     

    User login items

     

     

      iTunesHelper

      - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

      Garmin Express Service

      - /Applications/Garmin Express.app/Contents/Library/LoginItems/Garmin Express Service.app

     

     

    Lockfiles: 55

     

     

    High file counts

     

     

      Desktop: 51

     

     

    Elapsed time (s): 185

  • by Fadi Hammad,

    Fadi Hammad Jan 11, 2015 11:42 AM in response to Linc Davis
    Level 1 (0 points)

    Many thanks Linc, I have changed the router settings and removed the Norton Antivirus, things seem to be working back to normal again.

     

    Appreciate your time and efforts.

     

    Regards.

  • by Linc Davis,

    Linc Davis Jan 11, 2015 11:56 AM in response to LeeLeeM
    Level 10 (208,000 points)

    A

    You installed a variant of the "VSearch" trojan. Remove it as follows.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchAgents/com.mouse.agent.plist

    Right-click or control-click the line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with an item selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

    Repeat with each of these lines:

    /Library/LaunchDaemons/com.mouse.daemon.plist
    /Library/LaunchDaemons/com.mouse.helper.plist

    Restart the computer and empty the Trash. Then delete the following items in the same way:

    /Library/Application Support/mouse
    /System/Library/Frameworks/v.framework

    The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

    This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

    Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

              Install system data files and security updates (OS X 10.10 or later)

    or

              Download updates automatically (OS X 10.9 or earlier)

    if it's not already checked.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

    B

    You also installed the "Crossrider" trojan. Take the steps below to disable it.

    Back up all data before continuing.

    1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination  command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

    2. Inside the folder you just opened, there may be files with any of the following names:

               com.crossrider.wss*.agent.plist

               flashmall_updater.plist

               flashmall_updater.sh

               com.webhelper.plist

               com.webtools.update.agent.plist

               WebSocketServerApp

    Here * stands for a variable six-digit number. Some of these files may be absent. Move any that you have to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

    3. Do as in Step 1 with this line:

    ~/Library/Application Support

    A folder named "Application Support" will open. Inside it there may be a subfolder with this name:

                webHelperApp

    If so, move that subfolder—not the "Application Support" folder—to the Trash.

    4. Finally, open this folder in the same way as above:

    ~/Library

    Look for a subfolder with this name:

                 WebTools

    and move it to the Trash, if present. Finally, empty the Trash.

    C

    As of yesterday, you had even a third malware infection, "SearchProtect," but it was removed before you ran the test.

    D

    "ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.

    To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)

    Quit the application, if it's running, and drag it from the Applications folder to the Trash.

    Triple-click anywhere in the line below on this page to select it:

    ~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

    Right-click or control-click the highlighted line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.

    In the same folder, there may also be a file named

               com.jdibackup.ZipCloud.notify.plist

    Move that to the Trash as well.

    Log out or restart the computer and empty the Trash.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

    E

    Spotlight indexing has been disabled on the startup volume. If you added the volume to the Privacy list in the Spotlight  preference pane, you should remove it. Otherwise, ask for instructions.

    F

    Back up all data before proceeding.

    Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.

    Start up in safe mode to rebuild the font caches. Restart as usual and test.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t start in safe mode. In that case, ask for instructions.

    If you still have problems, then from the Font Book menu bar, select

              File ▹ Restore Standard Fonts...

    You'll be prompted to confirm, and then to enter your administrator login password.

    Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

    G

    Run the following command in the same way as before. It moves to the Trash "semaphore" files that have not been cleaned up by the system and may be interfering with normal operation. The files are empty; they contain no data. There will be no output this time.

    find L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name '*.plist.???????' -exec mv {} .Trash/ \;

    Log out or restart the computer.
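
An added example, not part of the original thread and not Linc Davis's test script: a Python triage that parses launchd job definitions like those quoted in the report above and lists the traits that set the removed items apart. The signal names, the two-signal threshold and the `SAMPLES` data (constructed from values quoted in the report) are assumptions of this example.

```python
"""Triage launchd job definitions for traits visible in this thread's report."""
import plistlib
from pathlib import Path, PurePosixPath

LAUNCH_DIRS = ("LaunchAgents", "LaunchDaemons")


def signals(plist_path, raw):
    """Return heuristic signals for one launchd plist (signal names are assumed)."""
    job = plistlib.loads(raw)  # auto-detects XML and binary property lists
    found = []
    # 1. Label does not match the file name (com.mouse.agent.plist -> com.v.agent).
    if job.get("Label") != PurePosixPath(plist_path).stem:
        found.append("label-differs-from-filename")
    # 2. Started at load and restarted whenever it exits.
    if job.get("RunAtLoad") and job.get("KeepAlive"):
        found.append("starts-at-load-and-respawns")
    # 3. An argument points at a file stored inside a launch directory, which
    #    conventionally holds only job definitions (WebSocketServerApp, *.sh).
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    for arg in args:
        if isinstance(arg, str) and arg.startswith("/"):
            if any(d in PurePosixPath(arg).parts[:-1] for d in LAUNCH_DIRS):
                found.append("payload-inside-launch-directory")
                break
    return found


def triage(samples, threshold=2):
    """Map path -> signals for jobs showing at least `threshold` signals."""
    report = {}
    for path, raw in samples.items():
        hits = signals(path, raw)
        if len(hits) >= threshold:
            report[path] = hits
    return report


def load_directory(directory):
    """Read every *.plist in a directory into the {path: bytes} form triage() takes."""
    return {str(p): p.read_bytes() for p in sorted(Path(directory).glob("*.plist"))}


# Constructed samples: keys and values copied from the plists quoted in the report.
SAMPLES = {
    "/Library/LaunchAgents/com.mouse.agent.plist": plistlib.dumps({
        "Label": "com.v.agent", "OnDemand": False, "RunAtLoad": True,
        "KeepAlive": True, "LimitLoadToSessionType": "Aqua", "ThrottleInterval": 10,
        "ProgramArguments": [
            "/Library/Application Support/mouse/Agent/agent.app/Contents/MacOS/agent"],
    }),
    "Library/LaunchAgents/com.crossrider.wss002501.agent.plist": plistlib.dumps({
        "Label": "com.crossrider.wss002501.agent.plist",
        "KeepAlive": True, "RunAtLoad": True,
        "ProgramArguments": [
            "/Users/USER/Library/LaunchAgents/WebSocketServerApp",
            "cmpId=2501", "ibic=UUID", "verifier=UUID", "extId=67619"],
    }),
    "Library/LaunchAgents/com.google.keystone.agent.plist": plistlib.dumps({
        "Label": "com.google.keystone.user.agent", "LimitLoadToSessionType": "Aqua",
        "RunAtLoad": True, "StartInterval": 3523,
        "ProgramArguments": [
            "/Users/USER/Library/Google/GoogleSoftwareUpdate/"
            "GoogleSoftwareUpdate.bundle/Contents/Resources/"
            "GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent",
            "-runMode", "ifneeded"],
    }),
    # The report shows this one as an Apple binary property list.
    "Library/LaunchAgents/flashmall_updater.plist": plistlib.dumps({
        "Label": "com.flashmall.updater", "StartInterval": 86400,
        "ProgramArguments": [
            "bash", "/Users/USER/Library/LaunchAgents/flashmall_updater.sh"],
    }, fmt=plistlib.FMT_BINARY),
}

if __name__ == "__main__":
    for path, hits in triage(SAMPLES).items():
        print(path, "->", ", ".join(hits))
```

The Google updater job from the same report shows a label mismatch on its own, which is why a single signal is not reported. The output is a list of items to inspect, not a verdict.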

  • by LeeLeeM,

    LeeLeeM Jan 11, 2015 12:21 PM in response to Linc Davis
    Level 1 (0 points)

    You are awesome!!!  Thank you so much, it looks like everything is back to normal with no pop ups and hopefully everything is okay.  Thank you so much for your time!!!!

  • by Repsac11,

    Repsac11 Jan 12, 2015 8:13 AM in response to chickashnaz
    Level 1 (0 points)

    I have tried the things given in this thread, but no luck, so I began digging in the settings of my MacBook. I had downloaded the Adware Media program and scanned my PC, found some results, but the problem kept existing.

    When looking at the DNS server I noticed something weird. There was a third DNS number entered (from what I know about it there are always 2). I clicked on the ( + ) symbol to add my own DNS servers, I added the Google DNS (8.8.8.8 and 8.8.4.4) and clicked apply.

    Now I don't have the annoying tab popups anymore. It's not a perfect fix but it works for me (for now). The virus/malware is still on my computer (or server at work) but it doesn't affect me anymore. Really hate this kind of stuff and hope that the people behind that rdsrv virus/malware get a taste of their own medicine.

    Hope this helps some other people too.

  • by orlandomurrin,

    orlandomurrin Jan 13, 2015 4:19 AM in response to Repsac11
    Level 1 (0 points)

    Dear Linc

    This is an amazing piece of work you did, but unfortunately it did not work for me. The first step didn't open  -

    "Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchAgents/com.mouse.agent.plist

    Right-click or control-click the line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with an item selected. Drag the selected item to the Trash. You may be prompted for your administrator login password."

     

    And nor did the asterisked variation:

    "*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return."

     

    I looked through the rest of your advice, and couldn't find any other way of getting started.

    Eventually I downloaded the AdwareMedic software - which was free - and so far it appears to have worked, and stopped the infernal pop-ups.

    I believe my machine may have been infected when I tried downloading a couple of pieces of software which enable you to download videos or audio tracks from YouTube. There was something a bit suspicious about one of them - I will be (much) more careful next time.

    Best regards.

  • by iabel1,

    iabel1 Jan 13, 2015 12:08 PM in response to thomas_r.
    Level 1 (0 points)

    Made an account on here just to thank you for your amazing program. My computer is running much faster, all ads are GONE, and my old MacBook Pro is even running at a considerably lower temperature. I will definitely be donating, thanks so much! Highly recommended, everyone: cleared up my mackeeper/detox my mac issues with one quick scan, removal, and restart!

  • by StormTheCastle,

    StormTheCastle Jan 13, 2015 5:21 PM in response to Linc Davis
    Level 1 (0 points)

    Can you please give me any help?

     

    Start time: 19:09:07 01/13/15

     

     

    Model Identifier: MacBookAir6,2

    System Version: OS X 10.10.1 (14B25)

    Kernel Version: Darwin 14.0.0

    Time since boot: 23:17

     

     

    Diagnostic reports

     

     

       2014-12-17 com.apple.WebKit.Plugin.64 crash

       2015-01-04 discoveryd crash

       2015-01-08 discoveryd crash

     

     

    Log

     

     

       Jan  7 22:25:44 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  8 17:57:05 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  8 18:15:06 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  8 18:57:00 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  8 23:40:50 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  9 02:06:32 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  9 17:29:46 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan  9 20:36:06 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 10 02:29:02 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 10 03:14:46 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 10 13:26:20 process com.apple.WebKit[6805] caught causing excessive wakeups. EXC_RESOURCE supressed due to audio playback

       Jan 11 21:36:26 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 11 21:45:04 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 11 22:01:14 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 11 22:41:30 PM notification timeout (pid 160, com.apple.ifdrea)

       Jan 12 19:52:11 com.apple.iTunesHelper.50584: Service exited with abnormal code: 1

       Jan 12 19:52:40 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.260: Path not allowed in target domain: type = pid, path = /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoStreamAgent.app

       Jan 12 19:52:40 com.apple.xpc.launchd.domain.pid.om.apple.photostream-agent.260: Path not allowed in target domain: type = pid, path = /Applications/iPhoto.app/Contents/Frameworks/PhotoFoundation.framework/Versions/A/XPCServices/com.apple.PhotoApps.DevicePropertyReader.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /Applications/iPhoto.app/Contents/Library/LoginItems/PhotoStreamAgent.app

       Jan 13 18:43:31 com.zeobit.MacKeeper.Helper: Service setup event to handle failure and will not launch until it fires.

       Jan 13 19:05:14 com.apple.xpc.launchd.domain.pid.quicklookd.725: Path not allowed in target domain: type = pid, path = /Library/Frameworks/iTunesLibrary.framework/Versions/A/XPCServices/com.apple.iTunesLibraryService.xpc error = 147: The specified service did not ship in the requestor's bundle, origin = /System/Library/Frameworks/QuickLook.framework/Versions/A/Resources/quicklookd.app

     

     

    Swap (MiB): 1199

     

     

    Daemons

     

     

       com.v.helper

       com.adobe.fpsaud

     

     

    Agents

     

     

       com.v.agent

       com.adobe.ARM.UUID

       com.apple.photostream-agent

       com.spotify.webhelper

       com.google.keystone.user.agent

       com.apple.AirPortBaseStationAgent

     

     

    Bundles

     

     

       /Library/Internet Plug-Ins/AdobePDFViewer.plugin

       - com.adobe.acrobat.pdfviewer

       /Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

       - com.adobe.acrobat.pdfviewerNPAPI

       /Library/Internet Plug-Ins/Flash Player.plugin

       - N/A

       /Library/PreferencePanes/Flash Player.prefPane

       - com.adobe.flashplayerpreferences

     

     

    dylibs

     

     

       /usr/lib/pkcs11/cackey.dylib

     

     

    Contents of /Library/LaunchAgents/com.heizenberg.agent.plist (checksum 603885961)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.v.agent</string>

        <key>OnDemand</key>

        <false/>

        <key>ProgramArguments</key>

        <array>

        <string>/Library/Application Support/heizenberg/Agent/agent.app/Contents/MacOS/agent</string>

        </array>

        <key>RunAtLoad</key>

        <true/>

        <key>KeepAlive</key>

        <true/>

        <key>LimitLoadToSessionType</key>

        <string>Aqua</string>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    Contents of /Library/LaunchDaemons/com.heizenberg.daemon.plist (checksum 718796932)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Disabled</key>

               <true/>

        <key>Label</key>

        <string>com.v.daemon</string>

        <key>OnDemand</key>

        <true/>

        <key>ProgramArguments</key>

               <array>

                       <string>/Library/Application Support/heizenberg/Agent/agent.app/Contents/MacOS/agent</string>

        <string>-update</string>

               </array>

        <key>KeepAlive</key>

        <true/>

        <key>RunAtLoad</key>

        <true/>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    Contents of /Library/LaunchDaemons/com.heizenberg.helper.plist (checksum 3051251653)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.v.helper</string>

        <key>OnDemand</key>

        <true/>

        <key>ProgramArguments</key>

               <array>

                       <string>/Library/Application Support/heizenberg/Agent/agent.app/Contents/MacOS/agent</string>

        <string>-helper</string>

               </array>

        <key>KeepAlive</key>

        <true/>

        <key>RunAtLoad</key>

        <true/>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    Contents of Library/LaunchAgents/com.adobe.ARM.UUID.plist (checksum 394026997)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.adobe.ARM.UUID</string>

        <key>ProgramArguments</key>

        <array>

        <string>/Applications/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper</string>

        <string>semi-auto</string>

        </array>

        <key>RunAtLoad</key>

        <true/>

        <key>StartInterval</key>

        <integer>12600</integer>

       </dict>

       </plist>

     

     

    Contents of Library/LaunchAgents/com.google.keystone.agent.plist (checksum 3955816640)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.google.keystone.user.agent</string>

        <key>LimitLoadToSessionType</key>

        <string>Aqua</string>

        <key>ProgramArguments</key>

        <array>

         <string>/Users/USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>

         <string>-runMode</string>

         <string>ifneeded</string>

        </array>

        <key>RunAtLoad</key>

        <true/>

        <key>StartInterval</key>

        <integer>3523</integer>

        <key>StandardErrorPath</key>

        <string>/dev/null</string>

        <key>StandardOutPath</key>

        <string>/dev/null</string>

       </dict>

       </plist>

     

     

    Contents of Library/LaunchAgents/com.spotify.webhelper.plist (checksum 3937736025)

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.spotify.webhelper</string>

        <key>KeepAlive</key>

        <dict>

         <key>NetworkState</key>

         <true/>

        </dict>

        <key>RunAtLoad</key>

        <true/>

        <key>Program</key>

        <string>/Users/USER/Library/Application Support/Spotify/SpotifyWebHelper</string>

        <key>SpotifyPath</key>

        <string>/Applications/Spotify.app</string></dict>

       </plist>

     

     

    Wi-Fi

     

     

       link auth: wpa-psk

     

     

    User login items

     

     

       iTunesHelper

       - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

       AdobeResourceSynchronizer

       - /Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app

     

     

    Restricted files: 46

     

     

    Elapsed time (s): 175

  • by thomas_r.,

    thomas_r. Jan 13, 2015 5:33 PM in response to StormTheCastle
    Level 7 (30,924 points)
    Mac OS X

    You have a variant of the Downlite adware installed. For removal instructions, see:

     

    http://www.thesafemac.com/arg-downlite

     

    (Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)

  • by Linc Davis,

    Linc Davis Jan 13, 2015 7:12 PM in response to StormTheCastle
    Level 10 (208,000 points)
    Applications

    You installed a variant of the "VSearch" trojan. Remove it as follows.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchAgents/com.heizenberg.agent.plist

    Right-click or control-click the line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with an item selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

    Repeat with each of these lines:

    /Library/LaunchDaemons/com.heizenberg.daemon.plist
    /Library/LaunchDaemons/com.heizenberg.helper.plist

    Restart the computer and empty the Trash. Then delete the following items in the same way:

    /Library/Application Support/heizenberg
    /System/Library/Frameworks/v.framework

    The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

    This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

    Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

              Install system data files and security updates (OS X 10.10 or later)

    or

              Download updates automatically (OS X 10.9 or earlier)

    if it's not already checked.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

  • by Mrbeandaddy,

    Mrbeandaddy Jan 13, 2015 11:31 PM in response to Linc Davis
    Level 1 (0 points)

    Thanks, Linc.

     

    Here is the log after running the scripts.

     

    Start time: 23:15:46 01/13/15

     

     

    Model Identifier: MacBookAir6,2

    System Version: OS X 10.9.5 (13F34)

    Kernel Version: Darwin 13.4.0

    Time since boot: 13 days 8:18

     

     

    Log

     

     

       Jan  7 22:23:17 com.apple.aslmanager: Throttling respawn: Will start in 8 seconds

       Jan  7 22:28:16 disk logger: failed to open output file /Volumes/Seagate Expansion Drive/.fseventsd/fc00759d4409e9ab (No such file or directory). mount point /Volumes/Seagate Expansion Drive/.fseventsd

       Jan  7 22:28:16 disk logger: failed to open output file /Volumes/Seagate Expansion Drive/.fseventsd/fc00759d4409e9ab (No such file or directory). mount point /Volumes/Seagate Expansion Drive/.fseventsd

       Jan  9 20:38:42 com.apple.newsyslog: Throttling respawn: Will start in 2 seconds

       Jan  9 20:38:42 com.apple.logsyswritesd: Throttling respawn: Will start in 2 seconds

       Jan  9 20:38:42 com.apple.bsd.dirhelper: Throttling respawn: Will start in 2 seconds

       Jan  9 20:38:49 com.apple.aslmanager: Throttling respawn: Will start in 3 seconds

       Jan  9 23:30:00 com.apple.newsyslog: Throttling respawn: Will start in 10 seconds

       Jan 10 08:29:03 com.apple.newsyslog: Throttling respawn: Will start in 5 seconds

       Jan 10 17:49:18 com.apple.newsyslog: Throttling respawn: Will start in 5 seconds

       Jan 10 18:00:31 process com.apple.WebKit[3937] caught causing excessive wakeups. Observed wakeups rate (per sec): 184; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 80048

       Jan 10 18:38:15 process com.apple.WebKit[4072] caught causing excessive wakeups. EXC_RESOURCE supressed due to audio playback

       Jan 10 22:39:13 com.apple.newsyslog: Throttling respawn: Will start in 5 seconds

       Jan 11 00:47:25 process com.apple.WebKit[4197] caught causing excessive wakeups. Observed wakeups rate (per sec): 229; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 100876

       Jan 11 18:52:52 com.apple.newsyslog: Throttling respawn: Will start in 5 seconds

       Jan 11 19:12:36 process com.apple.WebKit[4560] caught causing excessive wakeups. Observed wakeups rate (per sec): 168; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 185009

       Jan 11 23:53:53 process com.apple.WebKit[4626] thread 576487 caught burning CPU! It used more than 50% CPU (Actual recent usage: 60%) over 180 seconds. thread lifetime cpu usage 279.974460 seconds, (214.784328 user, 65.190132 system) ledger info: balance: 90004849325 credit: 277041175240 debit: 187036325915 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 147998454900

       Jan 12 00:22:23 IOPPF: Sent cpu-plimit-notification last value 4 (rounded time weighted average 4)

       Jan 12 20:54:19 com.apple.aslmanager: Throttling respawn: Will start in 5 seconds

       Jan 12 23:39:47 process com.apple.WebKit[4879] thread 602487 caught burning CPU! It used more than 50% CPU (Actual recent usage: 86%) over 180 seconds. thread lifetime cpu usage 610.931698 seconds, (513.168999 user, 97.762699 system) ledger info: balance: 90005221141 credit: 586106481220 debit: 496101260079 limit: 90000000000 (50%) period: 180000000000 time since last refill (ns): 104488723935

       Jan 12 23:39:49 process com.apple.WebKit[4879] caught causing excessive wakeups. Observed wakeups rate (per sec): 3482; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 2230033

       Jan 13 00:00:05 com.apple.aslmanager: Throttling respawn: Will start in 5 seconds

       Jan 13 01:41:45 process com.apple.WebKit[5150] caught causing excessive wakeups. Observed wakeups rate (per sec): 257; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 54199

       Jan 13 20:28:10 com.apple.newsyslog: Throttling respawn: Will start in 4 seconds

       Jan 13 22:35:43 process com.apple.WebKit[5370] caught causing excessive wakeups. Observed wakeups rate (per sec): 224; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 90687

     

     

    Swap (MiB): 10453

     

     

    Daemons

     

     

       com.adobe.fpsaud

       com.v.helper

     

     

    Agents

     

     

       com.apple.AirPortBaseStationAgent

       com.apple.photostream-agent

       com.v.agent

     

     

    Applications

     

     

       /Applications/CoronaSDK/Corona Simulator.app

       - com.coronalabs.Corona_Simulator

       /Applications/MPlayerX.app

       - org.niltsh.MPlayerX

       /Applications/Utilities/Adobe Flash Player Install Manager.app

       - com.adobe.flashplayer.installmanager

       /Applications/iBackupBot.app

       - com.icopybot.ibackupbot

       /Library/Application Support/bingo/Agent/agent.app

       - com.someproduct.agent

       /Users/USER/Downloads/Boxer.app

       - net.washboardabs.boxer

     

     

    Frameworks

     

     

       /System/Library/Frameworks/v.framework

       - null

     

     

    PrefPane

     

     

       /Library/PreferencePanes/Flash Player.prefPane

       - com.adobe.flashplayerpreferences

     

     

    Bundles

     

     

       /Library/Internet Plug-Ins/Flash Player.plugin

       - com.macromedia.Flash

     

     

    dylibs

     

     

       /System/Library/Frameworks/v.framework/Versions/A/Libraries/libLoader.dylib

     

     

    Contents of /Library/LaunchAgents/com.bingo.agent.plist

       - mod date: Dec 28 10:38:59 2014

       - checksum: 2345383136

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.v.agent</string>

        <key>OnDemand</key>

        <false/>

        <key>ProgramArguments</key>

        <array>

        <string>/Library/Application Support/bingo/Agent/agent.app/Contents/MacOS/agent</string>

        </array>

        <key>RunAtLoad</key>

        <true/>

        <key>KeepAlive</key>

        <true/>

        <key>LimitLoadToSessionType</key>

        <string>Aqua</string>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    Contents of /Library/LaunchDaemons/com.bingo.daemon.plist

       - mod date: Dec 28 10:38:59 2014

       - checksum: 4070751674

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Disabled</key>

               <true/>

        <key>Label</key>

        <string>com.v.daemon</string>

        <key>OnDemand</key>

        <true/>

        <key>ProgramArguments</key>

               <array>

                       <string>/Library/Application Support/bingo/Agent/agent.app/Contents/MacOS/agent</string>

        <string>-update</string>

               </array>

        <key>KeepAlive</key>

        <true/>

        <key>RunAtLoad</key>

        <true/>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    Contents of /Library/LaunchDaemons/com.bingo.helper.plist

       - mod date: Dec 28 10:38:59 2014

       - checksum: 3649463980

     

     

       <?xml version="1.0" encoding="UTF-8"?>

       <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

       <plist version="1.0">

       <dict>

        <key>Label</key>

        <string>com.v.helper</string>

        <key>OnDemand</key>

        <true/>

        <key>ProgramArguments</key>

               <array>

                       <string>/Library/Application Support/bingo/Agent/agent.app/Contents/MacOS/agent</string>

        <string>-helper</string>

               </array>

        <key>KeepAlive</key>

        <true/>

        <key>RunAtLoad</key>

        <true/>

        <key>ThrottleInterval</key>

        <integer>10</integer>

       </dict>

       </plist>

     

     

    DNS: 209.18.47.61 (static)

     

     

    User login items

     

     

       iTunesHelper

       - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

     

     

    Restricted files: 209

     

     

    Lockfiles: 4

     

     

    Elapsed time (s): 236

  • by Linc Davis,

    Linc Davis Jan 13, 2015 11:41 PM in response to Mrbeandaddy
    Level 10 (208,000 points)
    Applications

    You installed a variant of the "VSearch" trojan. Remove it as follows.

    This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

    Back up all data before proceeding.

    Triple-click anywhere in the line below on this page to select it:

    /Library/LaunchAgents/com.bingo.agent.plist

    Right-click or control-click the line and select

              Services ▹ Reveal in Finder (or just Reveal)

    from the contextual menu.* A folder should open with an item selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.

    Repeat with each of these lines:

    /Library/LaunchDaemons/com.bingo.daemon.plist
    /Library/LaunchDaemons/com.bingo.helper.plist

    Restart the computer and empty the Trash. Then delete the following items in the same way:

    /Library/Application Support/bingo
    /System/Library/Frameworks/v.framework

    The problem may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it, and if you wish, replace it with the genuine article from mplayerx.org.

    This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

    In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere  should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

    Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

              Install system data files and security updates (OS X 10.10 or later)

    or

              Download updates automatically (OS X 10.9 or earlier)

    if it's not already checked.

    *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
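
An added example, not part of any post in this thread: a Python audit of launchd plists for the traits visible in the two reports above, namely a Label whose vendor prefix differs from the file name, unconditional KeepAlive together with RunAtLoad, the deprecated OnDemand key, and one executable shared by several jobs. The finding names and the two-component vendor comparison are assumptions of this example; they are heuristics for triage, not a signature for any variant.

```python
import plistlib
from collections import defaultdict

# Constructed input: trimmed copies of plists quoted in the reports above.
HEAD = b'<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>'
TAIL = b"</dict></plist>"
AGENT = b"/Library/Application Support/bingo/Agent/agent.app/Contents/MacOS/agent"
KEYSTONE = (b"/Users/USER/Library/Google/GoogleSoftwareUpdate/"
            b"GoogleSoftwareUpdate.bundle/Contents/Resources/"
            b"GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent")


def _reported_job(label: bytes, flag: bytes = b"") -> bytes:
    """Build a job shaped like the com.bingo.* plists in the second report."""
    args = b"<string>" + AGENT + b"</string>" + flag
    return (HEAD + b"<key>Label</key><string>" + label + b"</string>"
            b"<key>OnDemand</key><true/>"
            b"<key>ProgramArguments</key><array>" + args + b"</array>"
            b"<key>KeepAlive</key><true/><key>RunAtLoad</key><true/>" + TAIL)


SAMPLES = {
    "com.bingo.agent.plist": _reported_job(b"com.v.agent"),
    "com.bingo.helper.plist": _reported_job(b"com.v.helper",
                                            b"<string>-helper</string>"),
    "com.google.keystone.agent.plist": (
        HEAD + b"<key>Label</key><string>com.google.keystone.user.agent</string>"
        b"<key>ProgramArguments</key><array><string>" + KEYSTONE +
        b"</string></array><key>RunAtLoad</key><true/>" + TAIL),
    "com.spotify.webhelper.plist": (
        HEAD + b"<key>Label</key><string>com.spotify.webhelper</string>"
        b"<key>KeepAlive</key><dict><key>NetworkState</key><true/></dict>"
        b"<key>RunAtLoad</key><true/><key>Program</key><string>"
        b"/Users/USER/Library/Application Support/Spotify/SpotifyWebHelper"
        b"</string>" + TAIL),
}


def vendor(name: str) -> str:
    """First two reverse-DNS components, e.g. 'com.google'."""
    return ".".join(name.split(".")[:2])


def audit_job(filename: str, raw: bytes):
    """Return (program path, findings) for one launchd plist."""
    job = plistlib.loads(raw)  # handles XML and binary plists
    stem = filename[:-len(".plist")] if filename.endswith(".plist") else filename
    findings = []
    if vendor(job.get("Label", "")) != vendor(stem):
        findings.append("label-vendor-mismatch")
    # KeepAlive may be a dict of conditions; only a bare <true/> is unconditional.
    if job.get("KeepAlive") is True and job.get("RunAtLoad") is True:
        findings.append("unconditional-respawn")
    if "OnDemand" in job:  # replaced by KeepAlive since Mac OS X 10.5
        findings.append("deprecated-ondemand-key")
    program = job.get("Program") or (job.get("ProgramArguments") or [""])[0]
    return program, findings


def audit_all(samples: dict) -> dict:
    """Audit every plist, then flag executables referenced by several jobs."""
    results, by_program = {}, defaultdict(list)
    for name, raw in samples.items():
        program, results[name] = audit_job(name, raw)
        by_program[program].append(name)
    for names in by_program.values():
        if len(names) > 1:
            for name in names:
                results[name].append("shared-executable")
    return results


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLES).items():
        print(f"{name}: {', '.join(findings) or 'no findings'}")
```

On a real system the same functions can be fed the bytes of each file under /Library/LaunchAgents, /Library/LaunchDaemons and ~/Library/LaunchAgents; a job with several findings is a candidate for manual review, not proof of infection.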

  • by h1r23,

    h1r23 Jan 14, 2015 4:12 AM in response to Linc Davis
    Level 1 (0 points)

    Linc, do you have an updated solution as this no longer works? thank you

  • by thomas_r.,

    thomas_r. Jan 14, 2015 5:12 AM in response to h1r23
    Level 7 (30,924 points)
    Mac OS X

    h1r23 wrote:

     

    Linc, do you have an updated solution as this no longer works?

     

    The problem is, Linc's directions only work for people who have a specific variant of this adware installed, and require each individual to wait for a personal response from him.

     

    Try my Adware Removal Guide instead. This should help you remove the adware on your own, and if it doesn't, just e-mail me or post back here.

     

    (Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)
