MBA5

Q: new and unknown user account - being hacked?

I have a MacBook Pro, on which I recently installed OS X El Capitan. A few minutes ago I had to force a shut down as my MacBook did not respond to anything anymore. When I restarted it, I saw a new user account I have never created. Has my MacBook been hacked? How can I remove such an unknown account? I am worried, as at some stage I was asked to put in my password for iCloud and other Apple ID - which I didn't. Help would very much be appreciated!!!!! Thanks in advance.

MacBook Pro, OS X El Capitan (10.11.5)

Posted on May 31, 2016 12:04 PM

Page 2 of 4
  • by macjack, May 31, 2016 2:24 PM in response to MBA5
    Level 9 (55,709 points), Mac OS X

    No bother. For the fonts, I will try to get a font expert for you.

  • by Linc Davis, May 31, 2016 2:30 PM in response to MBA5
    Level 10 (208,037 points), Applications

    1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

    The test works on OS X 10.8 ("Mountain Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

    Don't be put off by the complexity of these instructions. The procedure is easy to do right, but it's also easy to do wrong, so I've made the instructions very detailed. You do harder tasks with the computer all the time.

    2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

    There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

    3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

    You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

    In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone who understands the code can verify what it does.

    You may not be able to understand the script yourself. But variations of it have been posted on this website many times over a period of years. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

    Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

    4. Here's a general summary of what you need to do, if you choose to proceed:

    ☞ Copy the text of a particular web page (not this one) to the Clipboard.

    ☞ Paste into the window of another application.

    ☞ Wait for the test to run. It usually takes a few minutes.

    ☞ Paste the results, which will have been copied automatically, back into a reply on this page.

    These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

    5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

    You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

    6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn't apply. Don't log in as root.

    7. Load this linked web page (on the website "Pastebin") in Safari. Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

    8. Launch the built-in Terminal application in any one of the following ways:

    ☞ Enter the first few letters of its name ("Terminal") into a Spotlight search. Select it in the results (it should be at the top.)

    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

    ☞ Open LaunchPad and start typing the name.

    Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

    9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

    If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

    If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

    10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

        Test started
            Part 1 of 4 done at: … sec
            …
            Part 4 of 4 done at: … sec
        The test results are on the Clipboard.
        Please close this window.

    The intervals between parts won't be exactly equal, but they give a rough indication of progress.

    Wait for the final message "Please close this window" to appear—again, usually within a few minutes. If you don't see that message within about 30 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something.

    In order to get results, the test must either be allowed to complete or else manually stopped as above. If you close the Terminal window while the test is still running, the partial results won't be saved.

    11. When the test is complete, or if you stopped it manually, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

    At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

    If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

    12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

    If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

    13. When you're done with the test, it's gone. There is nothing to uninstall or clean up.

    14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

    15. The linked UNIX shell script bears a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

  • by MBA5, May 31, 2016 3:11 PM in response to Linc Davis
    Level 1 (8 points), Notebooks

    Hi, thanks for your reply. I've run the test:

        Start time: 23:58:36 05/31/16

        Revision: 1605

        Model Identifier: MacBookPro11,3
        Boot ROM Version: MBP112.0138.B17
        System Version: OS X 10.11.5 (15F34)
        Kernel Version: Darwin 15.5.0
        Time since boot: 57 minutes

        Root access: No

        UID: 502

        Bluetooth

            Apple Wireless Mouse

        Activity

            en0: in 738, out 18 (KiB/s)

        CPU usage (%)

            backupd (UID 0): 31.2

        Memory (MB)

            kernel_task (UID 0): 1238

        LS schemes: No

        Font issues: 68

        Diagnostic reports

            2016-05-04 QuickLookSatellite crash x3
            2016-05-07 HP Utility crash
            2016-05-10 plugin-container crash
            2016-05-11 QuickLookSatellite crash
            2016-05-13 plugin-container crash
            2016-05-16 plugin-container crash
            2016-05-26 plugin-container crash
            2016-05-31 Photos crash x3
            2016-05-31 iPhoto crash
            2016-05-31 plugin-container crash

        HID errors: 6

        Kernel log

            May 31 20:34:06 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0xef7f3c0182d69b4b, provider is 0xef7f3c0003dfaf4b
            May 31 20:34:06 init: error getting PHY_MODE;  using MODE_UNKNOWN
            May 31 20:34:06 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 20:35:43 SATA WARNING: IDENTIFY DEVICE checksum not implemented
            May 31 20:35:43 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0x569850e9a4c33059, provider is 0x569850e825a42659
            May 31 20:35:43 init: error getting PHY_MODE;  using MODE_UNKNOWN
            May 31 20:35:43 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 21:07:48 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 22:09:38 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 22:15:21 SATA WARNING: IDENTIFY DEVICE checksum not implemented
            May 31 22:15:21 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0x29aec0383549a71b, provider is 0x29aec036b620021b
            May 31 22:15:21 init: error getting PHY_MODE;  using MODE_UNKNOWN
            May 31 22:15:21 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 22:46:34 ASP_TCP Disconnect: triggering reconnect by bumping reconnTrigger from curr value 0 on so 0xe7971039bc9c2e8b
            May 31 22:53:50 SATA WARNING: IDENTIFY DEVICE checksum not implemented
            May 31 22:53:50 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0xe5dc94395c278b4b, provider is 0xe5dc9437dd00684b
            May 31 22:53:50 init: error getting PHY_MODE;  using MODE_UNKNOWN
            May 31 22:53:50 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 23:01:41 SATA WARNING: IDENTIFY DEVICE checksum not implemented
            May 31 23:01:41 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0x800180725720948d, provider is 0x80018070d7ad418d
            May 31 23:01:41 init: error getting PHY_MODE;  using MODE_UNKNOWN
            May 31 23:01:41 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
            May 31 23:09:34 ASP_TCP Disconnect: triggering reconnect by bumping reconnTrigger from curr value 0 on so 0x5ccab0bb240b463
            May 31 23:36:11 ASP_TCP Disconnect: triggering reconnect by bumping reconnTrigger from curr value 0 on so 0x5ccab0bb240b463
            May 31 23:36:53 ASP_TCP Disconnect: triggering reconnect by bumping reconnTrigger from curr value 0 on so 0x5ccab0bb3007bd3

        System log

            May 31 23:59:32 mtmfs: MTM FS server failed, last error -1
            May 31 23:59:35 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:37 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:38 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:40 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:41 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:43 mtmfs: MTM FS server failed to start because of too many retries
            May 31 23:59:43 mtmfs: MTM FS server failed, last error -1
            May 31 23:59:46 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:48 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:49 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:51 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:52 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:54 mtmfs: MTM FS server failed to start because of too many retries
            May 31 23:59:54 mtmfs: MTM FS server failed, last error -1
            May 31 23:59:57 mtmfs: MTM FS server failed to start because of error -1
            May 31 23:59:58 mtmfs: MTM FS server failed to start because of error -1
            Jun  1 00:00:00 mtmfs: MTM FS server failed to start because of error -1
            Jun  1 00:00:01 mtmfs: MTM FS server failed to start because of error -1
            Jun  1 00:00:03 mtmfs: MTM FS server failed to start because of error -1
            Jun  1 00:00:04 SubmitDiagInfo: Couldn't load config file from on-disk location. Falling back to default location. Reason: Won't serialize in _readDictionaryFromJSONData due to nil object
            Jun  1 00:00:04 mtmfs: MTM FS server failed to start because of too many retries
            Jun  1 00:00:04 mtmfs: MTM FS server failed, last error -1
            Jun  1 00:00:08 mtmfs: MTM FS server failed to start because of error -1
            Jun  1 00:00:09 mtmfs: MTM FS server failed to start because of error -1

        launchd log

            May 31 23:01:41 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose
            May 31 23:01:41 com.apple.xpc.launchd.domain.user.0: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:41 com.apple.xpc.launchd.domain.user.0: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:42 com.apple.xpc.launchd.domain.user.202: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:42 com.apple.xpc.launchd.domain.user.202: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:42 com.apple.xpc.launchd.domain.user.89: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:42 com.apple.xpc.launchd.domain.user.89: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:44 com.apple.xpc.launchd.domain.user.212: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:44 com.apple.xpc.launchd.domain.user.212: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:01:44 com.apple.xpc.launchd.domain.user.loginwindow.95.4294967295: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:00 com.apple.xpc.launchd.domain.user.92: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:00 com.apple.xpc.launchd.domain.user.92: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:01 com.apple.xpc.launchd.domain.user.502: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:01 com.apple.xpc.launchd.domain.user.502: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:01 com.apple.xpc.launchd.user.domain.502.100007.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.95, error = 138: Service cannot be loaded on this hardware
            May 31 23:02:01 com.apple.xpc.launchd.user.domain.502.100007.Aqua: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:01 com.apple.xpc.launchd.user.domain.502.100007.Aqua: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:01 com.apple.xpc.launchd.user.domain.502.100007.Aqua: Could not import service from caller: caller = otherbsd.242, service = com.getdropbox.dropbox.loginhelper, error = 119: Service is disabled
            May 31 23:02:01 com.apple.xpc.launchd.user.domain.502.100007.Aqua: Could not import service from caller: caller = otherbsd.242, service = com.tencent.LaunchSnipHelper, error = 119: Service is disabled
            May 31 23:02:02 com.apple.xpc.launchd.domain.user.55: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:02 com.apple.xpc.launchd.domain.user.55: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:18 com.apple.xpc.launchd.domain.user.200: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:02:18 com.apple.xpc.launchd.domain.user.200: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:08:58 com.apple.xpc.launchd.domain.user.235: Could not read path: path = /Library/LaunchAgents, error = 2: No such file or directory
            May 31 23:08:58 com.apple.xpc.launchd.domain.user.235: Failed to bootstrap path: path = /Library/LaunchAgents, error = 2: No such file or directory

        Console log

            May 31 12:47:22 fontd: XType encounters an unexpected type. (7, 16)
            May 31 20:30:58 fontd: XType encounters an unexpected type. (7, 16)
            May 31 20:30:58 fontd: XType encounters an unexpected type. (7, 16)
            May 31 20:36:10 fontd: XType encounters an unexpected type. (7, 16)
            May 31 20:36:10 fontd: XType encounters an unexpected type. (7, 16)
            May 31 22:15:43 fontd: XType encounters an unexpected type. (7, 16)
            May 31 22:15:43 fontd: XType encounters an unexpected type. (7, 16)
            May 31 22:54:03 fontd: XType encounters an unexpected type. (7, 16)
            May 31 22:54:03 fontd: XType encounters an unexpected type. (7, 16)
            May 31 23:02:02 fontd: XType encounters an unexpected type. (7, 16)
            May 31 23:02:02 fontd: XType encounters an unexpected type. (7, 16)

        System services loaded

            TillodontiaUpd.plist
            com.apple.logd
            -    status: 1
            com.apple.mtmfs
            -    status: 99
            com.apple.watchdogd

        System services disabled

            com.vsearch.helper
            com.Mislayer.helper
            org.openldap.slapd
            com.apple.PasswordService
            com.5e275556e95e3ba9.config

        Login services loaded

            QA2G25RMZ4.com.wunderkinder.wunderlist-helper
            com.citrixonline.GoToMeeting.G2MUpdate

        Login services disabled

            com.hp.productresearch

        User services disabled

            com.hp.productresearch

        Contents of /private/etc/Lemuria.sh
            -    mod date: May 31 12:45:33 2016
            -    size (B): 183
            -    checksum: 865030695

            if [ -a /Library/Lemuria/Contents/MacOS/Lemuria ];
            then
            sleep 10
            sudo pfctl -evf /etc/Lemuria.conf
            sudo -u prosopoplegic /Library/Lemuria/Contents/MacOS/Lemuria
            fi
            exit 0

        Contents of /private/etc/TillodontiaUpd.sh
            -    mod date: May 31 12:47:56 2016
            -    size (B): 161
            -    checksum: 2888862149

            if [ -a /Library/TillodontiaUpd/Contents/MacOS/TillodontiaUpd ];
            then
            sleep 10
            sudo  /Library/TillodontiaUpd/Contents/MacOS/TillodontiaUpd
            fi
            exit 0

        Contents of /private/etc/fundi.sh
            -    mod date: May 31 12:45:38 2016
            -    size (B): 168
            -    checksum: 3195502462

            if [ -a /Library/fundi/Contents/MacOS/fundi ];
            then
            sleep 10
            sudo pfctl -evf /etc/fundi.conf
            sudo -u cucoline /Library/fundi/Contents/MacOS/fundi
            fi
            exit 0

        Contents of /private/etc/hosts
            -    mod date: Jul  1 12:23:04 2015
            -    size (B): 1528
            -    checksum: 3801014362

            [NA]

        Contents of Library/LaunchAgents/com.citrixonline.GoToMeeting.G2MUpdate.plist
            -    mod date: Dec  1 16:04:02 2015
            -    size (B): 461
            -    checksum: 692620170

            <?xml version="1.0" encoding="UTF-8"?>
            <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
            <plist version="1.0">
            <dict>
                <key>Label</key>
                <string>com.citrixonline.GoToMeeting.G2MUpdate</string>
                <key>ProgramArguments</key>
                <array>
                    <string>/Users/USER/Library/Application Support/CitrixOnline/GoToMeeting/G2MUpdate</string>
                </array>
                <key>StartInterval</key>
                <integer>3660</integer>
            </dict>
            </plist>

        User login items

            iTunesHelper
            -    /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
            Dropbox
            -    /Applications/Dropbox.app
            WDDriveUtilityHelper
            -    /Applications/WD Drive Utilities.app/Contents/WDDriveUtilityHelper.app
            Wondershare Helper Compact
            -    /Users/USER/Library/Application Support/Helper/Wondershare Helper Compact.app
            CrossOver CD Helper
            -    /Users/USER/Applications/CrossOver-3.app/Contents/Resources/CrossOver CD Helper.app
            Wunderlist
            -    /Applications/Wunderlist.app
            Skype
            -    /Applications/Skype.app

        Firefox extensions

            Firefox Hello Beta

        iCloud services

            MOBILE_DOCUMENTS
            PHOTO_STREAM
            MAIL_AND_NOTES
            CONTACTS
            CALENDAR
            REMINDERS
            BOOKMARKS
            NOTES
            FIND_MY_MAC

        iCloud errors

            Finder    27
            comapple.CloudPhotosConfiguration    12
            cloudphotosd    5
            cloudd    4

        Continuity errors

            sharingd    21
            useractivityd    1
            comapple.appkit.xpc.openAndSavePanelService    1

        Restrictive permissions: 10258

        Lockfiles: 27

        Global prefs (user)

            AppleEnableMenuBarTransparency = 1

        Extensions

            /System/Library/Extensions/hp_Inkjet8_io_enabler.kext
            -    com.hp.print.hpio.inkjet8.kext

        Applications

            /Applications/EasyTax/AG2013/EasyTax 2013 AG Deinstallationsprogramm.app
            -    com.install4j.4093-4123-1528-3000.uninstaller
            -    HWI Solutions AG
            /Applications/EasyTax/AG2013/EasyTax2013_AG.app
            -    com.install4j.4093-4123-1528-3000.32
            -    HWI Solutions AG
            /Applications/EasyTax/AG2014/EasyTax 2014 AG Deinstallationsprogramm.app
            -    com.install4j.5677-8571-9647-3678.uninstaller
            -    HWI Solutions AG
            /Applications/EasyTax/AG2014/EasyTax2014_AG.app
            -    com.install4j.5677-8571-9647-3678.32
            -    HWI Solutions AG
            /Applications/EasyTax/AG2015/EasyTax 2015 AG Deinstallationsprogramm.app
            -    com.install4j.3542-7584-2885-0412.uninstaller
            -    HWI Solutions AG
            /Applications/EasyTax/AG2015/EasyTax2015_AG.app
            -    com.install4j.3542-7584-2885-0412.32
            -    HWI Solutions AG
            /Applications/GeTax 2014.app
            -    GeTax 2014
            -    DV Bern AG
            /Applications/GeTax 2015.app
            -    GeTax 2015
            -    DV Bern AG
            /Applications/Jihosoft Photo Recovery.app
            -    com.apexstudio.recovery
            -    Chen Ping (GZ9WPPV9PC)
            /Applications/Wondershare PDF Editor Pro.app
            -    com.wondershare.PDF_Editor_Pro
            -    Wondershare Software Co., Ltd
            /Applications/ifolor Mac Designer.app
            -    com.ifolor.ifolor-Mac-Designer
            -    Ifolor AG
            /Users/USER/Applications/ifolor Mac Designer.app
            -    com.ifolor.ifolor-Mac-Designer
            -    Ifolor AG
            /Users/USER/Library/Application Support/Helper/Wondershare Helper Compact.app
            -    com.wondershare.helper_compact
            -    Wondershare Software Co., Ltd

        Frameworks

            /System/Library/Frameworks/Mislayer.framework
            -    NA

        Bundles

            /Users/USER/Library/Address Book Plug-Ins/SkypeABCaller.bundle
            -    com.skype.SkypeABCaller
            /Users/USER/Library/Address Book Plug-Ins/SkypeABChatter.bundle
            -    com.skype.SkypeABChatter
            /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle
            -    com.skype.skypeabdialer
            /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle
            -    com.skype.skypeabsms
            /Users/USER/Library/Internet Plug-Ins/CitrixOnlineWebDeploymentPlugin.plugin
            -    com.citrixonline.mac.WebDeploymentPlugin

        Bundles (new)

            /System/Library/Intelligent Suggestions/Assets.suggestionsassets
            -    com.apple.MobileAsset.CoreSuggestions
            -    Software Signing

        Library paths

            /System/Library/Frameworks/Mislayer.framework/Versions/A/Libraries/libLoader.dylib
            /Users/USER/Library/Application Support/Firefox/Profiles/nc8rifye.default/gmp-gmpopenh264/1.1/libgmpopenh264.dylib
            /Users/USER/Library/Application Support/Firefox/Profiles/nc8rifye.default/gmp-gmpopenh264/1.3/libgmpopenh264.dylib
            /Users/USER/Library/Application Support/Firefox/Profiles/nc8rifye.default/gmp-gmpopenh264/1.5.3/libgmpopenh264.dylib

        MD importers

            /Applications/Microsoft Office 2011/Microsoft Outlook.app/Contents/Library/Spotlight/Microsoft Outlook.mdimporter

        App extensions

            com.getdropbox.dropbox.garcon
            com.wunderkinder.wunderlistdesktop.sharingextension
            com.wunderkinder.wunderlistdesktop.todayextension

        Modifications

            file modified: /Applications/GeTax 2015.app/Contents/config/cd/doc/SuccessionNonPartagee.pdf

        Non-loading kernel extensions

            /System/Library/Extensions/AppleOSXUSBNCM.kext
            -    com.apple.driver.AppleOSXUSBNCM
            -    Software Signing

        Elapsed time (sec): 444
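    The three launcher scripts the report lists under "Contents of /private/etc/…sh" share one shape: sleep, load a pf ruleset with pfctl, then run a binary out of /Library/<Name>/Contents/MacOS under an account the owner never created. The POSIX shell below is an added example, not code from this thread or from the diagnostic script it discusses; it flags scripts with that shape for review. The sample files are constructed from the report's three scripts plus one benign script, and the known-good account list is an assumption.

```shell
#!/bin/sh
# Added example, not code from this thread or from the diagnostic script it
# discusses. Triages launcher scripts of the shape the report shows under
# "Contents of /private/etc/*.sh": sleep, load a pf ruleset, run a binary from
# /Library/<Name>/Contents/MacOS as an account the owner never created.
# KNOWN_ACCOUNTS is an assumption; on a real Mac build it from `dscl . -list /Users`.

KNOWN_ACCOUNTS="root daemon nobody _www"

# audit_launcher FILE
# Prints "FILE: reason,reason" and returns 1 if any indicator matches;
# prints nothing and returns 0 for a clean script.
audit_launcher() {
    f="$1"
    reasons=""
    # Indicator 1: executes a bundle binary installed under /Library/<Name>/
    if grep -Eq '/Library/[^/[:space:]]+/Contents/MacOS/' "$f"; then
        reasons="${reasons}runs-binary-from-/Library,"
    fi
    # Indicator 2: loads a packet-filter ruleset (pfctl -evf <file>)
    if grep -Eq '(^|[[:space:]])pfctl[[:space:]]' "$f"; then
        reasons="${reasons}loads-pf-rules,"
    fi
    # Indicator 3: "sudo -u <account>" for an account outside the known-good list
    for acct in $(grep -Eo 'sudo[[:space:]]+-u[[:space:]]+[^[:space:]]+' "$f" | awk '{print $3}'); do
        case " $KNOWN_ACCOUNTS " in
            *" $acct "*) ;;
            *) reasons="${reasons}sudo-as-unknown-account:$acct," ;;
        esac
    done
    if [ -n "$reasons" ]; then
        printf '%s: %s\n' "$f" "${reasons%,}"
        return 1
    fi
    return 0
}

# count_flagged DIR
# Audits every *.sh in DIR; findings go to stderr, the count of flagged
# scripts to stdout so a caller can act on it.
count_flagged() {
    n=0
    for s in "$1"/*.sh; do
        [ -f "$s" ] || continue
        if audit_launcher "$s" >&2; then :; else n=$((n + 1)); fi
    done
    echo "$n"
}

# make_samples
# Writes constructed sample scripts into a fresh temp directory and prints its
# path. Three are copied from the report above; periodic-clean.sh is a benign
# script written for contrast.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/Lemuria.sh" <<'EOF'
if [ -a /Library/Lemuria/Contents/MacOS/Lemuria ];
then
sleep 10
sudo pfctl -evf /etc/Lemuria.conf
sudo -u prosopoplegic /Library/Lemuria/Contents/MacOS/Lemuria
fi
exit 0
EOF
    cat > "$d/TillodontiaUpd.sh" <<'EOF'
if [ -a /Library/TillodontiaUpd/Contents/MacOS/TillodontiaUpd ];
then
sleep 10
sudo  /Library/TillodontiaUpd/Contents/MacOS/TillodontiaUpd
fi
exit 0
EOF
    cat > "$d/fundi.sh" <<'EOF'
if [ -a /Library/fundi/Contents/MacOS/fundi ];
then
sleep 10
sudo pfctl -evf /etc/fundi.conf
sudo -u cucoline /Library/fundi/Contents/MacOS/fundi
fi
exit 0
EOF
    cat > "$d/periodic-clean.sh" <<'EOF'
# constructed benign script: prunes old logs of a hypothetical app
/usr/bin/find /var/log/myapp -name '*.log' -mtime +7 -delete
exit 0
EOF
    printf '%s\n' "$d"
}

SAMPLES=$(make_samples)
FLAGGED=$(count_flagged "$SAMPLES")
echo "suspicious launcher scripts: $FLAGGED"
rm -rf "$SAMPLES"
```

    On a live system the same functions can be pointed at /private/etc directly; anything they flag is a candidate for the removal steps given later in the thread, not proof on its own.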

  • by pinkstones, May 31, 2016 3:32 PM in response to Linc Davis
    Level 5 (4,209 points), Safari

    Linc Davis wrote:

        Has my macbook been hacked?

        No. You are getting the usual results of posting the output of that app on this site. It's giving you completely false information.

    You're wrong, and for a couple of reasons. One, contributors said the OP wasn't hacked well before they posted their EtreCheck report. So, trying to make it seem like they posted it, then asked if they'd been hacked based on the output, is disingenuous. Two, the EtreCheck report showed that they had adware installed, and two options were given for its removal, plus it showed that they had a ton of corrupted fonts installed, which need to be fixed. Without the EtreCheck output, we would not know that. Again, the question as to whether or not they were hacked was answered BEFORE they shared anything else, not after.

  • by Linc Davis,

    Linc Davis Linc Davis May 31, 2016 4:20 PM in response to MBA5
    Level 10 (208,037 points)
    Applications
    May 31, 2016 4:20 PM in response to MBA5

    A

     

    I misinformed you because I made a snap judgment without enough information. You have installed, as of today, a new variant of the "VSearch" malware that I haven't seen before. I regret the mistake. If you have any idea how the malware was installed, I'd like to know. You may very recently have downloaded and run some unknown application or installer, probably after being prompted to do so on a web page.

     

    To inactivate the malware, please take the steps below. A few small files will be left behind, but they have no effect, and trying to remove them all would be more trouble than it's worth.

     

    Please open the Library folder at the top level of the startup volume ("Macintosh HD," unless you gave it a different name.) Inside the Library folder there may be subfolders with these names:

     

         fundi

         Lemuria

         TillodontiaUpd

     

    Drag those subfolders, and only those, to the Trash, but don't try to empty yet. You may be prompted for your administrator password.

     

    Restart the computer and then empty the Trash.

    Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari ▹ Preferences... ▹ General

    and click

              Set to Current Page

    If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

    In the User & Groups preference pane, delete the users named "cucoline" and "prosopoplegic."

    A note of caution: Past versions of VSearch have never been reported to do anything other than deliver unwanted web content in various ways. This one is more complex and sophisticated than what I've seen before, and without analyzing a sample I have no way to be sure that it's just doing more of the same. I can't rule out the possibility that it may have stolen personal information, such as passwords, and delivered it to the attacker. If you want to pursue that possibility, ask for instructions.

    B

    The test results show other issues, probably not related to the original question.

    Some of your user files (not system files) have incorrect permissions or are locked. This procedure will unlock those files and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.

    Please back up all data before proceeding.

    Step 1

    If you have more than one user, and the one in question is not an administrator, then go to Step 2.

    Enter the following command in the Terminal window in the same way as before (triple-click, copy, and paste):

    sudo find ~ $TMPDIR.. -exec chflags -h nosappnd,noschg,nosunlnk,nouappnd,nouchg {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-

    You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.

    The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.

    Step 2 (optional)

    Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.

    Start up in Recovery mode. You may be prompted to select a language, then the OS X Utilities screen will appear.

    If you use FileVault 2, select Disk Utility, then select the icon of the FileVault startup volume ("Macintosh HD," unless you gave it a different name.) It will be nested below another drive icon. Select Unlock from the File menu and enter your login password when prompted. Then quit Disk Utility to be returned to the main screen.

    Select

              Utilities ▹ Terminal

    from the menu bar. A Terminal window will open. In that window, type this:

    resetp

    Press the tab key. The partial command you typed will automatically be completed to this:

    resetpassword

    Press return. A Reset Password window will open. You’re not going to reset a password.

    Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.

    Select your username from the menu labeled Select the user account if not already selected.

    Under Reset Home Directory Permissions and ACLs, click the Reset button.

    Select

               ▹ Restart

    from the menu bar.

    C

    Back up all data.

    Run the following command in the same way as before. It moves to the Trash "semaphore" files that have not been cleaned up by the system and may be interfering with normal operation. The files are empty; they contain no data. There will be no output this time.

    find L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.??????? -exec mv {} .Trash/ \; 2>&-

    Log out or restart the computer and empty the Trash.

    D

    There's a problem with Time Machine local snapshots. From the menu bar, please select

               ▹ System Preferences... ▹ Time Machine

    If there is a closed padlock icon in the lower left corner of the preference pane, click it to unlock the settings and authenticate. Turn Time Machine OFF, then back ON. Close the window.

    Restart the computer.

    E

    Please back up all data before proceeding.

    Launch the Font Book application and validate all fonts. You must select the fonts in order to validate them. See the built-in help and this support article for instructions. If Font Book finds any issues, resolve them.

    Start up in safe mode to rebuild the font caches. Restart as usual and test.

    Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t start in safe mode. In that case, ask for instructions.

    If you still have problems, then from the Font Book menu bar, select

              File ▹ Restore Standard Fonts...

    You'll be prompted to confirm, and then to enter your administrator login password.

    Also note that if you deactivate or remove any built-in fonts, for instance by using a third-party font manager, the system may become unstable.

  • by ~Bee,

    ~Bee ~Bee May 31, 2016 6:37 PM in response to MBA5
    Level 7 (31,802 points)
    Mac OS X
    May 31, 2016 6:37 PM in response to MBA5

    MBA5

    This malware has been known for a few years now.

    Instead of all the above (and below) macsinations,

    just download MalwareBytes, developed by Thomas Reed, a very respected helper here.

    It will fix you up in a few minutes.

    https://www.malwarebytes.org/antimalware/mac

     

     

    Info from The Safe Mac, now called MalwareBytes:

    Adware Removal Guide : VSearch

    Published February 25th, 2014 at 1:30 PM EDT , modified August 21st, 2015 at 6:23 AM EDT

    VSearch is one of the most common adware programs, commonly found in fake “video streaming” installers. It originally began as a fake torrent downloading app, under the name Downlite, but this name hasn’t been seen in some time now. VSearch displays pop-up ads and redirects the user to a different search engine.

    VSearch was one of the first modern adware programs to be identified as malicious by Apple, following an episode of blocking this site and the AdwareMedic site on Macs infected with this adware. Newer variants of VSearch have not been similarly blocked, however, and are still a threat.

    Removal

    Move the following items to the trash. Note that removing many of these files will require administrator access, so you will need to be sure you are logged in to an admin account on your Mac. If you are not, you will be unable to remove some of them. Also, this list represents all files installed by all known variants of VSearch, so not all files listed will be present. If you don’t know how to locate a file based on the path given below, you should read Locating files from paths.

    /Library/Application Support/VSearch
    /Library/LaunchAgents/com.vsearch.agent.plist
    /Library/LaunchDaemons/com.vsearch.daemon.plist
    /Library/LaunchDaemons/com.vsearch.helper.plist
    /Library/LaunchDaemons/Jack.plist
    /Library/PrivilegedHelperTools/Jack
    /System/Library/Frameworks/VSearch.framework
    /System/Library/Frameworks/v.framework

    You may also find files with the following names, where “xxx” can be any word:

    /Library/LaunchAgents/com.xxx.agent.plist
    /Library/LaunchDaemons/com.xxx.daemon.plist
    /Library/LaunchDaemons/com.xxx.helper.plist

    Some examples of words used in place of the “xxx” that I have seen are “heizenberg,” “dot,” “steak” and “moonlight.” However, many other variants also exist. In all cases, whatever word was used on a particular Mac was used for all these files. In other words, you should only see one single word used in place of “xxx” in all of these files on your Mac. (If you have more than one variant of VSearch, you may see duplicated sets of these files, where each set has a different name.) If you see any files matching these descriptions, move them to the trash.

    In addition, you should look for files in the following locations with the same names as the “xxx” in the LaunchAgent and LaunchDaemons files that you found:

    /Library/Application Support/xxx
    /System/Library/Frameworks/xxx.framework

    After you have moved all VSearch-related items to the trash, restart the computer. After restarting, you can empty the trash.

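    A read-only check for the file layout the guide describes, added here as an example; it is not code from the thread, from The Safe Mac, or from any product mentioned. It assumes a POSIX shell and runs its demo on a constructed temporary tree using the hypothetical word "moonlight" (one of the words the guide lists) and a hypothetical, unrelated "com.vendor" launch agent, so it can be tried anywhere; pointing it at a real Mac means calling it with no argument.

```shell
#!/bin/sh
# Added example, not code from the thread or from The Safe Mac guide.
# Read-only check for the VSearch layout the guide describes: one word ("xxx")
# is shared by com.xxx.agent.plist, com.xxx.daemon.plist, com.xxx.helper.plist,
# /Library/Application Support/xxx and /System/Library/Frameworks/xxx.framework.
# The scan takes the word from every launch item it finds, then counts how many
# of those five locations exist for that word. Nothing is moved or deleted.

# vsearch_scan [ROOT]  -- ROOT defaults to "" (i.e. the real / on a Mac)
vsearch_scan() {
  root="${1:-}"
  for f in "$root"/Library/LaunchAgents/com.*.agent.plist \
           "$root"/Library/LaunchDaemons/com.*.daemon.plist \
           "$root"/Library/LaunchDaemons/com.*.helper.plist; do
    [ -e "$f" ] || continue                # an unmatched glob stays literal
    w=$(basename "$f"); w=${w#com.}
    w=${w%.agent.plist}; w=${w%.daemon.plist}; w=${w%.helper.plist}
    if [ "$w" = apple ]; then continue; fi  # Apple's own items use this shape
    echo "$w"
  done | sort -u | while read -r w; do
    hits=0
    for p in "$root/Library/LaunchAgents/com.$w.agent.plist" \
             "$root/Library/LaunchDaemons/com.$w.daemon.plist" \
             "$root/Library/LaunchDaemons/com.$w.helper.plist" \
             "$root/Library/Application Support/$w" \
             "$root/System/Library/Frameworks/$w.framework"; do
      if [ -e "$p" ]; then hits=$((hits + 1)); fi
    done
    # A single launch item (a legitimate vendor updater, say) only rates "weak";
    # two or more of the five paths sharing one word is the VSearch pattern.
    if [ "$hits" -ge 2 ]; then echo "likely $w $hits"; else echo "weak $w $hits"; fi
  done
}

# Demo on a constructed tree: the hypothetical word "moonlight" in all five
# places, plus an unrelated hypothetical "com.vendor" agent that should rate
# only "weak". Prints the scan result and removes the temporary tree.
demo_vsearch_scan() {
  d=$(mktemp -d)
  mkdir -p "$d/Library/LaunchAgents" "$d/Library/LaunchDaemons" \
           "$d/Library/Application Support/moonlight" \
           "$d/System/Library/Frameworks/moonlight.framework"
  : > "$d/Library/LaunchAgents/com.moonlight.agent.plist"
  : > "$d/Library/LaunchDaemons/com.moonlight.daemon.plist"
  : > "$d/Library/LaunchDaemons/com.moonlight.helper.plist"
  : > "$d/Library/LaunchAgents/com.vendor.agent.plist"
  vsearch_scan "$d"
  rm -rf "$d"
}
```

    The demo prints `likely moonlight 5` and `weak vendor 1`; on a real system, review every "likely" set against the guide's list before moving anything to the Trash.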

  • by ~Bee,

    ~Bee ~Bee May 31, 2016 6:40 PM in response to ~Bee
    Level 7 (31,802 points)
    Mac OS X
    May 31, 2016 6:40 PM in response to ~Bee

    As for the fonts, I think all of the error fonts are from M$ Office, which is probably why you're getting Word errors, as well.

    They are most likely duplicates.

    When things settle down with the malware, we can revisit that with Kurt Lang, our resident Font expert.

  • by Linc Davis,

    Linc Davis Linc Davis May 31, 2016 7:28 PM in response to Linc Davis
    Level 10 (208,037 points)
    Applications
    May 31, 2016 7:28 PM in response to Linc Davis

    To repeat (unnecessarily), you have a new malware variant that seems to have emerged within the last 24 hours. I just saw another report of it a few minutes ago. It's a "zero day" attack that won't be remedied by OS X or any other software. As for your font problem, it will be taken care of by Step E in my comment above.

  • by ~Bee,

    ~Bee ~Bee May 31, 2016 7:45 PM in response to ~Bee
    Level 7 (31,802 points)
    Mac OS X
    May 31, 2016 7:45 PM in response to ~Bee

    To repeat, this crapola was first discovered in 2014.  If this is a "new" variant, it is still very strange that it was previously overlooked in the report, new or old.


    /System/Library/Frameworks/VSearch.framework

        One adware file found. [Remove]

     

    If anyone has the information on this "last 24-hour" attack, it would be great to publish it here as a public service.  Anyway, MalwareBytes will solve it immediately with only ONE step.

  • by etresoft,

    etresoft etresoft May 31, 2016 8:04 PM in response to MBA5
    Level 7 (29,380 points)
    Mac OS X
    May 31, 2016 8:04 PM in response to MBA5

    Hello MBA5,

    I suggest downloading and running MalwareBytes Anti-malware for Mac (https://www.malwarebytes.org/antimalware/mac/).

     

    This appears to be a new type of adware that EtreCheck cannot remove. MalwareBytes has more resources than I do so they may be able to remove this malware. To verify, after running MalwareBytes, restart your machine, then run EtreCheck again and post another EtreCheck report. If "TillodontiaUpd.plist" is still listed, then we can give you some lower-level commands to manually remove it. If MalwareBytes doesn't remove it, no manual method mentioned so far in this thread will succeed either. I just want to try the easy and safe route first.

     

    Adware is rapidly evolving and is now adopting true malware behaviour. I am working on an update to EtreCheck to handle it, but it isn't ready yet. Unfortunately, this is the new normal for Macs.

  • by Linc Davis,

    Linc Davis Linc Davis May 31, 2016 8:17 PM in response to Linc Davis
    Level 10 (208,037 points)
    Applications
    May 31, 2016 8:17 PM in response to Linc Davis

    You've been told that (a) some anti-malware product will remove the malware, or (b) if it doesn't, you won't be able to remove it manually. That's wrong on both counts. The instructions I gave you will work, and the anti-malware will not work. This is a zero-day attack and no software will remedy it.

     

    <Edited by Host>

  • by etresoft,

    etresoft etresoft May 31, 2016 8:25 PM in response to MBA5
    Level 7 (29,380 points)
    Mac OS X
    May 31, 2016 8:25 PM in response to MBA5

    Hello again MBA5,

    Upon closer inspection, it looks like your entire /Library/LaunchAgents folder is gone. This will probably prevent MalwareBytes from running. I suggest you reinstall the operating system, then re-run EtreCheck and post a new report. Ideally, you would do a backup too. You don't seem to have a Time Machine backup and I don't know if you could even perform one with your machine in its current state. You can do a manual backup with Disk Utility (Disk Utility (El Capitan): Restore a disk).

  • by etresoft,

    etresoft etresoft Jun 1, 2016 8:26 AM in response to Linc Davis
    Level 7 (29,380 points)
    Mac OS X
    Jun 1, 2016 8:26 AM in response to Linc Davis

    Sorry Linc, your instructions will not work. There are no files to delete. ********  Then look at the output of your own script. It says the same thing. There are manual methods to remove this malware. Those methods will be our only options until EtreCheck and/or MalwareBytes gets updated. I know what those manual methods are, but they are tedious and require the Terminal. I thought that you knew how to do that too. Perhaps I was wrong about that though. Just deleting files is no longer sufficient.

     

    <Edited by Host>

  • by thomas_r.,

    thomas_r. thomas_r. Jun 1, 2016 8:27 AM in response to etresoft
    Level 7 (30,944 points)
    Mac OS X
    Jun 1, 2016 8:27 AM in response to etresoft

    etresoft wrote:

     

    Upon closer inspection, it looks like your entire /Library/LaunchAgents folder is gone. This will probably prevent MalwareBytes from running.

     

    That should not be an issue. The absence of the LaunchAgents folder should not affect the functionality of Malwarebytes Anti-Malware for Mac. However, the fact that that folder is missing is most likely the result of a failed attempt at manual removal, and who knows what else may have been affected. I'd also recommend reinstalling the system.

  • by stevejobsfan0123,

    stevejobsfan0123 stevejobsfan0123 Jun 1, 2016 8:32 AM in response to thomas_r.
    Level 8 (43,997 points)
    iPhone
    Jun 1, 2016 8:32 AM in response to thomas_r.

    Sounds plausible. Just goes to show you how dangerous manual removal can be.
