MBA5 wrote:
I downloaded the anti-malware and run it. The latest EtreCheck still shows TillodontiaUpd.plist as loaded. Don't know if I need to do something.
That is part of the malware (VSearch) that is installed. Malwarebytes Anti-Malware for Mac should delete that at this point. You may have to run it twice, with a restart of your computer between scans, to get rid of it entirely. Alternately, you can try deleting it manually. However, some variants of VSearch will re-create that launch daemon file if it is deleted. In order to ensure it stays gone, you will also need to find a TillodontiaUpd folder in the Library folder (the one at the root of your hard drive, in the same place as the Applications and System folders) and delete that. Then restart. If the TillodontiaUpd.plist file comes back after the restart, delete it again. It shouldn't come back after that, because you trashed the executable that was replacing the file.
In addition, this particular malware may create one or more hidden users on your computer. Run the following command in the Terminal:
dscl . -list /Users UniqueID | grep 401
(Note that you should be cautious about pasting commands into the Terminal. If someone were to figure out a way to hack this site, they could cause a malicious command to replace the command that you thought you copied, and you'd end up with a malicious command auto-executing in the Terminal. What I recommend is to copy that command, then choose Show Clipboard from the Edit menu in the Finder to review what was copied. If it looks the same, it's okay to paste.)
The output of that command should be something like this:
dynast 401
This shows the username and the user ID. There may be multiple hidden usernames mapped to ID 401. All of them were probably created by VSearch.
To delete these hidden users, enter the following command in the Terminal, making sure to replace "dynast" with a name that you found using the previous command:
sudo dscl . -delete /Users/dynast
Repeat this process for each user having an ID of 401.
In addition, there will be a user folder of the same name in a hidden folder. In the Finder, choose Go to Folder from the Go menu. In the window that opens, paste the following path:
/private/var/
Then click the Go button. Any folder having the same name as one of the users you just deleted can be moved to the trash.