You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Strange " wZCHMDFw " process uses a lot of resources.

This process called " wZCHMDFw " runs on my mac/mojave in normal mode (in safe mode it does not run). it uses up a lot of resources and i do not know where it is coming from. Googling it gave me nothing






I am also attaching the begining of the sampling that is produced


Analysis of sampling wZCHMDFw (pid 76) every 1 millisecond
Process:         wZCHMDFw [76]
Path:            /Library/wZCHMDFw/wZCHMDFw.app/Contents/MacOS/wZCHMDFw
Load Address:    0x1072e2000
Identifier:      wZCHMDFw
Version:         ???
Code Type:       X86-64
Parent Process:  launchd [1]

Date/Time:       2019-06-04 16:45:36.621 +0300
Launch Time:     2019-06-04 16:38:31.105 +0300
OS Version:      Mac OS X 10.14.5 (18F132)
Report Version:  7
Analysis Tool:   /usr/bin/sample

Physical footprint:         3.1G
Physical footprint (peak):  3.1G
----

Call graph:
    2700 Thread_609   DispatchQueue_1: com.apple.main-thread  (serial)
      2698 start  (in libdyld.dylib) + 1  [0x7fff767a13d5]
      + 1232 main  (in wZCHMDFw) + 417  [0x1072e4a41]
      + ! 1141 writeStringToURLOrPath  (in Foundation) + 216  [0x7fff4cafc403]
      + ! : 1074 _NSWriteDataToFileWithExtendedAttributes  (in Foundation) + 224  [0x7fff4cafc8f8]
      + ! : | 683 _NSCreateTemporaryFile_Protected  (in Foundation) + 674  [0x7fff4cb32ecb]
      + ! : | + 679 __open  (in libsystem_kernel.dylib) + 10  [0x7fff768d71ee]
      + ! : | + 2 cerror  (in libsystem_kernel.dylib) + 13  [0x7fff768d642e]



Any help?!

MacBook Pro 15", macOS 10.14

Posted on Jun 4, 2019 8:15 AM

Reply
Question marked as Top-ranking reply

Posted on Jun 4, 2019 2:08 PM

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.


  • A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.


Next: This step is optional, but will preclude any related inability to use your Mac due to the adware's excessive demands imposed upon it. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The resource-demanding process will not appear while you are using your Mac in that mode.


The following files and / or folders need to be deleted:




Drag that selection of files to the Trash. You will be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.


Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use.


There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.


Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any Extensions that may have been installed without your knowledge. Ask if you're uncertain. While you're there, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but are also being leveraged by adware creators.


You can then restart your Mac. Confirm the rogue process no longer appears in Activity Monitor and that its operation generally returns to normal.


Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:


~/Library/Application Support


It is normal for that folder to contain many items, but anything associated with the above adware will bear identical names ("athechyer" etc). Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.


PT.updd.plist is installed by a product called "Popcorn Time". Although it may have legitimate purposes it is one of many similar products used to watch movies or other copyrighted content that is not normally available "for free" so you need to be mindful of those implications.


I am not familiar with "hdjsd.plist" but it may also be associated with something you don't need or want. I doubt its presence is causing any trouble so leave it alone for now.


Next: You also installed a scam "cleaning" product. To uninstall "CleanMyMac" follow its uninstallation instructions exactly. They require using "CleanMyMac" to uninstall itself. As far as I have been able to determine they are sufficient to deactivate it, but are somewhat incomplete in that some of its components will remain. Please review each of the folders you posted in your screenshots, and manually drag any of remaining "CleanMyMac" components to the Trash.


  • The effects of actually having used "CleanMyMac" or similarly categorized things are another subject altogether. Without knowing exactly what you did with it, it is not possible to determine the extent of damage it may have inflicted upon your Mac.


Finally: if any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.

Similar questions

12 replies
Question marked as Top-ranking reply

Jun 4, 2019 2:08 PM in response to ViBenn

First, ensure you have a reliable backup of your Mac, in case something should go wrong with continued troubleshooting. To learn how to do that, please read Back up your Mac with Time Machine.


  • A backup is a fundamental prerequisite regardless of whatever method you may choose uninstall adware, and would apply even if your Mac were running perfectly well. Do not overlook this fundamental requirement. It's important.


Next: This step is optional, but will preclude any related inability to use your Mac due to the adware's excessive demands imposed upon it. Restart in "Safe Mode", and log in: Use safe mode to isolate issues with your Mac. Starting in Safe Mode takes longer than usual so let it finish. The resource-demanding process will not appear while you are using your Mac in that mode.


The following files and / or folders need to be deleted:




Drag that selection of files to the Trash. You will be asked to authenticate. Confirm they are no longer present in that folder. Leave all the others alone for now.


Next: open Safari and select the Safari menu > Preferences... > Extensions. If you see any Extensions that you do not recognize or understand, simply click the Uninstall button and they will be gone. No Safari Extensions are required for normal operation. Then, select the General pane and review your Homepage selection. Repeat those equivalent actions for any other browser you may use.


There may also be adware-associated app icons in your Mac's Applications folder. Open it and examine its contents. Any unwanted or mysterious app icons should be obvious to you, but again please don't remove anything if you are uncertain—ask first. Identify any suspicious apps by name, or post another screenshot.


Next: In an abundance of caution, examine System Preferences > Extensions. Determine if there are any Extensions that may have been installed without your knowledge. Ask if you're uncertain. While you're there, check for the presence of any Profiles. Profiles are installed by organizations with a need to manage Macs deployed in institutional corporate or educational environments (for example), but are also being leveraged by adware creators.


You can then restart your Mac. Confirm the rogue process no longer appears in Activity Monitor and that its operation generally returns to normal.


Next: if you want to eradicate all remaining adware remnants post a screenshot of the following folder, in the same manner as you did earlier:


~/Library/Application Support


It is normal for that folder to contain many items, but anything associated with the above adware will bear identical names ("athechyer" etc). Without the files you already removed or the reintroduction of similar malware, they can do nothing but occupy space. These can be removed if you wish, but again don't remove anything if you are uncertain.


PT.updd.plist is installed by a product called "Popcorn Time". Although it may have legitimate purposes it is one of many similar products used to watch movies or other copyrighted content that is not normally available "for free" so you need to be mindful of those implications.


I am not familiar with "hdjsd.plist" but it may also be associated with something you don't need or want. I doubt its presence is causing any trouble so leave it alone for now.


Next: You also installed a scam "cleaning" product. To uninstall "CleanMyMac" follow its uninstallation instructions exactly. They require using "CleanMyMac" to uninstall itself. As far as I have been able to determine they are sufficient to deactivate it, but are somewhat incomplete in that some of its components will remain. Please review each of the folders you posted in your screenshots, and manually drag any of remaining "CleanMyMac" components to the Trash.


  • The effects of actually having used "CleanMyMac" or similarly categorized things are another subject altogether. Without knowing exactly what you did with it, it is not possible to determine the extent of damage it may have inflicted upon your Mac.


Finally: if any of the above actions result in abnormal operation or if something else stops working, the easiest way to recover would be to restore the Time Machine backup you created as a prerequisite, so the importance of that fundamental step cannot be overemphasized.

Jun 4, 2019 8:27 AM in response to ViBenn

You inadvertently installed adware. You do not need to download or install anything to fix it.


Navigate to the following folder, and post its contents in a screenshot.


~/Library/LaunchAgents


To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. Make it look like this:





... and click the Go button.


A Finder window will open. Take a screenshot showing all that folder's contents, and post it in a reply. To take a screenshot read the Appendix in the following User Tip: Writing an effective Apple Support Communities question.


Usually, there is nothing in that folder so don't be surprised to find it empty. The reason for starting with that folder is to eliminate other potential causes before proceeding with steps that will identify and eradicate whatever is affecting that Mac.


There will be additional instructions to follow and this is just the first step.


For a description of how this may have occurred, how to avoid it in the future, and for Apple's recommended actions read How to install adware.


Review your Gatekeeper settings: OS X : About Gatekeeper - Apple Support. Gatekeeper is designed to help prevent you from inadvertently installing garbage software.


If you get impatient and want to "read ahead" the remedy will follow the format of this Discussion: "root" process has high energy impact which drains my battery fast.

Jun 11, 2019 12:36 AM in response to John Galt

Hello,


**Disclaimer: the computer which is mentioned in this post is not one that I own or use. Any software installed and used that appears in the screenshots was done by the owner of the computer. I am simply assigned to fix the problem that they are facing.**


Sorry for the late reply. So in summary here is what I did, following all your guys suggestions. I downloaded and installed MalwareBytes and performed a check. It recommended deleting almost all the plists that you suggested.


For the ones that it did not delete, I went to each of the three directories.

~/Library/LaunchAgents

/Library/LaunchAgents

/Library/LaunchDaemons

~/Library/Application Support


and googled each plist that i did not understand. I kept the ones I wanted and knew where they were coming from.

I proceeded to uninstall Malware bytes because it was running something in the background that was also using up a lot of resources.


I downloaded EtreCheck and scanned the computer. I read the report it produced and tried to follow along to pin-point the problems. I am attaching the report.


For the extensions I deleted all of them for Safari, Chrome and Firefox as John Galt suggested. The dangers of PT.updd.plist, CleanMyMac and TeamViewer are noted. Also @John Galt, I decided to leave ~/Library/Application Support as is.


Following EtreCheck's report I run a first AID on the Macintosh HD and after getting the error that the "fsroot root tree is invalid" i followed https://discussions.apple.com/thread/8564919 and the suggestion of Mac_2456 to fix it.



The strange process is now not running and the mac seems to be working better.


I am finally posting images of the three directories as they look now.


Also I don't know what to do regarding this line of the EtreCheck report

   Launchd: ~/Library/LaunchAgents/.dat0110.000

        Executable: /usr/bin/osascript -e 'tell application "Folder Actions Dispatcher" to tick'

        Details: Launchd config file is hidden - possibly adware


Jun 4, 2019 9:08 AM in response to ViBenn

Thank you!


I did a bit of the suggested reading but I want to be sure I delete all the unwanted files. So I am attaching the following screenshots:


~/Library/LaunchAgents (i have only hidden my user name)


/Library/LaunchAgents


/Library/LaunchDaemons



To be honest under both ~/Library and /Library I cannot find a file or folder named " wZCHMDFw " but I think I had deleted that in the past hoping it would solve my problem.

Jun 4, 2019 9:53 AM in response to ViBenn

Besides likely adware, you have some serious garbage on your Mac you should remove immediately.


CleanMyMac is pure junk. It does nothing useful and is known to damage the OS with its "cleaning" attempts. Also remove all traces of Teamviewer. You should never have remote access software installed without having a very good reason for it.


Of the root Library daemons, com.wZCHMDFw.plist is the obvious one, but the three randomly named items after is are also highly likely to be adware.


As Luis noted, don't just start deleting unknown files. As he says, run EtreCheck. Post the results by using the Additional text button. It's too long otherwise to fit in one response.

Also, MalwareBytes for Mac is a highly trusted and often recommended app. It and EtreCheck are both written by longtime forum members. MalwareBytes' main function is to find and remove malware/adware.

Jun 4, 2019 8:31 AM in response to ViBenn

Your post tells you right were the offending app is:


/Library/wZCHMDFw/wZCHMDFw.app


Go the the root Library folder and put the subfolder wZCHMDFw in the trash. Restart and then empty the trash.


Per John's notes, the adware may have also install launch daemons. Check the LaunchAgents folder in your user account as he mentioned, and also the one in the root Library folder.

Jun 4, 2019 9:43 AM in response to ViBenn

You also have a lot of **** - most notoriously, "cleanmymac", which should rather be called "cripplemymac"...


But don't start deleting stuff you don't know about. This is a formula for disaster.


In the case of cleanmymac, follow their own instructions for uninstalling.


You should also run Etrecheck and post its full report here. It will give a clearer picture of your setup, including possible remaining adware.

Use the additional text button below and paste the report into the text box.

Jun 11, 2019 7:22 AM in response to ViBenn

Great! Thanks for the update.


ViBenn wrote:

Also I don't know what to do regarding this line of the EtreCheck report
   Launchd: ~/Library/LaunchAgents/.dat0110.000
        Executable: /usr/bin/osascript -e 'tell application "Folder Actions Dispatcher" to tick'
        Details: Launchd config file is hidden - possibly adware


I'd be suspicious of that file, for that reason. macOS doesn't intentionally hide things.

Strange " wZCHMDFw " process uses a lot of resources.

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.