Install files randomly created on MacBook Pro 16”, 2019

Do they all have the same title?

Are you downloading things before they occur?

Download and run this app so we can find more information about your installation.

https://etrecheck.com/upgrade

It shows what is launched and other information and is very useful in finding causes of problems. After you first launch the app make sure you check Enable full disk access in the box in lower left.

After running the app use the app's feature to paste to clipboard. Then paste it in the text box for a reply in this forum click on the addition text icon. This is because the normal reply text box limits how much you can type.

No personal identifiable information is contained if the app output. The app was written for a person who is contributor to these Apple Support Communities

Finding: More than one antivirus app - This computer has multiple antivirus apps installed.

CleanMyMac, Symantec, Apple, and Malwarebytes

System Extensions:

[Running] Avast Antivirus System Extension - version 4.1.103 (AVAST Software a.s. - 2022-02-21)

Application: /Applications/Avast.app - version 4.1.103

Action: Uninstall CleanMyMac and Symantec using using instructions provided by the developers. MalwareBytes is OK but only ru it manually. Have on extra antivirus app is bad enough two is asking for problems.

Finding: Unsigned Files:

Launchd: ~/Library/LaunchAgents/com.wqmyugdlgzqedafpoqrjbyenhxousi.plist.plist

Executable: /bin/bash -c 'sudo /tmp/LjJAsTQYXB1K pkgsh && rm /tmp/LjJAsTQYXB1K && /bin/launchctl bootout gui/501/com.wqmyugdlgzqedafpoqrjbyenhxousi.plist'

Details: Domain name invalid - possibly adware

Launchd: ~/Library/LaunchAgents/com.mgtdxwjjjgedfbvtxpajrnonbhcorf.plist.plist

Executable: /bin/bash -c 'sudo /tmp/bbt9xMGsY9zd pkgsh && rm /tmp/bbt9xMGsY9zd && /bin/launchctl bootout gui/501/com.mgtdxwjjjgedfbvtxpajrnonbhcorf.plist'

Details: Domain name invalid - possibly adware

Launchd: ~/Library/LaunchAgents/com.vtzyrrmjriroqinjxarkytxrbalbzc.plist.plist

Executable: /bin/bash -c 'sudo /tmp/taFZrJCclOPz pkgsh && rm /tmp/taFZrJCclOPz && /bin/launchctl bootout gui/501/com.vtzyrrmjriroqinjxarkytxrbalbzc.plist'

Details: Domain name invalid - possibly adware

Launchd: ~/Library/LaunchAgents/com.bkxghlwalclgunnsjwjpxjtezqbeqd.plist.plist

Executable: /bin/bash -c 'sudo /tmp/RMf94Q5boRCg pkgsh && rm /tmp/RMf94Q5boRCg && /bin/launchctl bootout gui/501/com.bkxghlwalclgunnsjwjpxjtezqbeqd.plist'

Details: Domain name invalid - possibly adware

Action: Remove these items. I think EtreCheck says how to do this.

Well, that's the nature of malware. It doesn't want to give up so easily. Just keep going. When you've deleted all you can delete, restart your Mac, generate a new EtreCheck report, and do it all over again. Hopefully you get to a point where they are all gone.

You have a couple of malware files that weren't mentioned above. Here are then files you need to delete:

Unsigned Files:

Launchd: ~/Library/LaunchAgents/com.wqmyugdlgzqedafpoqrjbyenhxousi.plist.plist

Launchd: ~/Library/LaunchAgents/com.mgtdxwjjjgedfbvtxpajrnonbhcorf.plist.plist

Launchd: /Library/LaunchDaemons/com.buffer.system.plist

Executable: /Library/Application Support/System/SystemBuffer

Launchd: ~/Library/LaunchAgents/com.epxlxsggsygaerbzxgylfnvxtsudyd.plist.plist

Launchd: ~/Library/LaunchAgents/com.vtzyrrmjriroqinjxarkytxrbalbzc.plist.plist

Launchd: ~/Library/LaunchAgents/com.bkxghlwalclgunnsjwjpxjtezqbeqd.plist.plist

These are unusual files. I haven't seen any like most of these before. That explains why EtreCheck is a bit confused about them.

Please do NOT attempt to use EtreCheck to remove your antivirus apps. Clearly, they aren't protecting you from this malware. But they will be much more difficult to remove.

The only way to remove these files is with official uninstallers or uninstallation instructions provided directly by the developer. Never use an “app zapper” or “clean up” tool to uninstall software. Never try to manually delete files in these hidden directories by hand. Do not use EtreCheck’s “Remove” buttons either. Those are only designed for adware and malware.

I am NOT kidding about this. It looks like you've already attempted to uninstall Avast and left if running an undefined state. There wasn't enough of it left for EtreCheck to recognize as an Antivirus. You will need to reinstall Avast and then uninstall it using the proper procedure.

Sorry, but you probably should have checked first. Time Machine is probably not going to help you. It backs up all data, including malware, and reinstalls it.

If you haven't reinstalled any data yet, then you don't have to worry about the malware reinstalling itself. Malware never installs itself. Malware gets installed by tricking the user into installing it.

Unless you manually drag your documents over from your backup, you have a very good chance of reinstalling the malware. However, malware is relatively easy to remove. Just use the list of files I posted above. If you get any new ones, EtreCheck will usually identify them as "probably adware".

I wouldn't really recommend a manual reinstall like this. It's a lot of work. But if you've already erased, it is at least an easy way to remove the antivirus apps that weren't working. Those are much more difficult to remove than malware. Funny that.

PS: Thanks for posting your EtreCheck report. Your malware files are quite unusual. I'm going to make some changes to try to better handle these kinds of things.