
How do I know if my MacBook Air was compromised prior to Monterey 12.5.1 software update

My MacBook Air was playing odd music and doing other strange things last night including desktop picture changed which is another question I posted earlier. OS was Monterey 12.5. When I checked for updates it said none were available but 12.5.1 was out there. I reinstalled OS overnight and this AM Monterey 12.5.1 is what the OS is but my computer is still doing odd things like if I restart it Messages and Safari windows are both coming up even though they are not selected to open on startup in options. Avast says no issues found but I'm not thrilled with Avast. How can I tell if I'm really affected and how would I fix it?

MacBook Air

Posted on Aug 21, 2022 6:48 AM


Aug 21, 2022 8:49 PM in response to BillMort4198

Hey there! To remove the files manually, I’d look for any folders/files labeled Clean My Mac or MacPaw, and delete them from these locations:


Finder > Go > Applications

Finder > Go > Macintosh HD > Library:


in the /Library check these folders and remove any associated folders/files regarding CMM/MacPaw:


Application Support

Extensions

Internet Plugins

Launch Agents

Launch Daemons

Scripting Additions

Startup Items


Once done there, open the user library:

Open Finder, while holding the Option key, on the top menu hit > Go > Library.


From this Library, remove the same associated folders/files:


Application Support

Cache

Cookies

Internet Plugins

Launch Agents

Preferences

Saved Application State


Also in both Libraries themselves, look for folders like this and remove.


Likewise in Finder > Go > Home > Applications, remove any similar files/folders here.


And finally in System Preferences > Users and Groups > Login Items. Remove any associated files by highlighting and pressing the “-” below to remove.


Restart and test out the issue. While doing this manually, you may as well remove any suspect, old, unneeded applications, many will have the developer's name as well as the app name, and malware may just have some random string of letters and numbers.plist.


Just make sure to keep a backup before removing any files in these locations. Hope all goes well! While at it, erasing and setting up as new and manually moving over files may be a good step if it’s been a while since doing so, especially after transferring data from Mac to Mac to Mac. But isn’t always totally necessary.
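
A read-only way to carry out the search described in the post above, as an added example that is not part of the original reply: it lists, without deleting anything, items whose names contain a keyword inside the Library subfolders the post names. The function name `scan_library` and the keywords passed to it are assumptions chosen for illustration; the subfolder names are the on-disk spellings, which differ slightly from the labels in the post.

```shell
#!/bin/sh
# Read-only audit: list (never delete) items whose names match a keyword
# inside the Library subfolders named in the post. Review the output by
# hand before removing anything, and keep a backup as the post advises.

# On-disk names for the folders in the post (/Library and ~/Library merged):
# "Launch Agents" is LaunchAgents, "Cache" is Caches, and so on.
SUBDIRS="Application Support
Extensions
Internet Plug-Ins
LaunchAgents
LaunchDaemons
ScriptingAdditions
StartupItems
Caches
Cookies
Preferences
Saved Application State"

# scan_library ROOT KEYWORD...
#   ROOT    a library folder, e.g. /Library or "$HOME/Library"
#   KEYWORD case-insensitive name fragment, e.g. macpaw or cleanmymac
# Prints one matching path per line, sorted, with duplicates removed.
scan_library() {
    root=$1
    shift
    for kw in "$@"; do
        printf '%s\n' "$SUBDIRS" | while IFS= read -r sub; do
            # Skip folders that do not exist in this library.
            [ -d "$root/$sub" ] || continue
            # Depth 2 catches both "MacPaw/" and "MacPaw/<app folder>".
            find "$root/$sub" -maxdepth 2 -iname "*$kw*" -print 2>/dev/null
        done
    done | sort -u
}

# Stand-alone use: sh audit.sh macpaw cleanmymac
# Scans the system library and the current user's library.
if [ "$#" -gt 0 ]; then
    for lib in /Library "$HOME/Library"; do
        scan_library "$lib" "$@"
    done
fi
```

Launch agents and daemons are named after a bundle identifier rather than the app's display name, so searching for the developer name as well as the product name catches files the product name alone would miss.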

Aug 22, 2022 6:04 AM in response to BillMort4198

Thanks, I think the wipe and redo is my best bet for getting this right. My computer would not recognize or let me do the update to 12.5.1 so I reinstalled the operating system to do that. The fact that I can't delete the cleanmymac folders even with rm -f, or change the permissions on them pretty much convinces me that something sinister is going on.


I manually saved all of the stuff I wanted to save yesterday, documents, photos, music and message archives but looking at restore instructions it appears I can do a Time Machine backup and through the Finder select what I want to put back. I ordered a bigger external hard drive because I have run all my external memory devices out of space and it occurred to me that getting the stuff back where it's supposed to be is going to be a pain. Does this plan sound feasible?

Aug 22, 2022 8:31 AM in response to PRP_53

P. Phillips wrote:

Agree to disagree

This is what my computer says:


Drives:
    disk0 - APPLE SSD AP1024R 1.00 TB (Solid State - TRIM: Yes)
    Internal Apple Fabric NVM Express
        disk0s1 [APFS Container] 524 MB
            disk1 [APFS Virtual drive] 524 MB (Shared by 4 volumes)
                disk1s1 - iSCPreboot (APFS) [APFS Preboot] (8 MB used)
                disk1s2 - xART (APFS) (6 MB used)
                disk1s3 - Hardware (APFS) (2 MB used)
                disk1s4 - Recovery (APFS) [Recovery] (20 KB used)
        disk0s2 [APFS Container] 994.66 GB
            disk3 [APFS Virtual drive] 994.66 GB (Shared by 6 volumes)
                disk3s1 (APFS) [APFS Container] (15.42 GB used)
                    disk3s1s1 - Macintosh HD (APFS) [APFS Snapshot] (15.42 GB used)
                disk3s2 - Preboot (APFS) [APFS Preboot] (718 MB used)
                disk3s3 - Recovery (APFS) [Recovery] (822 MB used)
                disk3s4 - Update (APFS) (10 MB used)
                disk3s5 - Data (APFS) [APFS Virtual drive] (653.78 GB used)
                disk3s6 - VM (APFS) [APFS VM] (20 KB used)
        disk0s3 [APFS Container] 5.37 GB
            disk2 [APFS Virtual drive] 5.37 GB (Shared by 2 volumes)
                disk2s1 - Recovery (APFS) [Recovery] (1.71 GB used)
                disk2s2 - Update (APFS) (295 KB used)


Aug 22, 2022 8:35 AM in response to BillMort4198

BillMort4198 wrote:

Thanks, I think the wipe and redo is my best bet for getting this right. My computer would not recognize or let me do the update to 12.5.1 so I reinstalled the operating system to do that. The fact that I can't delete the cleanmymac folders even with rm -f, or change the permissions on them pretty much convinces me that something sinister is going on.

Nothing sinister is going on.

I manually saved all of the stuff I wanted to save yesterday, documents, photos, music and message archives but looking at restore instructions it appears I can do a Time Machine backup and through the Finder select what I want to put back. I ordered a bigger external hard drive because I have run all my external memory devices out of space and it occurred to me that getting the stuff back where it's supposed to be is going to be a pain. Does this plan sound feasible?

A far better option would be to do nothing. Your computer was not compromised in any way. There is no problem on your computer that needs to be fixed. It would always be a good idea to have a backup. But otherwise, there is nothing you need to do.

Aug 22, 2022 8:42 AM in response to etresoft

https://eclecticlight.co/2022/05/18/how-much-free-space-does-an-apfs-disk-need/


Mac-Mini-M1 ~ % diskutil apfs list
APFS Containers (3 found)
+-- Container disk3 700BD137-794A-4752-AA66-B67FC6606651
    ====================================================
    APFS Container Reference:     disk3
    Size (Capacity Ceiling):      245107195904 B (245.1 GB)
    Capacity In Use By Volumes:   34164629504 B (34.2 GB) (13.9% used)
    Capacity Not Allocated:       210942566400 B (210.9 GB) (86.1% free)
    |
    +-< Physical Store disk0s2 BD6C28FC-DEA8-440D-9BC3-55545C0E0531
    |   -----------------------------------------------------------
    |   APFS Physical Store Disk:   disk0s2
    |   Size:                       245107195904 B (245.1 GB)
    |
    +-> Volume disk3s1 BA865CB6-0363-4DAA-9E62-BBB34002CC61
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s1 (System)
    |   Name:                      Macintosh HD (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         15415513088 B (15.4 GB)
    |   Sealed:                    Yes
    |   FileVault:                 No (Encrypted at rest)
    |   |
    |   Snapshot:                  1FD4ACB2-DC25-4077-A2D4-0F4B1F5E4FE4
    |   Snapshot Disk:             disk3s1s1
    |   Snapshot Mount Point:      /
    |   Snapshot Sealed:           Yes
    |
    +-> Volume disk3s2 552DE671-42B4-4373-9860-5A928A6B01E9
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s2 (Preboot)
    |   Name:                      Preboot (Case-insensitive)
    |   Mount Point:               /System/Volumes/Preboot
    |   Capacity Consumed:         814952448 B (815.0 MB)
    |   Sealed:                    No
    |   FileVault:                 No
    |
    +-> Volume disk3s3 F489BBDF-05E3-47E2-960C-F9DB245DC360
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s3 (Recovery)
    |   Name:                      Recovery (Case-insensitive)
    |   Mount Point:               Not Mounted
    |   Capacity Consumed:         804651008 B (804.7 MB)
    |   Sealed:                    No
    |   FileVault:                 No
    |
    +-> Volume disk3s5 1460D985-958A-4A68-9CD3-21CB0C423F02
    |   ---------------------------------------------------
    |   APFS Volume Disk (Role):   disk3s5 (Data)
    |   Name:                      Data (Case-insensitive)
    |   Mount Point:               /System/Volumes/Data
    |   Capacity Consumed:         16973053952 B (17.0 GB)
    |   Sealed:                    No
    |   FileVault:                 No (Encrypted at rest)
    |
    +-> Volume disk3s6 1D8585AD-3662-4A00-BC64-AE009704EB3F
        ---------------------------------------------------
        APFS Volume Disk (Role):   disk3s6 (VM)
        Name:                      VM (Case-insensitive)
        Mount Point:               /System/Volumes/VM
        Capacity Consumed:         20480 B (20.5 KB)
        Sealed:                    No
        FileVault:                 No


p.phillips@Ps-Mac-Mini-M1 ~ % diskutil list
/dev/disk0 (internal):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      GUID_partition_scheme                         251.0 GB   disk0
   1:             Apple_APFS_ISC ⁨⁩                        524.3 MB   disk0s1
   2:                 Apple_APFS ⁨Container disk3⁩         245.1 GB   disk0s2
   3:        Apple_APFS_Recovery ⁨⁩                        5.4 GB     disk0s3

/dev/disk3 (synthesized):
   #:                       TYPE NAME                    SIZE       IDENTIFIER
   0:      APFS Container Scheme -                      +245.1 GB   disk3
                                 Physical Store disk0s2
   1:                APFS Volume ⁨Macintosh HD⁩            15.4 GB    disk3s1
   2:              APFS Snapshot ⁨com.apple.os.update-...⁩ 15.4 GB    disk3s1s1
   3:                APFS Volume ⁨Preboot⁩                 815.0 MB   disk3s2
   4:                APFS Volume ⁨Recovery⁩                804.7 MB   disk3s3
   5:                APFS Volume ⁨Data⁩                    17.0 GB    disk3s5
   6:                APFS Volume ⁨VM⁩                      20.5 KB    disk3s6



Agree the Etrecheck Check Application indicates more than on Recovery Volume


Aug 22, 2022 9:33 AM in response to PRP_53

P. Phillips wrote:

Agree the Etrecheck Check Application indicates more than on Recovery Volume

Agree about what? More than what on Recovery Volume?


You have posted a partial storage device tree. What you have posted is similar to what the OP and I have posted from EtreCheck. I'm not sure what you are trying to say with the link.

Aug 23, 2022 6:05 PM in response to etresoft

Here's where I'm at: I backed my Mac up manually and with Time Machine and reinstalled everything I needed. Just for grins I did FAF for cleanmymac and it showed up as a private folder in my photos library. I learned how to log in as a root user but when logged in as a root user there are no data files of any type to be found in Finder. What is going on? My next plan is to delete the main photo library and my photos a bunch at a time and check for clean my Mac after each import. Does anyone have any better ideas? There absolutely was something not right with my laptop before I did all of this and it seems much better now. I will also do another EtreCheck report.

Aug 23, 2022 6:35 PM in response to BillMort4198

I'm adding this because I think I have rid myself of cleanmymac and someone else might have the same issue.

I used Find Any File (great utility) and searched my external hard drive for it. I was able to remove it from there with no issues and right now it does not appear in any searches on external or internal drive. Thank you everybody for your help.
