Wierd .plist preference files getting corrupt?

What happens if you search for any of those names, together or separately, not just the specific .plists, using EasyFind?

http://www.devontechnologies.com/products/freeware/

Have you got these .plist files?

Nope. Very weird.

Interesting that it appears somewhere else in the world and that it seems to be the same message, but with SuperMax (nothing clearly relevant found for that*) not Stomatic. Just a discussion of whether it's OK to trash it or not, but zero information about the file itself.

*http://www.macintouch.com/reviews/supermax/

Probably nothing, but I think I'd be getting a bit paranoid if those files showed up on my computer. I might do a scan with ClamXav or Sophos Home.

What I recommend you do is again use EasyFind to do four searches on the words Incoradial, Stomatic, Datawise, Mousquetaire but this time also search package contents and invisibles.

Frankly ignore all malware reported by these so called virus detectors. They are simply reporting false hits with their heuristics and pattern matchers matching on binary data. That's why I think they are all useless and a waste of time. And don't let them "quarantine" (move) anything automatically or you may end up breaking something (e.g., especially mail when it thinks it has a match in a mail message--you will break the mail message database).

Look, this all started because you said there are two plists that you remove and then get automatically recreated (forget that they may have some garbage at the end of them). There's no magic here. There are two processes that create them. So they are in your system somewhere. They are not apple plists. So they are something you installed implicitly or explicitly.

Remove the plists again now. Do they reappear? No? Then log out and log back in? Do they reappear?

If yes, then look in your login items and ~/Library/LaunchAgents in your home directory).

If no, then reboot. Do they appear now? I assume they would. So if yes, look in the following places:

/Library/LaunchAgents

/Library/LaunchDaemons

/Library/StartupItems

Post the files you see in these and your login items and ~/Library/LaunchAgents if it isn't obvious who is spawing the processes creating those plists.

edgemusic wrote:

About 100 emails came up as being various types of "spoofdomian" or "phishing" etc. I foolishly binned these straight away, only later checking some of the emails out on a second CX sweep of my Mail folder - seems the checker in CX is pretty sensitive on the email front - lots of emails from sources I trust were moved into the Quarantine folder! God knows what I've trashed out of my email account the previous time! Ooops!

You should rebuild all your mailboxes as the mailbox indexes were corrupted when you quarantined those emails.

Any time you see the word "Heuristics" in an infection name you should always read the message first. Heuristics means that no actual signature was found, but something about url formatting looked suspicious enough to warn you about it. After you've read it in your e-mail client, then use the delete function there to prevent damage and to make certain the message is removed from both your hard drive and your e-mail ISP's server.

I too have been experiencing this. The only two file names that come up consistently are:

com.Incoradial.Insist.plist

com.Utterlus.Erythrocyte.plist

Like you, these come up periodically but with no apparent pattern; and I'm not experiencing anything odd, as far as I know ⚠. Also, web searches produced no results except this thread for the "Incoradial" search.

It seems strange to me that no one out in the ether has documented this experience.

Like you, the only place I got an alert was from Drive Genius 3 to Verify Preferences listed.

Running a full Sophos scan now just to see what it picks up. I'll chime back in with the results in a couple of days.

Thanks everyone!

low_notes wrote:

I too have been experiencing this. The only two file names that come up consistently are:

com.Incoradial.Insist.plist

com.Utterlus.Erythrocyte.plist

Although preferences are supposed to be formatted as XML files, I have run across exceptions several times. I don't know exactly what Drive Genius 3 is looking for, but I suspect they are simply verifying that the file has properly followed XML formatting rules. If the developer chooses to use their .plist for a different reason, they can do so at their own peril. The ones I have found have been plain text files, so you might want to try to open them with your favorite text editor and see if they contain any clues. I am not aware of any way to use such a file in a malicious way, if that's a concern.