Accidentally downloaded a virus/malware (?) - please help

I was trying to download the Flip4Mac app from a site that was dubious, but under the assumption that my Mac would protect itself from any file that could harm it. Yes, very naive. This was on August 7th, around 12:20-12:30 sometime. I've tried to run a variety of anti-virus software, and Avast seemed to initially catch the viruses, but I deleted them before moving to the Virus Chest, and after reading more, found out that may've been a mistake. However, after running scans a few more times, I can no longer find those viruses.


Basically, I want to know that they're permanently gone, and off my Mac, and if not, how to resolve the issue. I can give more details, but don't want to bludgeon any more than I already have, especially if the information is useless to the cause. I originally posted three days ago, but perhaps posted to the wrong forum, the original one is here: Please help undo damage done by bad software download


I ran a script as directed by Linc Davis in response to another similar issue (Utilities->Terminal), and the results are pasted below. I also ran EtreCheck, and can follow up with the data received from running that program.


Google Chrome, Safari, and my Library/Preferences folders are screwed up, and that's only what I've found so far. I've re-set my internet, and dumped some of the files I think were causing the damage, but today I tried to open folders in Finder, and they show nothing in there. This has never happened before, and am guessing it might be related.


Thank you so much in advance, I really don't know what else to do.


Andrea


Start time: 13:48:15 08/10/14



Model Identifier: MacBookAir4,2

System Version: Mac OS X 10.7.5 (11G63)

Kernel Version: Darwin 11.4.2

Boot Mode: Normal

64-bit Kernel and Extensions: Yes

Time since boot: 6 days 5:05



Log



Aug 4 08:43:34 Sleep failure code 0x00000000 0x31000000

Aug 4 08:43:34 jnl: unknown-dev: replay_journal: from: 16551424 to: 18159616 (joffset 0xd502000)

Aug 4 08:43:35 jnl: unknown-dev: journal replay done.

Aug 4 08:43:38 Previous Shutdown Cause: -60

Aug 4 13:08:35 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 4 13:19:01 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 00:19:54 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 00:21:37 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 07:33:52 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 13:33:08 jnl: disk0s3: replay_journal: from: 1334784 to: 1577984 (joffset 0x7000)

Aug 5 13:33:08 jnl: disk0s3: journal replay done.

Aug 7 03:46:55 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 09:00:20 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 09:44:07 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 11:10:07 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 11:56:23 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 12:25:27 New Power Throttle state:1 Old state:0

Aug 7 12:25:28 New Power Throttle state:0 Old state:1

Aug 7 19:52:25 ALF: ifnet_get_address_list_family error 12



kexts



com.avast.PacketForwarder (1.4)

com.avast.AvastFileShield (2.1.0)

com.sophos.nke.swi (9.0.0)

com.sophos.kext.sav (9.0.0)



Daemons



com.sophos.intercheck

com.sophos.sxld

com.sophos.webd

com.sophos.configuration

com.sophos.notification

com.sophos.autoupdate

com.sophos.scan

com.avast.crashreport

com.avast.account

com.avast.fileshield

com.avast.proxy

com.avast.service

com.avast.update

com.avast.daemon

com.avast.uninstall

com.avast.init

jp.co.canon.MasterInstaller

com.microsoft.office.licensing.helper

com.adobe.fpsaud



Agents



com.sophos.uiserver

com.avast.helper

com.avast.userinit

com.genieo.completer.update

com.genieo.completer.download

com.hp.help.tocgenerator

com.google.keystone.user.agent

com.adobe.ARM.UUID



launchd



/Library/LaunchAgents/com.avast.userinit.plist

- com.avast.userinit

/Library/LaunchAgents/com.hp.help.tocgenerator.plist

- com.hp.help.tocgenerator

/Library/LaunchAgents/com.sophos.uiserver.plist

- com.sophos.uiserver

/Library/LaunchDaemons/com.adobe.fpsaud.plist

- com.adobe.fpsaud

/Library/LaunchDaemons/com.avast.init.plist

- com.avast.init

/Library/LaunchDaemons/com.avast.uninstall.plist

- com.avast.uninstall

/Library/LaunchDaemons/com.avast.update.plist

- com.avast.update

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

- com.microsoft.office.licensing.helper

/Library/LaunchDaemons/com.sophos.autoupdate.plist

- com.sophos.autoupdate

/Library/LaunchDaemons/com.sophos.configuration.plist

- com.sophos.configuration

/Library/LaunchDaemons/com.sophos.intercheck.plist

- com.sophos.intercheck

/Library/LaunchDaemons/com.sophos.notification.plist

- com.sophos.notification

/Library/LaunchDaemons/com.sophos.scan.plist

- com.sophos.scan

/Library/LaunchDaemons/com.sophos.sxld.plist

- com.sophos.sxld

/Library/LaunchDaemons/com.sophos.webd.plist

- com.sophos.webd

/Library/LaunchDaemons/jp.co.canon.MasterInstaller.plist

- jp.co.canon.MasterInstaller

Library/LaunchAgents/com.adobe.ARM.UUID.plist

- com.adobe.ARM.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID.plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.FolderActions.enabled.plist

- com.apple.FolderActions.enabled

Library/LaunchAgents/com.apple.FolderActions.folders.plist

- com.apple.FolderActions.folders

Library/LaunchAgents/com.avast.home.userinit.plist

- com.avast.home.userinit

Library/LaunchAgents/com.genieo.completer.download.plist

- com.genieo.completer.download

Library/LaunchAgents/com.genieo.completer.update.plist

- com.genieo.completer.update

Library/LaunchAgents/com.google.keystone.agent.plist

- com.google.keystone.user.agent

Library/LaunchAgents/jp.co.canon.Inkjet_Extended_Survey_Agent.plist

- jp.co.canon.Inkjet_Extended_Survey_Agent



Startup items



/Library/StartupItems/HP Trap Monitor/HP Trap Monitor

/Library/StartupItems/HP Trap Monitor/StartupParameters.plist



Bundles



/Library/Internet Plug-Ins/AdobePDFViewer.plugin

- com.adobe.acrobat.pdfviewer

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

- com.adobe.acrobat.pdfviewerNPAPI

/Library/Internet Plug-Ins/EPPEX Plugin.plugin

- N/A

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/Internet Plug-Ins/Flip4Mac WMV Plugin.plugin

- net.telestream.wmv.plugin

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

- com.apple.java.JavaAppletPlugin

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

- com.microsoft.sharepoint.browserplugin

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

- com.microsoft.sharepoint.webkitplugin

/Library/Internet Plug-Ins/Silverlight.plugin

- com.microsoft.SilverlightPlugin

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

/Library/PreferencePanes/Flip4Mac WMV.prefPane

- net.telestream.wmv.prefpane

/Library/QuickTime/Flip4Mac WMV Advanced.component

- net.telestream.wmv.advanced

/Library/QuickTime/Flip4Mac WMV Export.component

- net.telestream.wmv.export

/Library/QuickTime/Flip4Mac WMV Import.component

- net.telestream.wmv.import

Library/Mail/Bundles/TruePreview.mailbundle

- org.christianserving.mac.mail.plugin.TruePreview

Library/Widgets/HP Ink Widget.wdgt

- com.hp.widget.inkwidget



Apps



/Applications/Dropbox.app



Contents of /System/Library/LaunchAgents/com.apple.SafariNotificationAgent.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.SafariNotificationAgent</string>

<key>LaunchEvents</key>

<dict>

<key>com.apple.usernotificationcenter.matching</key>

<dict>

<key>com.apple.SafariNotificationAgent</key>

<dict>

<key>events</key>

<array>

<string>didDeliverNotification</string>

<string>didActivateNotification</string>

</array>

<key>webcenter</key>

<true/>

</dict>

</dict>

</dict>

<key>KeepAlive</key>

<false/>

<key>MachServices</key>



...and 8 more line(s)



Contents of /System/Library/LaunchAgents/com.apple.iCalPush.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.iCalPush</string>

<key>LimitLoadToSessionType</key>

<array>

<string>LoginWindow</string>

<string>Aqua</string>

</array>

<key>MachServices</key>

<dict>

<key>com.apple.iCalPush</key>

<true/>

</dict>

<key>ProgramArguments</key>

<array>

<string>/Applications/iCal.app/Contents/Resources/iCalPush</string>

</array>

</dict>

</plist>



Contents of /System/Library/LaunchAgents/org.x.startx.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.x.startx</string>

<key>ProgramArguments</key>

<array>

<string>/usr/X11/bin/startx</string>

</array>

<key>Sockets</key>

<dict>

<key>org.x:0</key>

<dict>

<key>SecureSocketWithKey</key>

<string>DISPLAY</string>

</dict>

</dict>

<key>ServiceIPC</key>

<true/>

<key>EnableTransactions</key>

<true/>

</dict>

</plist>



Contents of /System/Library/LaunchDaemons/com.apple.usbmuxd.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>Label</key>

<string>com.apple.usbmuxd</string>

<key>ProgramArguments</key>

<array>

<string>/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd</string>

<string>-launchd</string>

</array>

<key>UserName</key>

<string>_usbmuxd</string>

<key>GroupName</key>

<string>_usbmuxd</string>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<dict>

<key>SockFamily</key>

<string>Unix</string>



...and 12 more line(s)



Contents of /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.xprotectupdater</string>

<key>ProgramArguments</key>

<array>

<string>/usr/libexec/XProtectUpdater</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>0</integer>

<key>Minute</key>

<integer>53</integer>

</dict>

</dict>

</plist>



Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist (XML document text)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Disabled</key>

<true/>

<key>Label</key>

<string>org.apache.httpd</string>

<key>OnDemand</key>

<false/>

<key>ProgramArguments</key>

<array>

<string>/usr/sbin/httpd</string>

<string>-D</string>

<string>FOREGROUND</string>

<string>-D</string>

<string>WEBSHARING_ON</string>

</array>

<key>SHAuthorizationRight</key>

<string>system.preferences</string>

</dict>

</plist>



Font issues: 20



Bad plists



Library/Preferences/com.solidstatenetworks.awkhost.plist



Firewall: On



Proxies



ProxyAutoConfigEnable : 1

ProxyAutoConfigURLString : http://wpad/wpad.dat

ProxyAutoDiscoveryEnable : 1



Listeners



launchd: afpovertcp

cupsd: ipp

kdc: kerberos

httpd: http

httpd: http



Wi-Fi



link auth: wpa-psk



Restricted files: 895



Elapsed time (s): 163

MacBook Air, Mac OS X (10.7.5)

Posted on Aug 10, 2014 3:30 PM

Question marked as Best reply

Posted on Aug 10, 2014 4:13 PM

I was hoping that you would have run the Adware Removal Tool and removed either Sophos or Avast! or both before reposting.


Please do that and post the results of EtreCheck after (even though Linc doesn't like it) as most of us are used to troubleshooting using it.


I'll have more time later to do a more thorough analysis of the above.

17 replies

Aug 12, 2014 6:05 AM in response to MadMacs0

I ran the TSM Adware Removal Tool - it found TWO MORE Genieo items; one folder (com.genieoinnovation.installer), and one file (my-homepage.xml). Actually, I don't know for sure that the file is related to Genieo, but it seems to be the root of all evil on my computer.


It also found Spigot and removed that.


This was a great script. Should I install an anti-virus/-malware/-adware/-trojan software of some type? Any recommendations? Or just occasionally run the script?


Thank you so very much, I genuinely have appreciated all the help.

Aug 12, 2014 9:36 AM in response to ac96822

There's no need to run that script repeatedly. You only need to use it if you're having symptoms of adware (i.e., ads in your web browser that shouldn't be there). It won't hurt anything if you run it repeatedly, of course. But be aware that if you are frequently finding adware, you need to make some serious changes to your web browsing and downloading habits.


Also, note that there is no anti-virus software that is capable of protecting you against all adware. So there's not much point in installing it.
