Accidentally downloaded a virus/malware (?) - please help

Hi,

Will the Adware Removal Tool remove trojans? Pardon my ignorance.

Here's the status; most are resolved, or resolvable soon. I'm rather confused about what's going on with E.

At the bottom I've pasted EtreCheck and results from the diagnostic script run in Terminal.

A. The folder can't be found. I have backed up all of my files.

B. Done.

C. Will talk with Verizon tomorrow.

D. This is all that happens in Step 1:

Last login: Mon Aug 11 10:14:08 on ttys000

new-host-2:~ [username]$ sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-

Password:

new-host-2:~ [username]$

…Then, when I try again, I get this:

wtmp begins Thu Sep 19 10:54

new-host-2:~ [username]$ new-host-2:~ [username]$ sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-

new-host-2:~ [username]$ Password:

-bash: Password:: command not found

new-host-2:~ [username]$ new-host-2:~ [username]$

Maybe it already ran, and I tried to re-run it?

I also went through Step 2, restarted. At some point, it wanted a password, so had to set it again in System Preferences > Users & Groups. Should I not have done this?

E. The steps I've followed per instructions of the support article do not seem to be working; or, most likely, I've done something wrong in trying to resolve the issues. There are 21 issues with font duplication, apparently. How does that even happen? Diagnostic script in Terminal reports 20 font issues, but Font Book says 21...

I validated fonts, filtered for ones with warnings or errors, and then checked all 21, then selected for them to be removed. That seemed OK, there were a ton of duplicated files (duplicates of duplicates, it appeared) in the Recycle Bin. Then, I ran the validation again, and there all 21 warnings were again. Should I have re-started before trying to validate again?

Also, this is weird, but a delayed prompt for my password appears (long after I've removed duplicates, and they're visibly present in the Recycle Bin). When I put my password in, which works for everything else, it won't budge; it basically acts as if I typed in my password incorrectly (password field/box blanks out after I press "Remove" to continue). After several attempts, and I'm positive I've typed it in properly, I hit "Cancel" to make the prompt disappear. Then, after a minute or two, it reappears! It won't take No for an answer... I finally Forced Quit Font Book, and found that 10+ prompt boxes were lined up behind it. Was I supposed to put in my password in all of the prompt boxes (as in, there's one prompt box per font issue)? That doesn't seem to make sense, but neither does battling Font Book.

Finally, I followed directions found via Font Book Help section by going to Edit > Look for Enabled Duplicates. None found. Then, I re-ran the font validation once again, and those 21 duplicates still exist.

The kicker? I went to File > Restore Standard Fonts… and "Standard font check complete. No problems encountered. Your system already contains the standard system fonts and no others. No changes made."

Thank you so much for your patience, and willingness to help. I would like to know that this trojan is off of my Mac, and to please tell me, for the love of Elvis, what the **** is happening with my fonts??

And here is the latest from EtreCheck:

EtreCheck version: 1.9.13 (49)

Report generated August 11, 2014 6:32:04 PM EDT

Hardware Information: ?

MacBook Air (13-inch, Mid 2011) (Verified)

MacBook Air - model: MacBookAir4,2

1 1.8 GHz Intel Core i7 CPU: 2 cores

4 GB RAM

Video Information: ?

Intel HD Graphics 3000 - VRAM: 384 MB

Color LCD 1440 x 900

DELL 1707FP 1280 x 1024 @ 60 Hz

System Software: ?

Mac OS X 10.7.5 (11G63) - Uptime: 0 days 7:57:47

Disk Information: ?

APPLE SSD SM256C disk0 : (251 GB)

S.M.A.R.T. Status: Verified

disk0s1 (disk0s1) <not mounted>: 209.7 MB

disk0s2 (disk0s2) <not mounted>: 250.14 GB

Recovery HD (disk0s3) /Volumes/Recovery HD: 650 MB (99.4 MB free)

USB Information: ?

Apple, Inc. Keyboard Hub

Apple, Inc Apple Keyboard

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Inc. FaceTime Camera (Built-in)

Apple Inc. MacBook Air SuperDrive

Apple Internal Memory Card Reader

Thunderbolt Information: ?

Apple, Inc. MacBook Air

Startup Items: ?

HP Trap Monitor: Path: /Library/StartupItems/HP Trap Monitor

Launch Daemons: ?

[loaded] com.adobe.fpsaud.plist Support

[loaded] com.microsoft.office.licensing.helper.plist Support

[loaded] jp.co.canon.MasterInstaller.plist Support

Launch Agents: ?

[loaded] com.hp.help.tocgenerator.plist Support

User Launch Agents: ?

[loaded] com.adobe.ARM.[...].plist Support

[loaded] com.genieo.completer.download.plist Support

[loaded] com.genieo.completer.update.plist Support

[loaded] com.google.keystone.agent.plist Support

[not loaded] jp.co.canon.Inkjet_Extended_Survey_Agent.plist Support

User Login Items: ?

iTunesHelper

AdobeResourceSynchronizer

Canon IJ Network Scanner Selector EX

ScanSnap Manager

Dropbox

AOUMonitor

HP Product Research

HPEventHandler

Internet Plug-ins: ?

Flip4Mac WMV Plugin: Version: 2.4.4.2 Support

FlashPlayer-10.6: Version: 14.0.0.145 - SDK 10.6 Support

EPPEX Plugin: Version: 10.0 Support

AdobePDFViewerNPAPI: Version: 11.0.07 - SDK 10.6 Support

AdobePDFViewer: Version: 11.0.07 - SDK 10.6 Support

Flash Player: Version: 14.0.0.145 - SDK 10.6 Support

QuickTime Plugin: Version: 7.7.1

SharePointBrowserPlugin: Version: 14.4.3 - SDK 10.6 Support

Silverlight: Version: 5.1.30317.0 - SDK 10.6 Support

JavaAppletPlugin: Version: 15.0.0 - SDK 10.7 Check version

Audio Plug-ins: ?

iSightAudio: Version: 7.7.1 - SDK 10.7

iTunes Plug-ins: ?

Quartz Composer Visualizer: Version: 1.3 - SDK 10.7

3rd Party Preference Panes: ?

Flash Player Support

Flip4Mac WMV Support

Time Machine: ?

Time Machine not configured!

Top Processes by CPU: ?

6% Google Chrome

5% WindowServer

5% WebProcess

1% JavaApplicationStub

1% hidd

Top Processes by Memory: ?

242 MB JavaApplicationStub

221 MB WebProcess

172 MB System Preferences

139 MB Safari

119 MB Finder

Virtual Memory Information: ?

186 MB Free RAM

2.04 GB Active RAM

881 MB Inactive RAM

942 MB Wired RAM

2.98 GB Page-ins

261 MB Page-outs

________________________________________

Diagnostic Script run in Terminal:

Start time: 18:37:17 08/11/14

Model Identifier: MacBookAir4,2

System Version: Mac OS X 10.7.5 (11G63)

Kernel Version: Darwin 11.4.2

Boot Mode: Normal

64-bit Kernel and Extensions: Yes

Time since boot: 8:02

Log

Aug 5 00:19:54 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 00:21:37 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 07:33:52 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 5 13:33:08 jnl: disk0s3: replay_journal: from: 1334784 to: 1577984 (joffset 0x7000)

Aug 5 13:33:08 jnl: disk0s3: journal replay done.

Aug 7 03:46:55 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 09:00:20 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 09:44:07 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 11:10:07 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 11:56:23 wl0: Roamed or switched channel, reason #8, bssid f8

Aug 7 12:25:27 New Power Throttle state:1 Old state:0

Aug 7 12:25:28 New Power Throttle state:0 Old state:1

Aug 7 19:52:25 ALF: ifnet_get_address_list_family error 12

Aug 11 10:35:10 Previous Shutdown Cause: -60

Aug 11 10:35:07 wl0: Roamed or switched channel, reason #8, bssid f8

Daemons

jp.co.canon.MasterInstaller

com.microsoft.office.licensing.helper

com.adobe.fpsaud

Agents

com.hp.help.tocgenerator

com.google.keystone.user.agent

com.genieo.completer.update

com.genieo.completer.download

com.adobe.ARM.UUID

launchd

/Library/LaunchAgents/com.hp.help.tocgenerator.plist

- com.hp.help.tocgenerator

/Library/LaunchDaemons/com.adobe.fpsaud.plist

- com.adobe.fpsaud

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

- com.microsoft.office.licensing.helper

/Library/LaunchDaemons/jp.co.canon.MasterInstaller.plist

- jp.co.canon.MasterInstaller

Library/LaunchAgents/com.adobe.ARM.UUID.plist

- com.adobe.ARM.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID. plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID. plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID. plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID. plist

- com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.UUID

Library/LaunchAgents/com.apple.FolderActions.enabled.plist

- com.apple.FolderActions.enabled

Library/LaunchAgents/com.apple.FolderActions.folders.plist

- com.apple.FolderActions.folders

Library/LaunchAgents/com.genieo.completer.download.plist

- com.genieo.completer.download

Library/LaunchAgents/com.genieo.completer.update.plist

- com.genieo.completer.update

Library/LaunchAgents/com.google.keystone.agent.plist

- com.google.keystone.user.agent

Library/LaunchAgents/jp.co.canon.Inkjet_Extended_Survey_Agent.plist

- jp.co.canon.Inkjet_Extended_Survey_Agent

Startup items

/Library/StartupItems/HP Trap Monitor/HP Trap Monitor

/Library/StartupItems/HP Trap Monitor/StartupParameters.plist

Bundles

/Library/Internet Plug-Ins/AdobePDFViewer.plugin

- com.adobe.acrobat.pdfviewer

/Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

- com.adobe.acrobat.pdfviewerNPAPI

/Library/Internet Plug-Ins/EPPEX Plugin.plugin

- N/A

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/Internet Plug-Ins/Flip4Mac WMV Plugin.plugin

- net.telestream.wmv.plugin

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

- com.apple.java.JavaAppletPlugin

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

- com.microsoft.sharepoint.browserplugin

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

- com.microsoft.sharepoint.webkitplugin

/Library/Internet Plug-Ins/Silverlight.plugin

- com.microsoft.SilverlightPlugin

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

/Library/PreferencePanes/Flip4Mac WMV.prefPane

- net.telestream.wmv.prefpane

/Library/QuickTime/Flip4Mac WMV Advanced.component

- net.telestream.wmv.advanced

/Library/QuickTime/Flip4Mac WMV Export.component

- net.telestream.wmv.export

/Library/QuickTime/Flip4Mac WMV Import.component

- net.telestream.wmv.import

Library/Caches/com.apple.Safari/Extensions/wrc.safariextension

- com.avast.wrc

Library/Mail/Bundles/TruePreview.mailbundle

- org.christianserving.mac.mail.plugin.TruePreview

Library/Widgets/HP Ink Widget.wdgt

- com.hp.widget.inkwidget

Apps

/Applications/Dropbox.app

Contents of /System/Library/LaunchAgents/com.apple.SafariNotificationAgent.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.SafariNotificationAgent</string>

<key>LaunchEvents</key>

<dict>

<key>com.apple.usernotificationcenter.matching</key>

<dict>

<key>com.apple.SafariNotificationAgent</key>

<dict>

<key>events</key>

<array>

<string>didDeliverNotification</string>

<string>didActivateNotification</string>

</array>

<key>webcenter</key>

<true/>

</dict>

</dict>

</dict>

<key>KeepAlive</key>

<false/>

<key>MachServices</key>

...and 8 more line(s)

Contents of /System/Library/LaunchAgents/com.apple.iCalPush.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.iCalPush</string>

<key>LimitLoadToSessionType</key>

<array>

<string>LoginWindow</string>

<string>Aqua</string>

</array>

<key>MachServices</key>

<dict>

<key>com.apple.iCalPush</key>

<true/>

</dict>

<key>ProgramArguments</key>

<array>

<string>/Applications/iCal.app/Contents/Resources/iCalPush</string>

</array>

</dict>

</plist>

Contents of /System/Library/LaunchAgents/org.x.startx.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.x.startx</string>

<key>ProgramArguments</key>

<array>

<string>/usr/X11/bin/startx</string>

</array>

<key>Sockets</key>

<dict>

<key>org.x:0</key>

<dict>

<key>SecureSocketWithKey</key>

<string>DISPLAY</string>

</dict>

</dict>

<key>ServiceIPC</key>

<true/>

<key>EnableTransactions</key>

<true/>

</dict>

</plist>

Contents of /System/Library/LaunchDaemons/com.apple.usbmuxd.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>Label</key>

<string>com.apple.usbmuxd</string>

<key>ProgramArguments</key>

<array>

<string>/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Res ources/usbmuxd</string>

<string>-launchd</string>

</array>

<key>UserName</key>

<string>_usbmuxd</string>

<key>GroupName</key>

<string>_usbmuxd</string>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<dict>

<key>SockFamily</key>

<string>Unix</string>

...and 12 more line(s)

Contents of /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.xprotectupdater</string>

<key>ProgramArguments</key>

<array>

<string>/usr/libexec/XProtectUpdater</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>0</integer>

<key>Minute</key>

<integer>53</integer>

</dict>

</dict>

</plist>

Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist (XML document text)

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Disabled</key>

<true/>

<key>Label</key>

<string>org.apache.httpd</string>

<key>OnDemand</key>

<false/>

<key>ProgramArguments</key>

<array>

<string>/usr/sbin/httpd</string>

<string>-D</string>

<string>FOREGROUND</string>

<string>-D</string>

<string>WEBSHARING_ON</string>

</array>

<key>SHAuthorizationRight</key>

<string>system.preferences</string>

</dict>

</plist>

Font issues: 20

Firewall: On

Proxies

ProxyAutoConfigEnable : 1

ProxyAutoConfigURLString : http://wpad/wpad.dat

ProxyAutoDiscoveryEnable : 1

Listeners

launchd: afpovertcp

cupsd: ipp

kdc: kerberos

httpd: http

httpd: http

Wi-Fi

link auth: wpa-psk

Safari extensions

avast! Online Security

Restricted files: 58

Elapsed time (s): 161

Oh I'm sorry, I don't actually know, I was going off of what Linc said (in part A. of his response).

What's troubling is that, related to A., although I've gone through the steps and deleted the Genieo files, they still show up in the Launch Agents section of the diagnostics run in Terminal.

They're physically gone; out of the LaunchAgents folder, and not in my Recycle Bin anymore, either.

These are the only files left in my LaunchAgents folder:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.9D581C21-34DB-4E56-BD74-372 90A3CB9BE.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.0338D950-1FF1-41B5-9F11-B00 8C382FD99.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.423A8C3F-BEEC-4B4F-9198-591 1F500D702.plist

com.apple.AddressBook.ScheduledSync.PHXCardDAVSource.F795D957-ACEA-4F99-BD12-87F ADAEEBD44.plist

com.apple.FolderActions.enabled.plist

com.apple.FolderActions.folders.plist

com.google.keystone.agent.plist

jp.co.canon.Inkjet_Extended_Survey_Agent.plist

I believe you, I was just replying to MadMacs0. I know little (if nothing) about malware, adware, trojans, viruses - only what I've read about them on the 'net.

What is strange, and if you would let me know what you think, why would the diagnostics say Genieo is still on my computer as a launch agent, but it's no longer in my LaunchAgents folder? Is it lurking in another LaunchAgents folder someplace? I've gone through my Library > LaunchAgents folder repeatedly, but it isn't there.

Went into Cache, and then in Library (found more Avast files).

How do I find out whether that trojan has been completely removed? Do you suggest software? Any recommendations?

Hi Thomas,

I am fairly computer literate, am an engineer and mostly on PCs for work, and not as fluent of course as you, Linc, MadMacs0 on a Mac... But I needed help to find the trojan, and wipe it from my system completely. Naive as it may sound, I was too san souci about using my Mac to download everything, since they have a reputation for being immune to threats that have infected the PC world for decades.

Linc's directions were not difficult at all; I ran into problems when the results weren't what he had delineated, or I'd thought they should be. For example, I had removed the files in LaunchAgents, re-ran the script, then he said they was still in the folder. I did it again, no restart of my computer in between, and then it wasn't. Mac's aren't new to me, but at this level they certainly are. All of the directions he gave were followed, or at least addressed; I'm very grateful for the advice given. The only thing I became too frustrated with was the font issue; I'm doing something wrong, and I don't know what. That aside, I liked the script, and had no problems with it. My only hope is that there aren't any footprints or anything at all left by Genieo.

And you're absolutely right; I was/am gun-shy about downloading new apps from strangers. Avast!, Sophos, and whatever other anti-virus software I'd downloaded had been recommended by PCworld - I know, I know... But for as much junk as I've put on this computer, coupled with my dependency on its content, I will give your app a whirl. Could it diagnose and fix my font problem? 🙂

Thank you guys for your patience, and for your time - I really was at my wits end about this, and did not want to take it in to the Apple Store. I will have to take care of the WPA issue, too, as this experience made me realize how much I faced to lose. It's a first world problem, yes, but would've been horrible.

Thanks again.

Andrea