Adwaremedic is it safe?

Hello everyone... I would like to ask if the AdwareMedic program is the safest way to remove adware from the Mac. Lately I'm having some pop-up advertisements from a specific site called MacKeeper. I have no idea how this ad came up, since I am not downloading torrents nor visiting any suspicious sites.

So is this the only way to permanently remove the adware? Is it safe, since this is a third-party program? Thanks in advance, everyone.

Posted on Nov 16, 2014 3:22 AM

240 replies

Jul 11, 2015 10:00 AM in response to Linc Davis

Thanks, Linc.


So I bought this computer in... 2013? How can I have gotten this malware that circulated in '08/'09 that is no longer even active? Could it have come from my back-ups from my old laptop?


If I erase and install OS X now, and then use my back ups from before I downloaded the most recent malware a week ago, won't I still be putting the MacAccess malware back on again? And again, does that even matter?


I use a time machine that just backs up my computer every day on a schedule. Do you know if that is backing up my husband's account, as well? I'm afraid to start over unless I can get both of our accounts back up.


Thanks again for all of your help.

Jul 11, 2015 10:47 AM in response to Jules237

Could it have come from my back-ups from my old laptop?

Yes.

If I erase and install OS X now, and then use my back ups from before I downloaded the most recent malware a week ago, won't I still be putting the MacAccess malware back on again?

Not if you do what I suggested. If you restore everything, yes.

And again, does that even matter?

Answered in my last comment. If I were in your place, I'd follow the removal instructions rather than erasing the volume. I doubt that the malware could ever have been active on this system.

Do you know if that is backing up my husband's account, as well?

Unless you did something to prevent it, yes.

Jul 11, 2015 4:12 PM in response to Linc Davis

Hi Linc,


I would prefer to just remove the dead malware than start over again, but that link you sent explaining how to remove it is like a foreign language to me. Your instructions have been easy to follow, and I have successfully removed a lot over the past couple of days. Can you translate those directions into something I can follow?

Jul 11, 2015 6:19 PM in response to Jules237

We're getting far afield from the original topic of this thread. The instructions I linked to for removing "MacAccess" include a list of files to be removed, which you can do by the same method I posted higher on this page. They also include a shell command, which you can run, again, using the method I've already posted. I don't know of a way to make the procedure any simpler. If you don't feel comfortable with the removal instructions, your options are to do a full erase and install, to get someone more experienced to help you (such as an Apple "Genius"), or to start a new discussion of your own. Good luck.

Jul 12, 2015 7:55 AM in response to Jules237

Jules237 wrote:


I have everything backed up on a time machine, but if I use that once I restart, won't I just be putting the bad stuff back on? If the malware you mentioned is dead, shouldn't I be safe? You said "who knows what else is going on," but can't you tell from looking at the diagnostic I posted above?


Yes, restoring everything from a backup would restore everything, so that's not a viable option. If you choose to erase and reinstall, you'll need to follow the procedures outlined here:


How to reinstall Mac OS X from scratch


(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com.)


You certainly are safe from this malware at this point. The FBI seized the malicious DNS servers, which the malware used to do its dirty work, years ago. If you manage to remove the last remaining traces of this malware and your computer is running fine, that's probably all you need to do. If you're having trouble with the instructions Linc directed you to, try the DNSChanger Removal Tool here:


http://www.dnschanger.com


Although I don't know if this will still work on modern versions of OS X, it was a reputable tool back when RSPlug was still active. Do not download any of the other things linked from that page, though! MacScan, McAfee and Norton should all be avoided.


However, if your Mac has such old malware on it, carried over from old backups, it's in an uncertain state. Although this particular malware is not a threat any longer, there's no way of knowing what other issues may have been carried over. It is probably unnecessary to erase the hard drive and reinstall from scratch, but that is the only way to put your Mac back into a known good state. The results of Linc's script are not adequate to identify all possible issues that could be present.


Incidentally, you will not find many people calling this malware "MacAccess." That is not one of the commonly accepted names. It was a name used in the installer for one particular variant. If you wish to learn more about this malware, you will get better results by looking for information by one of its accepted names: RSPlug, DNSChanger, Jahlav (or Jahlev) and Puper. (Security companies often come up with different names for the same malware.) Googling for information about MacAccess comes up with very little useful information. Interestingly, Googling for the traces of the malware found in your report will come up with the name MacAccess and the removal instructions Linc gave you. 😉

Jul 13, 2015 10:56 AM in response to Jules237

Jules237 wrote:


Thanks for taking the time to help me out on this. I really appreciate it. 🙂

Jules


You received help from the two top authorities on malware removal in all of ASC. In better hands you could not have been.


TIPS for future reference...

  • If your issue does lead you to a thread that applies to your issue, only use a reply in that thread IF:

    • it is SHORT - these long ones get really hard to follow an add-on conversation sometimes.

  • If you cannot use instructions already in a LONG thread, start your own New Question - everyone's "sickness" is pretty much unique anyway.

Either way, it is very likely someone with experience will see it and help


"Let's be safe out there" - NYPD Blue Sergeant reminded his officers every day

Jul 13, 2015 6:13 PM in response to AggelakasK

Start time: 21:02:31 07/13/15



Model Identifier: MacBookPro9,2

System Version: OS X 10.10.2 (14C1514)

Kernel Version: Darwin 14.1.0

Time since boot: 39 minutes



Diagnostic reports



2015-06-22 AntiMalwareUpdate crash

2015-06-24 AntiMalwareUpdate crash

2015-06-29 AntiMalwareUpdate crash x2

2015-06-30 VerizonUpdateCenter crash

2015-07-01 AntiMalwareUpdate crash

2015-07-02 AppAS crash

2015-07-02 AppBS crash

2015-07-04 AntiMalwareUpdate crash

2015-07-04 VerizonUpdateCenter crash

2015-07-05 AntiMalwareUpdate crash

2015-07-06 AntiMalwareUpdate crash

2015-07-06 VerizonUpdateCenter crash

2015-07-07 AntiMalwareUpdate crash

2015-07-07 com.apple.WebKit.Plugin.64 crash

2015-07-08 AntiMalwareUpdate crash

2015-07-10 AntiMalwareUpdate crash

2015-07-11 AntiMalwareUpdate crash

2015-07-11 LegacyFileVaultMessageTracer crash

2015-07-12 AntiMalwareUpdate crash

2015-07-12 AppAS crash

2015-07-12 AppBS crash

2015-07-12 com.apple.WebKit.Networking crash

2015-07-13 AntiMalwareUpdate crash

2015-07-13 VerizonUpdateCenter crash



Log



Jul 13 00:01:36 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 00:30:32 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 01:06:55 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 01:06:58 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 13 01:07:01 com.apple.iTunesHelper.43200: Service exited with abnormal code: 1

Jul 13 01:37:56 com.apple.spindump: Service exited with abnormal code: 75

Jul 13 01:38:06 com.apple.spindump: Service exited with abnormal code: 75

Jul 13 01:38:34 process Mail[912] caught causing excessive wakeups. Observed wakeups rate (per sec): 873; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45001

Jul 13 18:54:48 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:13:20 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:15:24 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:15:31 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:15:32 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 13 19:23:15 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:27:12 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:35:25 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:38:00 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 13 19:38:04 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 19:41:36 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 20:13:18 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 13 20:13:21 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 20:13:21 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 13 20:13:21 com.apple.iTunesHelper.43200: Service exited with abnormal code: 1

Jul 13 20:17:19 com.apple.iTunesHelper.43200: Service exited with abnormal code: 1

Jul 13 20:23:48 com.apple.iTunesHelper.43200: Service exited with abnormal code: 1



kexts



com.McAfee.SFKext (1)

com.McAfee.kext.AppProtection (3.3)

com.mcafee.kext.Virex (1.1.0d1)



Daemons



com.mcafee.virusscan.ssm.ScanFactory

com.apple.installer.osmessagetracing

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.mcafee.virusscan.fmpd

com.apple.xprotectupdater

com.adobe.fpsaud

com.mcafee.ssm.ScanManager



Agents



Listchack.update

com.Installer.completer.update

Texiday.ltvbit

com.adobe.AdobeCreativeCloud

com.google.keystone.system.agent

Listchack.download

com.Installer.completer.download

com.adobe.acc.AdobeDesktopService.151120.UUID

Listchack.ltvbit

com.Installer.completer.ltvbit

com.mcafee.reporter

Texiday.update

com.mcafee.menulet

Texiday.download

com.apple.AirPortBaseStationAgent



Bundles



/System/Library/Extensions/JMicronATA.kext

- com.jmicron.JMicronATA

/Library/Internet Plug-Ins/AdobeAAMDetect.plugin

- com.AdobeAAMDetectLib.AdobeAAMDetect

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/Internet Plug-Ins/NP_2020Player_IKEA.plugin

- com.2020technologies.2020Player-IKEA.NP

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

- com.microsoft.sharepoint.browserplugin

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

- com.microsoft.sharepoint.webkitplugin

/Library/Internet Plug-Ins/Silverlight.plugin

- com.microsoft.SilverlightPlugin

/Library/Internet Plug-Ins/SiteAdvisor.plugin

- com.mcafee.siteadvisor

/Library/Internet Plug-Ins/Unity Web Player.plugin

- com.unity.UnityWebPlayer

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences



Contents of /etc/syslog.conf (checksum 3920907068)



install.* @127.0.0.1:32376

local7.info /var/log/McAfeeInternetSecurity.log



Contents of /etc/periodic/daily/555.siteadvisor (checksum 653940657)



/usr/local/McAfee/SiteAdvisor/saupkeep -su



Contents of /System/Library/LaunchDaemons/com.apple.xprotectupdater.plist (checksum 1520599159)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.apple.xprotectupdater</string>

<key>ProgramArguments</key>

<array>

<string>/usr/libexec/XProtectUpdater</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>17</integer>

<key>Minute</key>

<integer>33</integer>

</dict>

</dict>

</plist>



Contents of /Library/LaunchAgents/com.mcafee.menulet.plist (checksum 1852533552)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.mcafee.menulet</string>

<key>GroupName</key>

<string>Virex</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/McAfee/MSS/Applications/Menulet.app/Contents/MacOS/Menulet</string>

</array>

<key>KeepAlive</key>

<true/>

</dict>

</plist>



Contents of /Library/LaunchAgents/com.mcafee.reporter.plist (checksum 1074323989)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.mcafee.reporter</string>

<key>GroupName</key>

<string>Virex</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/McAfee/MSS/Applications/McAfee Reporter.app/Contents/MacOS/McAfee Reporter</string>

</array>

<key>KeepAlive</key>

<true/>

</dict>

</plist>



Contents of /Library/LaunchDaemons/com.mcafee.virusscan.fmpd.plist (checksum 902982707)



<?xml version="1.0" encoding="UTF-8"?>

<!-- Copyright (C) 2011 McAfee, Inc. All rights reserved. -->

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>EnvironmentVariables</key>

<dict>

<key>DYLD_LIBRARY_PATH</key>

<string>/usr/local/McAfee/fmp/lib</string>

</dict>

<key>GroupName</key>

<string>Virex</string>

<key>InitGroups</key>

<false/>

<key>Label</key>

<string>com.mcafee.virusscan.fmpd</string>

<key>OnDemand</key>

<false/>

<key>ProgramArguments</key>

<array>

<string>/usr/local/McAfee/fmp/bin/fmpd</string>

</array>

</dict>

</plist>



Contents of Library/LaunchAgents/Listchack.download.plist (checksum 401896494)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Listchack.download</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Listchack/Listchack.app/Contents/MacOS/AppBS</string>

<string>-trigger</string>

<string>download</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Listchack</string>

</array>

<key>WatchPaths</key>

<array>

<string>/Users/USER/Downloads</string>

</array>

<key>isAllowToSuggest</key>



...and 3 more line(s)



Contents of Library/LaunchAgents/Listchack.ltvbit.plist (checksum 2044903133)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Listchack.ltvbit</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Listchack/Listchack.app/Contents/MacOS/AppBS</string>

<string>-trigger</string>

<string>ltvbit</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Listchack</string>

</array>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>4</integer>

<key>Minute</key>



...and 4 more line(s)



Contents of Library/LaunchAgents/Listchack.update.plist (checksum 3919989154)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Listchack.update</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Listchack/Listchack.app/Contents/MacOS/AppBS</string>

<string>-trigger</string>

<string>update</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Listchack</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>



...and 6 more line(s)



Contents of Library/LaunchAgents/Texiday.download.plist (checksum 4114670599)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Texiday.download</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Texiday/Texiday.app/Contents/MacOS/AppAS</string>

<string>-trigger</string>

<string>download</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Texiday</string>

</array>

<key>WatchPaths</key>

<array>

<string>/Users/USER/Downloads</string>

</array>

<key>isAllowToSuggest</key>



...and 3 more line(s)



Contents of Library/LaunchAgents/Texiday.ltvbit.plist (checksum 3053726906)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Texiday.ltvbit</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Texiday/Texiday.app/Contents/MacOS/AppAS</string>

<string>-trigger</string>

<string>ltvbit</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Texiday</string>

</array>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>4</integer>

<key>Minute</key>



...and 4 more line(s)



Contents of Library/LaunchAgents/Texiday.update.plist (checksum 1560399178)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>Texiday.update</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/Texiday/Texiday.app/Contents/MacOS/AppAS</string>

<string>-trigger</string>

<string>update</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>18324</string>

<string>-firstAppId</string>

<string>730980002</string>

<string>-identity</string>

<string>Texiday</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>



...and 6 more line(s)



Contents of Library/LaunchAgents/com.Installer.completer.download.plist (checksum 1897396633)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.Installer.completer.download</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/IM.Installer/Completer.app/Contents/MacOS/InstallerT</string>

<string>-trigger</string>

<string>download</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>1</string>

<string>-firstAppId</string>

<string>730980002</string>

</array>

<key>WatchPaths</key>

<array>

<string>/Users/USER/Downloads</string>

</array>

<key>isAllowToSuggest</key>

<string>false</string>

</dict>



...and 1 more line(s)



Contents of Library/LaunchAgents/com.Installer.completer.ltvbit.plist (checksum 3883569369)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.Installer.completer.ltvbit</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/IM.Installer/Completer.app/Contents/MacOS/InstallerT</string>

<string>-trigger</string>

<string>ltvbit</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>1</string>

<string>-firstAppId</string>

<string>730980002</string>

</array>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>4</integer>

<key>Minute</key>

<integer>36</integer>

</dict>



...and 2 more line(s)



Contents of Library/LaunchAgents/com.Installer.completer.update.plist (checksum 2743594649)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.Installer.completer.update</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/IM.Installer/Completer.app/Contents/MacOS/InstallerT</string>

<string>-trigger</string>

<string>update</string>

<string>-isDev</string>

<string>0</string>

<string>-installVersion</string>

<string>1</string>

<string>-firstAppId</string>

<string>730980002</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>19</integer>

<key>Minute</key>



...and 4 more line(s)



Contents of Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist (checksum 4071182229)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.adobe.AAM.Scheduler-1.0</string>

<key>Program</key>

<string>/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Adobe/OOBE/PDApp/UWA/UpdaterStartupUtility</string>

<string>-mode=scheduled</string>

</array>

<key>StartCalendarInterval</key>

<dict>

<key>Minute</key>

<integer>0</integer>

<key>Hour</key>

<integer>2</integer>

</dict>

</dict>

</plist>



Root crontab



0 */4 * * * /usr/local/McAfee/fmp/bin/UpdateHelper update >> /dev/null 2>&1

46 22 * * * /usr/local/McAfee/fmp/bin/GenUtility 5 >> /dev/null 2>&1

0 4 * * 2 /usr/local/McAfee/AntiMalware/VShieldTaskManager 4 >> /dev/null 2>&1



TCP/IP



IPv6: Off



User login items



iTunesHelper

- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

Genieo

- /Users/USER/.Trash/Genieo.app

Genieo

- /Users/USER/.Trash/Genieo.app

Genieo

- /Users/USER/.Trash/Genieo.app

Android File Transfer Agent

- /Users/USER/Library/Application Support/Google/Android File Transfer/Android File Transfer Agent.app

VerizonUpdateCenter

- /Applications/VerizonUpdateCenter.app



Hidden apps



.magicJack/Softphone/magicJack.app

.magicJack/Softphone/splash.app



Restricted files: 137



Lockfiles: 8



Elapsed time (s): 242

Jul 16, 2015 7:31 AM in response to Linc Davis

Start time: 10:18:54 07/16/15



Model Identifier: MacBookAir5,2

System Version: OS X 10.10.4 (14E46)

Kernel Version: Darwin 14.4.0

Time since boot: 43 minutes



Diagnostic reports



2015-07-01 Kernel panic

2015-07-15 Kernel panic



Log



Jul 16 09:33:27 com.apple.WebKit.Plugin.32.UUID: Service exited with abnormal code: 1

Jul 16 09:34:33 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 16 09:34:57 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 16 09:34:57 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:34:57 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 16 09:34:57 com.apple.WebKit.Databases.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.WebContent.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Plugin.32.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:35:19 com.apple.WebKit.Databases.UUID: Service exited with abnormal code: 1

Jul 16 09:35:25 com.apple.iTunesHelper.13380: Service exited with abnormal code: 1

Jul 16 09:36:16 [SendRawHCICommand] ### ERROR: EnqueueRequestForController failed (err=e00002d8)

Jul 16 09:36:30 utun_start: ifnet_disable_output returned error 12

Jul 16 09:36:37 OSUnserializeXML: syntax error near line 1

Jul 16 09:36:38 OSUnserializeXML: syntax error near line 1

Jul 16 09:36:40 OSUnserializeXML: syntax error near line 1

Jul 16 09:46:49 com.apple.WebKit.Plugin.64.UUID: Service exited with abnormal code: 1

Jul 16 09:46:49 com.apple.WebKit.Networking.UUID: Service exited with abnormal code: 1

Jul 16 09:46:49 com.apple.WebKit.Databases.UUID: Service exited with abnormal code: 1

Jul 16 09:46:49 com.apple.WebKit.Plugin.32.UUID: Service exited with abnormal code: 1

Jul 16 10:03:38 process com.apple.WebKit[571] caught causing excessive wakeups. Observed wakeups rate (per sec): 252; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45024



Activity



CPU: user 23%, system 3%



CPU per process: clamscan (UID 501) is using 95.1 %



I/O per process: clamscan (UID 501) is using 3 MB/s



Daemons



com.oracle.java.JavaUpdateHelper

com.apple.installer.osmessagetracing

com.microsoft.office.licensing.helper

com.oracle.java.Helper-Tool

com.Undiminutive.helper

com.adobe.fpsaud

com.examsoft.softest.service



Agents



com.examsoft.softest

uk.co.markallan.clamxav.freshclam

com.Undiminutive.agent

com.microsoft.OneDriveLauncher

com.oracle.java.Java-Updater

com.amazon.music

com.apple.CSConfigDotMacCert-EMAIL-SharedServices

com.apple.PTPCamera.63364.UUID

com.google.keystone.user.agent

com.apple.AirPortBaseStationAgent



Bundles



/System/Library/Extensions/EPSONUSBPrintClass.kext

- com.epson.print.kext.USBPrintClass

/System/Library/Extensions/JMicronATA.kext

- com.jmicron.JMicronATA

/Library/Internet Plug-Ins/Flash Player.plugin

- N/A

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

- com.oracle.java.JavaAppletPlugin

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

- com.microsoft.sharepoint.browserplugin

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

- com.microsoft.sharepoint.webkitplugin

/Library/Internet Plug-Ins/Silverlight.plugin

- com.microsoft.SilverlightPlugin

/Library/PreferencePanes/Flash Player.prefPane

- com.adobe.flashplayerpreferences

/Library/PreferencePanes/JavaControlPanel.prefPane

- com.oracle.java.JavaControlPanel

Library/Address Book Plug-Ins/SkypeABDialer.bundle

- com.skype.skypeabdialer

Library/Address Book Plug-Ins/SkypeABSMS.bundle

- com.skype.skypeabsms



Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist (checksum 3012644940)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Disabled</key>

<true/>

<key>Label</key>

<string>org.apache.httpd</string>

<key>EnvironmentVariables</key>

<dict>

<key>XPC_SERVICES_UNAVAILABLE</key>

<string>1</string>

</dict>

<key>ProgramArguments</key>

<array>

<string>/usr/sbin/httpd-wrapper</string>

<string>-D</string>

<string>FOREGROUND</string>

</array>

<key>OnDemand</key>

<false/>

</dict>

</plist>



Contents of /Library/LaunchAgents/com.examsoft.softest.plist (checksum 574561436)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Umask</key>

<integer>0</integer>

<key>Label</key>

<string>com.examsoft.softest</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/SofTest.app/Contents/MacOS/SofTest</string>

<string>-launchd</string>

</array>

<key>QueueDirectories</key>

<array>

<string>/Library/Application Support/SofTest/.q</string>

</array>

</dict>

</plist>



Contents of /Library/LaunchAgents/com.oracle.java.Java-Updater.plist (checksum 3409472972)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.oracle.java.Java-Updater</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater</string>

<string>-bgcheck</string>

</array>

<key>StandardErrorPath</key>

<string>/dev/null</string>

<key>StandardOutPath</key>

<string>/dev/null</string>

<key>StartCalendarInterval</key>

<dict>

<key>Hour</key>

<integer>14</integer>

<key>Minute</key>

<integer>30</integer>

<key>Weekday</key>

<integer>7</integer>

</dict>

</dict>



...and 1 more line(s)



Contents of /Library/LaunchAgents/com.undiminutive.agent.plist (checksum 3494481861)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.Undiminutive.agent</string>

<key>OnDemand</key>

<false/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Undiminutive/Agent/agent.app/Contents/MacOS/agent</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>KeepAlive</key>

<true/>

<key>LimitLoadToSessionType</key>

<string>Aqua</string>

<key>ThrottleInterval</key>

<integer>10</integer>

</dict>

</plist>



Contents of /Library/LaunchDaemons/com.examsoft.softest.service.plist (checksum 1932046632)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>StandardOutPath</key>

<string>/Library/Application Support/SofTest/.svclog</string>

<key>StandardErrorPath</key>

<string>/Library/Application Support/SofTest/.svcerr</string>

<key>Label</key>

<string>com.examsoft.softest.service</string>

<key>OnDemand</key>

<false/>

<key>RunAtLoad</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/SofTest/Service</string>

</array>

</dict>

</plist>



Contents of /Library/LaunchDaemons/com.undiminutive.daemon.plist (checksum 2115058870)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Disabled</key>

<true/>

<key>Label</key>

<string>com.Undiminutive.daemon</string>

<key>OnDemand</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Undiminutive/Agent/agent.app/Contents/MacOS/agent</string>

<string>-update</string>

</array>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>ThrottleInterval</key>

<integer>10</integer>

</dict>

</plist>



Contents of /Library/LaunchDaemons/com.undiminutive.helper.plist (checksum 3112399865)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.Undiminutive.helper</string>

<key>OnDemand</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Undiminutive/Agent/agent.app/Contents/MacOS/agent</string>

<string>-helper</string>

</array>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>ThrottleInterval</key>

<integer>10</integer>

</dict>

</plist>



Contents of Library/LaunchAgents/com.amazon.music.plist (checksum 3668832669)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>EnableTransactions</key>

<false/>

<key>KeepAlive</key>

<true/>

<key>Label</key>

<string>com.amazon.music</string>

<key>Program</key>

<string>/Applications/Amazon Music.app/Contents/MacOS/Amazon Music Helper</string>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>



Contents of Library/LaunchAgents/com.apple.CSConfigDotMacCert-EMAIL-SharedServices.Agent.plist (checksum 3852890399)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>KeepAlive</key>

<false/>

<key>Label</key>

<string>com.apple.CSConfigDotMacCert-EMAIL-SharedServices</string>

<key>LimitLoadToSessionType</key>

<string>Aqua</string>

<key>LowPriorityIO</key>

<true/>

<key>Nice</key>

<integer>10</integer>

<key>ProgramArguments</key>

<array>

<string>/System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert</string>

<string>-l</string>

<string>/Users/USER/Library/Logs/CSConfigDotMacCert.log</string>

<string>-u</string>

<string>EMAIL</string>

<string>-t</string>

<string>SharedServices</string>

<string>-s</string>

</array>



...and 4 more line(s)



Contents of Library/LaunchAgents/com.google.keystone.agent.plist (checksum 2392449207)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>com.google.keystone.user.agent</string>

<key>LimitLoadToSessionType</key>

<string>Aqua</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent</string>

<string>-runMode</string>

<string>ifneeded</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

<integer>3523</integer>

<key>StandardErrorPath</key>

<string>/dev/null</string>

<key>StandardOutPath</key>

<string>/dev/null</string>

</dict>

</plist>



Contents of Library/LaunchAgents/uk.co.markallan.clamxav.freshclam.plist (checksum 1224648829)



<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>uk.co.markallan.clamxav.freshclam</string>

<key>OnDemand</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Applications/ClamXav.app/Contents/Resources/ScheduleHelper</string>

<string>update</string>

</array>

<key>RunAtLoad</key>

<false/>

<key>StartCalendarInterval</key>

<array>

<dict>

<key>Hour</key>

<integer>6</integer>

<key>Minute</key>

<integer>45</integer>

</dict>

</array>

</dict>



...and 1 more line(s)



Bad plists



Library/Preferences/com.solidstatenetworks.host.plist



Listeners



kdc: kerberos

launchd: ssh



User login items



iTunesHelper

- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

Box Sync

- /Applications/Box Sync.app

Dropbox

- missing value



Restricted files: 60



Lockfiles: 16



Elapsed time (s): 259

Jul 16, 2015 11:39 AM in response to jfras311

You haven't asked a question, but I assume you ran that now long-obsolete script because of an adware problem. I've probably posted the instructions below already in this thread, but here they are again. In your case, "something" is "Undiminutive".

You installed a variant of the "VSearch" ad-injection malware. Follow Apple Support's instructions to remove it.

If you have trouble following those instructions, see below.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

The VSearch malware tries to hide itself by varying the names of the files it installs. To remove it, you must first identify the naming pattern.

Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" may open. Look inside it for two files with names of the form

com.something.daemon.plist

and

com.something.helper.plist

Here something is a variable string of characters, which can be different in each VSearch infection. So far it has always been an alphanumeric string without punctuation, such as "cloud," "dot," "highway," "submarine," or "trusteddownloads." Sometimes it's a meaningless string such as "e8dec5ae7fc75c28" rather than a word. Sometimes the string is "apple," and then you must be especially careful not to delete the wrong files, because many built-in OS X files have similar names.

If you find these files, leave the LaunchDaemons folder open, and open the following folder in the same way:

/Library/LaunchAgents

In this folder, there may be a file named

com.something.agent.plist

where the string something is the same as before.

If you feel confident that you've identified the above files, back up all data, then drag just those three files—nothing else—to the Trash. You may be prompted for your administrator login password. Close the Finder windows and restart the computer.

Don't delete the "LaunchAgents" or "LaunchDaemons" folder or anything else inside either one.

The malware is now permanently inactivated, as long as you never reinstall it. You can stop here if you like, or you can remove two remaining components for the sake of completeness.

Open this folder:

/Library/Application Support

If it has a subfolder named just

something

where something is the same string you saw before, drag that subfolder to the Trash and close the window.

Don't delete the "Application Support" folder or anything else inside it.

Finally, in this folder:

/System/Library/Frameworks

there may be an item named exactly

v.framework

It's actually a folder, though it has a different icon than usual. This item always has the above name; it doesn't vary. Drag it to the Trash and close the window.

Don't delete the "Frameworks" folder or anything else inside it.

If you didn't find the files or you're not sure about the identification, post what you found.

If in doubt, or if you have no backups, change nothing at all.

The trouble may have started when you downloaded and ran an application called "MPlayerX." That's the name of a legitimate free movie player, but the name is also used fraudulently to distribute VSearch. If there is an item with that name in the Applications folder, delete it. I don't recommend that you install the genuine "MPlayerX," because it's hosted on the rogue "SourceForge" website and is bundled with other malware.

This trojan is often found on illegal websites that traffic in pirated content such as movies. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect more of the same, and worse, to follow. Never install any software that you downloaded from a bittorrent, or that was downloaded by someone else from an unknown source.

In the Security & Privacy pane of System Preferences, select the General tab. The radio button marked Anywhere should not be selected. If it is, click the lock icon to unlock the settings, then select one of the other buttons. After that, don't ignore a warning that you are about to run or install an application from an unknown developer.

Then, still in System Preferences, open the App Store or Software Update pane and check the box marked

Install system data files and security updates (OS X 10.10 or later)

or

Download updates automatically (OS X 10.9 or earlier)

if it's not already checked.
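The identification steps in the reply above, written as a read-only check (an added example, not part of the original post and not an Apple or AdwareMedic tool). It looks for the com.something.daemon/helper/agent naming pattern and the matching Application Support folder, and deletes nothing. The function names and the sample tree are constructed for illustration; a match is a candidate to review by hand, not a verdict.

```python
import os
import re
import tempfile

# Name shapes from the post: com.<something>.daemon.plist / .helper.plist / .agent.plist
PATTERN = re.compile(r"^com\.([A-Za-z0-9]+)\.(daemon|helper|agent)\.plist$")

def _names(path):
    """Directory listing, or an empty list if the folder does not exist."""
    return os.listdir(path) if os.path.isdir(path) else []

def find_vsearch_candidates(root="/"):
    """Read-only check for the file set described in the post; changes nothing."""
    found = {}  # lowercased <something> -> set of roles seen
    for folder, roles in (("Library/LaunchDaemons", ("daemon", "helper")),
                          ("Library/LaunchAgents", ("agent",))):
        for name in _names(os.path.join(root, folder)):
            m = PATTERN.match(name)
            if m and m.group(2) in roles:
                found.setdefault(m.group(1).lower(), set()).add(m.group(2))
    support = os.path.join(root, "Library/Application Support")
    results = []
    for something, roles in sorted(found.items()):
        # The post looks for the daemon and helper files together.
        if {"daemon", "helper"} <= roles:
            # Folder case can differ from the plist name (Undiminutive vs undiminutive).
            folders = [n for n in _names(support) if n.lower() == something]
            results.append({
                "something": something,
                "agent_plist": "agent" in roles,
                "support_folder": folders[0] if folders else None,
                "needs_extra_care": something == "apple",  # collides with built-in names
            })
    return results, os.path.isdir(os.path.join(root, "System/Library/Frameworks/v.framework"))

def build_sample_tree(root):
    """Constructed layout that mirrors file names from the report in this thread."""
    files = ["Library/LaunchDaemons/com.undiminutive.daemon.plist",
             "Library/LaunchDaemons/com.undiminutive.helper.plist",
             "Library/LaunchDaemons/com.examsoft.softest.service.plist",
             "Library/LaunchAgents/com.undiminutive.agent.plist"]
    for rel in files:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "w").close()
    os.makedirs(os.path.join(root, "Library/Application Support/Undiminutive"))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_vsearch_candidates(tmp))
```

Called with no argument, `find_vsearch_candidates()` inspects the real `/Library` and `/System/Library/Frameworks` folders; the second return value reports whether `v.framework` is present.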
