-
All replies
-
Helpful answers
-
Nov 16, 2014 4:17 AM in response to AggelakasKby thomas_r.,★HelpfulI'm the developer of AdwareMedic, and I'd say it's safe, though you could easily make the claim that I'm slightly biased!
You can search for other opinions here (search for "AdwareMedic" using the search link at the top of this page), but in the end, if downloading an app like AdwareMedic makes you nervous, that's probably a good thing. If you are unable to satisfy yourself that it is legit, I've also got a set of manual removal instructions that will remove anything that AdwareMedic does:
This can be a bit more difficult - and can result in damage to your system if you delete the wrong thing in some cases - but it is an option if you are comfortable with such things. (Not everyone is, which is why I created AdwareMedic.)
(Fair disclosure: I may receive compensation from links to my sites, TheSafeMac.com and AdwareMedic.com, in the form of buttons allowing for donations. Donations are not required to use my site or software.)
-
Nov 17, 2014 5:32 AM in response to AggelakasKby AggelakasK,Thank you both for the replies! About the second solution , I followed. exactly the steps that you provide me and in safari I didn't find any extensions at all! At step 2 also the finder didn't reveal to me anything, but the annoying advertisement of mackeeper is still here! Perhaps is something else here and probably I will use the adwaremedic to see if anything happens !
-
Nov 17, 2014 5:40 AM in response to AggelakasKby thomas_r.,AggelakasK wrote:
About the second solution , I followed. exactly the steps that you provide me and in safari I didn't find any extensions at all! At step 2 also the finder didn't reveal to me anything, but the annoying advertisement of mackeeper is still here!
Yes, Linc's instructions are really only applicable to one particular adware program: Downlite, aka VSearch. (Although it mentions others, such as Spigot, Conduit and Trovi, his instructions do not actually provide workable removal instructions for those.) If you had Downlite, his instructions would work. However, there are almost two dozen others I'm aware of that you could be infected with, and Downlite is certainly not the only one to show MacKeeper ads.
In addition, it's possible this isn't due to adware at all. There are other possibilities, such as network-related problems. You can work your way through all these issues with either AdwareMedic or my Adware Removal Guide, mentioned in my previous post.
-
Nov 17, 2014 6:57 AM in response to AggelakasKby ~Bee,AggelakasK
Yes, AdwareMedic is safe. It has tons of very positive reviews and posts of appreciation here.
Tom is a LONG-time volunteer helper here, and has worked very hard to find solutions to adware and malware.
You can use it with confidence.
--Another volunteer here,
Bee
-
Nov 17, 2014 7:26 AM in response to AggelakasKby Linc Davis,★Helpful1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
4. Here's a summary of what you need to do, if you choose to proceed:
☞ Copy a line of text in this window to the Clipboard.
☞ Paste into the window of another application.
☞ Wait for the test to run. It usually takes a few minutes.
☞ Paste the results, which will have been copied automatically, back into a reply on this page.
The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
Triple-click anywhere in the line of text below on this page to select it:
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB ' com.adobe.AAM.Updater-1.0 com.adobe.AdobeCreativeCloud com.adobe.CS4ServiceManager com.adobe.CS5ServiceManager com.adobe.fpsaud com.adobe.SwitchBoard com.adobe.SwitchBoard com.apple.aelwriter com.apple.AirPortBaseStationAgent com.apple.FolderActions.enabled com.apple.FolderActions.folders com.apple.FolderActions.folders com.apple.installer.osmessagetracing com.apple.mrt.uiagent com.apple.ReportCrash.Self com.apple.rpmuxd com.apple.SafariNotificationAgent com.apple.usbmuxd com.google.keystone.agent com.google.keystone.daemon com.microsoft.office.licensing.helper com.oracle.java.Helper-Tool com.oracle.java.JavaUpdateHelper com.oracle.java.JavaUpdateHelper org.macosforge.xquartz.privileged_startx org.macosforge.xquartz.startx ' ' 879294308 461455494 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 3694147963 1417519526 1189540302 1233118628 2456546649 2806998573 2778718105 2636415542 842973933 3301885676 891055588 998894468 695903914 1443423563 4136085286 523110921 3873345487 ' 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<10) print "com.apple.";} ' ' { sub(/ :/,"");print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { split("'"${p[41]}"'",b);split("'"${p[42]}"'",c);for(i in b) print b[i]".plist\t"c[i];if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n [N/A]";"cksum "F|getline C;split(C, A);C="checksum "A[1];"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F" ("T", "C")";else F=F" ("C")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */ /;' ' s/^.+ |\(.+\)$//g;p ' '/\.(appex|pluginkit)\/Contents\/Info\.plist$/p' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR/d;s/^.+: //p;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' pluginkit scutil dtrace profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$(RefProc): \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|Roame|SMC:|suhel| VALI|ver-r|xpma' -o -o -k Sender fseventsd -k Message Req SL -o -k Sender Req launchd -k Message Req de: " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,Ex}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????|wc -l' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors App\ extensions Lockfiles Memory\ pressure SMC );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};A'$((7+i))'() { v=` eval sudo "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};';done;A9(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2 7 8;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;B1&&D73 19 53 67 55;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 20 52 66 54;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D82 35 49 61 51;D82 11 17 17 20;for i in 0 1;do D82 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A8 18 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;B3 4 0 65;A3 14 6 32 0;B4 0 16 11;A1 26 50 64;B7 16;C3 52;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D73 21 0 32 19;D73 10 42 32 40;D82 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 21 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D83 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 10 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 21 48 49 49;B3 4 22 57;A1 21 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D12 4 51 32 53;D23 22 9 37 7;A9;C2 2;} 2>/dev/null|pbcopy;exit 2>&-Copy the selected text to the Clipboard by pressing the key combination command-C.
8. Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
exec bash
and press return. Then paste the script again.
10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return three times at the password prompt. Again, the script will still run.
If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
[Process completed]
to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
______________________________________________________________
Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.
-
Nov 17, 2014 11:39 AM in response to Linc Davisby AggelakasK,Dear Linc
i appreciate your efford , trying to find me a solution and I really want to thank you about it . I read carefully the procedure that you post but I find it very difficult to follow. You see my experience in macs is very small , (switcher from pc to Mac ). This is my the first time in Mac interface and typing in terminal makes me really nervous because there is always a possibility to make another mistake . Of course I admit that it is my mistake the hole thing ....i think that responsible for the adware is mp3fiber , since I don't use any torrent client, I don't watch online films nor visiting any suspicious sites .... The only programs that running on Mac is vdj8 ( i have payed it) , tractor ( also) , easyfind (AppStore) and NTfs paragon( also payed it) . I hope these new informations may help you provide me a simplest way of finding the adware ! If no I would like to thank once more and probably I will try Thomas's adwaremedic app
Thomas you said before that if I want to remove completely the app I had to do it only manually?
-
Nov 17, 2014 11:46 AM in response to AggelakasKby thomas_r.,AggelakasK wrote:
Thomas you said before that if I want to remove completely the app I had to do it only manually?
I'm not sure I understand the question... what app?
If you're referring to whatever adware you may have, then manual removal is using my Adware Removal Guide is one option, as I mentioned earlier. AdwareMedic is another. If you are not comfortable with directions like Linc's, you should give some consideration to using AdwareMedic, but only if you can satisfy yourself that it is legit. I can tell you that it is, but as its author, my opinion is biased.
If you are referring to removal of AdwareMedic after using it, you would simply need to drag it to the trash. It installs nothing that runs in the background, and will leave behind only a few small files (a log file, adware signature files and settings files) that I can tell you how to remove if you want to save a few K of hard drive space.
-
Nov 17, 2014 12:45 PM in response to AggelakasKby Linc Davis,This is my the first time in Mac interface and typing in terminal makes me really nervous because there is always a possibility to make another mistake
That's fine, but I would like to point out a couple of things. First, the instructions I gave above don't require you to type anything in a Terminal window except your password, which is no different from typing it in a login window. Even that is optional. Second, running an unknown application is in general no safer than running a shell script; in fact, it's less safe, because there is inherently no way of knowing what an application is going to do. I have no opinion as to whether you should run "adwaremedic," but I do have an opinion about running any software merely because strangers on a public website tell you to: you shouldn't. You must do your own research to satisfy yourself that the advice they are giving you is valid. At a minimum, that would involve searching this site for discussions in which others have followed the advice you're being given now, and making sure that there are no reports of harm done. Don't just blithely assume that because someone on this site tells you to do something, it must be a good idea.
-
Nov 17, 2014 1:06 PM in response to Linc Davisby thomas_r.,Linc Davis wrote:
in fact, it's less safe, because there is inherently no way of knowing what an application is going to do.
From a practical standpoint, there's also no way of knowing what your highly obfuscated shell script will do. Either way, the average user is reliant on reports from other users who have tried it as to whether or not the program can be trusted.
-
Nov 17, 2014 1:45 PM in response to Linc Davisby Linc Davis,You have been told that my shell script is "obfuscated," meaning that I am trying to conceal something in it. That's false, and it wouldn't be too strong to call the statement a lie. The truth is that the person who made that statement lacks the ability to understand the script. Although he lacks that ability, others among the millions of registered users of this site do not, and as I wrote earlier, any one of them could raise the alarm if the script was harmful.
On the other hand, apart from its developers, not a single person anywhere knows what "adwaremedic" does, or has any way of knowing without thoroughly testing it, which would not be an easy task. It is truly obfuscated, because the developer has not released the source code. He has chosen not to release the code because he does not want anyone else to know how the program works. He is falsely accusing me of doing what he himself has done.
-
Nov 17, 2014 2:50 PM in response to Linc Davisby thomas_r.,Linc Davis wrote:
You have been told that my shell script is "obfuscated," meaning that I am trying to conceal something in it. That's false, and it wouldn't be too strong to call the statement a lie.
I didn't say you were trying to conceal anything. I don't know whether you are or you aren't. What I do know is that your script uses some similar techniques as those used to "obfuscate" or "minify" a JavaScript to make it smaller or harder to read. This can be done for good or evil purposes, and I make no claims either way about the intentions of your script.
-
Nov 17, 2014 4:49 PM in response to thomas_r.by ~Bee,Thomas & AggelaskaK . . .
I have personally witnessed tons of happy reports that the adwaremedic app that Thomas developed, worked perfectly and easily.
For the people who understand Linc's advice, there are also happy reports. But some are very intimated by Linc's advice.
They both apparently work.
So choose the one you are more comfortable with, AggleaskaK.
-
Nov 18, 2014 6:14 AM in response to AggelakasKby AggelakasK,I must admit that reading all of the above I feltEd a little embarrassment.. I would like to thank you all for the replies . I will be completly honest to both you . If I was more capable (at least for now) understanding Linc's guide I would follow his procedure because you don't have to install something in to the Mac ... Since I cant do anything like that and after I read several posts about Thomas's adwaremedic i will try and run the app to see if it does what it says . I'm finding more simple. Another think that I would like to share is , that if you 2 somehow could work together you could make a lot of Apple's consumers through the world very happy ! I understand that you approach with different ways and procedures the same problems but there is always space for new ones ! Thank you very much both of you !
-
Nov 18, 2014 6:29 AM in response to AggelakasKby AggelakasK,Start time: 16:21:00 11/18/14
Model Identifier: MacBookPro11,1
System Version: OS X 10.9.5 (13F34)
Kernel Version: Darwin 13.4.0
Time since boot: 3 minutes
Diagnostic reports
2014-11-01 Finder hang
2014-11-01 iTunes hang
Log
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 unlink of file /Users/USER/Library/Caches/com.apple.Safari/fsCachedData/UUID failed. Errno=2
Nov 18 16:19:08 ERROR: __CFURLCache:CreateTablesAndIndexes version create - database is locked. ErrCode: 5.
Nov 18 16:19:08 __CFURLCache:RecreateEmptyPersistentStoreOnDiskAndOpen: create tables and index failed.
Nov 18 16:19:12 CoreText CopyFontsForRequest received mig IPC error (FFFFFFFFFFFFFECC) from font server
Nov 18 16:19:12 BUG in libdispatch client: dispatch_mig_server: mach_msg() failed (ipc/send) invalid memory - 0x1000000c
Nov 18 16:19:12 CoreText CopyFontsForRequest received mig IPC error (FFFFFFFFFFFFFECC) from font server
Nov 18 16:19:13 Could not load x-msg URL
Nov 18 16:19:13 CoreText CopyFontsForRequest received mig IPC error (FFFFFFFFFFFFFECC) from font server
Nov 18 16:19:13 CoreText CopyFontsForRequest received mig IPC error (FFFFFFFFFFFFFECC) from font server
Nov 18 16:19:16 The USB device Apple Internal Keyboard / Trackpad (Port 5 of Hub at 0x14000000) may have caused a wake by issuing a remote wakeup (2)
Nov 18 16:19:44 USER_PROCESS: 277 ttys000
Nov 18 16:19:57 **** globally delaying apps from syncing, next sync will be in 28s
Nov 18 16:20:02 The USB device Apple Internal Keyboard / Trackpad (Port 5 of Hub at 0x14000000) may have caused a wake by issuing a remote wakeup (2)
Nov 18 16:20:11 The USB device Apple Internal Keyboard / Trackpad (Port 5 of Hub at 0x14000000) may have caused a wake by issuing a remote wakeup (2)
Nov 18 16:20:18 Session 100018 created
Nov 18 16:20:44 considerRebuildOfPrelinkedKernel com.apple.driver.AppleHWSensor triggered rebuild
Nov 18 16:20:51 The USB device Apple Internal Keyboard / Trackpad (Port 5 of Hub at 0x14000000) may have caused a wake by issuing a remote wakeup (2)
Nov 18 16:21:00 costadinosaggelakis : TTY=ttys000 ; PWD=/Users/USER ; USER=root ; COMMAND=/usr/bin/true
Nov 18 16:21:02 costadinosaggelakis : TTY=ttys000 ; PWD=/Users/USER ; USER=root ; COMMAND=/usr/libexec/smcDiagnose
Nov 18 16:21:02 SMC::smcReadKeyAction ERROR MACR kSMCKeyNotReadable(0x85) fKeyHashTable=0x0xffffff80de21e000
Daemons
com.adobe.fpsaud
Agents
com.apple.photostream-agent
com.paragon.ntfs.upd
com.paragon.ntfs.trial
com.apple.AirPortBaseStationAgent
Bundles
/Library/Internet Plug-Ins/Flash Player.plugin
- N/A
/Library/PreferencePanes/Flash Player.prefPane
- com.adobe.flashplayerpreferences
/Library/PreferencePanes/NTFSforMacOSX.prefPane
- com.paragon-software.filesystems.ntfs.prefpanel
dylibs
/usr/lib/libUFSDNTFS.dylib
Contents of /System/Library/LaunchAgents/com.paragon.NTFS.trial.plist (checksum 3466880614)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.paragon.ntfs.trial</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Paragon NTFS for Mac OS X/NTFS for Mac OS X.app/Contents/MacOS/NTFS for Mac OS X</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
</dict>
</plist>
Contents of /System/Library/LaunchAgents/com.paragon.NTFS.upd.plist (checksum 1029391047)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.paragon.ntfs.upd</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Paragon NTFS for Mac OS X/ParagonUpdateChecker.app/Contents/MacOS/ParagonUpdateChecker</string>
<string>service</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
</dict>
</plist>
Firewall: On
Wi-Fi
link auth: wpa-psk
User login items
iTunesHelper
- /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app
NIHardwareAgent
- /Library/Application Support/Native Instruments/Hardware/NIHardwareAgent.app
Restricted files: 77
Lockfiles: 1
High file counts
Desktop: 53
Elapsed time (s): 159