What is FlashMail? How do I remove it from my Mac?

Question

raegan_reann Author

Level 1

0 points

What is FlashMail? How do I remove it from my Mac?

This ad keeps popping up in my safari. I am not sure how to make it go away. Help. PLEASE!

MacBook Air (11-inch, Early 2014), iOS 8

Posted on Jan 20, 2015 6:10 PM

Reply

Answer 1

Best reply

Linc Davis

Level 10

209,547 points

Jan 20, 2015 7:53 PM in response to raegan_reann

There is no need to download anything to solve this problem. You installed the "Crossrider" trojan. Take the steps below to disable it.

Malware is always changing to get around the defenses against it. These instructions are valid as of today, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with any of the following names:

com.crossrider.wss*.agent.plist

com.webhelper.plist

com.webtools.update.agent.plist

flashmall_updater.plist

flashmall_updater.sh

WebSocketServerApp

Here * stands for a variable six-digit number. Some of these files may be absent. Move any that you have to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library/Application Support

A folder named "Application Support" will open. Inside it there may be a subfolder with this name:

webHelperApp

If so, move that subfolder—not the "Application Support" folder—to the Trash.

4. Finally, open this folder in the same way as above:

~/Library

Look for a subfolder with this name:

WebTools

and move it to the Trash, if present. Finally, empty the Trash.

Reply

Answer 2

Feb 17, 2015 3:13 PM in response to Linc Davis

Thanks SO much for your knowledge! Now I need to backtrack & research how I fell for this in 1st place! Human engineering is still a viable pen tool...

(I actually thought it was an extension update when I was using Firefox & once opened, realized something was bad wrong. But how it actually appeared is what I want to figure out)

Reply

Answer 3

10thumbs

Level 1

0 points

Mar 14, 2015 8:55 PM in response to susan hendricks

Linc, you're brilliant! Just used your step-by-step to eliminate the virus on my Mac with Safari. Thanks so much!

Reply

Answer 4

Mar 20, 2015 5:09 PM in response to Linc Davis

great reply Linc, but unfortunately, I did everything you say, but as you suspected, it did not get rid of everything

what shall I do now?

Thanks

Reply

Answer 5

Mar 20, 2015 5:51 PM in response to qaisfromnew york

Download the AdwareMedic removal tool

http://www.adwaremedic.com/kb/download-redirect.php

To understand where this came from and how to avoid it in the future read John Galt's How to install adware.

https://discussions.apple.com/docs/DOC-7471

You can download AdwareMedic directly from here if you get redirected to MacKeeper.

http://www.adwaremedic.com/AdwareMedic.dmg

Reply

Answer 6

Linc Davis

Level 10

209,547 points

Mar 20, 2015 5:56 PM in response to qaisfromnew york

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a summary of what you need to do, if you choose to proceed:

☞ Copy a line of text in this window to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.

You may have started up in "safe" mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.

6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.

Triple-click anywhere in the line of text below on this page to select it:

PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(1296 ' 0.5 0.25 50 1000 15 5120 1000 25000 6 6 5 1 0 100 ' 51 25600 4 10 25 5120 102400 1000 25 1536 450 40 500 300 85 25 20480 262144 20 2000 524288 604800 5 1024 25 );k=({Soft,Hard}ware Memory Diagnostics Power FireWire Thunderbolt USB Bluetooth SerialATA Extensions Applications Frameworks PrefPane Fonts Displays PCI UniversalAccess InstallHistory ConfigurationProfile AirPort 'com\.apple\.' -\\t N\\/A 'AES|atr|udit|msa|dnse|ax|ensh|fami|FileS|fing|ft[pw]|gedC|kdu|etS|is\.|alk|ODSA|otp|htt|pace|pcas|ps-lp|rexe|rlo|rsh|smb|snm|teln|upd-[aw]|uuc|vix|webf' OSBundle{Require,AllowUserLoa}d 'Mb/s:Mb/s:ms/s:KiB/s:%:total:MB:total:lifetime:sampled:per sec' 'Net in:Net out:I/O wait time:I/O requests:CPU usage:Open files:Memory:Mach ports:Energy:Energy:File opens:Forks:Failed forks:System errors' 'tsA|[ST]M[HL]' PlistBuddy{,' 2>&1'}' -c Print' 'Info\.plist' CFBundleIdentifier );f=('\n%s'{': ','\n\n'}'%s\n' '\nRAM details\n%s\n' %s{' ','\n'{"${k[22]}",}}'%s\n' '%.1f GiB: %s\n' '\n ...and %s more line(s)\n' '\nContents of %s\n '"${k[22]}"'mod date: %s\n '"${k[22]}"'checksum: %s\n%s\n' );c=(879294308 4071182229 461455494 216630318 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 2636415542 3694147963 1233118628 2456546649 2806998573 2778718105 842973933 1383871077 1591517921 676087606 1445213025 2051385900 3301885676 891055588 998894468 695903914 1443423563 4136085286 3374894509 1051159591 892310726 1707497389 523110921 2883943871 3873345487 );s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[4]} ' s/:$//;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[9]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of|yc/!{ s/^.+is |\.//g;p;q;} ' ' BEGIN { FS="\f";if(system("A1 42 83 114")) d="^'"${k[21]}"'launch(d\.peruser\.[0-9]+|ctl\.(Aqua|Background|System))$";} { if($2~/[1-9]/) { $2="status: "$2;printf("'"${f[4]}"'",$1,$2);} else if(!d||$1!~d) print $1;} ' ' $1>1{$NF=$NF" x"$1} /\*/{if(!f)f="\n\t* Code injection"} {$1=""} 1;END{print f} ' ' NR==2&&$4<='${p[7]}'{print $4} ' ' BEGIN{FS=":"} ($1~"wir"&&$2>'${p[22]}') {printf("wired %.1f\n",$2/2^18)} ($1~/P.+ts/&&$2>'${p[19]}') {printf("paged %.1f\n",$2/2^18)} ' '/YLD/s/=/ /p' ' { q=$1;$1="";u=$NF;$NF="";gsub(/ +$/,"");print q"\f"$0"\f"u;} ' ' /^ {6}[^ ]/d;s/:$//;/([^ey]|[^n]e):/d;/e: Y/d;s/: Y.+//g;H;${ g;s/ \n (\n)/\1/g;s/\n +(M[^ ]+)[ -~]+/ (\1)/;s/\n$//;/( {8}[^ ].*){2,}/p;} ' 's:^:/:p;' ' !/, .+:/ { print;n++;} END{if(n<'{${p[12]},${p[13]}}')printf("^'"${k[21]}"'.+")} ' '|uniq' ' 1;END { print "/L.+/Scr.+/Templ.+\.app$";print "/L.+/Pri.+\.plugin$";if(NR<'{${p[14]},${p[21]}}') print "^/[Sp].+|'${k[21]}'";} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:.+//p;' '&&echo On' '/\.(bundle|component|framework|kext|mdimporter|plugin|qlgenerator|saver|wdgt)$/p' '/\.dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".","");print $0"$";} END { split("'"${c[*]}"'",c);for(i in c) print "\t"c[i]"$";} ' ' /^\/(Ap|Dev|Inc|Prev)/d;/((iTu|ok).+dle|\.(component|mailbundle|mdimporter|plugin|qlgenerator|saver|wdgt))$/p;' ' BEGIN{ FS="= "} $2 { gsub(/[()"]/,"",$2);print $2;} !/:/&&!$2{print "'${k[23]}'"} ' ' /^\//!d;s/^.{5}//;s/ [^/]+\//: \//p;' '>&-||echo No' '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[2]}'{$2=$2-1;print}' ' BEGIN { M1='${p[16]}';M2='${p[18]}';M3='${p[8]}';M4='${p[3]}';} !/^A/{next};/%/ { getline;if($5<M1) o["CPU"]="CPU: user "$2"%, system "$4"%";next;} $2~/^disk/&&$4>M2 { o[$2]=$2": "$3" ops/s, "$4" blocks/s";next;} $2~/^(en[0-9]|bridg)/ { if(o[$2]) { e=$3+$4+$5+$6;if(e) o[$2]=o[$2]"; errors "e"/s";next;};if($4>M3||$6>M4) o[$2]=$2": in "int($4/1024)", out "int($6/1024)" (KiB/s)";} END { for(i in o) print o[i];} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/)||(/v6:/&&$2!~/A/) ' ' BEGIN{FS=": "} /^ {10}O/ {exit} /^ {0,12}[^ ]/ {next} $1~"Ne"&&$2!~/^In/{print} $1~"Si" { split($2,a," ");if(a[1]-a[4]<'${p[5]}') print;};$1~"T"&&$2<'${p[20]}'{print};$1~"Se"&&$2!~"2"{print};' ' BEGIN { FS="\f";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1;} ' ' BEGIN { split("'"${p[1]}"'",m);FS="\f";} $2<=m[$1]{next} $1==9||$1==10 { "ps -c -ouid -p"$4"|sed 1d"|getline $4;} $1<11 { o[$1]=o[$1]"\n "$3" (UID "int($4)"): "$2;} $1==11&&$5!~"^/dev" { o[$1]=o[$1]"\n "$3" (UID "$4") => "$5" (status "$6"): "$2;} $1==12&&$5 { "ps -c -ocomm -p"$5"|sed 1d"|getline n;if(n) $5=n;o[$1]=o[$1]"\n "$5" => "$3" (UID "$4"): "$2;} $1~/1[34]/ { o[$1]=o[$1]"\n "$3" (UID "$4", error "$5"): "$2;} END { n=split("'"${k[27]}"'",u,":");for(i=n+1;i<n+4;i++)u[i]=u[n];split("'"${k[28]}"'",l,":");for(i=1;i<15;i++) if(o[i])print "\n"l[i]" ("u[i]")\n"o[i];} ' ' /^ {8}[^ ]/{print} ' ' BEGIN { L='${p[17]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n [N/A]";"cksum "F|getline C;split(C, A);C=A[1];"stat -f%Sm "F|getline D;"file -b "F|getline T;if(T~/^Apple b/) { f="";l=0;while("'"${k[30]}"' "F|getline g) { l++;if(l<=L) f=f"\n "g;};};if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F"\n '"${k[22]}"'"T;printf("'"${f[8]}"'",F,D,C,f);if(l>L) printf("'"${f[7]}"'",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' 's/^.{52}(.+) <.+/\1/p' ' /id: N|te: Y/{i++} END{print i} ' ' /kext:/ { split($0,a,":");p=a[1];k[S]='${k[25]}';k[U]='${k[26]}';v[S]="Safe";v[U]="true";for(i in k) { s=system("'"${k[30]}"'\\ :"k[i]" \""p"\"/*/I*|grep -qw "v[i]);if(!s) a[1]=a[1]" "i;};if(!a[2]) a[2]="'"${k[23]}"'";printf("'"${f[4]}"'",a[1],a[2]);next;} !/^ *$/ { p="'"${k[31]}"'\\ :'"${k[33]}"' \""$0"\"/*/'${k[32]}'";p|getline b;close(p);if(b~/, .+:/||b=="") b="'"${k[23]}"'";printf("'"${f[4]}"'",$0,b);} ' '/ en/!s/\.//p' ' NR>=13 { gsub(/[^0-9]/,"",$1);print;} ' ' $10~/$L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?'${k[32]}'$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ / [VY]/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' '/^find: /!p;' ' /^p/{ s/.//g;x;s/\nu/'$'\f''/;s/(\n)c/\1'$'\f''/;s/\n\n//;p;};H;' ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */ /;p;' ' s/^.+ |\(.+$$//g;p;' '1;END{if(NR<'${p[15]}')printf("^/(S|usr/(X|li))")}' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR|^s/d;s/^.+: //p;' ' $3~/^[1-9][0-9]{0,2}(\.[1-9][0-9]{0,2}){2}$/ { i++;n=n"\n"$1"\t"$3;} END{ if(i>1)print n} ' s/{'\.|jnl: ','P.+:'}'//;s/ +([0-9]+)(.+)/\2'$'\t\t''\1/p' ' /^ +iP.+:$/{ s/://;b0'$'\n'' };/es: ./{ /iOS/d;s/^.+://;b0'$'\n'' };/^ +C.+ted: +[NY]/H;/:$/b0'$'\n'' d;:0'$'\n'' x;/: +N/d;s/\n.+//p;' ' 1d;/:$/b0'$'\n'' $b0'$'\n'' /(D|^ *Loc.+): /{ s/^.+: //;H;};/(B2|[my]): /H;d;:0'$'\n'' x;/[my]: [AM]|m: I.+p$|^\/Vo/d;s/(^|\n) [ -~]+//g;s/(.+)\n(.+)/\2:\1/;s/\n//g;/[ -~]/p;' 's/$/'$'\f''(0|-(4[34])?)$/p' '|sort'{'|uniq'{,\ -c},\ -nr} ' s/^/'{5,6,7,8,9,10}$'\f''/;s/ *'$'\f'' */'$'\f''/g;p;' 's/:.+$//p' '|wc -l' /{\\.{kext,xpc,'(appex|pluginkit)'}'\/(Contents\/)?'Info,'Launch[AD].+'}'\.plist$/p' 's/([-+.?])/\\\1/g;p' 's/, /\'$'\n/g;p' ' BEGIN{FS="\f"} { printf("'"${f[6]}"'",$1/2^30,$2);} ' ' /= D/&&$1!~/'{${k[24]},${k[29]}}'/ { getline d;if(d~"t") print $1;} ' ' BEGIN{FS="\t"} NR>1&&$NF!~/0x|\.([0-9]{3,}|[-0-9A-F]{36})$/ { print $NF"\f"a[split($(NF-1),a," ")];} ' '|tail -n'{${p[6]},${p[10]}} ' s/.+bus /Bus: /;s/,.+[(]/ /;s/,.+//p;' ' { $NF=$NF" Errors: "$1;$1="";} 1 ' ' 1s/^/\'$'\n''/;/^ +(([MNPRSV]|De|Li|Tu).+|Bus): .|d: Y/d;s/:$//;$d;p;' ' BEGIN { RS=",";FS=":";} $1~"name" { gsub("\"","",$2);print $2;} ' '|grep -q e:/' '/[^ .]/p' '{ print $1}' ' /^ +N.+: [1-9]/ { i++;} END { if(i) print "system: "i;} ' ' NF { print "'{admin,user}' "$NF;exit;} ' ' /se.+ =/,/[\}]/!d;/[=\}]/!p ' ' 3,4d;/^ +D|Of|Fu| [0B]/d;s/^ |:$//g;$!H;${ x;/:/p;} ' ' BEGIN { FS=": ";} NR==1 { sub(":","");h="\n"$1"\n";} /:$/ { l=$1;next;} $1~"S"&&$2!~3 { getline;next;} /^ {6}I/ { i++;L[i]=l" "$2;if(i=='${p[24]}') exit;} END { if(i) print h;for(j=0;j<i;j++) print L[i-j];} ' ' /./H;${ x;s/\n//;s/\n/, /g;/,/p;} ' ' {if(int($6)>'${p[25]}')printf("swap used %.1f\n",$6/1024)} ' ' BEGIN{FS="\""} $3~/ t/&&$2!~/'{${k[24]},${k[29]}}'/{print $2} ' ' int($1)>13 ' p ' BEGIN{FS="DB="} { sub(/\.db.*/,".db",$2);print $2;} ' {,1d\;}'/r%/,/^$/p' ' NR==1{next} NR>11||!$0{exit} {print $NF"\f"substr($0,1,32)"\f"$(NF-7)} ' '/e:/{print $2}' ' /^[(]/{ s/....//;s/$/:/;N;/: [)]$/d;s/\n.+ ([^ ]+).$/\1/;H;};${ g;p;} ' '1;END { exit "find /var/db/r*/'${k[21]}'*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom -mtime -'${p[23]}'s"|getline;} ' ' NR<='${p[26]}' { o=o"\n"$0;next;} { o="";exit;} END{print o|"sed 1d"} ' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab kextfind top pkgutil "${k[30]}\\" echo cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom 'mdfind -onlyin' env pluginkit scutil 'dtrace -q -x aggsortrev -n' security sed\ -En awk 'dscl . -read' networksetup mdutil lsof test osascript\ -e netstat mdls route cat uname powermetrics );c2=(${k[21]}loginwindow\ LoginHook ' /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'" 'L*/Ca*/'${k[21]}'Saf*/E* -d 2 -name '${k[32]} '~ $TMPDIR.. $ -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 $' -i '-nl -print' '-F \$Sender -k Level Nle 3 -k Facility Req "'${k[21]}'('{'bird|.*i?clou','lsu|sha'}')"' "-f'%N: %l' Desktop {/,}L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message CRne '0xdc008012|(allow|call)ing|Goog|(mplet|nabl)ed|ry HD|safe b|xpm' -k Message CReq 'bad |Can.t l|corru|dead|fail|GPU |hfs: Ru|inval|Limiti|v_c|NVDA[(]|pagin|Purg(ed|in)|error|Refus|TCON|tim(ed? ?|ing )o|trig|WARN' " '-du -n DEV -n EDEV 1 10' 'acrx -o%cpu,comm,ruid' "' syscall::recvfrom:return {@a[execname,uid]=sum(arg0)} syscall::sendto:return {@b[execname,uid]=sum(arg0)} syscall::open*:entry {@c[execname,uid,copyinstr(arg0),errno]=count()} syscall::execve:return, syscall::posix_spawn:return {@d[execname,uid,ppid]=count()} syscall::fork:return, syscall::vfork:return, syscall::posix_spawn:return /arg0<0/ {@e[execname,uid,arg0]=count()} syscall:::return /errno!=0/ {@f[execname,uid,errno]=count()} io:::wait-start {self->t=timestamp} io:::wait-done /self->t/ { this->T=timestamp - self->t;@g[execname,uid]=sum(this->T);self->t=0;} io:::start {@h[execname,uid]=sum(args[0]->b_bcount)} tick-10sec { normalize(@a,2560000);normalize(@b,2560000);normalize(@c,10);normalize(@d,10);normalize(@e,10);normalize(@f,10);normalize(@g,10000000);normalize(@h,10240);printa(\"1\f%@d\f%s\f%d\n\",@a);printa(\"2\f%@d\f%s\f%d\n\",@b);printa(\"11\f%@d\f%s\f%d\f%s\f%d\n\",@c);printa(\"12\f%@d\f%s\f%d\f%d\n\",@d);printa(\"13\f%@d\f%s\f%d\f%d\n\",@e);printa(\"14\f%@d\f%s\f%d\f%d\n\",@f);printa(\"3\f%@d\f%s\f%d\n\",@g);printa(\"4\f%@d\f%s\f%d\n\",@h);exit(0);} '" '-f -pfc /var/db/r*/'${k[21]}'*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! -name \*ag $ -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true $ -execdir stat -f'$'\f''%Sc'$'\f''%N -t%F {} \;' '/S*/*/Ca*/*xpc*' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' /\ kMDItemContentTypeTree=${k[21]}{bundle,mach-o-dylib} :Label "/p*/e*/{auto*,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {/p*,/usr/local}/e*/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list '-F "" -k Sender hidd -k Level Nle 3' /Library/Preferences/${k[21]}alf\ globalstate --proxy '-n get default' vm.swapusage --dns -get{dnsservers,info} dump-trust-settings\ {-s,-d,} '~ "kMDItemKind=Package"' '-R -ce -l1 -n5 -o'{'prt -stats prt','mem -stats mem'}',command,uid' -kl -l -s\ / '--regexp --files '${k[21]}'pkg.*' '+c0 -i4TCP:0-1023' ${k[21]}dashboard\ layer-gadgets '-d /L*/Mana*/$USER' '-app Safari WebKitDNSPrefetchingEnabled' '-Fcu +c0 -l' -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' '-F \$Message -k Sender kernel -k Message CReq "'{'n Cause: -','(a und|I/O |jnl_io.+)err|disk.+abo','USBF:.+bus'}'"' -name\ kMDItem${k[33]} -T\ hfs '-n get default' -listnetworkserviceorder :${k[33]} :CFBundleDisplayName $EUID {'$TMPDIR../C ','/{S*/,}'}'L*/{,Co*/*/*/L*/}{Cache,Log}s -type f -size +'${p[11]}'M -exec stat -f%z'$'\f''%N {} \;' \ /v*/d*/*/*l*d{,.*.$UID}/* '-app Safari UserStyleSheetEnabled' 'L*/A*/Fi*/P*/*/a*.json' users/$USER\ HomeDirectory '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' ' -F "\$Time \$(Sender): \$Message" -k Sender Rne "launchd|nsurls" -k Level Nle 3 -k Facility R'{'ne "user|','eq "'}'console" -k Message CRne "[{}<>]|asser|commit - no t|deprec|done |ect pas|fmfd|Goog|ksho|ndum|obso|realp|rned f|/root|sandbox ex" ' getenv '/ "kMDItemDateAdded>=\$time.now(-'${p[23]}')&&kMDItem'${k[33]}'=*"' -m\ / '' ' -F "\$Time \$(RefProc): \$Message" -k Sender Req launchd -k Level Nle 3 -k Message Rne "asse|bug|File ex|hij|Ig|Jet|key is|lid t|Plea|ship" ' print{,-disabled}\ {system,{gui,user}/$UID} '-n1 --show-initial-usage --show-process-energy' -r ' -F "\$Message" -k Sender nsurlstoraged -k Time ge -1h -k Level Nle 4 -k Message Req "^(ER|IN)" ' );N1=${#c2[@]};for j in {0..20};do c2[N1+j]=SP${k[j]}DataType;done;l=({Restricted\ ,Lock,Pro}files POST Battery {Safari,App,{Bad,Loaded}\ kernel,Firefox}\ extensions System\ load boot\ args FileVault\ {2,1} {Kernel,System,Console,launchd}\ log SMC Login\ hook 'I/O per process' 'High file counts' UID {System,Login,Agent,User}' services '{load,disabl}ed {Admin,Root}\ access Font\ issues Firewall Proxies DNS TCP/IP Wi-Fi 'Elapsed time (sec)' {Root,User}\ crontab {Global,User}' login items' Spotlight Memory\ pressure Listeners Widgets Parental\ Controls Prefetching Nets Volumes {Continuity,I/O,iCloud,HID,HCI}\ errors {User,System}\ caches/logs XPC\ cache Startup\ items Shutdown\ codes Heat Diagnostic\ reports Bad\ {plist,cache}s 'VM (GiB)' Bundles{,' (new)'} Trust\ settings Activity Free\ space Stylesheet Library\ paths{,' ('{shell,launchd}\)} Data\ packages );N3=${#l[@]};for i in {0..8};do l[N3+i]=${k[5+i]};done;F() { local x="${s[$1]}";[[ "$x" =~ ^([\&\|\<\>]|$) ]]&&{ printf "$x";return;};:|${c1[30]} "$x" 2>&-;printf "%s \'%s\'" "|${c1[30+$?]}" "$x";};A0() { Q=6;v[2]=1;id -G|grep -qw 80;v[1]=$?;((v[1]))||{ Q=7;sudo -v;v[2]=$?;((v[2]))||Q=8;};v[3]=`date +%s`;date '+Start time: %T %D%n';printf '\n[Process started]\n\n'>&4;printf 'Revision: %s\n\n' ${p[0]};};A1() { local c="${c1[$1]} ${c2[$2]}";shift 2;c="$c ` while [[ "$1" ]];do F $1;shift;done`";((P2))&&{ c="sudo $c";P2=;};v=`eval "$c"`;[[ "$v" ]];};A2() { local c="${c1[$1]}";[[ "$c" =~ ^(awk|sed ) ]]&&c="$c '${s[$2]}'"||c="$c ${c2[$2]}";shift 2;local d=` while [[ "$1" ]];do F $1;shift;done`;((P2))&&{ c="sudo $c";P2=;};local a;v=` while read a;do eval "$c '$a' $d";done<<<"$v";`;[[ "$v" ]];};A3(){ v=$((`date +%s`-v[3]));};export -f A1 A2 F;B1() { v=No;! ((v[1]))&&{ v=;P1=1;};};eval "`type -a B1|sed '1d;s/1/2/'`";B3(){ v[$1]="$v";};B4() { local i=$1;local j=$2;shift 2;local c="cat` while [[ "$1" ]];do F $1;shift;done`";v[j]=`eval "{ $c;}"<<<"${v[i]}"`;};B5(){ v="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d$'\e' <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F$'\e' ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`egrep -v "${v[$1]}"<<<"$v"|sort`;};eval "`type -a B7|sed '1d;s/7/8/;s/-v //'`";C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { B4 0 0 63&&C1 1 $1;};C4() { echo $'\t'"Part $((++P)) of $Q done at $((`date +%s`-v[3])) sec">&4;};C5() { sudo -k;pbcopy<<<"$o";printf '\n\tThe test results are on the Clipboard.\n\n\tPlease close this window.\n';exit 2>&-;};for i in 1 2;do eval D$((i-1))'() { A'$i' $@;C0;};';for j in 2 3;do eval D$((i+2*j-3))'() { local x=$1;shift;A'$i' $@;C'$j' $x;};';done;done;trap C5 2;o=$({ A0;D0 0 N1+1 2;D0 0 $N1 1;B1;C2 31;B1&&! B2&&C2 32;D2 22 15 63;D0 0 N1+2 3;D0 0 N1+15 17;D4 3 0 N1+3 4;D4 4 0 N1+4 5;D4 N3+4 0 N1+9 59;D0 0 N1+16 99;for i in 0 1 2;do D4 N3+i 0 N1+5+i 6;done;D4 N3+3 0 N1+8 71;D4 62 1 10 7;D4 10 1 11 8;B2&&D4 18 19 53 67;D2 11 2 12 9;D2 12 3 13 10;D2 13 32 70 101 25;D2 71 6 76 13;D2 45 20 52 66;A1 7 77 14;B3 28;A1 20 31 111;B6 0 28 5;B4 0 0 110;C2 66;D4 70 8 15 38;D0 9 16 16 77 45;C4;B2&&D0 35 49 61 75 76 78 45;B2&&{ D0 28 17 45;C4;};B2&&{ A1 43 85 117;B3 29;B4 0 0 119 76 81 45;C0;B4 29 0 118 119 76 82 45;C0; };D0 12 40 54 16 79 45;D0 12 39 54 16 80 45;D4 74 25 77 15&&{ B4 0 8 103;B4 8 0;A2 18 74;B6 8 0 3;C3 75;};B2&&D4 19 21 0;B2&&D4 40 10 42;D2 2 0 N1+19 46 84;D2 44 34 43 53;D2 59 22 20 32;D2 33 0 N1+14 51;for i in {0..2};do A1 29 35+i 104+i;B3 25+i;done;B6 25 27 5;B6 0 26 5;B4 0 0 110;C2 69;D2 34 21 28 35;D4 35 27 29 36;A1 40 59 120;B3 18;A1 33 60 121;B8 18;B4 0 19 83;A1 27 32 39&&{ B3 20;B4 19 0;A2 33 33 40;B3 21;B6 20 21 3;};C2 36;D4 50 38 5 68;B4 19 0;D5 37 33 34 42;B2&&D4 46 35 45 55;D4 38 0 N1+20 43;B2&&D4 58 4 65 76 91;D4 63 4 19 44 75 95 12;B1&&{ D4 53 5 55 75 69&&D4 51 6 58 31;D4 56 5 56 97 75 98&&D0 0 N1+7 99;D2 55 5 27 84;D4 61 5 54 75 70;D4 14 5 14 96;D4 15 5 72 96;D4 17 5 78 96;C4;};D4 16 5 73 96;A1 13 44 74 18;C4;B3 4;B4 4 0 85;A2 14 61 89;B4 0 5 19 102;A1 17 41 50;B7 5;C3 8;B4 4 0 88;A2 14 24 89;C4;B4 0 6 19 102;B4 4 0 86;A2 14 61 89;B4 0 7 19 102;B5 6 7;B4 0 11 73 102;A1 42 86 114;j=$?;for i in 0 1 2;do ((i==2&&j==1))&&break;((! j))||((i))||B2&&A1 18 $((79+i-(i+53)*j)) 107+8*j 94 74||continue;B7 11;B4 0 0 11;C3 $((23+i*(1+i+2*j)));D4 $((24+i*(1+i+2*j))) 18-4*j 82+i-16*j $((112+((3-i)*i-40*j)/2));done;D4 60 4 21 24;D4 42 14 1 62;D4 43 37 2 90 48;D4 41 10 42;D2 48 36 47 25;A1 4 3 60&&{ B3 9;A2 14 61;B4 0 10 21;B4 9 0;A2 14 62;B4 0 0 21;B6 0 10 4;C3 5;};D4 9 41 69 100;D2 72 21 68 35;D2 49 21 48 49;B4 4 22 57 102;A1 21 46 56 74;B7 22;B4 0 0 58;C3 47;D4 54 5 7 75 76 69;D4 52 5 8 75 76 69;D4 57 4 64 76 91;D2 0 4 4 84;D2 1 4 51 84;D4 21 22 9 37;D0 0 N1+17 108;D4 76 24 38;A1 23 18 28 89;B4 0 16 22 102;A1 16 25 33;B7 16;B4 0 0 34;D1 31 47;D4 64 4 71 41;D4 65 5 87 116 74;C4;B4 4 12 26 89 23 102;for i in {0..3};do A1 0 N1+10+i 72 74;B7 12;B4 0 0 52;C3 N3+5+i;((i))||C4;done;A1 24 22 29;B7 12;B3 14;A2 39 57 30;B6 14 0 4;C3 67;A1 24 75 74;B4 1 1 122||B7 12;B4 0 0 123;B3 23;A2 39 57 30;B6 23 0 4;C3 68;B4 4 13 27 89 65;A1 24 23;B7 13;C3 73;B4 4 0 87;A2 14 61 89 20;B4 0 17;A1 26 50 64;B7 17;C3 6;D0 0 N1+18 109;D4 7 11 6;A3;C2 39;C4;} 4>&2 2>/dev/null;);C5

Copy the selected text to the Clipboard by pressing the key combination command-C.

8. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.

9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter

exec bash

and press return. Then paste the script again.

10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

[Process started]

Part 1 of 8 done at … sec
…
Part 8 of 8 done at … sec

The test results are on the Clipboard.

Please close this window.

[Process completed]

The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.

Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.

12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

______________________________________________________________

Copyright © 2014, 2015 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Reply

Answer 7

Mar 21, 2015 9:18 AM in response to Linc Davis

Start time: 12:07:06 03/21/15

Revision: 1296

Model Identifier: iMac11,3

System Version: OS X 10.10.2 (14C1510)

Kernel Version: Darwin 14.1.0

Time since boot: 16:17

UID: 501

SerialATA

WDC WD1001FALS-40Y6A0

Bluetooth

Apple Wireless Keyboard

Apple Wireless Mouse

FileVault 2: On

Energy (lifetime)

kernel_task (UID 0): 10.21

Energy (sampled)

kernel_task (UID 0): 13.75

Microsoft Outlook (UID 501): 13.13

Root crontab

#SqzS VERSION = 1.0.0

#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED

#PLEASE DO NOT EDIT.

# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=2

0 19 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"

#SqzS END SYMANTEC CRON ENTRIES

Font issues: 3

Listeners

nfsd: 1023

rpc.lockd: 1017

rpc.rquotad: garcon

rpc.statd: exp1

rpcbind: sunrpc

System caches/logs

2.3 GiB: /System/Library/Caches/com.apple.coresymbolicationd/data

Diagnostic reports

2015-03-21 LegacyFileVaultMessageTracer crash

I/O errors

disk1: I/O error 1

Volumes

disk1: /

HCI errors

Bus: 0xfa Addr: 6 Errors: 2

USB

USB Hi-Speed Bus

Host Controller Location: Built-in USB

Host Controller Driver: AppleUSBEHCI

Bus Number: 0xfa

Hub

Location ID: 0xfa100000 / 2

Current Available (mA): 500

Current Required (mA): 2

Built-In: Yes

Internal Memory Card Reader

Location ID: 0xfa120000 / 4

Current Available (mA): 500

Current Required (mA): 500

Built-In: Yes

BRCM2046 Hub

Location ID: 0xfa110000 / 3

Current Available (mA): 500

Current Required (mA): 0

Built-In: Yes

Bluetooth USB Host Controller

Location ID: 0xfa111000 / 5

Current Available (mA): 500

Current Required (mA): 0

Built-In: Yes

USB Hi-Speed Bus

Host Controller Location: Built-in USB

Host Controller Driver: AppleUSBEHCI

Bus Number: 0xfd

Hub

Location ID: 0xfd100000 / 2

Current Available (mA): 500

Current Required (mA): 2

Built-In: Yes

Built-in iSight

Location ID: 0xfd110000 / 4

Current Available (mA): 500

Current Required (mA): 500

Built-In: Yes

IR Receiver

Location ID: 0xfd120000 / 3

Current Available (mA): 500

Current Required (mA): 100

Built-In: Yes

HID errors: 4

Kernel log

Mar 15 17:48:53 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)

Mar 15 18:23:09 CoreStorageGroup::completeIORequest - error 0xe00002ca detected for LVG "Macintosh HD" (UUID), pv UUID, near LV byte offset = 12967079936.

Mar 15 18:23:09 disk1: I/O error.

Mar 15 22:04:31 Failed to get hibernate image filename

Mar 16 18:37:57 ### ERROR: Exit sniff failed (probably already unsniffed) (err=10)

Mar 16 18:38:42 ### ERROR: Exit sniff failed (probably already unsniffed) (err=10)

Mar 16 19:36:50 Failed to get hibernate image filename

Mar 16 21:53:22 firefox (map: 0xffffff8021823a50) triggered DYLD shared region unnest for map: 0xffffff8021823a50, region 0x7fff8f600000->0x7fff8f800000. While not abnormal for debuggers, this increases system memory footprint until the target exits.

Mar 16 22:59:17 USBF: 24744. 92 AppleUSBEHCI::Found a transaction which hasn't moved in 1000 milliseconds on bus 0xfa, timing out! (Addr: 6, EP: 1)

Mar 16 22:59:20 USBF: 24747. 94 AppleUSBEHCI::Found a transaction which hasn't moved in 1000 milliseconds on bus 0xfa, timing out! (Addr: 6, EP: 1)

Mar 16 23:00:03 Failed to get hibernate image filename

Mar 19 21:48:24 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)

Mar 19 21:58:39 firefox (map: 0xffffff80258b44b0) triggered DYLD shared region unnest for map: 0xffffff80258b44b0, region 0x7fff85200000->0x7fff85400000. While not abnormal for debuggers, this increases system memory footprint until the target exits.

Mar 19 22:03:34 firefox (map: 0xffffff8023da9690) triggered DYLD shared region unnest for map: 0xffffff8023da9690, region 0x7fff85200000->0x7fff85400000. While not abnormal for debuggers, this increases system memory footprint until the target exits.

Mar 19 23:00:27 Failed to get hibernate image filename

Mar 20 19:10:03 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)

Mar 20 19:50:14 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)

Mar 20 20:15:35 Failed to get hibernate image filename

System log

Mar 20 19:51:45 CallHistorySyncHelper: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'

Mar 20 19:51:46 CallHistorySyncHelper: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'

Mar 20 19:51:46 Service: AppleEvents: Send port for process has no send right, port=( port:32523/0x7f0b rcv:1,send:0,d:0 limit:5) (findOrCreate()/AEMachUtils.cp #526) com.apple.main-thread

Mar 20 19:51:47 askpermissiond: ApplePushService: Connection timed out trying to communicate with apsd

Mar 20 19:51:53 SocialPushAgent: ApplePushService: Connection timed out trying to communicate with apsd

Mar 20 19:51:54 AddressBookSourceSync: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'

Mar 20 19:51:57 com.apple.kextd: ERROR: invalid signature for com.zeobit.kext.Firewall, will not load

Mar 20 19:51:58 com.apple.kextd: ERROR: invalid signature for com.zeobit.kext.Firewall, will not load

Mar 20 19:52:20 WindowServer: disable_update_timeout: UI updates were forcibly disabled by application "Dropbox" for over 1.00 seconds. Server has re-enabled them.

Mar 20 19:53:56 WindowServer: WSGetSurfaceInWindow : Invalid surface 642917970 for window 57

Mar 20 19:57:56 cloudd: Stream 0x7fe181c818d0 is sending an event before being opened

Mar 20 22:04:20 configd: [0x7fc22a452d80] [m]DNS query timeout (query time = 35.122213), [46TE]

Mar 20 23:53:10 configd: [0x7fc22a5267c0] [m]DNS query timeout (query time = 31.590735), [46TE]

Mar 21 01:42:02 configd: [0x7fc22a528c40] [m]DNS query timeout (query time = 31.408054), [46TE]

Mar 21 03:30:56 configd: [0x7fc22a452d80] [m]DNS query timeout (query time = 31.390972), [46TE]

Mar 21 05:19:48 configd: [0x7fc22a71dd30] [m]DNS query timeout (query time = 32.213011), [46TE]

Mar 21 07:08:42 configd: [0x7fc22a62acc0] [m]DNS query timeout (query time = 33.077746), [46TE]

Mar 21 08:57:35 configd: [0x7fc22a525520] [m]DNS query timeout (query time = 31.436688), [46TE]

Mar 21 10:46:29 configd: [0x7fc22a72ad20] [m]DNS query timeout (query time = 32.805542), [46TE]

Mar 21 11:53:45 netbiosd: __net_helper_get_connection_block_invoke_3 could not connect to networkd

Mar 21 11:54:27 cloudd: Stream 0x7fe181ed4710 is sending an event before being opened

Mar 21 11:54:36 WindowServer: disable_update_timeout: UI updates were forcibly disabled by application "Microsoft Outlook" for over 1.00 seconds. Server has re-enabled them.

launchd log

Mar 17 21:59:24 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 17 22:17:48 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 17 22:19:24 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 21:49:06 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.221, service = com.apple.photostream-agent, error = 119: Service is disabled

Mar 19 22:09:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 22:09:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 22:29:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 22:29:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 22:49:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 19 22:49:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 14:27:18 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 14:27:19 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 18:36:53 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 18:36:54 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 18:56:53 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 18:56:54 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 19:11:08 com.apple.xpc.launchd.user.501.100007.Aqua: Could not import service from caller: caller = otherbsd.217, service = com.apple.photostream-agent, error = 119: Service is disabled

Mar 20 19:11:24 com.jdibackup.ZipCloud.autostart: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 19:31:05 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 19:31:05 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 20 19:51:16 com.apple.xpc.launchd.user.501.100005.Aqua: Could not import service from caller: caller = otherbsd.210, service = com.apple.photostream-agent, error = 119: Service is disabled

Mar 20 20:01:24 com.webtools.update.0.0.0.9.agent: Interval spawn of service failed: 139: Service cannot presently execute

Mar 20 20:11:15 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 21 12:01:20 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Mar 21 12:01:20 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd

Loaded kernel extensions

com.logmein.driver.LogMeInSoundDriver (4.1.48f85)

com.symantec.kext.SymAPComm (100.1f2)

com.symantec.kext.internetSecurity (5.2.1f2)

com.symantec.kext.ips (3.5.1f2)

com.symantec.kext.ndcengine (1.0f2)

System services loaded

com.adobe.SwitchBoard

com.adobe.fpsaud

com.apple.dpd

- status: 75

com.apple.locationd

- status: 1

com.apple.loginwindow.LFVTracer

- status: -11

com.apple.watchdogd

com.google.keystone.daemon

com.logmein.logmeinserver

com.logmein.raupdate

com.microsoft.office.licensing.helper

com.period.searchprotectd

- status: 78

com.symantec.liveupdate.daemon

- status: 1

com.symantec.liveupdate.daemon.ondemand

com.symantec.sharedsettings

com.symantec.symdaemon

com.zeobit.MacKeeper.AntiVirus

com.zeobit.MacKeeper.plugin.AntiTheft.daemon

System services disabled

com.apple.security.FDERecoveryAgent

com.logmein.logmeinblanker

org.samba.winbindd

com.apple.mrt

Login services loaded

com.adobe.AAM.Scheduler-1.0

com.adobe.ARM.UUID

com.adobe.CS5ServiceManager

com.apple.mrt.uiagent

com.cinema-plus-1-1.updater

com.citrix.AuthManager_Mac

com.citrix.ReceiverHelper

com.citrix.ServiceRecords

com.extensions.updater67619.agent.plist

- status: 78

com.flashmall.agent

com.genieo.completer.download

com.genieo.completer.ltvbit

com.genieo.completer.update

com.google.keystone.system.agent

com.hp.printerAgent

com.jdibackup.JustCloud.autostart

- status: 78

com.jdibackup.JustCloud.notify

- status: 78

com.jdibackup.ZipCloud.autostart

- status: 78

com.jdibackup.ZipCloud.backupstart

com.jdibackup.ZipCloud.notify

- status: 78

com.logmein.LMILaunchAgentFixer

- status: 78

com.logmein.logmeingui

com.logmein.logmeinguiagent

com.shopy-mate.updater

com.symantec.uiagent.application

com.webhelper

- status: 78

com.webtools.uninstaller.app

com.webtools.update.0.0.0.9.agent

- status: 78

com.zeobit.MacKeeper.Helper

Startup items

/Library/StartupItems/NortonMissedTasks/NortonMissedTasks

/Library/StartupItems/NortonMissedTasks/StartupParameters.plist

/Library/StartupItems/SymAutoProtect/SAVAPComm.kext/Contents/Info.plist

/Library/StartupItems/SymAutoProtect/SAVAPComm.kext/Contents/MacOS/SAVAPComm

/Library/StartupItems/SymAutoProtect/StartupParameters.plist

/Library/StartupItems/SymAutoProtect/SymAutoProtect

/Library/StartupItems/SymProtector/StartupParameters.plist

/Library/StartupItems/SymProtector/SymProtector

User login items

iTunesHelper

- missing value

Microsoft AU Daemon

- missing value

GrowlHelperApp

- /Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app

AirPort Base Station Agent

- /System/Library/CoreServices/AirPort Base Station Agent.app

LMILaunchAgentFixer

- /Library/Application Support/LogMeIn/LMILaunchAgentFixer.app

Dropbox

- /Applications/Dropbox.app

TuneupMyMac

- missing value

ScanNotification

- /Library/Application Support/Symantec/AntiVirus/ScanNotification.app

SAVDiskMountNotify

- /Library/Application Support/Symantec/AntiVirus/SAVDiskMountNotify.app

SymSecondaryLaunch

- missing value

SymQuickMenu

- missing value

User crontab

#SqzS VERSION = 1.0.0

#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED

#PLEASE DO NOT EDIT.

# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=1

0 0 1 * * "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 2 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf"

# Enc=1 Name="My Product Update Task" EvType1=1 EvType2=0 Sched=1

0 12 1 * * "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" -u 3 "/Library/Application Support/Norton Solutions Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUal -liveupdatequiet YES -liveupdateautoquit YES"

#SqzS END SYMANTEC CRON ENTRIES

Safari extensions

defaultsearch

- com.defaultsearch.safariext

Omnibar

- com.genieo.safari

Widgets

Dictionnaire

Web Translator

eCalc

xCuts

iCloud errors

bird 93

cloudd 14

Continuity errors

sharingd 1

Restricted files: 207

Lockfiles: 72

Accessibility

Keyboard Zoom: On

Scroll Zoom: On

Contents of /Library/LaunchAgents/com.citrix.AuthManager_Mac.plist

- mod date: Nov 18 11:21:28 2014

- checksum: 1501830148

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>MachServices</key>

<dict>

<key>com.citrix.AuthManager_Mac</key>

<true/>

</dict>

<key>Label</key>

<string>com.citrix.AuthManager_Mac</string>

<key>WaitForDebugger</key>

<key>ProgramArguments</key>

<array>

<string>/usr/local/libexec/AuthManager_Mac.app/Contents/MacOS/AuthManager_Mac</ string>

</array>

<key>LimitLoadToSessionType</key>

<key>Disabled</key>

</dict>

</plist>

Contents of /Library/LaunchAgents/com.citrix.ServiceRecords.plist

- mod date: Nov 18 11:21:28 2014

- checksum: 827728504

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>MachServices</key>

<dict>

<key>com.citrix.Beacons</key>

<true/>

<key>com.citrix.ServiceRecords</key>

<true/>

</dict>

<key>Label</key>

<string>com.citrix.ServiceRecords</string>

<key>RunAtLoad</key>

<true/>

<key>KeepAlive</key>

<true/>

<key>WaitForDebugger</key>

<key>ProgramArguments</key>

<array>

<string>/usr/local/libexec/ServiceRecords.app/Contents/MacOS/ServiceRecords</st ring>

</array>

<key>LimitLoadToSessionType</key>

...and 4 more line(s)

Contents of /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist

- mod date: Feb 27 21:32:28 2015

- checksum: 94065829

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Debug</key>

<true/>

<key>Label</key>

<string>com.logmein.LMILaunchAgentFixer</string>

<key>OnDemand</key>

<true/>

<key>ThrottleInterval</key>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/LogMeIn/bin/LMILaunchAgentFixer.app/Contents/MacOS/LMILaunchAgentFixer< /string>

<string>fromlaunchagent</string>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of /Library/LaunchAgents/com.logmein.logmeingui.plist

- exported SGML document text

- mod date: Feb 27 21:32:28 2015

- checksum: 2634235902

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Debug</key>

<true/>

<key>Label</key>

<string>com.logmein.logmeingui</string>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>LimitLoadToSessionType</key>

<array>

</array>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/LogMeIn/bin/LogMeInGUI.app/Contents/MacOS/LogMeInGUI</string>

</array>

</dict>

</plist>

Contents of /Library/LaunchAgents/com.logmein.logmeinguiagent.plist

- exported SGML document text

- mod date: Feb 27 21:32:28 2015

- checksum: 2150548001

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Debug</key>

<true/>

<key>Label</key>

<string>com.logmein.logmeinguiagent</string>

<key>LimitLoadToSessionType</key>

<array>

</array>

<key>KeepAlive</key>

<key>RunAtLoad</key>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<dict>

<key>MulticastGroup</key>

<key>SockFamily</key>

<key>SockPassive</key>

...and 17 more line(s)

Contents of /Library/LaunchAgents/com.logmein.logmeinguiagentatlogin.plist

- exported SGML document text

- mod date: Feb 27 21:32:28 2015

- checksum: 4009328751

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Debug</key>

<true/>

<key>Label</key>

<string>com.logmein.logmeinguiagentatlogin</string>

<key>LimitLoadToSessionType</key>

<array>

<string>LoginWindow</string>

</array>

<key>KeepAlive</key>

<key>RunAtLoad</key>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<dict>

<key>MulticastGroup</key>

<key>SockFamily</key>

<key>SockPassive</key>

...and 17 more line(s)

Contents of /Library/LaunchAgents/com.symantec.uiagent.application.plist

- mod date: Sep 12 23:59:24 2014

- checksum: 2715641560

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<true/>

<key>Label</key>

<string>com.symantec.uiagent.application</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Symantec/SymUIAgent/SymUIAgent.app/Contents/MacOS/SymUIAgent</string>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.logmein.logmeinserver.plist

- exported SGML document text

- mod date: Feb 27 21:32:28 2015

- checksum: 2579610614

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Debug</key>

<true/>

<key>Label</key>

<string>com.logmein.logmeinserver</string>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>ThrottleInterval</key>

<key>ProcessType</key>

<string>Interactive</string>

<key>LegacyTimers</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/MacOS/LogMeIn</string>

</array>

<key>StandardErrorPath</key>

<string>/Library/Logs/LogMeIn/stderr.log</string>

<key>StandardOutPath</key>

...and 5 more line(s)

Contents of /Library/LaunchDaemons/com.logmein.raupdate.plist

- mod date: Aug 25 19:00:47 2012

- checksum: 641044797

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.logmein.raupdate</string>

<key>OnDemand</key>

<true/>

<key>RunAtLoad</key>

<key>KeepAlive</key>

<key>LaunchOnlyOnce</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/LogMeIn/update/raupdate</string>

</array>

<key>StandardErrorPath</key>

<string>/Library/Application Support/LogMeIn//log/stderr.log</string>

<key>StandardOutPath</key>

<string>/Library/Application Support/LogMeIn//log/stdout.log</string>

<key>WorkingDirectory</key>

<string>/Library/Application Support/LogMeIn//bin/</string>

...and 2 more line(s)

Contents of /Library/LaunchDaemons/com.perion.searchprotectd.plist

- mod date: Oct 25 14:50:55 2014

- checksum: 1209345832

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>AbandonProcessGroup</key>

<true/>

<key>EnableTransactions</key>

<key>ProgramArguments</key>

<array>

<string>/Applications/SearchProtect/SearchProtect.app/Contents/MacOS/SearchProt ect</string>

<string>-execv_instance</string>

</array>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>Label</key>

<string>com.period.searchprotectd</string>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.symantec.liveupdate.daemon.ondemand.plist

- mod date: Sep 13 00:07:03 2014

- checksum: 2394746304

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<key>Label</key>

<string>com.symantec.liveupdate.daemon.ondemand</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Symantec/LiveUpdate/LiveUpdateDaemon.bundle/Contents/MacOS/LiveUpdateDa emon</string>

</array>

<key>TimeOut</key>

<key>Sockets</key>

<dict>

<key>DaemonSocket</key>

<dict>

<key>SockPathMode</key>

<key>SockPathName</key>

<string>/private/tmp/com.symantec.liveupdate.daemonport</string>

</dict>

<key>EnableTransactions</key>

...and 3 more line(s)

Contents of /Library/LaunchDaemons/com.symantec.liveupdate.daemon.plist

- mod date: Sep 13 00:07:03 2014

- checksum: 3403302937

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<key>RunAtLoad</key>

<true/>

<key>Label</key>

<string>com.symantec.liveupdate.daemon</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Symantec/LiveUpdate/LUTool</string>

</array>

<key>TimeOut</key>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.symantec.sep.migratesettings.plist

- mod date: Mar 15 17:46:53 2015

- checksum: 3583785382

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<key>Label</key>

<string>com.symantec.sep.migratesettings</string>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Symantec/Migration/MigrateSettings</string>

<string>/Library/Application Support/Symantec/Migration/Saved Symantec Data</string>

</array>

<key>Disabled</key>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.symantec.sharedsettings.plist

- mod date: Sep 12 23:57:06 2014

- checksum: 2142494329

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<key>Label</key>

<string>com.symantec.sharedsettings</string>

<key>MachServices</key>

<dict>

<key>com.symantec.sharedsettings</key>

<true/>

</dict>

<key>Program</key>

<string>/Library/PrivateFrameworks/SymSharedSettings.framework/Tools/SymSharedS ettingsd</string>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.symantec.symdaemon.plist

- mod date: Sep 12 23:57:57 2014

- checksum: 513030552

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.symantec.symdaemon</string>

<key>OnDemand</key>

<key>KeepAlive</key>

<dict>

<key>SuccessfulExit</key>

</dict>

<key>RunAtLoad</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/MacOS/SymDaemon</string>

</array>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus.plist

- mod date: Feb 4 17:43:24 2013

- checksum: 4244331265

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Disabled</key>

<key>Label</key>

<string>com.zeobit.MacKeeper.AntiVirus</string>

<key>Program</key>

<string>/Library/Application Support/MacKeeper/AntiVirus.app/Contents/MacOS/AntiVirus</string>

<key>OnDemand</key>

</dict>

</plist>

Contents of /Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist

- mod date: Feb 5 19:08:27 2013

- checksum: 3798729423

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Disabled</key>

<key>Label</key>

<string>com.zeobit.MacKeeper.plugin.AntiTheft.daemon</string>

<key>Program</key>

<string>/Library/Application Support/MacKeeper/MacKeeperATd</string>

<key>OnDemand</key>

</dict>

</plist>

Contents of /private/etc/fstab

- mod date: Jan 9 19:58:30 2004

- checksum: 2310170729

[N/A]

Contents of /private/etc/liveupdate.conf

- mod date: Mar 15 17:46:53 2015

- checksum: 114118656

hosts/0/url=http://liveupdate.symantecliveupdate.com:80

hosts/1/url=http://liveupdate.symantec.com:80

hosts/2/login:ENC=UUID

hosts/2/password:ENC=UUID

hosts/2/url=ftp://update.symantec.com/opt/content/onramp

workdir=/tmp

Contents of Library/LaunchAgents/cinema-plus-1-1_updater.plist

- Apple binary property list

- mod date: Jan 4 22:34:33 2015

- checksum: 3972282463

Dict {

StartInterval = 86400

ProgramArguments = Array {

bash

/Users/USER/Library/LaunchAgents/cinema-plus-1-1_updater.sh

}

Label = com.cinema-plus-1-1.updater

}

Contents of Library/LaunchAgents/com.adobe.ARM.UUID.plist

- mod date: Aug 17 21:30:39 2010

- checksum: 2930943039

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.adobe.ARM.UUID</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/Adobe Reader 9_/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.adobe.ARM.UUID.plist

- mod date: Aug 18 18:46:56 2010

- checksum: 573770682

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.adobe.ARM.UUID</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/Adobe Reader 9__/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.apple.SafariBookmarksSyncer.plist

- mod date: Feb 12 18:22:38 2011

- checksum: 2239309128

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.apple.Safari</string>

<key>LimitLoadToSessionType</key>

<key>ProgramArguments</key>

<array>

<string>/Applications/Safari.app/Contents/SafariSyncClient.app/Contents/MacOS/S afariSyncClient</string>

<string>com.apple.Safari</string>

<string>--entitynames</string>

<string>com.apple.bookmarks.Bookmark,com.apple.bookmarks.Folder</string>

</array>

<key>RunAtLoad</key>

<key>ThrottleInterval</key>

<key>WatchPaths</key>

<array>

<string>/Users/USER/Library/Safari/Bookmarks.plist</string>

</array>

</dict>

...and 1 more line(s)

Contents of Library/LaunchAgents/com.extensions.updater67619.agent.plist

- mod date: Mar 14 00:11:27 2015

- checksum: 2057474393

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.extensions.updater67619.agent.plist</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/LaunchAgents/UpdateDownloader</string>

<string>cmpId=2498</string>

<string>verifier=UUID</string>

<string>extId=67619</string>

<string>updatejsondomain=http://update.ourinputdatastorage.com</string>

<string>statsdomain=http://stats.ourinputdatastorage.com</string>

<string>eventsdomain=http://logs.ourinputdatastorage.com</string>

<string>errorsdomain=http://errors.ourinputdatastorage.com</string>

<string>installerversion=01-27</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StartInterval</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.flashmall.agent.plist

- mod date: Mar 14 00:10:12 2015

- checksum: 2324341067

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>KeepAlive</key>

<key>Label</key>

<string>com.flashmall.agent</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/flashmall/Service.app/Contents/MacOS/Service</strin g>

<string>--service</string>

<string>--unique_id=UUID</string>

<string>--unique_data=UUID</string>

</array>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of Library/LaunchAgents/com.genieo.completer.download.plist

- mod date: Oct 15 20:15:26 2014

- checksum: 2253391813

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.genieo.completer.download</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS< /string>

<string>-trigger</string>

<string>download</string>

<string>-isDev</string>

<string>-installVersion</string>

<string>-firstAppId</string>

</array>

<key>WatchPaths</key>

<array>

<string>/Users/USER/Downloads</string>

</array>

</dict>

</plist>

Contents of Library/LaunchAgents/com.genieo.completer.ltvbit.plist

- mod date: Oct 15 20:15:26 2014

- checksum: 2197012581

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.genieo.completer.ltvbit</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS< /string>

<string>-trigger</string>

<string>ltvbit</string>

<string>-isDev</string>

<string>-installVersion</string>

<string>-firstAppId</string>

</array>

<key>StartCalendarInterval</key>

<dict>

<key>Minute</key>

</dict>

...and 2 more line(s)

Contents of Library/LaunchAgents/com.genieo.completer.update.plist

- mod date: Oct 15 20:15:26 2014

- checksum: 1645743826

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.genieo.completer.update</string>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS< /string>

<string>-trigger</string>

<string>update</string>

<string>-isDev</string>

<string>-installVersion</string>

<string>-firstAppId</string>

</array>

<key>StartInterval</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.hp.printerAgent.plist

- mod date: Sep 4 21:49:50 2012

- checksum: 2038933932

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.hp.printerAgent</string>

<key>OnDemand</key>

<key>Program</key>

<string>/Library/Printers/hp/laserjet/P1100_1560_1600Series/printerAgent</strin g>

<key>ProgramArguments</key>

<array>

<string>/Library/Printers/hp/laserjet/P1100_1560_1600Series/printerAgent</strin g>

</array>

<key>RunAtLoad</key>

<true/>

<key>ServiceIPC</key>

<true/>

<key>Sockets</key>

<dict>

<key>MyListenerSocket</key>

<dict>

<key>SockServiceName</key>

</dict>

...and 3 more line(s)

Contents of Library/LaunchAgents/com.jdibackup.JustCloud.autostart.plist

- mod date: Dec 3 22:12:30 2014

- checksum: 1724258653

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.jdibackup.JustCloud.autostart</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/JustCloud.app/Contents/Resources/Utility.app</string>

</array>

<key>StandardOutPath</key>

<string>/Users/USER/Library/Logs/JustCloud/lagent_out.log</string>

<key>StandardErrorPath</key>

<string>/Users/USER/Library/Logs/JustCloud/lagent_err.log</string>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of Library/LaunchAgents/com.jdibackup.JustCloud.notify.plist

- mod date: Dec 3 22:12:30 2014

- checksum: 133499499

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.jdibackup.JustCloud.notify</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/JustCloud.app/Contents/Resources/Utility.app</string>

</array>

<key>StandardOutPath</key>

<string>/Users/USER/Library/Logs/JustCloud/lagent_out.log</string>

<key>StandardErrorPath</key>

<string>/Users/USER/Library/Logs/JustCloud/lagent_err.log</string>

<key>StartInterval</key>

<key>RunAtLoad</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

- mod date: Mar 15 17:50:54 2015

- checksum: 2580545789

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.jdibackup.ZipCloud.autostart</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>

</array>

<key>StandardOutPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>

<key>StandardErrorPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>

<key>RunAtLoad</key>

<true/>

</dict>

</plist>

Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.backupstart.plist

- mod date: Mar 15 17:51:12 2015

- checksum: 2998977907

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.jdibackup.ZipCloud.backupstart</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>

</array>

<key>StandardOutPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>

<key>StandardErrorPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>

<key>StartCalendarInterval</key>

<dict>

<key>Minute</key>

...and 5 more line(s)

Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist

- mod date: Mar 15 17:50:49 2015

- checksum: 3596902350

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.jdibackup.ZipCloud.notify</string>

<key>ProgramArguments</key>

<array>

<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>

</array>

<key>StandardOutPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>

<key>StandardErrorPath</key>

<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>

<key>StartInterval</key>

<key>RunAtLoad</key>

</dict>

</plist>

Contents of Library/LaunchAgents/com.webhelper.plist

- mod date: Mar 14 00:07:52 2015

- checksum: 607497305

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.webhelper</string>

<key>EnableGlobbing</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/webHelperApp/launch</string>

<string>-source</string>

<string>-brand</string>

</array>

<key>KeepAlive</key>

<true/>

<key>RunAtLoad</key>

<true/>

<key>OnDemand</key>

<true/>

<key>StandardErrorPath</key>

...and 6 more line(s)

Contents of Library/LaunchAgents/com.webtools.uninstaller.plist

- mod date: Mar 14 00:07:52 2015

- checksum: 1807829374

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Label</key>

<string>com.webtools.uninstaller.app</string>

<key>EnableGlobbing</key>

<true/>

<key>WatchPaths</key>

<array>

<string>/Applications/WebTools.app</string>

</array>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/Application Support/webHelperApp/uninstall</string>

</array>

</dict>

</plist>

Contents of Library/LaunchAgents/com.webtools.update.agent.plist

- mod date: Mar 14 00:07:54 2015

- checksum: 533367765

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>EnableGlobbing</key>

<true/>

<key>KeepAlive</key>

<true/>

<key>Label</key>

<string>com.webtools.update.0.0.0.9.agent</string>

<key>OnDemand</key>

<true/>

<key>ProgramArguments</key>

<array>

<string>/Users/USER/Library/WebTools/UpdateAgent/run_update.sh</string>

</array>

<key>RunAtLoad</key>

<true/>

<key>StandardErrorPath</key>

<key>StandardOutPath</key>

<key>StartInterval</key>

<key>ThrottleInterval</key>

...and 3 more line(s)

Contents of Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

- mod date: Mar 15 18:47:05 2015

- checksum: 1794757485

<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<dict>

<key>Disabled</key>

<key>EnvironmentVariables</key>

<dict>

<key>ZBTimeStamp</key>

</dict>

<key>Label</key>

<string>com.zeobit.MacKeeper.Helper</string>

<key>LimitLoadToSessionType</key>

<key>OnDemand</key>

<key>Program</key>

<string>/Applications/MacKeeper.app/Contents/Resources/MacKeeper Helper.app/Contents/MacOS/MacKeeper Helper</string>

</dict>

</plist>

Contents of Library/LaunchAgents/shopy-mate_updater.plist

- Apple binary property list

- mod date: Oct 24 23:41:02 2014

- checksum: 2249694903

Dict {

StartInterval = 86400

ProgramArguments = Array {

bash

/Users/USER/Library/LaunchAgents/shopy-mate_updater.sh

}

Label = com.shopy-mate.updater

}

Bad plists

Library/Preferences/com.apple.iphotomosaic.plist

Library paths

/Applications/Adobe Photoshop CS5/MATLAB/Required/psmatlab.dylib

/Applications/Microsoft Office 2011/Office/MicrosoftSetupUI.framework/Libraries/mbupgx.dylib

/Applications/Microsoft Office 2011/Office/OPF.framework/Versions/14/Resources/OPF_Common.dylib

/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/Fm20.dylib

/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/MicrosoftOLE2TypesLib.dylib

/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/RefEdit.dylib

/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/RichEdit.dylib

/Library/Application Support/Adobe/APE/3.1/adbeapecore.framework/Versions/A/Resources/WebKit.dylib

/Library/Application Support/Adobe/CS5ServiceManager/lib/CSXS-Installer-Hook.dylib

/Library/Application Support/Adobe/CS5ServiceManager/lib/ServiceManager-Launcher.dylib

/Library/Application Support/Adobe/OOBE/PDApp/DWA/DWANative.dylib

/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKCmdCaps.dylib

/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKCmdFS.dylib

/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKEngine.dylib

/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/AdobePIM.dylib

/Library/Application Support/Adobe/OOBE/PDApp/LWA/PWANative.dylib

/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_caps.dylib

/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_oobelib.dylib

/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_upgrade.dylib

/Library/Application Support/Adobe/OOBE/PDApp/UWA/UWANative.dylib

/Library/Application Support/Adobe/OOBE/PDApp/core/AdobePIM.dylib

/Library/Application Support/Symantec/AntiVirus/Engine/libecomlodr.dylib

/Library/Application Support/Symantec/AntiVirus/Engine20140902/libecomlodr.dylib

/Library/Application Support/Symantec/AntiVirus/Engine20140909/libecomlodr.dylib

/Library/Application Support/Symantec/AntiVirus/Hub/libecomlodr.dylib

/Library/Application Support/Symantec/AntiVirus/NewEngine/libecomlodr.dylib

/Library/Application Support/Symantec/LiveUpdate/LUMicroDefs2.dylib

/Library/Application Support/Symantec/LiveUpdate/LUMicroDefs25.dylib

/Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib

/Library/PrivateFrameworks/SymLicensing.framework/Versions/A/Resources/LMUI.dyl ib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr17-i386.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr17-x86_64.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr24-i386.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr24-x86_64.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr17-i386.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr17-x86_64.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr24-i386.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr24-x86_64.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/{UUID}/components/Darwin_x86-gcc3/libcalbasecomps.dylib

/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/{UUID}/components/Darwin_x86_64-gcc3/libcalbasecomps.dylib

/usr/lib/libsymsea.1.1.0.dylib

/usr/local/lib/libecomlodr.dylib

App extensions

com.getdropbox.dropbox.garcon

Installations

PlugIn: 5/12/12, 2:13 PM

Office 2011 14.2.1 Update: 4/26/12, 7:24 PM

Microsoft Error Reporting for Mac: 4/17/12, 6:09 PM

Office 2011 14.2.0 Update: 4/17/12, 5:42 PM

Office 2011 14.1.4 Update: 12/27/11, 4:22 PM

Bad kernel extensions

/System/Library/Extensions/SymEvent.kext

/System/Library/Extensions/SymOSXKernelUtilities.kext

Elapsed time (sec): 439

Reply

Answer 8

Linc Davis

Level 10

209,547 points

Mar 21, 2015 12:33 PM in response to qaisfromnew york

A

The startup drive is failing, or there is some other internal hardware fault.

Back up all data on the drive immediately if you don't already have a current backup. There are ways to back up a computer that isn't fully functional—ask if you need guidance.

Make a "Genius" appointment at an Apple Store, or go to another authorized service provider.

If privacy is a concern, erase the data partition(s) with the option to write zeros* (do this only if you have at least two complete, independent backups, and you know how to restore to an empty drive from any of them.) Don’t erase the recovery partition, if present.

Keeping your confidential data secure during hardware repair

Apple also recommends that you deauthorize a device in the iTunes Store before having it serviced.

*An SSD doesn't need to be zeroed.

I suggest you defer the remaining steps until after the hardware fault has been corrected.

B

You installed the "Crossrider" trojan. Take the steps below to disable it.

Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

Back up all data before continuing.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:

com.crossrider

com.flashmall

com.webhelper

com.webtools

flashmall

WebSocketServerApp

Some of these files may be absent. Move any that you have to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library/Application Support

A folder named "Application Support" will open. Inside it there may be a subfolder with this name:

webHelperApp

If so, move that subfolder—not the "Application Support" folder—to the Trash.

4. Open this folder in the same way as above:

~/Library/ScriptingAdditions

and remove an item named

BrowserHelper.osax

if present.

5. Finally, open this folder:

~/Library

Look for a subfolder with this name:

WebTools

and move it to the Trash, if present. Finally, empty the Trash.

C

You also installed the "CinemaPro" trojan. Take the steps below to disable it.

1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:

cinema-plus

cinemas-+-plus

com.cinemapro

com.extensions.updater

Safari Security

shopy-mate

UpdateDownloader

Move all such items to the Trash.

Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.

3. Do as in Step 1 with this line:

~/Library

A folder named "Library" will open. Inside it there may be a subfolder with a name beginning

cinemapro

If so, move that subfolder—not the Library folder—to the Trash.

4. Finally, open this folder in the same way as above:

~/Applications

This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name beginning like this:

cinemapro

and move it to the Trash, if present. Finally, empty the Trash.

D

You also installed the "Genieo" and "SearchProtect" trojans. Follow the instructions on this Apple Support page to remove those.

After removing the malware, remember to reset your home page in all the web browsers affected, if it was changed.

E

You need to become much more cautious about installing software. Until you have more experience as a Mac user, I suggest you change a setting to allow only Apple updates and software from the App Store to be installed.

Open the Security & Privacy pane in System Preferences and select the General tab. Click the lock icon in the lower left corner and enter your password to unlock the settings. Select the button marked

Mac App Store

and close the preference pane. For information about the effects of this setting, see this support article. You may need to change the setting temporarily to install some third-party software, such as Flash Player. Be especially careful with that, as malware is often distributed in the form of a fake Flash update. Never follow a link to a Flash update on any web page. Instead use the built-in updater in the Flash Player preference pane.

The products in the App Store, while they aren't always very good, can at least be considered safe enough to use.

F

Remove the Norton/Symantec product by following these instructions. If you have a different version of the product, the procedure may be different.

Back up all data before making any changes.

G

"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.

To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)

Quit the application, if it's running, and drag it from the Applications folder to the Trash.

Triple-click anywhere in the line below on this page to select it:

~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

Right-click or control-click the highlighted line and select

Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.

In the same folder, there may also be a file named

com.jdibackup.ZipCloud.notify.plist

Move that to the Trash as well.

Log out or restart the computer and empty the Trash.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

H

Some of your user files (not system files) have incorrect permissions or are locked. This procedure will unlock those files and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.

Back up all data before proceeding.

Step 1

If you have more than one user, and the one in question is not an administrator, then go to Step 2.

Enter the following command in the Terminal window in the same way as before (triple-click, copy, and paste):

sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-

You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.

The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.

Step 2 (optional)

Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.

Start up in Recovery mode. When the OS X Utilities screen appears, select

Utilities ▹ Terminal

from the menu bar. A Terminal window will open. In that window, type this:

resetp

Press the tab key. The partial command you typed will automatically be completed to this:

resetpassword

Press return. A Reset Password window will open. You’re not going to reset a password.

Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.

Select your username from the menu labeled Select the user account if not already selected.

Under Reset Home Directory Permissions and ACLs, click the Reset button.

Select

 ▹ Restart

from the menu bar.

I

Back up all data.

Run the following command in the same way as before. It moves to the Trash "semaphore" files that have not been cleaned up by the system and may be interfering with normal operation. The files are empty; they contain no data. There will be no output this time.

find L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.??????? -exec mv {} .Trash/ \; 2>&-

Log out or restart the computer and empty the Trash.

Reply

Answer 9

Mar 21, 2015 7:09 PM in response to Linc Davis

YOU ARE THE MAN !!!

I did everything but somehow could not remove the symantec because Idid not have the uninstall

will check with the Genius bar to see whether I need to change my hard drive or get a new imac

MANY MANY thanks

Reply

Answer 10

Mar 23, 2015 12:10 PM in response to raegan_reann

I read this and everything just really confused me. I'm not very computer savvy so does anyone know of any youtube videos or anything that is a step by step? Thanks!

Reply

Answer 11

Mar 24, 2015 1:40 PM in response to Linc Davis

Hi Linc: I don't know whether this is an appropriate question to post on the site since it is somewhat personal, but do you "moonlight" as an Apple consultant? I have a number of issues that I would like fixed (slow iMac etc) and would be happy if you actually take "private clients"

Reply

Answer 12

shea1384

Level 1

0 points

Mar 25, 2015 6:55 AM in response to Linc Davis

how do i back something up ? I don't want to lose my pictures, music . Thanks !

Reply

Answer 13

Eric Root

Level 10

684,057 points

Mar 25, 2015 2:23 PM in response to qaisfromnew york

MacKeeper – Do Not Install

MacKeeper – Do Not Install (2) See SDW2001’s post

MacKeeper Removal

Reply

Answer 14

Mar 29, 2015 12:08 AM in response to Linc Davis

Linc Davis, you're my hero.

Reply

Answer 15

Mar 31, 2015 8:37 AM in response to Linc Davis

Hi Linc,

first of all thank you for this article!

At the moment I have problems with 2 macs (1 macbook, and 1 iMac).. I've run the above test and posted the results in the paste bin as requested:

For the iMac, the problem is that it started to slow down a week ago, and every day is worse (I have not noted FlashMail there yet..) - I did the above checks to see if there were any files on the computer (such as crossrider, web helper, flash mail,..) but didn't find anything.

The test results are here: http://pastebin.com/nFcNLBms

With respect to de macbook, there I DO have these annoying Flashmail ads (in every browser I open!), but still, the search didn't reveal any files either (crossrider, web helper, flash mail,..) ???…

The test results for MacBook (the one with Flashmail) are posted in the pastebin: http://pastebin.com/UMXii3Lm

I really appreciate any help - suggestions you might have...

Many thanks in advance!

Isabel

Reply