What is FlashMail? How do I remove it from my Mac?
This ad keeps popping up in my Safari. I am not sure how to make it go away. Help. PLEASE!
MacBook Air (11-inch, Early 2014), iOS 8
There is no need to download anything to solve this problem. You installed the "Crossrider" trojan. Take the steps below to disable it.
Malware is always changing to get around the defenses against it. These instructions are valid as of today, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with any of the following names:
com.crossrider.wss*.agent.plist
com.webhelper.plist
com.webtools.update.agent.plist
flashmall_updater.plist
flashmall_updater.sh
WebSocketServerApp
Here * stands for a variable six-digit number. Some of these files may be absent. Move any that you have to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library/Application Support
A folder named "Application Support" will open. Inside it there may be a subfolder with this name:
webHelperApp
If so, move that subfolder—not the "Application Support" folder—to the Trash.
4. Finally, open this folder in the same way as above:
~/Library
Look for a subfolder with this name:
WebTools
and move it to the Trash, if present. Finally, empty the Trash.
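A read-only check for the components listed in steps 2 to 4 above, added here as an example; it is not part of the original reply. The function name `scan_crossrider` is hypothetical, and the script only lists matches: moving them to the Trash stays a manual step.

```shell
#!/bin/bash
# Added example (not from the original reply): read-only check for the
# Crossrider components named in steps 2-4. Nothing is moved or deleted.

# scan_crossrider [HOME_DIR]   (hypothetical helper name)
# Prints one path per component found under HOME_DIR (default: $HOME).
# Returns 0 if at least one component exists, 1 if none do.
scan_crossrider() {
    local home agents f found
    home="${1:-$HOME}"
    agents="$home/Library/LaunchAgents"
    found=1

    # Step 2: items in ~/Library/LaunchAgents. The post's "*" stands for a
    # six-digit number, so the glob requires exactly six digits. An unmatched
    # glob stays literal and simply fails the existence test below.
    # Step 3: subfolder of ~/Library/Application Support (path contains a space).
    # Step 4: subfolder of ~/Library.
    for f in \
        "$agents"/com.crossrider.wss[0-9][0-9][0-9][0-9][0-9][0-9].agent.plist \
        "$agents/com.webhelper.plist" \
        "$agents/com.webtools.update.agent.plist" \
        "$agents/flashmall_updater.plist" \
        "$agents/flashmall_updater.sh" \
        "$agents/WebSocketServerApp" \
        "$home/Library/Application Support/webHelperApp" \
        "$home/Library/WebTools"
    do
        # -L also catches a dangling symlink left behind by a partial cleanup.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "$f"
            found=0
        fi
    done
    return "$found"
}

# Scan the current user's home folder, or the folder given as the first argument.
scan_crossrider "${1:-$HOME}" || echo "None of the listed components were found."
```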
Thanks SO much for your knowledge! Now I need to backtrack & research how I fell for this in 1st place! Human engineering is still a viable pen tool...
(I actually thought it was an extension update when I was using Firefox & once opened, realized something was bad wrong. But how it actually appeared is what I want to figure out)
Linc, you're brilliant! Just used your step-by-step to eliminate the virus on my Mac with Safari. Thanks so much!
Great reply Linc, but unfortunately, I did everything you say, but as you suspected, it did not get rid of everything.
What shall I do now?
Thanks
Download the AdwareMedic removal tool
http://www.adwaremedic.com/kb/download-redirect.php
To understand where this came from and how to avoid it in the future read John Galt's How to install adware.
https://discussions.apple.com/docs/DOC-7471
You can download AdwareMedic directly from here if you get redirected to MacKeeper.
1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.
Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.
Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
4. Here's a summary of what you need to do, if you choose to proceed:
☞ Copy a line of text in this window to the Clipboard.
☞ Paste into the window of another application.
☞ Wait for the test to run. It usually takes a few minutes.
☞ Paste the results, which will have been copied automatically, back into a reply on this page.
The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is sometimes, but not always, slow, run the test during a slowdown.
You may have started up in "safe" mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
Triple-click anywhere in the line of text below on this page to select it:
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(1296 ' 0.5 0.25 50 1000 15 5120 1000 25000 6 6 5 1 0 100 ' 51 25600 4 10 25 5120 102400 1000 25 1536 450 40 500 300 85 25 20480 262144 20 2000 524288 604800 5 1024 25 );k=({Soft,Hard}ware Memory Diagnostics Power FireWire Thunderbolt USB Bluetooth SerialATA Extensions Applications Frameworks PrefPane Fonts Displays PCI UniversalAccess InstallHistory ConfigurationProfile AirPort 'com\.apple\.' -\\t N\\/A 'AES|atr|udit|msa|dnse|ax|ensh|fami|FileS|fing|ft[pw]|gedC|kdu|etS|is\.|alk|ODSA|otp|htt|pace|pcas|ps-lp|rexe|rlo|rsh|smb|snm|teln|upd-[aw]|uuc|vix|webf' OSBundle{Require,AllowUserLoa}d 'Mb/s:Mb/s:ms/s:KiB/s:%:total:MB:total:lifetime:sampled:per sec' 'Net in:Net out:I/O wait time:I/O requests:CPU usage:Open files:Memory:Mach ports:Energy:Energy:File opens:Forks:Failed forks:System errors' 'tsA|[ST]M[HL]' PlistBuddy{,' 2>&1'}' -c Print' 'Info\.plist' CFBundleIdentifier );f=('\n%s'{': ','\n\n'}'%s\n' '\nRAM details\n%s\n' %s{' ','\n'{"${k[22]}",}}'%s\n' '%.1f GiB: %s\n' '\n ...and %s more line(s)\n' '\nContents of %s\n '"${k[22]}"'mod date: %s\n '"${k[22]}"'checksum: %s\n%s\n' );c=(879294308 4071182229 461455494 216630318 3627668074 1083382502 1274181950 1855907737 2758863019 1848501757 464843899 2636415542 3694147963 1233118628 2456546649 2806998573 2778718105 842973933 1383871077 1591517921 676087606 1445213025 2051385900 3301885676 891055588 998894468 695903914 1443423563 4136085286 3374894509 1051159591 892310726 1707497389 523110921 2883943871 3873345487 );s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/faceb/s/(at\.)[^.]+/\1NAME/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[4]} ' s/:$//;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: (E[^m]|[^EO])|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[9]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ 
[0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of|yc/!{ s/^.+is |\.//g;p;q;} ' ' BEGIN { FS="\f";if(system("A1 42 83 114")) d="^'"${k[21]}"'launch(d\.peruser\.[0-9]+|ctl\.(Aqua|Background|System))$";} { if($2~/[1-9]/) { $2="status: "$2;printf("'"${f[4]}"'",$1,$2);} else if(!d||$1!~d) print $1;} ' ' $1>1{$NF=$NF" x"$1} /\*/{if(!f)f="\n\t* Code injection"} {$1=""} 1;END{print f} ' ' NR==2&&$4<='${p[7]}'{print $4} ' ' BEGIN{FS=":"} ($1~"wir"&&$2>'${p[22]}') {printf("wired %.1f\n",$2/2^18)} ($1~/P.+ts/&&$2>'${p[19]}') {printf("paged %.1f\n",$2/2^18)} ' '/YLD/s/=/ /p' ' { q=$1;$1="";u=$NF;$NF="";gsub(/ +$/,"");print q"\f"$0"\f"u;} ' ' /^ {6}[^ ]/d;s/:$//;/([^ey]|[^n]e):/d;/e: Y/d;s/: Y.+//g;H;${ g;s/ \n (\n)/\1/g;s/\n +(M[^ ]+)[ -~]+/ (\1)/;s/\n$//;/( {8}[^ ].*){2,}/p;} ' 's:^:/:p;' ' !/, .+:/ { print;n++;} END{if(n<'{${p[12]},${p[13]}}')printf("^'"${k[21]}"'.+")} ' '|uniq' ' 1;END { print "/L.+/Scr.+/Templ.+\.app$";print "/L.+/Pri.+\.plugin$";if(NR<'{${p[14]},${p[21]}}') print "^/[Sp].+|'${k[21]}'";} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:.+//p;' '&&echo On' '/\.(bundle|component|framework|kext|mdimporter|plugin|qlgenerator|saver|wdgt)$/p' '/\.dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".","");print $0"$";} END { split("'"${c[*]}"'",c);for(i in c) print "\t"c[i]"$";} ' ' /^\/(Ap|Dev|Inc|Prev)/d;/((iTu|ok).+dle|\.(component|mailbundle|mdimporter|plugin|qlgenerator|saver|wdgt))$/p;' ' BEGIN{ FS="= "} $2 { gsub(/[()"]/,"",$2);print $2;} !/:/&&!$2{print "'${k[23]}'"} ' ' /^\//!d;s/^.{5}//;s/ [^/]+\//: \//p;' '>&-||echo No' '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[2]}'{$2=$2-1;print}' ' BEGIN { M1='${p[16]}';M2='${p[18]}';M3='${p[8]}';M4='${p[3]}';} !/^A/{next};/%/ { getline;if($5<M1) o["CPU"]="CPU: user "$2"%, system "$4"%";next;} 
$2~/^disk/&&$4>M2 { o[$2]=$2": "$3" ops/s, "$4" blocks/s";next;} $2~/^(en[0-9]|bridg)/ { if(o[$2]) { e=$3+$4+$5+$6;if(e) o[$2]=o[$2]"; errors "e"/s";next;};if($4>M3||$6>M4) o[$2]=$2": in "int($4/1024)", out "int($6/1024)" (KiB/s)";} END { for(i in o) print o[i];} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/)||(/v6:/&&$2!~/A/) ' ' BEGIN{FS=": "} /^ {10}O/ {exit} /^ {0,12}[^ ]/ {next} $1~"Ne"&&$2!~/^In/{print} $1~"Si" { split($2,a," ");if(a[1]-a[4]<'${p[5]}') print;};$1~"T"&&$2<'${p[20]}'{print};$1~"Se"&&$2!~"2"{print};' ' BEGIN { FS="\f";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1;} ' ' BEGIN { split("'"${p[1]}"'",m);FS="\f";} $2<=m[$1]{next} $1==9||$1==10 { "ps -c -ouid -p"$4"|sed 1d"|getline $4;} $1<11 { o[$1]=o[$1]"\n "$3" (UID "int($4)"): "$2;} $1==11&&$5!~"^/dev" { o[$1]=o[$1]"\n "$3" (UID "$4") => "$5" (status "$6"): "$2;} $1==12&&$5 { "ps -c -ocomm -p"$5"|sed 1d"|getline n;if(n) $5=n;o[$1]=o[$1]"\n "$5" => "$3" (UID "$4"): "$2;} $1~/1[34]/ { o[$1]=o[$1]"\n "$3" (UID "$4", error "$5"): "$2;} END { n=split("'"${k[27]}"'",u,":");for(i=n+1;i<n+4;i++)u[i]=u[n];split("'"${k[28]}"'",l,":");for(i=1;i<15;i++) if(o[i])print "\n"l[i]" ("u[i]")\n"o[i];} ' ' /^ {8}[^ ]/{print} ' ' BEGIN { L='${p[17]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n [N/A]";"cksum "F|getline C;split(C, A);C=A[1];"stat -f%Sm "F|getline D;"file -b "F|getline T;if(T~/^Apple b/) { f="";l=0;while("'"${k[30]}"' "F|getline g) { l++;if(l<=L) f=f"\n "g;};};if(T!~/^(AS.+ (En.+ )?text(, with v.+)?$|(Bo|PO).+ sh.+ text ex|XM)/) F=F"\n '"${k[22]}"'"T;printf("'"${f[8]}"'",F,D,C,f);if(l>L) printf("'"${f[7]}"'",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' 's/^.{52}(.+) <.+/\1/p' ' /id: N|te: Y/{i++} END{print i} ' ' /kext:/ { 
split($0,a,":");p=a[1];k[S]='${k[25]}';k[U]='${k[26]}';v[S]="Safe";v[U]="true";for(i in k) { s=system("'"${k[30]}"'\\ :"k[i]" \""p"\"/*/I*|grep -qw "v[i]);if(!s) a[1]=a[1]" "i;};if(!a[2]) a[2]="'"${k[23]}"'";printf("'"${f[4]}"'",a[1],a[2]);next;} !/^ *$/ { p="'"${k[31]}"'\\ :'"${k[33]}"' \""$0"\"/*/'${k[32]}'";p|getline b;close(p);if(b~/, .+:/||b=="") b="'"${k[23]}"'";printf("'"${f[4]}"'",$0,b);} ' '/ en/!s/\.//p' ' NR>=13 { gsub(/[^0-9]/,"",$1);print;} ' ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9|"sort|uniq";} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?'${k[32]}'$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ / [VY]/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' '/^find: /!p;' ' /^p/{ s/.//g;x;s/\nu/'$'\f''/;s/(\n)c/\1'$'\f''/;s/\n\n//;p;};H;' ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */ /;p;' ' s/^.+ |\(.+\)$//g;p;' '1;END{if(NR<'${p[15]}')printf("^/(S|usr/(X|li))")}' ' /2/{print "WARN"};/4/{print "CRITICAL"};' ' /EVHF|MACR|^s/d;s/^.+: //p;' ' $3~/^[1-9][0-9]{0,2}(\.[1-9][0-9]{0,2}){2}$/ { i++;n=n"\n"$1"\t"$3;} END{ if(i>1)print n} ' s/{'\.|jnl: ','P.+:'}'//;s/ +([0-9]+)(.+)/\2'$'\t\t''\1/p' ' /^ +iP.+:$/{ s/://;b0'$'\n'' };/es: ./{ /iOS/d;s/^.+://;b0'$'\n'' };/^ +C.+ted: +[NY]/H;/:$/b0'$'\n'' d;:0'$'\n'' x;/: +N/d;s/\n.+//p;' ' 1d;/:$/b0'$'\n'' $b0'$'\n'' /(D|^ *Loc.+): /{ s/^.+: //;H;};/(B2|[my]): /H;d;:0'$'\n'' x;/[my]: [AM]|m: I.+p$|^\/Vo/d;s/(^|\n) [ -~]+//g;s/(.+)\n(.+)/\2:\1/;s/\n//g;/[ -~]/p;' 's/$/'$'\f''(0|-(4[34])?)$/p' '|sort'{'|uniq'{,\ -c},\ -nr} ' s/^/'{5,6,7,8,9,10}$'\f''/;s/ *'$'\f'' */'$'\f''/g;p;' 's/:.+$//p' '|wc -l' /{\\.{kext,xpc,'(appex|pluginkit)'}'\/(Contents\/)?'Info,'Launch[AD].+'}'\.plist$/p' 's/([-+.?])/\\\1/g;p' 's/, /\'$'\n/g;p' ' BEGIN{FS="\f"} { printf("'"${f[6]}"'",$1/2^30,$2);} ' ' /= D/&&$1!~/'{${k[24]},${k[29]}}'/ { getline d;if(d~"t") print $1;} ' ' BEGIN{FS="\t"} NR>1&&$NF!~/0x|\.([0-9]{3,}|[-0-9A-F]{36})$/ { print $NF"\f"a[split($(NF-1),a," 
")];} ' '|tail -n'{${p[6]},${p[10]}} ' s/.+bus /Bus: /;s/,.+[(]/ /;s/,.+//p;' ' { $NF=$NF" Errors: "$1;$1="";} 1 ' ' 1s/^/\'$'\n''/;/^ +(([MNPRSV]|De|Li|Tu).+|Bus): .|d: Y/d;s/:$//;$d;p;' ' BEGIN { RS=",";FS=":";} $1~"name" { gsub("\"","",$2);print $2;} ' '|grep -q e:/' '/[^ .]/p' '{ print $1}' ' /^ +N.+: [1-9]/ { i++;} END { if(i) print "system: "i;} ' ' NF { print "'{admin,user}' "$NF;exit;} ' ' /se.+ =/,/[\}]/!d;/[=\}]/!p ' ' 3,4d;/^ +D|Of|Fu| [0B]/d;s/^ |:$//g;$!H;${ x;/:/p;} ' ' BEGIN { FS=": ";} NR==1 { sub(":","");h="\n"$1"\n";} /:$/ { l=$1;next;} $1~"S"&&$2!~3 { getline;next;} /^ {6}I/ { i++;L[i]=l" "$2;if(i=='${p[24]}') exit;} END { if(i) print h;for(j=0;j<i;j++) print L[i-j];} ' ' /./H;${ x;s/\n//;s/\n/, /g;/,/p;} ' ' {if(int($6)>'${p[25]}')printf("swap used %.1f\n",$6/1024)} ' ' BEGIN{FS="\""} $3~/ t/&&$2!~/'{${k[24]},${k[29]}}'/{print $2} ' ' int($1)>13 ' p ' BEGIN{FS="DB="} { sub(/\.db.*/,".db",$2);print $2;} ' {,1d\;}'/r%/,/^$/p' ' NR==1{next} NR>11||!$0{exit} {print $NF"\f"substr($0,1,32)"\f"$(NF-7)} ' '/e:/{print $2}' ' /^[(]/{ s/....//;s/$/:/;N;/: [)]$/d;s/\n.+ ([^ ]+).$/\1/;H;};${ g;p;} ' '1;END { exit "find /var/db/r*/'${k[21]}'*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom -mtime -'${p[23]}'s"|getline;} ' ' NR<='${p[26]}' { o=o"\n"$0;next;} { o="";exit;} END{print o|"sed 1d"} ' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps crontab kextfind top pkgutil "${k[30]}\\" echo cksum kextstat launchctl smcDiagnose sysctl\ -n defaults\ read stat lsbom 'mdfind -onlyin' env pluginkit scutil 'dtrace -q -x aggsortrev -n' security sed\ -En awk 'dscl . -read' networksetup mdutil lsof test osascript\ -e netstat mdls route cat uname powermetrics );c2=(${k[21]}loginwindow\ LoginHook ' /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'" 'L*/Ca*/'${k[21]}'Saf*/E* -d 2 -name '${k[32]} '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! 
-perm -600 \)' -i '-nl -print' '-F \$Sender -k Level Nle 3 -k Facility Req "'${k[21]}'('{'bird|.*i?clou','lsu|sha'}')"' "-f'%N: %l' Desktop {/,}L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message CRne '0xdc008012|(allow|call)ing|Goog|(mplet|nabl)ed|ry HD|safe b|xpm' -k Message CReq 'bad |Can.t l|corru|dead|fail|GPU |hfs: Ru|inval|Limiti|v_c|NVDA[(]|pagin|Purg(ed|in)|error|Refus|TCON|tim(ed? ?|ing )o|trig|WARN' " '-du -n DEV -n EDEV 1 10' 'acrx -o%cpu,comm,ruid' "' syscall::recvfrom:return {@a[execname,uid]=sum(arg0)} syscall::sendto:return {@b[execname,uid]=sum(arg0)} syscall::open*:entry {@c[execname,uid,copyinstr(arg0),errno]=count()} syscall::execve:return, syscall::posix_spawn:return {@d[execname,uid,ppid]=count()} syscall::fork:return, syscall::vfork:return, syscall::posix_spawn:return /arg0<0/ {@e[execname,uid,arg0]=count()} syscall:::return /errno!=0/ {@f[execname,uid,errno]=count()} io:::wait-start {self->t=timestamp} io:::wait-done /self->t/ { this->T=timestamp - self->t;@g[execname,uid]=sum(this->T);self->t=0;} io:::start {@h[execname,uid]=sum(args[0]->b_bcount)} tick-10sec { normalize(@a,2560000);normalize(@b,2560000);normalize(@c,10);normalize(@d,10);normalize(@e,10);normalize(@f,10);normalize(@g,10000000);normalize(@h,10240);printa(\"1\f%@d\f%s\f%d\n\",@a);printa(\"2\f%@d\f%s\f%d\n\",@b);printa(\"11\f%@d\f%s\f%d\f%s\f%d\n\",@c);printa(\"12\f%@d\f%s\f%d\f%d\n\",@d);printa(\"13\f%@d\f%s\f%d\f%d\n\",@e);printa(\"14\f%@d\f%s\f%d\f%d\n\",@f);printa(\"3\f%@d\f%s\f%d\n\",@g);printa(\"4\f%@d\f%s\f%d\n\",@h);exit(0);} '" '-f -pfc /var/db/r*/'${k[21]}'*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cght] ! -name .?\* ! 
-name \*ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f'$'\f''%Sc'$'\f''%N -t%F {} \;' '/S*/*/Ca*/*xpc*' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' /\ kMDItemContentTypeTree=${k[21]}{bundle,mach-o-dylib} :Label "/p*/e*/{auto*,{cron,fs}tab,hosts,{[lp],sy}*.conf,mach_i*/*,pam.d/*,ssh{,d}_config,*.local} {/p*,/usr/local}/e*/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list '-F "" -k Sender hidd -k Level Nle 3' /Library/Preferences/${k[21]}alf\ globalstate --proxy '-n get default' vm.swapusage --dns -get{dnsservers,info} dump-trust-settings\ {-s,-d,} '~ "kMDItemKind=Package"' '-R -ce -l1 -n5 -o'{'prt -stats prt','mem -stats mem'}',command,uid' -kl -l -s\ / '--regexp --files '${k[21]}'pkg.*' '+c0 -i4TCP:0-1023' ${k[21]}dashboard\ layer-gadgets '-d /L*/Mana*/$USER' '-app Safari WebKitDNSPrefetchingEnabled' '-Fcu +c0 -l' -m 'L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name *.plist.???????' kern.memorystatus_vm_pressure_level '3>&1 >&- 2>&3' '-F \$Message -k Sender kernel -k Message CReq "'{'n Cause: -','(a und|I/O |jnl_io.+)err|disk.+abo','USBF:.+bus'}'"' -name\ kMDItem${k[33]} -T\ hfs '-n get default' -listnetworkserviceorder :${k[33]} :CFBundleDisplayName $EUID {'$TMPDIR../C ','/{S*/,}'}'L*/{,Co*/*/*/L*/}{Cache,Log}s -type f -size +'${p[11]}'M -exec stat -f%z'$'\f''%N {} \;' \ /v*/d*/*/*l*d{,.*.$UID}/* '-app Safari UserStyleSheetEnabled' 'L*/A*/Fi*/P*/*/a*.json' users/$USER\ HomeDirectory '{/,}L*/{Con,Pref}* -type f ! 
-size 0 -name *.plist -exec plutil -s {} \;' ' -F "\$Time \$(Sender): \$Message" -k Sender Rne "launchd|nsurls" -k Level Nle 3 -k Facility R'{'ne "user|','eq "'}'console" -k Message CRne "[{}<>]|asser|commit - no t|deprec|done |ect pas|fmfd|Goog|ksho|ndum|obso|realp|rned f|/root|sandbox ex" ' getenv '/ "kMDItemDateAdded>=\$time.now(-'${p[23]}')&&kMDItem'${k[33]}'=*"' -m\ / '' ' -F "\$Time \$(RefProc): \$Message" -k Sender Req launchd -k Level Nle 3 -k Message Rne "asse|bug|File ex|hij|Ig|Jet|key is|lid t|Plea|ship" ' print{,-disabled}\ {system,{gui,user}/$UID} '-n1 --show-initial-usage --show-process-energy' -r ' -F "\$Message" -k Sender nsurlstoraged -k Time ge -1h -k Level Nle 4 -k Message Req "^(ER|IN)" ' );N1=${#c2[@]};for j in {0..20};do c2[N1+j]=SP${k[j]}DataType;done;l=({Restricted\ ,Lock,Pro}files POST Battery {Safari,App,{Bad,Loaded}\ kernel,Firefox}\ extensions System\ load boot\ args FileVault\ {2,1} {Kernel,System,Console,launchd}\ log SMC Login\ hook 'I/O per process' 'High file counts' UID {System,Login,Agent,User}' services '{load,disabl}ed {Admin,Root}\ access Font\ issues Firewall Proxies DNS TCP/IP Wi-Fi 'Elapsed time (sec)' {Root,User}\ crontab {Global,User}' login items' Spotlight Memory\ pressure Listeners Widgets Parental\ Controls Prefetching Nets Volumes {Continuity,I/O,iCloud,HID,HCI}\ errors {User,System}\ caches/logs XPC\ cache Startup\ items Shutdown\ codes Heat Diagnostic\ reports Bad\ {plist,cache}s 'VM (GiB)' Bundles{,' (new)'} Trust\ settings Activity Free\ space Stylesheet Library\ paths{,' ('{shell,launchd}\)} Data\ packages );N3=${#l[@]};for i in {0..8};do l[N3+i]=${k[5+i]};done;F() { local x="${s[$1]}";[[ "$x" =~ ^([\&\|\<\>]|$) ]]&&{ printf "$x";return;};:|${c1[30]} "$x" 2>&-;printf "%s \'%s\'" "|${c1[30+$?]}" "$x";};A0() { Q=6;v[2]=1;id -G|grep -qw 80;v[1]=$?;((v[1]))||{ Q=7;sudo -v;v[2]=$?;((v[2]))||Q=8;};v[3]=`date +%s`;date '+Start time: %T %D%n';printf '\n[Process started]\n\n'>&4;printf 'Revision: %s\n\n' ${p[0]};};A1() { 
local c="${c1[$1]} ${c2[$2]}";shift 2;c="$c ` while [[ "$1" ]];do F $1;shift;done`";((P2))&&{ c="sudo $c";P2=;};v=`eval "$c"`;[[ "$v" ]];};A2() { local c="${c1[$1]}";[[ "$c" =~ ^(awk|sed ) ]]&&c="$c '${s[$2]}'"||c="$c ${c2[$2]}";shift 2;local d=` while [[ "$1" ]];do F $1;shift;done`;((P2))&&{ c="sudo $c";P2=;};local a;v=` while read a;do eval "$c '$a' $d";done<<<"$v";`;[[ "$v" ]];};A3(){ v=$((`date +%s`-v[3]));};export -f A1 A2 F;B1() { v=No;! ((v[1]))&&{ v=;P1=1;};};eval "`type -a B1|sed '1d;s/1/2/'`";B3(){ v[$1]="$v";};B4() { local i=$1;local j=$2;shift 2;local c="cat` while [[ "$1" ]];do F $1;shift;done`";v[j]=`eval "{ $c;}"<<<"${v[i]}"`;};B5(){ v="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d$'\e' <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F$'\e' ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`egrep -v "${v[$1]}"<<<"$v"|sort`;};eval "`type -a B7|sed '1d;s/7/8/;s/-v //'`";C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v"|sed -E "$s";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { B4 0 0 63&&C1 1 $1;};C4() { echo $'\t'"Part $((++P)) of $Q done at $((`date +%s`-v[3])) sec">&4;};C5() { sudo -k;pbcopy<<<"$o";printf '\n\tThe test results are on the Clipboard.\n\n\tPlease close this window.\n';exit 2>&-;};for i in 1 2;do eval D$((i-1))'() { A'$i' $@;C0;};';for j in 2 3;do eval D$((i+2*j-3))'() { local x=$1;shift;A'$i' $@;C'$j' $x;};';done;done;trap C5 2;o=$({ A0;D0 0 N1+1 2;D0 0 $N1 1;B1;C2 31;B1&&! 
B2&&C2 32;D2 22 15 63;D0 0 N1+2 3;D0 0 N1+15 17;D4 3 0 N1+3 4;D4 4 0 N1+4 5;D4 N3+4 0 N1+9 59;D0 0 N1+16 99;for i in 0 1 2;do D4 N3+i 0 N1+5+i 6;done;D4 N3+3 0 N1+8 71;D4 62 1 10 7;D4 10 1 11 8;B2&&D4 18 19 53 67;D2 11 2 12 9;D2 12 3 13 10;D2 13 32 70 101 25;D2 71 6 76 13;D2 45 20 52 66;A1 7 77 14;B3 28;A1 20 31 111;B6 0 28 5;B4 0 0 110;C2 66;D4 70 8 15 38;D0 9 16 16 77 45;C4;B2&&D0 35 49 61 75 76 78 45;B2&&{ D0 28 17 45;C4;};B2&&{ A1 43 85 117;B3 29;B4 0 0 119 76 81 45;C0;B4 29 0 118 119 76 82 45;C0; };D0 12 40 54 16 79 45;D0 12 39 54 16 80 45;D4 74 25 77 15&&{ B4 0 8 103;B4 8 0;A2 18 74;B6 8 0 3;C3 75;};B2&&D4 19 21 0;B2&&D4 40 10 42;D2 2 0 N1+19 46 84;D2 44 34 43 53;D2 59 22 20 32;D2 33 0 N1+14 51;for i in {0..2};do A1 29 35+i 104+i;B3 25+i;done;B6 25 27 5;B6 0 26 5;B4 0 0 110;C2 69;D2 34 21 28 35;D4 35 27 29 36;A1 40 59 120;B3 18;A1 33 60 121;B8 18;B4 0 19 83;A1 27 32 39&&{ B3 20;B4 19 0;A2 33 33 40;B3 21;B6 20 21 3;};C2 36;D4 50 38 5 68;B4 19 0;D5 37 33 34 42;B2&&D4 46 35 45 55;D4 38 0 N1+20 43;B2&&D4 58 4 65 76 91;D4 63 4 19 44 75 95 12;B1&&{ D4 53 5 55 75 69&&D4 51 6 58 31;D4 56 5 56 97 75 98&&D0 0 N1+7 99;D2 55 5 27 84;D4 61 5 54 75 70;D4 14 5 14 96;D4 15 5 72 96;D4 17 5 78 96;C4;};D4 16 5 73 96;A1 13 44 74 18;C4;B3 4;B4 4 0 85;A2 14 61 89;B4 0 5 19 102;A1 17 41 50;B7 5;C3 8;B4 4 0 88;A2 14 24 89;C4;B4 0 6 19 102;B4 4 0 86;A2 14 61 89;B4 0 7 19 102;B5 6 7;B4 0 11 73 102;A1 42 86 114;j=$?;for i in 0 1 2;do ((i==2&&j==1))&&break;((! 
j))||((i))||B2&&A1 18 $((79+i-(i+53)*j)) 107+8*j 94 74||continue;B7 11;B4 0 0 11;C3 $((23+i*(1+i+2*j)));D4 $((24+i*(1+i+2*j))) 18-4*j 82+i-16*j $((112+((3-i)*i-40*j)/2));done;D4 60 4 21 24;D4 42 14 1 62;D4 43 37 2 90 48;D4 41 10 42;D2 48 36 47 25;A1 4 3 60&&{ B3 9;A2 14 61;B4 0 10 21;B4 9 0;A2 14 62;B4 0 0 21;B6 0 10 4;C3 5;};D4 9 41 69 100;D2 72 21 68 35;D2 49 21 48 49;B4 4 22 57 102;A1 21 46 56 74;B7 22;B4 0 0 58;C3 47;D4 54 5 7 75 76 69;D4 52 5 8 75 76 69;D4 57 4 64 76 91;D2 0 4 4 84;D2 1 4 51 84;D4 21 22 9 37;D0 0 N1+17 108;D4 76 24 38;A1 23 18 28 89;B4 0 16 22 102;A1 16 25 33;B7 16;B4 0 0 34;D1 31 47;D4 64 4 71 41;D4 65 5 87 116 74;C4;B4 4 12 26 89 23 102;for i in {0..3};do A1 0 N1+10+i 72 74;B7 12;B4 0 0 52;C3 N3+5+i;((i))||C4;done;A1 24 22 29;B7 12;B3 14;A2 39 57 30;B6 14 0 4;C3 67;A1 24 75 74;B4 1 1 122||B7 12;B4 0 0 123;B3 23;A2 39 57 30;B6 23 0 4;C3 68;B4 4 13 27 89 65;A1 24 23;B7 13;C3 73;B4 4 0 87;A2 14 61 89 20;B4 0 17;A1 26 50 64;B7 17;C3 6;D0 0 N1+18 109;D4 7 11 6;A3;C2 39;C4;} 4>&2 2>/dev/null;);C5
Copy the selected text to the Clipboard by pressing the key combination command-C.
8. Launch the built-in Terminal application in any of the following ways:
☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
☞ Open LaunchPad and start typing the name.
Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
exec bash
and press return. Then paste the script again.
10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.
If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:
[Process started]
Part 1 of 8 done at … sec
…
Part 8 of 8 done at … sec
The test results are on the Clipboard.
Please close this window.
[Process completed]
The intervals between parts won't be exactly equal, but they give a rough indication of progress. The total number of parts may be different from what's shown here.
Wait for the final message "Process completed" to appear. If you don't see it within about ten minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it and go to the next step. You'll have incomplete results, but still something.
12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.
______________________________________________________________
Copyright © 2014, 2015 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.
Start time: 12:07:06 03/21/15
Revision: 1296
Model Identifier: iMac11,3
System Version: OS X 10.10.2 (14C1510)
Kernel Version: Darwin 14.1.0
Time since boot: 16:17
UID: 501
SerialATA
WDC WD1001FALS-40Y6A0
Bluetooth
Apple Wireless Keyboard
Apple Wireless Mouse
FileVault 2: On
Energy (lifetime)
kernel_task (UID 0): 10.21
Energy (sampled)
kernel_task (UID 0): 13.75
Microsoft Outlook (UID 501): 13.13
Root crontab
#SqzS VERSION = 1.0.0
#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED
#PLEASE DO NOT EDIT.
# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=2
0 19 * * 5 "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 1 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf -liveupdatequiet YES -liveupdateautoquit YES"
#SqzS END SYMANTEC CRON ENTRIES
Font issues: 3
Listeners
nfsd: 1023
rpc.lockd: 1017
rpc.rquotad: garcon
rpc.statd: exp1
rpcbind: sunrpc
System caches/logs
2.3 GiB: /System/Library/Caches/com.apple.coresymbolicationd/data
Diagnostic reports
2015-03-21 LegacyFileVaultMessageTracer crash
I/O errors
disk1: I/O error 1
Volumes
disk1: /
HCI errors
Bus: 0xfa Addr: 6 Errors: 2
USB
USB Hi-Speed Bus
Host Controller Location: Built-in USB
Host Controller Driver: AppleUSBEHCI
Bus Number: 0xfa
Hub
Location ID: 0xfa100000 / 2
Current Available (mA): 500
Current Required (mA): 2
Built-In: Yes
Internal Memory Card Reader
Location ID: 0xfa120000 / 4
Current Available (mA): 500
Current Required (mA): 500
Built-In: Yes
BRCM2046 Hub
Location ID: 0xfa110000 / 3
Current Available (mA): 500
Current Required (mA): 0
Built-In: Yes
Bluetooth USB Host Controller
Location ID: 0xfa111000 / 5
Current Available (mA): 500
Current Required (mA): 0
Built-In: Yes
USB Hi-Speed Bus
Host Controller Location: Built-in USB
Host Controller Driver: AppleUSBEHCI
Bus Number: 0xfd
Hub
Location ID: 0xfd100000 / 2
Current Available (mA): 500
Current Required (mA): 2
Built-In: Yes
Built-in iSight
Location ID: 0xfd110000 / 4
Current Available (mA): 500
Current Required (mA): 500
Built-In: Yes
IR Receiver
Location ID: 0xfd120000 / 3
Current Available (mA): 500
Current Required (mA): 100
Built-In: Yes
HID errors: 4
Kernel log
Mar 15 17:48:53 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)
Mar 15 18:23:09 CoreStorageGroup::completeIORequest - error 0xe00002ca detected for LVG "Macintosh HD" (UUID), pv UUID, near LV byte offset = 12967079936.
Mar 15 18:23:09 disk1: I/O error.
Mar 15 22:04:31 Failed to get hibernate image filename
Mar 16 18:37:57 ### ERROR: Exit sniff failed (probably already unsniffed) (err=10)
Mar 16 18:38:42 ### ERROR: Exit sniff failed (probably already unsniffed) (err=10)
Mar 16 19:36:50 Failed to get hibernate image filename
Mar 16 21:53:22 firefox (map: 0xffffff8021823a50) triggered DYLD shared region unnest for map: 0xffffff8021823a50, region 0x7fff8f600000->0x7fff8f800000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
Mar 16 22:59:17 USBF: 24744. 92 AppleUSBEHCI::Found a transaction which hasn't moved in 1000 milliseconds on bus 0xfa, timing out! (Addr: 6, EP: 1)
Mar 16 22:59:20 USBF: 24747. 94 AppleUSBEHCI::Found a transaction which hasn't moved in 1000 milliseconds on bus 0xfa, timing out! (Addr: 6, EP: 1)
Mar 16 23:00:03 Failed to get hibernate image filename
Mar 19 21:48:24 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)
Mar 19 21:58:39 firefox (map: 0xffffff80258b44b0) triggered DYLD shared region unnest for map: 0xffffff80258b44b0, region 0x7fff85200000->0x7fff85400000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
Mar 19 22:03:34 firefox (map: 0xffffff8023da9690) triggered DYLD shared region unnest for map: 0xffffff8023da9690, region 0x7fff85200000->0x7fff85400000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
Mar 19 23:00:27 Failed to get hibernate image filename
Mar 20 19:10:03 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)
Mar 20 19:50:14 ** GPU Hardware VM is disabled (multispace: disabled, page table updates with DMA: disabled)
Mar 20 20:15:35 Failed to get hibernate image filename
System log
Mar 20 19:51:45 CallHistorySyncHelper: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'
Mar 20 19:51:46 CallHistorySyncHelper: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'
Mar 20 19:51:46 Service: AppleEvents: Send port for process has no send right, port=( port:32523/0x7f0b rcv:1,send:0,d:0 limit:5) (findOrCreate()/AEMachUtils.cp #526) com.apple.main-thread
Mar 20 19:51:47 askpermissiond: ApplePushService: Connection timed out trying to communicate with apsd
Mar 20 19:51:53 SocialPushAgent: ApplePushService: Connection timed out trying to communicate with apsd
Mar 20 19:51:54 AddressBookSourceSync: ApplePushService: Timed out making blocking call, failed to perform call via XPC connection to 'com.apple.apsd'
Mar 20 19:51:57 com.apple.kextd: ERROR: invalid signature for com.zeobit.kext.Firewall, will not load
Mar 20 19:51:58 com.apple.kextd: ERROR: invalid signature for com.zeobit.kext.Firewall, will not load
Mar 20 19:52:20 WindowServer: disable_update_timeout: UI updates were forcibly disabled by application "Dropbox" for over 1.00 seconds. Server has re-enabled them.
Mar 20 19:53:56 WindowServer: WSGetSurfaceInWindow : Invalid surface 642917970 for window 57
Mar 20 19:53:56 WindowServer: WSGetSurfaceInWindow : Invalid surface 642917970 for window 57
Mar 20 19:53:56 WindowServer: WSGetSurfaceInWindow : Invalid surface 642917970 for window 57
Mar 20 19:53:56 WindowServer: WSGetSurfaceInWindow : Invalid surface 642917970 for window 57
Mar 20 19:57:56 cloudd: Stream 0x7fe181c818d0 is sending an event before being opened
Mar 20 22:04:20 configd: [0x7fc22a452d80] [m]DNS query timeout (query time = 35.122213), [46TE]
Mar 20 23:53:10 configd: [0x7fc22a5267c0] [m]DNS query timeout (query time = 31.590735), [46TE]
Mar 21 01:42:02 configd: [0x7fc22a528c40] [m]DNS query timeout (query time = 31.408054), [46TE]
Mar 21 03:30:56 configd: [0x7fc22a452d80] [m]DNS query timeout (query time = 31.390972), [46TE]
Mar 21 05:19:48 configd: [0x7fc22a71dd30] [m]DNS query timeout (query time = 32.213011), [46TE]
Mar 21 07:08:42 configd: [0x7fc22a62acc0] [m]DNS query timeout (query time = 33.077746), [46TE]
Mar 21 08:57:35 configd: [0x7fc22a525520] [m]DNS query timeout (query time = 31.436688), [46TE]
Mar 21 10:46:29 configd: [0x7fc22a72ad20] [m]DNS query timeout (query time = 32.805542), [46TE]
Mar 21 11:53:45 netbiosd: __net_helper_get_connection_block_invoke_3 could not connect to networkd
Mar 21 11:54:27 cloudd: Stream 0x7fe181ed4710 is sending an event before being opened
Mar 21 11:54:36 WindowServer: disable_update_timeout: UI updates were forcibly disabled by application "Microsoft Outlook" for over 1.00 seconds. Server has re-enabled them.
launchd log
Mar 17 21:59:24 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 17 22:17:48 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 17 22:19:24 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 21:49:06 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.221, service = com.apple.photostream-agent, error = 119: Service is disabled
Mar 19 22:09:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 22:09:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 22:29:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 22:29:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 22:49:03 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 19 22:49:03 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 14:27:18 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 14:27:19 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 18:36:53 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 18:36:54 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 18:56:53 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 18:56:54 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 19:11:08 com.apple.xpc.launchd.user.501.100007.Aqua: Could not import service from caller: caller = otherbsd.217, service = com.apple.photostream-agent, error = 119: Service is disabled
Mar 20 19:11:24 com.jdibackup.ZipCloud.autostart: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 19:31:05 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 19:31:05 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 20 19:51:16 com.apple.xpc.launchd.user.501.100005.Aqua: Could not import service from caller: caller = otherbsd.210, service = com.apple.photostream-agent, error = 119: Service is disabled
Mar 20 20:01:24 com.webtools.update.0.0.0.9.agent: Interval spawn of service failed: 139: Service cannot presently execute
Mar 20 20:11:15 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 21 12:01:20 com.jdibackup.JustCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Mar 21 12:01:20 com.jdibackup.ZipCloud.notify: Service could not initialize: 14C1510: xpcproxy + 14045 [1344][UUID]: 0xd
Loaded kernel extensions
com.logmein.driver.LogMeInSoundDriver (4.1.48f85)
com.symantec.kext.SymAPComm (100.1f2)
com.symantec.kext.internetSecurity (5.2.1f2)
com.symantec.kext.ips (3.5.1f2)
com.symantec.kext.ndcengine (1.0f2)
System services loaded
com.adobe.SwitchBoard
com.adobe.fpsaud
com.apple.dpd
- status: 75
com.apple.locationd
- status: 1
com.apple.loginwindow.LFVTracer
- status: -11
com.apple.watchdogd
com.google.keystone.daemon
com.logmein.logmeinserver
com.logmein.raupdate
com.microsoft.office.licensing.helper
com.period.searchprotectd
- status: 78
com.symantec.liveupdate.daemon
- status: 1
com.symantec.liveupdate.daemon.ondemand
com.symantec.sharedsettings
com.symantec.symdaemon
com.zeobit.MacKeeper.AntiVirus
com.zeobit.MacKeeper.plugin.AntiTheft.daemon
System services disabled
com.apple.security.FDERecoveryAgent
com.logmein.logmeinblanker
org.samba.winbindd
com.apple.mrt
Login services loaded
com.adobe.AAM.Scheduler-1.0
com.adobe.ARM.UUID
com.adobe.ARM.UUID
com.adobe.CS5ServiceManager
com.apple.mrt.uiagent
com.cinema-plus-1-1.updater
com.citrix.AuthManager_Mac
com.citrix.ReceiverHelper
com.citrix.ServiceRecords
com.extensions.updater67619.agent.plist
- status: 78
com.flashmall.agent
com.genieo.completer.download
com.genieo.completer.ltvbit
com.genieo.completer.update
com.google.keystone.system.agent
com.hp.printerAgent
com.jdibackup.JustCloud.autostart
- status: 78
com.jdibackup.JustCloud.notify
- status: 78
com.jdibackup.ZipCloud.autostart
- status: 78
com.jdibackup.ZipCloud.backupstart
com.jdibackup.ZipCloud.notify
- status: 78
com.logmein.LMILaunchAgentFixer
- status: 78
com.logmein.logmeingui
com.logmein.logmeinguiagent
com.shopy-mate.updater
com.symantec.uiagent.application
com.webhelper
- status: 78
com.webtools.uninstaller.app
com.webtools.update.0.0.0.9.agent
- status: 78
com.zeobit.MacKeeper.Helper
Startup items
/Library/StartupItems/NortonMissedTasks/NortonMissedTasks
/Library/StartupItems/NortonMissedTasks/StartupParameters.plist
/Library/StartupItems/SymAutoProtect/SAVAPComm.kext/Contents/Info.plist
/Library/StartupItems/SymAutoProtect/SAVAPComm.kext/Contents/MacOS/SAVAPComm
/Library/StartupItems/SymAutoProtect/StartupParameters.plist
/Library/StartupItems/SymAutoProtect/SymAutoProtect
/Library/StartupItems/SymProtector/StartupParameters.plist
/Library/StartupItems/SymProtector/SymProtector
User login items
iTunesHelper
- missing value
Microsoft AU Daemon
- missing value
GrowlHelperApp
- /Library/PreferencePanes/Growl.prefPane/Contents/Resources/GrowlHelperApp.app
AirPort Base Station Agent
- /System/Library/CoreServices/AirPort Base Station Agent.app
LMILaunchAgentFixer
- /Library/Application Support/LogMeIn/LMILaunchAgentFixer.app
Dropbox
- /Applications/Dropbox.app
TuneupMyMac
- missing value
ScanNotification
- /Library/Application Support/Symantec/AntiVirus/ScanNotification.app
SAVDiskMountNotify
- /Library/Application Support/Symantec/AntiVirus/SAVDiskMountNotify.app
SymSecondaryLaunch
- missing value
SymQuickMenu
- missing value
User crontab
#SqzS VERSION = 1.0.0
#SYMANTEC SCHEDULER CRON ENTRIES. THESE ENTRIES ARE AUTOMATICALLY GENERATED
#PLEASE DO NOT EDIT.
# Enc=1 Name="Update Virus Protection" EvType1=1 EvType2=0 Sched=1
0 0 1 * * "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" 2 "/Applications/Symantec Solutions/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUdf"
# Enc=1 Name="My Product Update Task" EvType1=1 EvType2=0 Sched=1
0 12 1 * * "/Library/Application Support/Symantec/Scheduler/SymSecondaryLaunch.app/Contents/schedLauncher" -u 3 "/Library/Application Support/Norton Solutions Support/LiveUpdate/LiveUpdate.app/Contents/MacOS/LiveUpdate" " " "oapp" "aevt" "exAG" "-update LUal -liveupdatequiet YES -liveupdateautoquit YES"
#SqzS END SYMANTEC CRON ENTRIES
Safari extensions
defaultsearch
- com.defaultsearch.safariext
Omnibar
- com.genieo.safari
Widgets
Dictionnaire
Web Translator
eCalc
xCuts
iCloud errors
bird 93
cloudd 14
Continuity errors
sharingd 1
Restricted files: 207
Lockfiles: 72
Accessibility
Keyboard Zoom: On
Scroll Zoom: On
Contents of /Library/LaunchAgents/com.citrix.AuthManager_Mac.plist
- mod date: Nov 18 11:21:28 2014
- checksum: 1501830148
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>MachServices</key>
<dict>
<key>com.citrix.AuthManager_Mac</key>
<true/>
</dict>
<key>Label</key>
<string>com.citrix.AuthManager_Mac</string>
<key>WaitForDebugger</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/libexec/AuthManager_Mac.app/Contents/MacOS/AuthManager_Mac</string>
</array>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>Disabled</key>
<false/>
</dict>
</plist>
Contents of /Library/LaunchAgents/com.citrix.ServiceRecords.plist
- mod date: Nov 18 11:21:28 2014
- checksum: 827728504
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>MachServices</key>
<dict>
<key>com.citrix.Beacons</key>
<true/>
<key>com.citrix.ServiceRecords</key>
<true/>
</dict>
<key>Label</key>
<string>com.citrix.ServiceRecords</string>
<key>RunAtLoad</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>WaitForDebugger</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/usr/local/libexec/ServiceRecords.app/Contents/MacOS/ServiceRecords</string>
</array>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
...and 4 more line(s)
Contents of /Library/LaunchAgents/com.logmein.LMILaunchAgentFixer.plist
- mod date: Feb 27 21:32:28 2015
- checksum: 94065829
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Debug</key>
<true/>
<key>Label</key>
<string>com.logmein.LMILaunchAgentFixer</string>
<key>OnDemand</key>
<true/>
<key>ThrottleInterval</key>
<integer>1</integer>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/LogMeIn/bin/LMILaunchAgentFixer.app/Contents/MacOS/LMILaunchAgentFixer</string>
<string>fromlaunchagent</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of /Library/LaunchAgents/com.logmein.logmeingui.plist
- exported SGML document text
- mod date: Feb 27 21:32:28 2015
- checksum: 2634235902
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Debug</key>
<true/>
<key>Label</key>
<string>com.logmein.logmeingui</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>LimitLoadToSessionType</key>
<array>
<string>Aqua</string>
</array>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/LogMeIn/bin/LogMeInGUI.app/Contents/MacOS/LogMeInGUI</string>
</array>
</dict>
</plist>
Contents of /Library/LaunchAgents/com.logmein.logmeinguiagent.plist
- exported SGML document text
- mod date: Feb 27 21:32:28 2015
- checksum: 2150548001
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Debug</key>
<true/>
<key>Label</key>
<string>com.logmein.logmeinguiagent</string>
<key>LimitLoadToSessionType</key>
<array>
<string>Aqua</string>
</array>
<key>KeepAlive</key>
<false/>
<key>RunAtLoad</key>
<false/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>MulticastGroup</key>
<string>224.224.224.224</string>
<key>SockFamily</key>
<string>IPv4</string>
<key>SockPassive</key>
...and 17 more line(s)
Contents of /Library/LaunchAgents/com.logmein.logmeinguiagentatlogin.plist
- exported SGML document text
- mod date: Feb 27 21:32:28 2015
- checksum: 4009328751
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Debug</key>
<true/>
<key>Label</key>
<string>com.logmein.logmeinguiagentatlogin</string>
<key>LimitLoadToSessionType</key>
<array>
<string>LoginWindow</string>
</array>
<key>KeepAlive</key>
<false/>
<key>RunAtLoad</key>
<false/>
<key>Sockets</key>
<dict>
<key>Listeners</key>
<dict>
<key>MulticastGroup</key>
<string>224.224.224.224</string>
<key>SockFamily</key>
<string>IPv4</string>
<key>SockPassive</key>
...and 17 more line(s)
Contents of /Library/LaunchAgents/com.symantec.uiagent.application.plist
- mod date: Sep 12 23:59:24 2014
- checksum: 2715641560
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.symantec.uiagent.application</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Symantec/SymUIAgent/SymUIAgent.app/Contents/MacOS/SymUIAgent</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.logmein.logmeinserver.plist
- exported SGML document text
- mod date: Feb 27 21:32:28 2015
- checksum: 2579610614
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Debug</key>
<true/>
<key>Label</key>
<string>com.logmein.logmeinserver</string>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>ThrottleInterval</key>
<integer>1</integer>
<key>ProcessType</key>
<string>Interactive</string>
<key>LegacyTimers</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/LogMeIn/bin/LogMeIn.app/Contents/MacOS/LogMeIn</string>
</array>
<key>StandardErrorPath</key>
<string>/Library/Logs/LogMeIn/stderr.log</string>
<key>StandardOutPath</key>
...and 5 more line(s)
Contents of /Library/LaunchDaemons/com.logmein.raupdate.plist
- mod date: Aug 25 19:00:47 2012
- checksum: 641044797
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.logmein.raupdate</string>
<key>OnDemand</key>
<true/>
<key>RunAtLoad</key>
<false/>
<key>KeepAlive</key>
<false/>
<key>LaunchOnlyOnce</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/LogMeIn/update/raupdate</string>
<string> /s</string>
</array>
<key>StandardErrorPath</key>
<string>/Library/Application Support/LogMeIn//log/stderr.log</string>
<key>StandardOutPath</key>
<string>/Library/Application Support/LogMeIn//log/stdout.log</string>
<key>WorkingDirectory</key>
<string>/Library/Application Support/LogMeIn//bin/</string>
...and 2 more line(s)
Contents of /Library/LaunchDaemons/com.perion.searchprotectd.plist
- mod date: Oct 25 14:50:55 2014
- checksum: 1209345832
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>AbandonProcessGroup</key>
<true/>
<key>EnableTransactions</key>
<false/>
<key>ProgramArguments</key>
<array>
<string>/Applications/SearchProtect/SearchProtect.app/Contents/MacOS/SearchProtect</string>
<string>-execv_instance</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>com.period.searchprotectd</string>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.symantec.liveupdate.daemon.ondemand.plist
- mod date: Sep 13 00:07:03 2014
- checksum: 2394746304
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>Label</key>
<string>com.symantec.liveupdate.daemon.ondemand</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Symantec/LiveUpdate/LiveUpdateDaemon.bundle/Contents/MacOS/LiveUpdateDaemon</string>
</array>
<key>TimeOut</key>
<integer>15</integer>
<key>Sockets</key>
<dict>
<key>DaemonSocket</key>
<dict>
<key>SockPathMode</key>
<integer>49663</integer>
<key>SockPathName</key>
<string>/private/tmp/com.symantec.liveupdate.daemonport</string>
</dict>
</dict>
<key>EnableTransactions</key>
...and 3 more line(s)
Contents of /Library/LaunchDaemons/com.symantec.liveupdate.daemon.plist
- mod date: Sep 13 00:07:03 2014
- checksum: 3403302937
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>RunAtLoad</key>
<true/>
<key>Label</key>
<string>com.symantec.liveupdate.daemon</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Symantec/LiveUpdate/LUTool</string>
</array>
<key>TimeOut</key>
<integer>15</integer>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.symantec.sep.migratesettings.plist
- mod date: Mar 15 17:46:53 2015
- checksum: 3583785382
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>Label</key>
<string>com.symantec.sep.migratesettings</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Symantec/Migration/MigrateSettings</string>
<string>/Library/Application Support/Symantec/Migration/Saved Symantec Data</string>
</array>
<key>Disabled</key>
<false/>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.symantec.sharedsettings.plist
- mod date: Sep 12 23:57:06 2014
- checksum: 2142494329
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>Label</key>
<string>com.symantec.sharedsettings</string>
<key>MachServices</key>
<dict>
<key>com.symantec.sharedsettings</key>
<true/>
</dict>
<key>Program</key>
<string>/Library/PrivateFrameworks/SymSharedSettings.framework/Tools/SymSharedSettingsd</string>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.symantec.symdaemon.plist
- mod date: Sep 12 23:57:57 2014
- checksum: 513030552
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.symantec.symdaemon</string>
<key>OnDemand</key>
<false/>
<key>KeepAlive</key>
<dict>
<key>SuccessfulExit</key>
<false/>
</dict>
<key>RunAtLoad</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Library/Application Support/Symantec/Daemon/SymDaemon.bundle/Contents/MacOS/SymDaemon</string>
</array>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.zeobit.MacKeeper.AntiVirus.plist
- mod date: Feb 4 17:43:24 2013
- checksum: 4244331265
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.zeobit.MacKeeper.AntiVirus</string>
<key>Program</key>
<string>/Library/Application Support/MacKeeper/AntiVirus.app/Contents/MacOS/AntiVirus</string>
<key>OnDemand</key>
<false/>
</dict>
</plist>
Contents of /Library/LaunchDaemons/com.zeobit.MacKeeper.plugin.AntiTheft.daemon.plist
- mod date: Feb 5 19:08:27 2013
- checksum: 3798729423
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>Label</key>
<string>com.zeobit.MacKeeper.plugin.AntiTheft.daemon</string>
<key>Program</key>
<string>/Library/Application Support/MacKeeper/MacKeeperATd</string>
<key>OnDemand</key>
<false/>
</dict>
</plist>
Contents of /private/etc/fstab
- mod date: Jan 9 19:58:30 2004
- checksum: 2310170729
[N/A]
Contents of /private/etc/liveupdate.conf
- mod date: Mar 15 17:46:53 2015
- checksum: 114118656
hosts/0/url=http://liveupdate.symantecliveupdate.com:80
hosts/1/url=http://liveupdate.symantec.com:80
hosts/2/login:ENC=UUID
hosts/2/password:ENC=UUID
hosts/2/url=ftp://update.symantec.com/opt/content/onramp
workdir=/tmp
Contents of Library/LaunchAgents/cinema-plus-1-1_updater.plist
- Apple binary property list
- mod date: Jan 4 22:34:33 2015
- checksum: 3972282463
Dict {
StartInterval = 86400
ProgramArguments = Array {
bash
/Users/USER/Library/LaunchAgents/cinema-plus-1-1_updater.sh
}
Label = com.cinema-plus-1-1.updater
}
Contents of Library/LaunchAgents/com.adobe.ARM.UUID.plist
- mod date: Aug 17 21:30:39 2010
- checksum: 2930943039
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.adobe.ARM.UUID</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Adobe Reader 9_/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>12600</integer>
</dict>
</plist>
Contents of Library/LaunchAgents/com.adobe.ARM.UUID.plist
- mod date: Aug 18 18:46:56 2010
- checksum: 573770682
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.adobe.ARM.UUID</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Adobe Reader 9__/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>12600</integer>
</dict>
</plist>
Contents of Library/LaunchAgents/com.apple.SafariBookmarksSyncer.plist
- mod date: Feb 12 18:22:38 2011
- checksum: 2239309128
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.apple.Safari</string>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>ProgramArguments</key>
<array>
<string>/Applications/Safari.app/Contents/SafariSyncClient.app/Contents/MacOS/SafariSyncClient</string>
<string>--sync</string>
<string>com.apple.Safari</string>
<string>--entitynames</string>
<string>com.apple.bookmarks.Bookmark,com.apple.bookmarks.Folder</string>
</array>
<key>RunAtLoad</key>
<false/>
<key>ThrottleInterval</key>
<integer>60</integer>
<key>WatchPaths</key>
<array>
<string>/Users/USER/Library/Safari/Bookmarks.plist</string>
</array>
</dict>
...and 1 more line(s)
Contents of Library/LaunchAgents/com.extensions.updater67619.agent.plist
- mod date: Mar 14 00:11:27 2015
- checksum: 2057474393
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.extensions.updater67619.agent.plist</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/LaunchAgents/UpdateDownloader</string>
<string>cmpId=2498</string>
<string>ibic=UUID</string>
<string>verifier=UUID</string>
<string>extId=67619</string>
<string>updatejsondomain=http://update.ourinputdatastorage.com</string>
<string>statsdomain=http://stats.ourinputdatastorage.com</string>
<string>eventsdomain=http://logs.ourinputdatastorage.com</string>
<string>errorsdomain=http://errors.ourinputdatastorage.com</string>
<string>installerversion=01-27</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>86400</integer>
</dict>
</plist>
Contents of Library/LaunchAgents/com.flashmall.agent.plist
- mod date: Mar 14 00:10:12 2015
- checksum: 2324341067
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>KeepAlive</key>
<false/>
<key>Label</key>
<string>com.flashmall.agent</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/flashmall/Service.app/Contents/MacOS/Service</string>
<string>--service</string>
<string>--unique_id=UUID</string>
<string>--unique_data=UUID</string>
</array>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.genieo.completer.download.plist
- mod date: Oct 15 20:15:26 2014
- checksum: 2253391813
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.genieo.completer.download</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS</string>
<string>-trigger</string>
<string>download</string>
<string>-isDev</string>
<string>0</string>
<string>-installVersion</string>
<string>16724</string>
<string>-firstAppId</string>
<string>13140009</string>
</array>
<key>WatchPaths</key>
<array>
<string>/Users/USER/Downloads</string>
</array>
</dict>
</plist>
Contents of Library/LaunchAgents/com.genieo.completer.ltvbit.plist
- mod date: Oct 15 20:15:26 2014
- checksum: 2197012581
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.genieo.completer.ltvbit</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS</string>
<string>-trigger</string>
<string>ltvbit</string>
<string>-isDev</string>
<string>0</string>
<string>-installVersion</string>
<string>16724</string>
<string>-firstAppId</string>
<string>13140009</string>
</array>
<key>StartCalendarInterval</key>
<dict>
<key>Hour</key>
<integer>4</integer>
<key>Minute</key>
<integer>5</integer>
</dict>
...and 2 more line(s)
Contents of Library/LaunchAgents/com.genieo.completer.update.plist
- mod date: Oct 15 20:15:26 2014
- checksum: 1645743826
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.genieo.completer.update</string>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/com.genieoinnovation.Installer/Completer.app/Contents/MacOS/InstallerS</string>
<string>-trigger</string>
<string>update</string>
<string>-isDev</string>
<string>0</string>
<string>-installVersion</string>
<string>16724</string>
<string>-firstAppId</string>
<string>13140009</string>
</array>
<key>StartInterval</key>
<integer>86400</integer>
</dict>
</plist>
Contents of Library/LaunchAgents/com.hp.printerAgent.plist
- mod date: Sep 4 21:49:50 2012
- checksum: 2038933932
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.hp.printerAgent</string>
<key>OnDemand</key>
<false/>
<key>Program</key>
<string>/Library/Printers/hp/laserjet/P1100_1560_1600Series/printerAgent</string>
<key>ProgramArguments</key>
<array>
<string>/Library/Printers/hp/laserjet/P1100_1560_1600Series/printerAgent</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>ServiceIPC</key>
<true/>
<key>Sockets</key>
<dict>
<key>MyListenerSocket</key>
<dict>
<key>SockServiceName</key>
<string>51100</string>
</dict>
...and 3 more line(s)
Contents of Library/LaunchAgents/com.jdibackup.JustCloud.autostart.plist
- mod date: Dec 3 22:12:30 2014
- checksum: 1724258653
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jdibackup.JustCloud.autostart</string>
<key>ProgramArguments</key>
<array>
<string>open</string>
<string>/Applications/JustCloud.app/Contents/Resources/Utility.app</string>
<string>-n</string>
<string>--args</string>
<string>9</string>
<string>-l</string>
</array>
<key>StandardOutPath</key>
<string>/Users/USER/Library/Logs/JustCloud/lagent_out.log</string>
<key>StandardErrorPath</key>
<string>/Users/USER/Library/Logs/JustCloud/lagent_err.log</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.jdibackup.JustCloud.notify.plist
- mod date: Dec 3 22:12:30 2014
- checksum: 133499499
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jdibackup.JustCloud.notify</string>
<key>ProgramArguments</key>
<array>
<string>open</string>
<string>/Applications/JustCloud.app/Contents/Resources/Utility.app</string>
<string>--args</string>
<string>7</string>
<string>1</string>
</array>
<key>StandardOutPath</key>
<string>/Users/USER/Library/Logs/JustCloud/lagent_out.log</string>
<key>StandardErrorPath</key>
<string>/Users/USER/Library/Logs/JustCloud/lagent_err.log</string>
<key>StartInterval</key>
<integer>1200</integer>
<key>RunAtLoad</key>
<false/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
- mod date: Mar 15 17:50:54 2015
- checksum: 2580545789
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jdibackup.ZipCloud.autostart</string>
<key>ProgramArguments</key>
<array>
<string>open</string>
<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>
<string>-n</string>
<string>--args</string>
<string>9</string>
<string>-l</string>
</array>
<key>StandardOutPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>
<key>StandardErrorPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>
<key>RunAtLoad</key>
<true/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.backupstart.plist
- mod date: Mar 15 17:51:12 2015
- checksum: 2998977907
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jdibackup.ZipCloud.backupstart</string>
<key>ProgramArguments</key>
<array>
<string>open</string>
<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>
<string>-n</string>
<string>--args</string>
<string>8</string>
<string>-b</string>
</array>
<key>StandardOutPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>
<key>StandardErrorPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>
<key>StartCalendarInterval</key>
<dict>
<key>Minute</key>
<integer>28</integer>
<key>Hour</key>
<integer>1</integer>
...and 5 more line(s)
Contents of Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist
- mod date: Mar 15 17:50:49 2015
- checksum: 3596902350
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.jdibackup.ZipCloud.notify</string>
<key>ProgramArguments</key>
<array>
<string>open</string>
<string>/Applications/ZipCloud.app/Contents/Resources/Utility.app</string>
<string>--args</string>
<string>7</string>
<string>1</string>
</array>
<key>StandardOutPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_out.log</string>
<key>StandardErrorPath</key>
<string>/Users/USER/Library/Logs/ZipCloud/lagent_err.log</string>
<key>StartInterval</key>
<integer>1200</integer>
<key>RunAtLoad</key>
<false/>
</dict>
</plist>
Contents of Library/LaunchAgents/com.webhelper.plist
- mod date: Mar 14 00:07:52 2015
- checksum: 607497305
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.webhelper</string>
<key>EnableGlobbing</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/webHelperApp/launch</string>
<string>-guid</string>
<string>UUID</string>
<string>-source</string>
<string>mm1510</string>
<string>-brand</string>
</array>
<key>KeepAlive</key>
<true/>
<key>RunAtLoad</key>
<true/>
<key>OnDemand</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
...and 6 more line(s)
Contents of Library/LaunchAgents/com.webtools.uninstaller.plist
- mod date: Mar 14 00:07:52 2015
- checksum: 1807829374
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.webtools.uninstaller.app</string>
<key>EnableGlobbing</key>
<true/>
<key>WatchPaths</key>
<array>
<string>/Applications/WebTools.app</string>
</array>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/Application Support/webHelperApp/uninstall</string>
</array>
</dict>
</plist>
Contents of Library/LaunchAgents/com.webtools.update.agent.plist
- mod date: Mar 14 00:07:54 2015
- checksum: 533367765
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>EnableGlobbing</key>
<true/>
<key>KeepAlive</key>
<true/>
<key>Label</key>
<string>com.webtools.update.0.0.0.9.agent</string>
<key>OnDemand</key>
<true/>
<key>ProgramArguments</key>
<array>
<string>/Users/USER/Library/WebTools/UpdateAgent/run_update.sh</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
<key>StartInterval</key>
<integer>600</integer>
<key>ThrottleInterval</key>
...and 3 more line(s)
Contents of Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
- mod date: Mar 15 18:47:05 2015
- checksum: 1794757485
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Disabled</key>
<false/>
<key>EnvironmentVariables</key>
<dict>
<key>ZBTimeStamp</key>
<string>20150305190134</string>
</dict>
<key>Label</key>
<string>com.zeobit.MacKeeper.Helper</string>
<key>LimitLoadToSessionType</key>
<string>Aqua</string>
<key>OnDemand</key>
<false/>
<key>Program</key>
<string>/Applications/MacKeeper.app/Contents/Resources/MacKeeper Helper.app/Contents/MacOS/MacKeeper Helper</string>
</dict>
</plist>
Contents of Library/LaunchAgents/shopy-mate_updater.plist
- Apple binary property list
- mod date: Oct 24 23:41:02 2014
- checksum: 2249694903
Dict {
StartInterval = 86400
ProgramArguments = Array {
bash
/Users/USER/Library/LaunchAgents/shopy-mate_updater.sh
}
Label = com.shopy-mate.updater
}
Bad plists
Library/Preferences/com.apple.iphotomosaic.plist
Library paths
/Applications/Adobe Photoshop CS5/MATLAB/Required/psmatlab.dylib
/Applications/Microsoft Office 2011/Office/MicrosoftSetupUI.framework/Libraries/mbupgx.dylib
/Applications/Microsoft Office 2011/Office/OPF.framework/Versions/14/Resources/OPF_Common.dylib
/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/Fm20.dylib
/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/MicrosoftOLE2TypesLib.dylib
/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/RefEdit.dylib
/Applications/Microsoft Office 2011/Office/Visual Basic for Applications.framework/Versions/14/Frameworks/RichEdit.dylib
/Library/Application Support/Adobe/APE/3.1/adbeapecore.framework/Versions/A/Resources/WebKit.dylib
/Library/Application Support/Adobe/CS5ServiceManager/lib/CSXS-Installer-Hook.dylib
/Library/Application Support/Adobe/CS5ServiceManager/lib/ServiceManager-Launcher.dylib
/Library/Application Support/Adobe/OOBE/PDApp/DWA/DWANative.dylib
/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKCmdCaps.dylib
/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKCmdFS.dylib
/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/ARKEngine.dylib
/Library/Application Support/Adobe/OOBE/PDApp/DWA/resources/libraries/AdobePIM.dylib
/Library/Application Support/Adobe/OOBE/PDApp/LWA/PWANative.dylib
/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_caps.dylib
/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_oobelib.dylib
/Library/Application Support/Adobe/OOBE/PDApp/LWA/adobe_upgrade.dylib
/Library/Application Support/Adobe/OOBE/PDApp/UWA/UWANative.dylib
/Library/Application Support/Adobe/OOBE/PDApp/core/AdobePIM.dylib
/Library/Application Support/Symantec/AntiVirus/Engine/libecomlodr.dylib
/Library/Application Support/Symantec/AntiVirus/Engine20140902/libecomlodr.dylib
/Library/Application Support/Symantec/AntiVirus/Engine20140909/libecomlodr.dylib
/Library/Application Support/Symantec/AntiVirus/Hub/libecomlodr.dylib
/Library/Application Support/Symantec/AntiVirus/NewEngine/libecomlodr.dylib
/Library/Application Support/Symantec/LiveUpdate/LUMicroDefs2.dylib
/Library/Application Support/Symantec/LiveUpdate/LUMicroDefs25.dylib
/Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib
/Library/PrivateFrameworks/SymLicensing.framework/Versions/A/Resources/LMUI.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr17-i386.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr17-x86_64.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr24-i386.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libexquilla-esr24-x86_64.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr17-i386.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr17-x86_64.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr24-i386.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/EMAIL/components/libwebsrvcs-esr24-x86_64.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/{UUID}/components/Darwin_x86-gcc3/libcalbasecomps.dylib
/Users/USER/Library/Thunderbird/Profiles/h0gik5by.Default User/extensions/{UUID}/components/Darwin_x86_64-gcc3/libcalbasecomps.dylib
/usr/lib/libsymsea.1.1.0.dylib
/usr/local/lib/libecomlodr.dylib
App extensions
com.getdropbox.dropbox.garcon
Installations
PlugIn: 5/12/12, 2:13 PM
Office 2011 14.2.1 Update: 4/26/12, 7:24 PM
Microsoft Error Reporting for Mac: 4/17/12, 6:09 PM
Office 2011 14.2.0 Update: 4/17/12, 5:42 PM
Office 2011 14.1.4 Update: 12/27/11, 4:22 PM
Bad kernel extensions
/System/Library/Extensions/SymEvent.kext
/System/Library/Extensions/SymOSXKernelUtilities.kext
Elapsed time (sec): 439
A
The startup drive is failing, or there is some other internal hardware fault.
Back up all data on the drive immediately if you don't already have a current backup. There are ways to back up a computer that isn't fully functional—ask if you need guidance.
Make a "Genius" appointment at an Apple Store, or go to another authorized service provider.
If privacy is a concern, erase the data partition(s) with the option to write zeros* (do this only if you have at least two complete, independent backups, and you know how to restore to an empty drive from any of them.) Don’t erase the recovery partition, if present.
Keeping your confidential data secure during hardware repair
Apple also recommends that you deauthorize a device in the iTunes Store before having it serviced.
*An SSD doesn't need to be zeroed.
I suggest you defer the remaining steps until after the hardware fault has been corrected.
B
You installed the "Crossrider" trojan. Take the steps below to disable it.
Malware is always changing to get around the defenses against it. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.
Back up all data before continuing.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:
com.crossrider
com.flashmall
com.webhelper
com.webtools
flashmall
WebSocketServerApp
Some of these files may be absent. Move any that you have to the Trash and close the Finder window. Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library/Application Support
A folder named "Application Support" will open. Inside it there may be a subfolder with this name:
webHelperApp
If so, move that subfolder—not the "Application Support" folder—to the Trash.
4. Open this folder in the same way as above:
~/Library/ScriptingAdditions
and remove an item named
BrowserHelper.osax
if present.
5. Finally, open this folder:
~/Library
Look for a subfolder with this name:
WebTools
and move it to the Trash, if present. Finally, empty the Trash.
C
You also installed the "CinemaPro" trojan. Take the steps below to disable it.
1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:
~/Library/LaunchAgents
In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.
2. Inside the folder you just opened, there may be files with a name beginning in any of the following ways:
cinema-plus
cinemas-+-plus
com.cinemapro
com.extensions.updater
Safari Security
shopy-mate
UpdateDownloader
Move all such items to the Trash.
Log out or restart the computer. The trojan will now be inactive, but there are a few more components of it that should be cleaned up.
3. Do as in Step 1 with this line:
~/Library
A folder named "Library" will open. Inside it there may be a subfolder with a name beginning
cinemapro
If so, move that subfolder—not the Library folder—to the Trash.
4. Finally, open this folder in the same way as above:
~/Applications
This is not the usual Applications folder, but a different one inside your home folder. Look for an application with a name beginning like this:
cinemapro
and move it to the Trash, if present. Finally, empty the Trash.
D
You also installed the "Genieo" and "SearchProtect" trojans. Follow the instructions on this Apple Support page to remove those.
After removing the malware, remember to reset your home page in all the web browsers affected, if it was changed.
E
You need to become much more cautious about installing software. Until you have more experience as a Mac user, I suggest you change a setting to allow only Apple updates and software from the App Store to be installed.
Open the Security & Privacy pane in System Preferences and select the General tab. Click the lock icon in the lower left corner and enter your password to unlock the settings. Select the button marked
Mac App Store
and close the preference pane. For information about the effects of this setting, see this support article. You may need to change the setting temporarily to install some third-party software, such as Flash Player. Be especially careful with that, as malware is often distributed in the form of a fake Flash update. Never follow a link to a Flash update on any web page. Instead use the built-in updater in the Flash Player preference pane.
The products in the App Store, while they aren't always very good, can at least be considered safe enough to use.
F
Remove the Norton/Symantec product by following these instructions. If you have a different version of the product, the procedure may be different.
Back up all data before making any changes.
G
"ZipCloud" is some sort of cloud-storage service with a doubtful reputation. The OS X client is sometimes distributed along with malware. Although ZipCloud may not be malicious itself, it should be deemed suspect by virtue of the company it keeps.
To remove ZipCloud, start by backing up all data (not with ZipCloud itself, of course.)
Quit the application, if it's running, and drag it from the Applications folder to the Trash.
Triple-click anywhere in the line below on this page to select it:
~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist
Right-click or control-click the highlighted line and select
Services ▹ Reveal in Finder (or just Reveal)
from the contextual menu.* A folder should open with a file selected. Move the selected file to the Trash.
In the same folder, there may also be a file named
com.jdibackup.ZipCloud.notify.plist
Move that to the Trash as well.
Log out or restart the computer and empty the Trash.
*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select
Go ▹ Go to Folder...
from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.
H
Some of your user files (not system files) have incorrect permissions or are locked. This procedure will unlock those files and reset their ownership, permissions, and access controls to the default. If you've intentionally set special values for those attributes, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it, but you do need to follow the instructions below.
Back up all data before proceeding.
Step 1
If you have more than one user, and the one in question is not an administrator, then go to Step 2.
Enter the following command in the Terminal window in the same way as before (triple-click, copy, and paste):
sudo find ~ $TMPDIR.. -exec chflags -h nouchg,nouappnd,noschg,nosappnd {} + -exec chown -h $UID {} + -exec chmod +rw {} + -exec chmod -h -N {} + -type d -exec chmod -h +x {} + 2>&-
You'll be prompted for your login password, which won't be displayed when you type it. Type carefully and then press return. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
The command may take several minutes to run, depending on how many files you have. Wait for a new line ending in a dollar sign ($) to appear, then quit Terminal.
Step 2 (optional)
Take this step only if you have trouble with Step 1, if you prefer not to take it, or if it doesn't solve the problem.
Start up in Recovery mode. When the OS X Utilities screen appears, select
Utilities ▹ Terminal
from the menu bar. A Terminal window will open. In that window, type this:
resetp
Press the tab key. The partial command you typed will automatically be completed to this:
resetpassword
Press return. A Reset Password window will open. You’re not going to reset a password.
Select your startup volume ("Macintosh HD," unless you gave it a different name) if not already selected.
Select your username from the menu labeled Select the user account if not already selected.
Under Reset Home Directory Permissions and ACLs, click the Reset button.
Select
▹ Restart
from the menu bar.
I
Back up all data.
Run the following command in the same way as before. It moves to the Trash "semaphore" files that have not been cleaned up by the system and may be interfering with normal operation. The files are empty; they contain no data. There will be no output this time.
find L*/{Con*/*/Data/L*/,}Pref* -type f -size 0c -name '*.plist.???????' -exec mv {} .Trash/ \; 2>&-
Log out or restart the computer and empty the Trash.
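The name checks in steps B.2 and C.2 of the reply above can also be run read-only over a whole LaunchAgents folder, showing what each job runs and what starts it. The script below is an added example, not part of the original post or of any tool used in this thread; the function names are assumptions, and the sample files are constructed from the listing earlier on this page.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Name prefixes listed in steps B.2 and C.2 of the reply above.
SUSPECT_PREFIXES = (
    "com.crossrider", "com.flashmall", "com.webhelper", "com.webtools",
    "flashmall", "WebSocketServerApp", "cinema-plus", "cinemas-+-plus",
    "com.cinemapro", "com.extensions.updater", "Safari Security",
    "shopy-mate", "UpdateDownloader",
)
# launchd keys that cause a job to start without user action.
TRIGGER_KEYS = ("RunAtLoad", "KeepAlive", "StartInterval",
                "StartCalendarInterval", "WatchPaths")


def inspect_item(path):
    """Describe one item of a LaunchAgents folder without modifying it."""
    item = {"name": path.name, "flagged": path.name.startswith(SUSPECT_PREFIXES),
            "label": None, "command": None, "triggers": [], "unreadable": False}
    if path.suffix != ".plist":
        return item                      # helper script or binary: name check only
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)      # accepts XML and binary property lists
    except (plistlib.InvalidFileException, ExpatError, ValueError, OSError):
        job = None
    if not isinstance(job, dict):
        item["unreadable"] = True        # damaged plist: still reported by name
        return item
    item["label"] = job.get("Label")
    args = job.get("ProgramArguments") or [job.get("Program")]
    item["command"] = " ".join(str(a) for a in args if a)
    # A key set to false (for example RunAtLoad = false) is not a trigger.
    item["triggers"] = [k for k in TRIGGER_KEYS if job.get(k)]
    return item


def audit_launch_agents(folder):
    """Return one record per file in the folder, flagged items first."""
    items = [inspect_item(p) for p in sorted(Path(folder).iterdir()) if p.is_file()]
    return sorted(items, key=lambda rec: not rec["flagged"])


def write_sample_folder(folder):
    """Write constructed sample files modelled on the listing in this thread."""
    folder = Path(folder)
    jobs = {
        "com.webtools.update.agent.plist": (plistlib.FMT_XML, {
            "Label": "com.webtools.update.0.0.0.9.agent",
            "ProgramArguments": ["/Users/USER/Library/WebTools/UpdateAgent/run_update.sh"],
            "RunAtLoad": True, "KeepAlive": True, "StartInterval": 600}),
        "shopy-mate_updater.plist": (plistlib.FMT_BINARY, {
            "Label": "com.shopy-mate.updater", "StartInterval": 86400,
            "ProgramArguments": ["bash", "/Users/USER/Library/LaunchAgents/shopy-mate_updater.sh"]}),
        "com.hp.printerAgent.plist": (plistlib.FMT_XML, {
            "Label": "com.hp.printerAgent", "RunAtLoad": True,
            "Program": "/Library/Printers/hp/laserjet/P1100_1560_1600Series/printerAgent"}),
    }
    for name, (fmt, job) in jobs.items():
        with (folder / name).open("wb") as fh:
            plistlib.dump(job, fh, fmt=fmt)
    (folder / "shopy-mate_updater.sh").write_text("# constructed placeholder\n")
    # Constructed damaged plist, to show that parsing failures do not hide a file.
    (folder / "com.flashmall.agent.plist").write_bytes(b"<plist><dict><key>Label</strin g>")
    return folder


if __name__ == "__main__":
    # On a Mac, audit Path.home() / "Library" / "LaunchAgents" instead of the sample.
    with tempfile.TemporaryDirectory() as tmp:
        for rec in audit_launch_agents(write_sample_folder(tmp)):
            mark = "REVIEW" if rec["flagged"] else "ok"
            print(f"{mark:6} {rec['name']} | {rec['command'] or '-'} | "
                  f"{','.join(rec['triggers']) or '-'}")
```

The script only reads; moving the flagged items to the Trash remains the manual step described in the reply.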
YOU ARE THE MAN !!!
I did everything but somehow could not remove the Symantec because I did not have the uninstall
will check with the Genius bar to see whether I need to change my hard drive or get a new iMac
MANY MANY thanks
I read this and everything just really confused me. I'm not very computer savvy so does anyone know of any youtube videos or anything that is a step by step? Thanks!
Hi Linc: I don't know whether this is an appropriate question to post on the site since it is somewhat personal, but do you "moonlight" as an Apple consultant? I have a number of issues that I would like fixed (slow iMac etc) and would be happy if you actually take "private clients"
<Email Edited by Host>
How do I back something up? I don't want to lose my pictures, music. Thanks!
Linc Davis, you're my hero.
Hi Linc,
first of all thank you for this article!
At the moment I have problems with 2 macs (1 macbook, and 1 iMac).. I've run the above test and posted the results in the paste bin as requested:
For the iMac, the problem is that it started to slow down a week ago, and every day is worse (I have not noted FlashMail there yet..) - I did the above checks to see if there were any files on the computer (such as crossrider, web helper, flash mail,..) but didn't find anything.
The test results are here: http://pastebin.com/nFcNLBms
With respect to the MacBook, there I DO have these annoying Flashmail ads (in every browser I open!), but still, the search didn't reveal any files either (crossrider, web helper, flash mail,..) ???…
The test results for MacBook (the one with Flashmail) are posted in the pastebin: http://pastebin.com/UMXii3Lm
I really appreciate any help - suggestions you might have...
Many thanks in advance!
Isabel