Thanks. I have Sophos anti-virus, but this has been running for ages without issue. I also have a web monitoring app ('Covenant Eyes'), which I suspect is the culprit, as it was recently upgraded to a newer version. I will try reverting to an older version to test this. These are the results of the test:
1 Start time: 15:36:19 09/27/15
2
3 Revision: 1347
4
5 Model Identifier: MacBookPro8,1
6 System Version: OS X 10.10.5 (14F27)
7 Kernel Version: Darwin 14.5.0
8 Time since boot: 17:44
9
10 SerialATA
11
12 ST*******ASG
13
14 Energy (lifetime)
15
16 kernel_task (UID 0): 14.38
17
18 Energy (sampled)
19
20 kernel_task (UID 0): 8.54
21
22 Profiles: 3
23
24 Font issues: 23
25
26 Global prefs (system)
27
28 MultipleSessionEnabled = 1
29
30 Firewall: On
31
32 DNS: 194.168.4.100
33
34 Listeners
35
36 kdc: kerberos
37 launchd: afpovertcp
38 launchd: microsoft-ds
39
40 System caches/logs
41
42 4.2 GiB: /System/Library/Caches/com.apple.coresymbolicationd/data
43
44 Diagnostic reports
45
46 2015-09-01 Citrix Viewer crash
47 2015-09-08 com.apple.security.pboxd crash
48 2015-09-08 mapspushd crash
49 2015-09-10 Photos crash
50 2015-09-14 Citrix Viewer crash
51 2015-09-16 Citrix Viewer crash
52 2015-09-26 Finder crash* x5
53 2015-09-26 com.apple.AmbientDisplayAgent crash
54 * Code injection
55
56 HID errors: 6
57
58 Kernel log
59
60 Sep 24 21:25:12 sflt_register for AF_INET6 TCP returned error 0.
61 Sep 24 21:27:49 Finder (map: 0xffffff8023878a50) triggered DYLD shared region unnest for map: 0xffffff8023878a50, region 0x7fff8ee00000->0x7fff8f000000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
62 Sep 24 22:17:38 firefox (map: 0xffffff8031af9f00) triggered DYLD shared region unnest for map: 0xffffff8031af9f00, region 0x7fff89a00000->0x7fff89c00000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
63 Sep 26 16:09:08 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
64 Sep 26 16:09:09 sflt_register for AF_INET TCP returned error 0.
65 Sep 26 16:09:09 sflt_register for AF_INET6 TCP returned error 0.
66 Sep 26 16:11:17 Finder (map: 0xffffff801e0b4870) triggered DYLD shared region unnest for map: 0xffffff801e0b4870, region 0x7fff8fc00000->0x7fff8fe00000. While not abnormal for debuggers, this increases system memory footprint until the target exits.
67 Sep 26 20:39:21 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
68 Sep 26 20:39:48 Dependency com.Cvnt.nke of kext com.Cvnt.driver.CvntDriver failed to load.
69 Sep 26 20:39:48 Kext com.Cvnt.driver.CvntDriver failed to load (0xdc008015).
70 Sep 26 20:51:08 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
71 Sep 26 20:51:13 sflt_register for AF_INET TCP returned error 0.
72 Sep 26 20:51:13 sflt_register for AF_INET6 TCP returned error 0.
73 Sep 26 20:53:31 ctl_enqueuedata: m_allocpacket_internal(7805) failed
74 Sep 26 20:53:31 tl_ctl_enqueuedata failed with error: 12
75 Sep 26 21:02:26 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
76 Sep 26 21:02:37 sflt_register for AF_INET TCP returned error 0.
77 Sep 26 21:02:37 sflt_register for AF_INET6 TCP returned error 0.
78 Sep 26 21:05:06 considerRebuildOfPrelinkedKernel com.apple.kext.OSvKernDSPLib triggered rebuild
79 Sep 26 21:23:50 CoreStorageFamily::unlockVEKs(UUID) VEK unwrap failed. this is normal, except for the root volume.
80 Sep 26 21:53:17 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized
81 Sep 26 21:53:27 sflt_register for AF_INET TCP returned error 0.
82 Sep 26 21:53:27 sflt_register for AF_INET6 TCP returned error 0.
83 Sep 27 09:28:06 CoreStorageFamily::unlockVEKs(UUID) VEK unwrap failed. this is normal, except for the root volume.
84 Sep 27 15:23:05 CoreStorageFamily::unlockVEKs(UUID) VEK unwrap failed. this is normal, except for the root volume.
85
86 System log
87
88 Sep 27 14:32:17 InterCheck: loaded code with pid 1230 is trusted
89 Sep 27 15:13:08 WindowServer: WSGetSurfaceInWindow : Invalid surface 1117911046 for window 194
90 Sep 27 15:13:08 WindowServer: WSGetSurfaceInWindow : Invalid surface 1117911046 for window 194
91 Sep 27 15:13:08 WindowServer: WSGetSurfaceInWindow : Invalid surface 1117911046 for window 194
92 Sep 27 15:13:39 WindowServer: disable_update_timeout: UI updates were forcibly disabled by application "Finder" for over 1.00 seconds. Server has re-enabled them.
93 Sep 27 15:14:40 WindowServer: WSGetSurfaceInWindow : Invalid surface 1066001118 for window 214
94 Sep 27 15:14:40 WindowServer: WSGetSurfaceInWindow : Invalid surface 1100251401 for window 214
95 Sep 27 15:14:40 WindowServer: WSBindSurface : Invalid surface 1100251401 for window 214
96 Sep 27 15:15:48 com.apple.kextd: LVG changed
97 Sep 27 15:15:48 com.apple.kextd: LVG changed
98 Sep 27 15:16:16 SophosWebD: [FilterRequestBroker.m:212] Timeout waiting for content scan.
99 Sep 27 15:16:16 SophosWebD: [FilterRequestBroker.m:212] Timeout waiting for content scan.
100 Sep 27 15:16:19 SophosWebD: [FilterRequestBroker.m:212] Timeout waiting for content scan.
101 Sep 27 15:22:19 WindowServer: WSGetSurfaceInWindow : Invalid surface 1281541070 for window 250
102 Sep 27 15:22:19 WindowServer: WSGetSurfaceInWindow : Invalid surface 1281541070 for window 250
103 Sep 27 15:22:19 WindowServer: WSGetSurfaceInWindow : Invalid surface 1281541070 for window 250
104 Sep 27 15:23:05 com.apple.kextd: LVG changed
105 Sep 27 15:23:05 com.apple.kextd: LVG changed
106 Sep 27 15:25:33 fseventsd: Events arrived for /Volumes/Iomega_HDD after an unmount request! Re-initializing.
107 Sep 27 15:25:33 fseventsd: creating a dls for /Volumes/Iomega_HDD but it already has one...
108 Sep 27 15:25:44 diskarbitrationd: mds [61]:19755 not responding.
109 Sep 27 15:26:02 com.apple.kextd: LVG changed
110 Sep 27 15:26:02 com.apple.kextd: LVG changed
111 Sep 27 15:31:01 launchservicesd: Application App:"loginwindow" asn:0x0-1001 pid:99 refs=7 @ 0x7f879961e750 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0x7d07d pid=1362 "ScreenSaverEngine"")), so denying. : LASSession.cp #1521 SetFrontApplication() q=LSSession 100006/0x186a6 queue
112 Sep 27 15:31:01 launchservicesd: Application App:"loginwindow" asn:0x0-1001 pid:99 refs=8 @ 0x7f879961e750 tried to be brought forward, but isn't in fPermittedFrontApps ( ( "LSApplication:0x0-0x7d07d pid=1362 "ScreenSaverEngine"")), so denying. : LASSession.cp #1521 SetFrontApplication() q=LSSession 100006/0x186a6 queue
113
114 launchd log
115
116 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
117 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XPCServices/com.apple.SpeechRecognitionCore.brokerd.xpc/Contents/MacOS/com.apple.SpeechRecognitionCore.brokerd error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
118 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/XPCServices/DataDetectorsDynamicData.xpc/Contents/MacOS/DataDetectorsDynamicData error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
119 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/XPCServices/DataDetectorsDynamicData.xpc/Contents/MacOS/DataDetectorsDynamicData error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
120 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
121 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeStampingService.xpc/Contents/MacOS/XPCTimeStampingService error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
122 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
123 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychainSandboxCheck.xpc/Contents/MacOS/XPCKeychainSandboxCheck error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
124 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuthorizeAgent.xpc/Contents/MacOS/IOServiceAuthorizeAgent error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
125 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XPCServices/com.apple.SpeechRecognitionCore.brokerd.xpc/Contents/MacOS/com.apple.SpeechRecognitionCore.brokerd error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
126 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCTimeStampingService.xpc, error = 1: Operation not permitted
127 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/XPCServices/DataDetectorsDynamicData.xpc, error = 1: Operation not permitted
128 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XPCServices/com.apple.SpeechRecognitionCore.brokerd.xpc, error = 1: Operation not permitted
129 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc, error = 1: Operation not permitted
130 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc, error = 1: Operation not permitted
131 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/Frameworks/IOKit.framework/Versions/A/XPCServices/IOServiceAuthorizeAgent.xpc, error = 1: Operation not permitted
132 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Failed to bootstrap path: path = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/XPCKeychainSandboxCheck.xpc, error = 1: Operation not permitted
133 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/Frameworks/AppKit.framework/Versions/C/XPCServices/SandboxedServiceRunner.xpc/Contents/MacOS/SandboxedServiceRunner error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
134 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/SpeechRecognitionCore.framework/Versions/A/XPCServices/com.apple.SpeechRecognitionCore.brokerd.xpc/Contents/MacOS/com.apple.SpeechRecognitionCore.brokerd error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
135 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/DataDetectorsCore.framework/Versions/A/XPCServices/DataDetectorsDynamicData.xpc/Contents/MacOS/DataDetectorsDynamicData error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
136 Sep 26 21:53:50 com.apple.xpc.launchd.domain.pid.SecurityAgent.238: Path not allowed in target domain: type = uid, path = /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod error = 1: Operation not permitted, origin = /System/Library/Frameworks/Security.framework/Versions/A/XPCServices/SecurityAgent.xpc
137 Sep 26 21:56:32 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.281, service = com.linebreak.CloudLoginHelper, error = 119: Service is disabled
138 Sep 26 21:56:32 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.281, service = com.jetson.Magic-Window-Helper, error = 119: Service is disabled
139 Sep 26 21:56:32 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.281, service = com.sockii.helper.capture365journalmac, error = 119: Service is disabled
140 Sep 26 21:56:32 com.apple.xpc.launchd.user.501.100006.Aqua: Could not import service from caller: caller = otherbsd.281, service = com.apple.photostream-agent, error = 119: Service is disabled
141
142 Console log
143
144 Sep 22 00:02:19 mdworker: -[__NSArrayM objectForKey:]: unrecognized selector sent to instance 0x7fc3b36298a0
145 Sep 22 00:03:40 mdworker: -[__NSArrayM objectForKey:]: unrecognized selector sent to instance 0x7fc3b3625470
146 Sep 26 20:52:10 fontd: Failed to open read-only database, regenerating DB
147
148 Loaded kernel extensions
149
150 com.Cvnt.driver.CvntDriver (0208.05.97)
151 com.Cvnt.nke (0208.05.97)
152 com.sophos.kext.sav (9.4.50)
153 com.sophos.nke.swi (9.4.50)
154
155 System services loaded
156
157 com.Cvnt.daemon
158 com.adobe.fpsaud
159 com.apple.Kerberos.kdc
160 - status: 1
161 com.apple.watchdogd
162 com.cvnt.cehostsd
163 com.cvnt.celapid
164 com.google.keystone.daemon
165 com.oracle.java.Helper-Tool
166 com.oracle.java.JavaUpdateHelper
167 com.sophos.autoupdate
168 com.sophos.common.servicemanager
169 com.sophos.configuration
170 com.sophos.intercheck
171 com.sophos.notification
172 com.sophos.scan
173 com.sophos.sxld
174 com.sophos.webd
175 net.waterroof.rules
176
177 Login services loaded
178
179 2BUA8C4S2C.com.agilebits.onepassword-osx-helper
180 com.Cvnt.start
181 com.apple.Finder
182 - status: -15
183 com.citrix.AuthManager_Mac
184 com.citrix.ReceiverHelper
185 com.citrix.ServiceRecords
186 com.google.keystone.system.agent
187 com.hp.devicemonitor
188 com.oracle.java.Java-Updater
189 com.sophos.uiserver
190
191 Login services disabled
192
193 com.apple.photostream-agent
194
195 User services disabled
196
197 com.apple.photostream-agent
198
199 User login items
200
201 CitrixFMDPrefPlugin
202 - /Applications/Citrix/FollowMeData/CitrixFMDPrefPlugin.app
203
204 Parental Controls: On
205
206 Safari extensions
207
208 1Password
209 - com.agilebits.onepassword4-safari
210 ClickToFlash
211 - com.hoyois.safari.clicktoflash
212 Covenant Eyes
213 - com.covenanteyes.safari-extension
214 Save to Pocket
215 - com.ideashower.pocket.safari
216 Twitter for Safari
217 - com.twitter.safari-extension
218 YouTube5
219 - com.verticalforest.youtube5
220
221 Widgets
222
223 iCal Events
224
225 iCloud errors
226
227 Finder 606
228 cloudd 167
229 bird 15
230 Spotlight 4
231 CallHistorySyncHelper 3
232 comapple.CloudPhotosConfiguration 2
233
234 Continuity errors
235
236 sharingd 1
237
238 Restricted files: 9089
239
240 Lockfiles: 38
241
242 Global prefs (user)
243
244 NSCloseAlwaysConfirmsChanges = 1
245 NSQuitAlwaysKeepsWindows = 1
246
247 Contents of /Library/LaunchAgents/com.Cvnt.start.plist
248 - mod date: Sep 23 17:57:18 2015
249 - size (B): 496
250 - checksum: 1162679678
251
252 <?xml version="1.0" encoding="UTF-8"?>
253 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
254 <plist version="1.0">
255 <dict>
256 <key>KeepAlive</key>
257 <true/>
258 <key>Label</key>
259 <string>com.Cvnt.start</string>
260 <key>ProgramArguments</key>
261 <array>
262 <string>/Applications/Covenant Eyes.app/Contents/MacOS/Covenant Eyes</string>
263 </array>
264 <key>RunAtLoad</key>
265 <true/>
266 <key>LaunchOnlyOnce</key>
267 <true/>
268 <key>Disabled</key>
269 <false/>
270 </dict>
271 </plist>
272
273 Contents of /Library/LaunchAgents/com.oracle.java.Java-Updater.plist
274 - mod date: Apr 18 10:35:39 2013
275 - size (B): 104
276 - checksum: 3703665025
277
278 <?xml version="1.0" encoding="UTF-8"?>
279 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
280 <plist version="1.0">
281 <dict>
282 <key>Label</key>
283 <string>com.oracle.java.Java-Updater</string>
284 <key>ProgramArguments</key>
285 <array>
286 <string>/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater</string>
287 <string>-bgcheck</string>
288 </array>
289 <key>StandardErrorPath</key>
290 <string>/dev/null</string>
291 <key>StandardOutPath</key>
292 <string>/dev/null</string>
293 <key>StartCalendarInterval</key>
294 <dict>
295 <key>Hour</key>
296 <integer>21</integer>
297 <key>Minute</key>
298 <integer>7</integer>
299 <key>Weekday</key>
300 <integer>5</integer>
301 </dict>
302 </dict>
303
304 ...and 1 more line(s)
305
306 Contents of /Library/LaunchAgents/com.sophos.uiserver.plist
307 - mod date: Sep 24 17:34:47 2015
308 - size (B): 563
309 - checksum: 40276757
310
311 <?xml version="1.0" encoding="UTF-8"?>
312 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
313 <plist version="1.0">
314 <dict>
315 <key>KeepAlive</key>
316 <true/>
317 <key>Label</key>
318 <string>com.sophos.uiserver</string>
319 <key>ProgramArguments</key>
320 <array>
321 <string>/Library/Sophos Anti-Virus/SophosUIServer.app/Contents/MacOS/SophosUIServer</string>
322 </array>
323 <key>RunAtLoad</key>
324 <true/>
325 <key>StandardErrorPath</key>
326 <string>/dev/null</string>
327 <key>StandardOutPath</key>
328 <string>/dev/null</string>
329 </dict>
330 </plist>
331
332 Contents of /Library/LaunchDaemons/com.Cvnt.daemon.plist
333 - mod date: Sep 23 17:57:18 2015
334 - size (B): 957
335 - checksum: 3551062947
336
337 <?xml version="1.0" encoding="UTF-8"?>
338 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
339 <plist version="1.0">
340 <dict>
341 <key>Label</key>
342 <string>com.Cvnt.daemon</string>
343 <key>ProgramArguments</key>
344 <array>
345 <string>/usr/local/libexec/CvntDaemon</string>
346 </array>
347 <key>RunAtLoad</key>
348 <true/>
349 <key>WatchPaths</key>
350 <array>
351 <string>/System/Library/Extensions/Cvnt.legacy.kext</string>
352 <string>/System/Library/Extensions/CvntDriver.legacy.kext</string>
353 <string>/Library/Extensions/Cvnt.kext</string>
354 <string>/Library/Extensions/CvntDriver.kext</string>
355 <string>/Applications/Covenant Eyes.app</string>
356 <string>/usr/local/libexec/cehostsd</string>
357 <string>/usr/local/libexec/celapid</string>
358 <string>/Library/LaunchDaemons/com.cvnt.cehostsd.plist</string>
359 <string>/Library/LaunchDaemons/com.cvnt.celapid.plist</string>
360 <string>/private/var/.ce</string>
361 </array>
362
363 ...and 2 more line(s)
364
365 Contents of /Library/LaunchDaemons/com.cvnt.cehostsd.plist
366 - mod date: Sep 23 17:57:18 2015
367 - size (B): 535
368 - checksum: 3123200950
369
370 <?xml version="1.0" encoding="UTF-8"?>
371 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
372 <plist version="1.0">
373 <dict>
374 <key>Label</key>
375 <string>com.cvnt.cehostsd</string>
376 <key>ProgramArguments</key>
377 <array>
378 <string>/usr/local/libexec/cehostsd</string>
379 </array>
380 <key>RunAtLoad</key>
381 <true/>
382 <key>StartInterval</key>
383 <integer>3600</integer>
384 <key>UserName</key>
385 <string>root</string>
386 <key>WatchPaths</key>
387 <array>
388 <string>/etc/hosts</string>
389 </array>
390 </dict>
391 </plist>
392
393 Contents of /Library/LaunchDaemons/com.cvnt.celapid.plist
394 - mod date: Sep 23 17:57:18 2015
395 - size (B): 410
396 - checksum: 3440685966
397
398 <?xml version="1.0" encoding="UTF-8"?>
399 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
400 <plist version="1.0">
401 <dict>
402 <key>Label</key>
403 <string>com.cvnt.celapid</string>
404 <key>KeepAlive</key>
405 <true/>
406 <key>ProgramArguments</key>
407 <array>
408 <string>/usr/local/libexec/celapid</string>
409 </array>
410 <key>UserName</key>
411 <string>root</string>
412 </dict>
413 </plist>
414
415 Contents of /Library/LaunchDaemons/com.sophos.common.servicemanager.plist
416 - mod date: Sep 24 17:34:38 2015
417 - size (B): 658
418 - checksum: 521223032
419
420 <?xml version="1.0" encoding="UTF-8"?>
421 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
422 <plist version="1.0">
423 <dict>
424 <key>StandardErrorPath</key>
425 <string>/dev/null</string>
426 <key>StandardOutPath</key>
427 <string>/dev/null</string>
428 <key>Label</key>
429 <string>com.sophos.common.servicemanager</string>
430 <key>ProgramArguments</key>
431 <array>
432 <string>/Library/Sophos Anti-Virus/SophosServiceManager.bundle/Contents/MacOS/SophosServiceManager</string>
433 </array>
434 <key>KeepAlive</key>
435 <true/>
436 <key>MachServices</key>
437 <dict>
438 <key>com.sophos.common.servicemanager</key>
439 <true/>
440 </dict>
441 </dict>
442 </plist>
443
444 Contents of /Library/LaunchDaemons/net.waterroof.rules.plist
445 - mod date: Sep 21 14:29:51 2011
446 - size (B): 449
447 - checksum: 3313947869
448
449 <?xml version="1.0" encoding="UTF-8"?>
450 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
451 <plist version="1.0">
452 <dict>
453 <key>Label</key>
454 <string>net.waterroof.rules</string>
455 <key>ProgramArguments</key>
456 <array>
457 <string>/etc/waterroof.sh</string>
458 </array>
459 <key>RunAtLoad</key>
460 <true/>
461 <key>ServiceDescription</key>
462 <string>WaterRoof: load firewall rules</string>
463 </dict>
464 </plist>
465
466 Contents of /System/Library/LaunchDaemons/org.apache.httpd.plist
467 - mod date: Apr 12 21:22:07 2015
468 - size (B): 554
469 - checksum: 3012644940
470
471 <?xml version="1.0" encoding="UTF-8"?>
472 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
473 <plist version="1.0">
474 <dict>
475 <key>Disabled</key>
476 <true/>
477 <key>Label</key>
478 <string>org.apache.httpd</string>
479 <key>EnvironmentVariables</key>
480 <dict>
481 <key>XPC_SERVICES_UNAVAILABLE</key>
482 <string>1</string>
483 </dict>
484 <key>ProgramArguments</key>
485 <array>
486 <string>/usr/sbin/httpd-wrapper</string>
487 <string>-D</string>
488 <string>FOREGROUND</string>
489 </array>
490 <key>OnDemand</key>
491 <false/>
492 </dict>
493 </plist>
494
495 Contents of /private/etc/hosts
496 - mod date: Apr 2 09:21:35 2014
497 - size (B): 9950
498 - checksum: 2249785262
499
500 216.239.32.20 www.google.ac # __CE_WATERMARK__
501 216.239.32.20 www.google.ad # __CE_WATERMARK__
502 216.239.32.20 www.google.ae # __CE_WATERMARK__
503 216.239.32.20 www.google.al # __CE_WATERMARK__
504 216.239.32.20 www.google.am # __CE_WATERMARK__
505 216.239.32.20 www.google.as # __CE_WATERMARK__
506 216.239.32.20 www.google.at # __CE_WATERMARK__
507 216.239.32.20 www.google.az # __CE_WATERMARK__
508 216.239.32.20 www.google.ba # __CE_WATERMARK__
509 216.239.32.20 www.google.be # __CE_WATERMARK__
510 216.239.32.20 www.google.bf # __CE_WATERMARK__
511 216.239.32.20 www.google.bg # __CE_WATERMARK__
512 216.239.32.20 www.google.bi # __CE_WATERMARK__
513 216.239.32.20 www.google.bj # __CE_WATERMARK__
514 216.239.32.20 www.google.bs # __CE_WATERMARK__
515 216.239.32.20 www.google.bt # __CE_WATERMARK__
516 216.239.32.20 www.google.by # __CE_WATERMARK__
517 216.239.32.20 www.google.ca # __CE_WATERMARK__
518 216.239.32.20 www.google.cat # __CE_WATERMARK__
519 216.239.32.20 www.google.cc # __CE_WATERMARK__
520 216.239.32.20 www.google.cd # __CE_WATERMARK__
521 216.239.32.20 www.google.cf # __CE_WATERMARK__
522 216.239.32.20 www.google.cg # __CE_WATERMARK__
523 216.239.32.20 www.google.ch # __CE_WATERMARK__
524 216.239.32.20 www.google.ci # __CE_WATERMARK__
525
526 ...and 179 more line(s)
527
528 Extensions
529
530 /Library/Extensions/Cvnt.kext
531 - com.Cvnt.nke
532 /Library/Extensions/CvntDriver.kext
533 - com.Cvnt.driver.CvntDriver
534 /Library/Extensions/SophosNetworkInterceptor.kext
535 - com.sophos.nke.swi
536 /Library/Extensions/SophosOnAccessInterceptor.kext
537 - com.sophos.kext.sav
538 /System/Library/Extensions/JMicronATA.kext
539 - com.jmicron.JMicronATA
540 /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns/ssudmdmcontrol.kext
541 - com.devguru.driver.SamsungACMControl
542 /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns/ssudmdmdata.kext
543 - com.devguru.driver.SamsungACMData
544 /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns/ssudmtp.kext
545 - com.devguru.driver.SamsungMTP
546 /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns/ssudserial.kext
547 - com.devguru.driver.SamsungSerial
548 /System/Library/Extensions/ssuddrv.kext
549 - com.devguru.driver.SamsungComposite
550
551 Applications
552
553 /Applications/Citrix Receiver.app
554 - com.citrix.receiver.nomas
555 /Applications/Citrix/FollowMeData/CitrixFMDAgent.app
556 - com.citrix.FMDAgent
557 /Applications/Citrix/FollowMeData/CitrixFMDPrefPlugin.app
558 - com.citrix.FMDPlugin
559 /Applications/Citrix/FollowMeData/ContextMenuApp.app
560 - Citrix.ContextMenuApp
561 /Applications/Citrix/FollowMeData/SyncEngine/SyncEngine.app
562 - com.citrix.SyncEngine
563 /Applications/Citrix/FollowMeData/Uninstall ShareFile Plug-in.app
564 - com.citrix.FMDUninStaller
565 /Applications/Google Earth.app
566 - com.Google.GoogleEarthPlus
567 /Applications/Hewlett-Packard/HP Scan 3.app
568 - com.hp.scan.app
569 /Applications/Hewlett-Packard/HP Uninstaller.app
570 - com.hp.Uninstaller
571 /Applications/Keynote '09.app
572 - com.apple.automator.Keynote '09
573 /Applications/Numbers '09.app
574 - com.apple.automator.Numbers '09
575 /Applications/Pages '09.app
576 - com.apple.automator.iWork '09 - Pages
577 /Applications/Utilities/Adobe AIR Application Installer.app
578 - com.adobe.air.ApplicationInstaller
579 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Add to iPhoto Library.app
580 - com.apple.automator.AddtoiPhotoLibrary
581 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Email Image.app
582 - com.apple.automator.EmailImage
583 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Email PDF.app
584 - com.apple.automator.EmailPDF
585 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open HP Scan.app
586 - com.apple.automator.OpenHPScan
587 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open PDF in Preview.app
588 - com.apple.automator.OpenPDFinPreview
589 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open in Preview.app
590 - com.apple.automator.OpeninPreview
591 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Save PDF in Documents.app
592 - com.apple.automator.SavePDFinDocuments
593 /Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Save in Pictures.app
594 - com.apple.automator.SaveinPictures
595 /Library/Application Support/Microsoft/Silverlight/OutOfBrowser/SLLauncher.app
596 - com.microsoft.silverlight.sllauncher
597 /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Adobe AIR Application Installer.app
598 - com.adobe.air.ApplicationInstaller
599 /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Template.app
600 - com.adobe.air.Template
601 /Library/Printers/hp/Fax/fax.backend
602 - com.hp.fax
603 /Library/Printers/hp/Fax/rastertofax.filter
604 - com.hp.rastertofax
605 /Library/Printers/hp/cups/filters/commandtohp.filter
606 - com.hp.print.cups.filter.commandtohp
607 /Library/Printers/hp/cups/filters/pdftopdf.filter
608 - com.hp.print.cups.filter.pdftopdf
609 /Library/Printers/hp/cups/tools/autosetup.tool
610 - com.hp.print.autosetup
611 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Add to iPhoto Library.app
612 - com.apple.automator.AddtoiPhotoLibrary
613 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Email Image.app
614 - com.apple.automator.EmailImage
615 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Email PDF.app
616 - com.apple.automator.EmailPDF
617 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open HP Scan.app
618 - com.apple.automator.OpenHPScan
619 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open PDF in Preview.app
620 - com.apple.automator.OpenPDFinPreview
621 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Open in Preview.app
622 - com.apple.automator.OpeninPreview
623 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Save PDF in Documents.app
624 - com.apple.automator.SavePDFinDocuments
625 /Users/USER/Library/Application Support/Hewlett-Packard/Workflows/Shortcuts/Save in Pictures.app
626 - com.apple.automator.SaveinPictures
627 /usr/local/libexec/AuthManager_Mac.app
628 - com.citrix.AuthManagerMac
629 /usr/local/libexec/ReceiverHelper.app
630 - com.citrix.ReceiverHelper
631 /usr/local/libexec/ServiceRecords.app
632 - Citrix.ServiceRecords
633
634 Frameworks
635
636 /Library/Frameworks/Adobe AIR.framework
637 - com.adobe.AIR
638 /Library/Frameworks/SAVI.framework
639 - com.sophos.sav.savi
640 /Library/Frameworks/SUMScanKit.framework
641 - com.sophos.sum.scan.kit
642 /Library/Frameworks/SophosGenericsCommon.framework
643 - com.sophos.macendpoint.SophosGenericsCommon
644 /Library/Frameworks/SophosGenericsCore.framework
645 - com.sophos.macendpoint.SophosGenericsCore
646 /Users/USER/Library/Frameworks/SamsungKiesFoundation.framework
647 - com.samsung.kies.framework.foundation
648 /Users/USER/Library/Frameworks/SamsungKiesSerialPort.framework
649 - com.samsung.kies.framework.serialport
650
651 PrefPane
652
653 /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/deploy/JavaControlPanel.prefPane
654 - com.oracle.java.JavaControlPanel
655 /Library/PreferencePanes/FMDSysPrefPane.prefPane
656 - Citrix.FMDSysPrefPane
657 /Library/PreferencePanes/Flash Player.prefPane
658 - com.adobe.flashplayerpreferences
659
660 Bundles
661
662 /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/AdobeCP15.plugin
663 - com.adobe.adobecp
664 /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/Flash Player.plugin
665 - com.macromedia.FlashPlayer-10.6.plugin
666 /Library/Internet Plug-Ins/CitrixICAClientPlugIn.plugin
667 - com.citrix.citrixicaclientplugIn
668 /Library/Internet Plug-Ins/Flash Player.plugin
669 - com.macromedia.Flash Player.plugin
670 /Library/Internet Plug-Ins/JavaAppletPlugin.plugin
671 - com.oracle.java.JavaAppletPlugin
672 /Library/Internet Plug-Ins/NP_2020Player_IKEA.plugin
673 - com.2020technologies.2020Player-IKEA.NP
674 /Library/Internet Plug-Ins/Silverlight.plugin
675 - com.microsoft.SilverlightPlugin
676 /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle
677 - com.skype.skypeabdialer
678 /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle
679 - com.skype.skypeabsms
680 /Users/USER/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin
681 - com.Google.GoogleEarthPlugin.plugin
682 /Users/USER/Library/Widgets/iCal Events.wdgt
683 - com.benkazez.widget.icalevents
684
685 Bundles (new)
686
687 /Applications/Covenant Eyes.app
688 - com.Cvnt.ce
689 /Applications/Remove Sophos Anti-Virus.app
690 - com.sophos.macendpoint.Remove-Sophos-Anti-Virus
691 /Applications/Sophos Anti-Virus.app
692 - com.sophos.macendpoint.Sophos-Anti-Virus
693 /Applications/Utilities/Adobe Flash Player Install Manager.app
694 - com.adobe.flashplayer.installmanager
695 /Applications/Utilities/Uninstall Covenant Eyes.app
696 - com.Cvnt.Uninstall
697 /Library/Application Support/Sophos/he/Installer.app
698 - com.sophos.macendpoint.Installer
699 /Library/Application Support/Sophos/he/Sophos Installer Components/savi.bundle
700 - com.sophos.macinstallpkg.savi
701 /Library/Frameworks/SAVI.framework
702 - com.sophos.sav.savi
703 /Library/Frameworks/SAVI.framework/Versions/A/Frameworks/Python.framework
704 - org.python.python
705 /Library/Frameworks/SUMScanKit.framework
706 - com.sophos.sum.scan.kit
707 /Library/Frameworks/SophosGenericsCommon.framework
708 - com.sophos.macendpoint.SophosGenericsCommon
709 /Library/Frameworks/SophosGenericsCore.framework
710 - com.sophos.macendpoint.SophosGenericsCore
711 /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
712 - com.google.Keystone
713 /Library/Internet Plug-Ins/Flash Player.plugin
714 - com.macromedia.Flash Player.plugin
715 /Library/PreferencePanes/Flash Player.prefPane
716 - com.adobe.flashplayerpreferences
717 /Library/Sophos Anti-Virus/InterCheck.app
718 - com.sophos.sav.ic
719 /Library/Sophos Anti-Virus/SophosAntiVirus.app
720 - com.sophos.SophosAntiVirus
721 /Library/Sophos Anti-Virus/SophosAutoUpdate.app
722 - com.sophos.autoupdate
723 /Library/Sophos Anti-Virus/SophosSXLD.app
724 - com.Sophos.macendpoint.SophosSXLD
725 /Library/Sophos Anti-Virus/SophosScanD.app
726 - com.sophos.SophosScanD
727 /Library/Sophos Anti-Virus/SophosServiceManager.bundle
728 - com.sophos.macendpoint.SophosServiceManager
729 /Library/Sophos Anti-Virus/SophosUIServer.app
730 - com.sophos.ui
731 /Library/Sophos Anti-Virus/SophosWebIntelligence.bundle
732 - com.sophos.macendpoint.SophosWebIntelligence
733 /Library/Sophos Anti-Virus/Tools/SDU4OSX.app
734 - com.sophos.SDU4OSX
735
736 Library paths
737
738 /Library/Frameworks/Adobe AIR.framework/Versions/1.0/Resources/WebKit.dylib
739 /Library/Image Capture/Support/Hewlett-Packard/Frameworks/HPScanAnalysis.framework/Versions/A/Resources/Libraries/libopencv_core.dylib
740 /Library/Image Capture/Support/Hewlett-Packard/Frameworks/HPScanAnalysis.framework/Versions/A/Resources/Libraries/libopencv_highgui.dylib
741 /Library/Image Capture/Support/Hewlett-Packard/Frameworks/HPScanAnalysis.framework/Versions/A/Resources/Libraries/libopencv_imgproc.dylib
742 /Library/Image Capture/Support/Hewlett-Packard/Frameworks/HPScanAnalysis.framework/Versions/A/Resources/Libraries/libopencv_objdetect.dylib
743 /Library/Printers/Samsung/ML-1660/SCMS/libscmssc.dylib
744 /Library/Sophos Anti-Virus/Libraries/libcrypto.dylib
745 /Library/Sophos Anti-Virus/Libraries/libssl.dylib
746 /Users/USER/Library/Application Support/Digiarty/MacX YouTube Downloader/onlinevideo.dylib
747 /Users/USER/Library/Application Support/Firefox/Profiles/m1jm9hxg.default/gmp-gmpopenh264/1.4/libgmpopenh264.dylib
748 /usr/lib/libMonoPosixHelper.dylib
749 /usr/lib/libSFFileMonitor.32.dylib
750 /usr/lib/libSFIPC.32.dylib
751 /usr/lib/libSFIPC.I.dylib
752 /usr/lib/libSFSyncEngine.I.dylib
753 /usr/lib/libSFsqlite3.7.4.dylib
754 /usr/local/lib/libMonoPosixHelper.dylib
755 /usr/local/lib/libSFFileMonitor.32.dylib
756 /usr/local/lib/libSFIPC.32.dylib
757 /usr/local/lib/libSFIPC.I.dylib
758 /usr/local/lib/libSFSyncEngine.I.dylib
759 /usr/local/lib/libSFsqlite3.7.4.dylib
760
761 App extensions
762
763 com.linebreak.CloudAppMacOSX.Share
764 com.linebreak.CloudAppMacOSX.Today
765 com.microsoft.onenote.mac.shareextension
766 it.bloop.airmail2.Airmail-Compose
767 it.bloop.airmail2.Airmail-Share
768 it.bloop.airmail2.Airmail-Today
769
770 Modifications
771
772 file added: /Applications/VLC.app/Contents/MacOS/plugins/plugins.dat
773
774 Installations
775
776 Covenant Eyes: 24/09/2015 21:18
777 Adobe Flash Player: 21/09/2015 21:44
778 Capture 365 Journal: 16/09/2015 10:28
779 Airmail: 07/09/2015 17:39
780 Capture 365 Journal: 03/09/2015 08:11
781
782 Elapsed time (sec): 958
<Edited By Host>