MacBook Air acting like malware is installed

I am a prior member of the Apple Solutions Experts and on-site specialist for many years and am puzzled.

This MacBook Air using 10.11.1, etc. has some issues -- there has been malware and I followed the tips I could find to remove it, have wiped the drive and re-installed the OS and used Time Machine to repopulate data -- the issue repeats within a few hours ...

Cursor and return keys become inoperative -- booting in safe mode does not fix it -- in booting in Recovery Mode the list of four options is only highlightable by using the arrow keys to navigate -- in several instances the cursor and return keys were inoperative to proceed; restarting repeatedly provided an operative screen ...


I ran the hardware diagnostics and it has a clean bill of health -- I am looking for options.

MacBook Air, OS X El Capitan (10.11.1), 4 gigs RAM

Posted on Nov 28, 2015 9:50 AM

21 replies

Nov 28, 2015 6:04 PM in response to Merkaba22

update:


Ran ClamXAV and found four items, a 17MB m-box file, an Adobe installer DMG, and two other small files that were trashed... restarted to same result: got to the finder but the cursor is only drawing "Areas" with no functionality from the trackpad or keyboard.


I restarted again and, additionally, the screen was blinking like a video card issue which I had seen before -- again no hardware issue reported by an Apple test made earlier today. At least once, the flickering led to locking the login pane. I finally decided to login as a guest and interestingly, all is well, so to speak.


I ran ClamXAV on the rest of the files and there were no errors found for all home and document folders.


Means something in the app or system files, right -- ideas?

Nov 28, 2015 8:16 PM in response to Allan Eckert

Hey thanks -- I downloaded and ran from the Guest User account:


EtreCheck version: 2.6.4 (224)

Report generated 11/28/15, 8:14 PM

Runtime 1:43

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Air (13-inch, Mid 2013)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 221 - SN = D863414128CF90JAY


Video Information: (What does this mean?)

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: about 2 hours


Disk Information: (What does this mean?)

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Audio (disk0s4) /Volumes/Audio : 100.11 GB (99.89 GB free)

MacBook Air (disk1) / : 149.53 GB (45.52 GB free)

Core Storage: disk0s2 149.90 GB Online


USB Information: (What does this mean?)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Applications/Boom 2.app

[not loaded] com.globaldelight.driver.Boom2Device (1.1 - SDK 10.10) [Click for support]


/Applications/Rowmote Helper.app

[not loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) [Click for support]


/System/Library/Extensions

[not loaded] com.FTDI.driver.FTDIUSBSerialDriver (2.2.18 - SDK 10.6) [Click for support]

[not loaded] com.m-audio.usb.midisupport.driver (1.1) [Click for support]


Startup Items: (What does this mean?)

M-Audio Firmware Loader: Path: /Library/StartupItems/M-Audio Firmware Loader

Startup items are obsolete in OS X Yosemite


Launch Agents: (What does this mean?)

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist [Click for support] [Click for details]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]


User Login Items: (What does this mean?)

None


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x10000006.EtreCheck

[running] uk.co.canimaansoftware.clamxav.274592


Internet Plug-ins: (What does this mean?)

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 19.0.0.245 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewerNPAPI: Version: 15.009.20069 - SDK 10.8 [Click for support]

AdobePDFViewer: Version: 15.009.20069 - SDK 10.8 [Click for support]

Flash Player: Version: 19.0.0.245 - SDK 10.6 [Click for support]

Default Browser: Version: 601 - SDK 10.11

Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 [Click for support]

Silverlight: Version: 5.1.40728.0 - SDK 10.6 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 66 build 17 Check version


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

Flip4Mac WMV [Click for support]

Java [Click for support]


Time Machine: (What does this mean?)

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

MacBook Air: Disk size: 149.53 GB Disk used: 104.01 GB

Destinations:

Studio 500 [Local]

Total size: 500.10 GB

Total number of backups: 45

Oldest backup: 2/14/14, 2:24 PM

Last backup: 11/21/15, 12:16 PM

Size of backup disk: Excellent

Backup size 500.10 GB > (Disk size 149.53 GB X 3)


MPB 500 [Local]

Total size: 499.62 GB

Total number of backups: 17

Oldest backup: 10/6/15, 2:45 PM

Last backup: 11/21/15, 1:18 PM

Size of backup disk: Excellent

Backup size 499.62 GB > (Disk size 149.53 GB X 3)


Top Processes by CPU: (What does this mean?)

8% WindowServer

4% kernel_task

3% Safari

3% hidd

3% mdworker(6)


Top Processes by Memory: (What does this mean?)

532 MB com.apple.WebKit.WebContent(3)

467 MB kernel_task

115 MB mds_stores

111 MB Safari

98 MB webfilterproxyd


Virtual Memory Information: (What does this mean?)

388 MB Free RAM

3.62 GB Used RAM (1.18 GB Cached)

39 MB Swap Used


Diagnostics Information: (What does this mean?)

Nov 28, 2015, 05:21:31 PM Self test - passed


Standard users cannot read /Library/Logs/DiagnosticReports.

Run as an administrator account to see more information.

Nov 28, 2015 11:39 PM in response to Merkaba22

With all due respect for your previous experience in troubleshooting, the problem you describe doesn't sound like any malware I'm familiar with. I would have thought there was a hardware issue with the keyboard/trackpad until finding your Guest account didn't have the problem. It's a bit uncommon for Safe Mode to still show a software issue but a Guest account not.


Without knowing the infection names associated with those files ClamXav found, I can't really offer much there. The 17MB M-box file and Adobe.dmg sound very much like adware installers downloaded from a place like C|Net or Softonic (and even MacUpdate recently). They generally give you the application you were looking for along with generally unwanted advertising, but I don't see signs that it was ever installed from your EtreCheck results.


It looks like you inherited some older m-audio software from your Time Machine restoral. Neither the kernel extension nor the Startup Item are loaded, so they can't be the problem, but you might as well get rid of them or upgrade if you still use the device.


To be honest, you have a very clean setup with little or no third party crap installed and all plug-ins appear to be completely up-to-date.


However, since you ran it from the Guest account we can't see the third party software that is installed and loaded only for your admin account and we also can't see what kinds of diagnostic reports are being collected for the admin user and the System, so I think you are going to need to run it again from the account that is having the problem.

Nov 29, 2015 12:34 AM in response to MadMacs0

Been logged into Guest User since last entry with no issue until I tried to remove an icon from the dock -- the "remove" label stuck to the cursor rendering it unusable along with the rest of the keyboard and trackpad -- I restarted to get here and just now re-downloaded EtreCheck:


EtreCheck version: 2.6.4 (224)

Report generated 11/29/15, 12:33 AM

Runtime 1:41

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Air (13-inch, Mid 2013)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 221 - SN = D863414128CF90JAY


Video Information: (What does this mean?)

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: less than an hour


Disk Information: (What does this mean?)

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Audio (disk0s4) /Volumes/Audio : 100.11 GB (99.89 GB free)

MacBook Air (disk1) / : 149.53 GB (47.50 GB free)

Core Storage: disk0s2 149.90 GB Online


USB Information: (What does this mean?)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Applications/Boom 2.app

[not loaded] com.globaldelight.driver.Boom2Device (1.1 - SDK 10.10) [Click for support]


/Applications/Rowmote Helper.app

[not loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) [Click for support]


/System/Library/Extensions

[not loaded] com.FTDI.driver.FTDIUSBSerialDriver (2.2.18 - SDK 10.6) [Click for support]

[not loaded] com.m-audio.usb.midisupport.driver (1.1) [Click for support]


Startup Items: (What does this mean?)

M-Audio Firmware Loader: Path: /Library/StartupItems/M-Audio Firmware Loader

Startup items are obsolete in OS X Yosemite


Launch Agents: (What does this mean?)

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist [Click for support] [Click for details]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]


User Login Items: (What does this mean?)

None


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x10000003.EtreCheck


Internet Plug-ins: (What does this mean?)

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 19.0.0.245 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewerNPAPI: Version: 15.009.20069 - SDK 10.8 [Click for support]

AdobePDFViewer: Version: 15.009.20069 - SDK 10.8 [Click for support]

Flash Player: Version: 19.0.0.245 - SDK 10.6 [Click for support]

Default Browser: Version: 601 - SDK 10.11

Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 [Click for support]

Silverlight: Version: 5.1.40728.0 - SDK 10.6 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 66 build 17 Check version


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

Flip4Mac WMV [Click for support]

Java [Click for support]


Time Machine: (What does this mean?)

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

MacBook Air: Disk size: 149.53 GB Disk used: 102.03 GB

Destinations:

Studio 500 [Local]

Total size: 500.10 GB

Total number of backups: 45

Oldest backup: 2/14/14, 2:24 PM

Last backup: 11/21/15, 12:16 PM

Size of backup disk: Excellent

Backup size 500.10 GB > (Disk size 149.53 GB X 3)


MPB 500 [Local]

Total size: 499.62 GB

Total number of backups: 17

Oldest backup: 10/6/15, 2:45 PM

Last backup: 11/21/15, 1:18 PM

Size of backup disk: Excellent

Backup size 499.62 GB > (Disk size 149.53 GB X 3)


Top Processes by CPU: (What does this mean?)

7% WindowServer

4% kernel_task

2% hidd

2% fontd

1% Dock


Top Processes by Memory: (What does this mean?)

524 MB kernel_task

373 MB com.apple.WebKit.WebContent(2)

172 MB mdworker(11)

111 MB iconservicesagent(2)

102 MB ocspd


Virtual Memory Information: (What does this mean?)

835 MB Free RAM

3.18 GB Used RAM (1.22 GB Cached)

0 B Swap Used


Diagnostics Information: (What does this mean?)

Nov 29, 2015, 12:23:21 AM Self test - passed


Standard users cannot read /Library/Logs/DiagnosticReports.

Run as an administrator account to see more information.

Nov 29, 2015 12:39 AM in response to MadMacs0

Now I am logged in as myself, downloaded and ran EtreCheck:


EtreCheck version: 2.6.4 (224)

Report generated 11/29/15, 12:39 AM

Runtime 2:22

Download EtreCheck from http://etresoft.com/etrecheck


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Air (13-inch, Mid 2013)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 222 - SN = D863414128CF90JAY


Video Information: (What does this mean?)

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: less than an hour


Disk Information: (What does this mean?)

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Audio (disk0s4) /Volumes/Audio : 100.11 GB (99.89 GB free)

MacBook Air (disk1) / : 149.53 GB (47.38 GB free)

Core Storage: disk0s2 149.90 GB Online


USB Information: (What does this mean?)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Applications/Boom 2.app

[not loaded] com.globaldelight.driver.Boom2Device (1.1 - SDK 10.10) [Click for support]


/Applications/Rowmote Helper.app

[not loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) [Click for support]


/System/Library/Extensions

[not loaded] com.FTDI.driver.FTDIUSBSerialDriver (2.2.18 - SDK 10.6) [Click for support]

[not loaded] com.m-audio.usb.midisupport.driver (1.1) [Click for support]


Startup Items: (What does this mean?)

M-Audio Firmware Loader: Path: /Library/StartupItems/M-Audio Firmware Loader

Startup items are obsolete in OS X Yosemite


Launch Agents: (What does this mean?)

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist [Click for support] [Click for details]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]


User Launch Agents: (What does this mean?)

[loaded] com.adobe.ARM.[...].plist [Click for support]

[failed] com.google.keystone.agent.plist [Click for support] [Click for details]

[failed] com.spotify.webhelper.plist [Click for support] [Click for details]


User Login Items: (What does this mean?)

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

iTunesHelper UNKNOWN Hidden (missing value)

Mail Application (/Applications/Mail.app)

Safari Application (/Applications/Safari.app)

AdobeResourceSynchronizer Application Hidden (/Applications/Adobe Acrobat Reader DC.app/Contents/Helpers/AdobeResourceSynchronizer.app)


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x10000005.ClamXav

[running] com.apple.xpc.launchd.oneshot.0x1000000d.EtreCheck

[running] org.mozilla.firefox.46432


Internet Plug-ins: (What does this mean?)

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 19.0.0.245 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewerNPAPI: Version: 15.009.20069 - SDK 10.8 [Click for support]

AdobePDFViewer: Version: 15.009.20069 - SDK 10.8 [Click for support]

Flash Player: Version: 19.0.0.245 - SDK 10.6 [Click for support]

Default Browser: Version: 601 - SDK 10.11

Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 [Click for support]

Silverlight: Version: 5.1.40728.0 - SDK 10.6 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 66 build 17 Check version


User internet Plug-ins: (What does this mean?)

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Click for support]

Move_Media_Player: Version: npmnqmp 071505000006 [Click for support]

Google Earth Web Plug-in: Version: 7.1 [Click for support]


Safari Extensions: (What does this mean?)

AdBlock

Ghostery

Myppes


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

Flip4Mac WMV [Click for support]

Java [Click for support]

Perian [Click for support]


Time Machine: (What does this mean?)

Skip System Files: NO

Mobile backups: ON

Auto backup: YES

Volumes being backed up:

MacBook Air: Disk size: 149.53 GB Disk used: 102.15 GB

Destinations:

Studio 500 [Local]

Total size: 500.10 GB

Total number of backups: 45

Oldest backup: 2/14/14, 2:24 PM

Last backup: 11/21/15, 12:16 PM

Size of backup disk: Excellent

Backup size 500.10 GB > (Disk size 149.53 GB X 3)


MPB 500 [Local]

Total size: 499.62 GB

Total number of backups: 17

Oldest backup: 10/6/15, 2:45 PM

Last backup: 11/21/15, 1:18 PM

Size of backup disk: Excellent

Backup size 499.62 GB > (Disk size 149.53 GB X 3)


Top Processes by CPU: (What does this mean?)

9% firefox

2% kernel_task

2% fontd(2)

1% WindowServer

0% com.apple.WebKit.WebContent(3)


Top Processes by Memory: (What does this mean?)

562 MB kernel_task

434 MB firefox

303 MB mdworker(23)

168 MB com.apple.WebKit.WebContent(3)

106 MB iTunes


Virtual Memory Information: (What does this mean?)

25 MB Free RAM

3.97 GB Used RAM (820 MB Cached)

0 B Swap Used


Diagnostics Information: (What does this mean?)

Nov 29, 2015, 12:23:21 AM Self test - passed

Nov 28, 2015, 07:00:28 PM /Library/Logs/DiagnosticReports/mdworker32_2015-11-28-190028_[redacted].crash

Nov 26, 2015, 09:55:48 PM ~/Library/Logs/DiagnosticReports/mdworker32_2015-11-26-215548_[redacted].crash

Nov 29, 2015 7:51 PM in response to MadMacs0

OK -- after going back to my regular account, using the MacBook for longer periods, mostly on Safari -- on FB the pane was drawn poorly with the title bar near the bottom margin; I decided to run ClamXav again and found some issues not revealed earlier.


I have screen shots in pdf format less than 250kb that I cannot upload that included a shot of ClamXav showing:


12572.emix -- Email, Phisihing.Auction-16

12574.emix -- Email, Phisihing.Auction-233

12605.emix -- Email, Phisihing.Auction-16

12634.emix -- HTML, Phisihing.Pay-23

mbox -- Exploit.HTML.IFrame-8


----------- SCAN SUMMARY -----------

Known viruses: 4146545

Engine version: 0.98.7

Scanned directories: 19642

Scanned files: 146460

Infected files: 5

Data scanned: 46421.01 MB

Data read: 68485.23 MB (ratio 0.68:1)

Time: 4851.751 sec (80 m 51 s)


EtreCheck prior to deleting the files ClamXav found, among other things, a Safari Extension identified below as Myppes -- when I look at Safari > Preferences > Extensions it only shows AdBlock and Ghostery. I am trashing "/Library/StartupItems/M-Audio Firmware Loader" -- lots of odd ball stuff that's taking up RAM:


EtreCheck version: 2.6.5 (225)

Report generated 11/29/15, 7:44 PM

Runtime 1:48

Download EtreCheck from http://etrecheck.com


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Air (13-inch, Mid 2013)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 222 - SN = D863414128CF90JAY


Video Information: (What does this mean?)

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: about one day


Disk Information: (What does this mean?)

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Audio (disk0s4) /Volumes/Audio : 100.11 GB (99.89 GB free)

MacBook Air (disk1) / : 149.53 GB (42.32 GB free)

Core Storage: disk0s2 149.90 GB Online


USB Information: (What does this mean?)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Applications/Boom 2.app

[not loaded] com.globaldelight.driver.Boom2Device (1.1 - SDK 10.10) [Click for support]


/Applications/Rowmote Helper.app

[not loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) [Click for support]


/System/Library/Extensions

[not loaded] com.FTDI.driver.FTDIUSBSerialDriver (2.2.18 - SDK 10.6) [Click for support]

[not loaded] com.m-audio.usb.midisupport.driver (1.1) [Click for support]


Startup Items: (What does this mean?)

M-Audio Firmware Loader: Path: /Library/StartupItems/M-Audio Firmware Loader

Startup items are obsolete in OS X Yosemite


System Launch Agents: (What does this mean?)

[killed] com.apple.AssetCacheLocatorService.plist

[killed] com.apple.BezelUI.plist

[killed] com.apple.CallHistoryPluginHelper.plist

[killed] com.apple.CallHistorySyncHelper.plist

[killed] com.apple.DiskArbitrationAgent.plist

[killed] com.apple.EscrowSecurityAlert.plist

[killed] com.apple.FolderActionsDispatcher.plist

[killed] com.apple.Safari.SafeBrowsing.Service.plist

[killed] com.apple.SafariCloudHistoryPushAgent.plist

[killed] com.apple.SafariNotificationAgent.plist

[killed] com.apple.cloudphotosd.plist

[killed] com.apple.coreservices.appleid.authentication.plist

[killed] com.apple.gamed.plist

[killed] com.apple.icloud.fmfd.plist

[killed] com.apple.photolibraryd.plist

[killed] com.apple.recentsd.plist

[killed] com.apple.reversetemplated.plist

[killed] com.apple.security.cloudkeychainproxy.plist

[killed] com.apple.security.idskeychainsyncingproxy.plist

[killed] com.apple.spindump_agent.plist

[killed] com.apple.spotlight.IndexAgent.plist

[killed] com.apple.telephonyutilities.callservicesd.plist

22 processes killed due to insufficient RAM


System Launch Daemons: (What does this mean?)

[killed] com.apple.AssetCacheLocatorService.plist

[killed] com.apple.GSSCred.plist

[killed] com.apple.awdd.plist

[killed] com.apple.icloud.findmydeviced.plist

[killed] com.apple.ifdreader.plist

[killed] com.apple.periodic-daily.plist

[killed] com.apple.softwareupdated.plist

[killed] com.apple.spindump.plist

[killed] com.apple.wdhelper.plist

[killed] com.apple.xpc.smd.plist

10 processes killed due to insufficient RAM


Launch Agents: (What does this mean?)

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist [Click for support]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]


User Launch Agents: (What does this mean?)

[loaded] com.adobe.ARM.[...].plist [Click for support]

[failed] com.google.keystone.agent.plist [Click for support]

[failed] com.spotify.webhelper.plist [Click for support]


User Login Items: (What does this mean?)

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

iTunesHelper UNKNOWN Hidden (missing value)

Mail Application (/Applications/Mail.app)

Safari Application (/Applications/Safari.app)

AdobeResourceSynchronizer Application Hidden (/Applications/Adobe Acrobat Reader DC.app/Contents/Helpers/AdobeResourceSynchronizer.app)


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x10000005.ClamXav

[running] com.apple.xpc.launchd.oneshot.0x10000010.EtreCheck

[running] org.mozilla.firefox.46432


Internet Plug-ins: (What does this mean?)

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 19.0.0.245 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewerNPAPI: Version: 15.009.20069 - SDK 10.8 [Click for support]

AdobePDFViewer: Version: 15.009.20069 - SDK 10.8 [Click for support]

Flash Player: Version: 19.0.0.245 - SDK 10.6 [Click for support]

Default Browser: Version: 601 - SDK 10.11

Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 [Click for support]

Silverlight: Version: 5.1.40728.0 - SDK 10.6 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 66 build 17 Check version


User internet Plug-ins: (What does this mean?)

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Click for support]

Move_Media_Player: Version: npmnqmp 071505000006 [Click for support]

Google Earth Web Plug-in: Version: 7.1 [Click for support]


Safari Extensions: (What does this mean?)

AdBlock

Ghostery

Myppes


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

Flip4Mac WMV [Click for support]

Java [Click for support]

Perian [Click for support]


Time Machine: (What does this mean?)

Time Machine information is not available


Top Processes by CPU: (What does this mean?)

26% com.apple.WebKit.WebContent(11)

6% WindowServer

3% kernel_task

2% fontd(2)

0% coreaudiod


Top Processes by Memory: (What does this mean?)

603 MB kernel_task

451 MB com.apple.WebKit.WebContent(11)

147 MB mdworker(14)

45 MB Safari(2)

45 MB firefox


Virtual Memory Information: (What does this mean?)

52 MB Free RAM

3.95 GB Used RAM (489 MB Cached)

1.40 GB Swap Used


Diagnostics Information: (What does this mean?)

Nov 29, 2015, 03:23:50 PM /Library/Logs/DiagnosticReports/com.apple.WebKit.Networking_2015-11-29-152350_[redacted].cpu_resource.diag [Click for details]

Nov 29, 2015, 12:19:15 PM /Library/Logs/DiagnosticReports/backupd_2015-11-29-121915_[redacted].cpu_resource.diag [Click for details]

Nov 29, 2015, 12:23:22 AM Self test - passed

Nov 28, 2015, 07:00:28 PM /Library/Logs/DiagnosticReports/mdworker32_2015-11-28-190028_[redacted].crash

Nov 26, 2015, 09:55:48 PM ~/Library/Logs/DiagnosticReports/mdworker32_2015-11-26-215548_[redacted].crash

Nov 29, 2015 8:31 PM in response to Merkaba22

Merkaba22 wrote:


OK -- after going back to my regular account, using the MacBook for longer periods, mostly on Safari -- on FB the pane was drawn poorly with the title bar near the bottom margin; I decided to run ClamXav again and found some issues not revealed earlier.


I have screen shots in pdf format less than 250kb that I cannot upload that included a shot of ClamXav showing:


12572.emix -- Email, Phisihing.Auction-16

12574.emix -- Email, Phisihing.Auction-233

12605.emix -- Email, Phisihing.Auction-16

12634.emix -- HTML, Phisihing.Pay-23

mbox -- Exploit.HTML.IFrame-8

Screen shots are never useful in such cases, best to just select all and copy the contents of the ClamXav window and paste into a reply here. But in this case I have almost everything I need. You made some small errors in the infection names and unfortunately they have to be exact, but I was able to figure some of them out but cannot tell you exactly where they are located.


The files ending in ".emlx" (not .emix) are Apple Mail messages.


Never use ClamXav (or any other A-V software) to move (quarantine) or delete e-mail. It will corrupt the mailbox index which could cause loss of other e-mail and other issues with functions such as searching. It may also leave the original e-mail on your ISP's e-mail server and will be re-downloaded to your hard drive the next time you check for new mail.


When possibly infected e-mail files are found:

  • Highlight the entry in the ClamXav window's top pane that needs to be dealt with.
  • Right-click/<Control>-click on the entry.
  • Select "Reveal In Finder" from the pop-up menu.
  • When the window opens, double-click on the file to open the message in your e-mail client application.
  • Read the message and if you agree that it is junk/spam/phishing then note the date and subject of the message and close the e-mail window. Now, using your e-mail client, locate that message in whatever mailbox folder it was found in and delete the message using the delete button. Reading it is especially important when the word "Heuristics" appears in the infection name. If you disagree and choose to retain the message, return to ClamXav and choose "Exclude From Future Scans" from the pop-up menu.
  • If this is a g-mail account and those messages continue to show up after you have deleted them in the above manner, you may need to log in to webmail using your browser, go to the "All Mail" folder, find the message(s) and use the delete button there to permanently delete them from the server. Then check the "Trash" folder and delete them there.


The first and third e-mails contain the phrase "eBay sent this message from".


There is no Email.Phishing.Auction-233, so I don't know what that might be.


If the fourth is actually HTML.Phishing.Pay-23 then it contains "to verify your information at this time, please visit our secure server_webform by clicking the hyperlink below:" except I substituted an underscore "_" for one of the spaces so this entry won't be identified as infected. There are different definitions for numbers 230 through 239, so if you missed a digit at the end then it will be somewhat different.


I'm guessing you already know that phishing e-mails cannot cause any problems unless you fall for them, click a link or open an attachment that takes you to a fake web page in order to harvest privacy information (usually login ID and password). So they are otherwise harmless and just need to be deleted. They certainly aren't responsible for your reported problem.


I'm afraid I'm still mostly in the dark about your mbox infection. I can find the signature which simply describes an HTML iFrame along with a source for filling it in, but mostly I'm concerned that "mbox" might stand for mailbox. If true then trashing it could cause you to lose everything in the mailbox which I'm sure you don't want. Do you use an e-mail client other than Apple Mail to read messages?
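A small triage script for the kind of ClamXav output discussed in this reply, added here as an example; it is not part of the thread or of ClamXav. It parses clamscan-style "path: Signature FOUND" lines plus the SCAN SUMMARY block, marks .emlx messages and mbox containers as items to handle inside the mail client rather than let the A-V quarantine, notes Heuristics and Phishing signatures, and cross-checks the parsed hit count against ClamXav's own "Infected files" figure. The report text and the paths in it are constructed, not the poster's real files.

```python
"""Triage a ClamXav / clamscan text report so that hits inside Apple Mail's
store are handled in the mail client rather than quarantined by the A-V.

Added example, not part of the thread or of ClamXav. The report below is
constructed to mirror the hits posted above (spelled .emlx, as corrected in
the reply); the paths are assumed, not the poster's real ones.
"""
import re
from dataclasses import dataclass

# Constructed sample in clamscan's "path: Signature FOUND" line format,
# followed by a SCAN SUMMARY block in the layout ClamXav prints.
SAMPLE_REPORT = """\
/Users/demo/Library/Mail/V3/Messages/12572.emlx: Email.Phishing.Auction-16 FOUND
/Users/demo/Library/Mail/V3/Messages/12574.emlx: Email.Phishing.Auction-233 FOUND
/Users/demo/Library/Mail/V3/Messages/12605.emlx: Email.Phishing.Auction-16 FOUND
/Users/demo/Library/Mail/V3/Messages/12634.emlx: HTML.Phishing.Pay-23 FOUND
/Users/demo/Documents/old-mail/mbox: Exploit.HTML.IFrame-8 FOUND
/Users/demo/Downloads/installer.dmg: OK

----------- SCAN SUMMARY -----------
Known viruses: 4146545
Engine version: 0.98.7
Scanned directories: 19642
Scanned files: 146460
Infected files: 5
Data scanned: 46421.01 MB
Data read: 68485.23 MB (ratio 0.68:1)
Time: 4851.751 sec (80 m 51 s)
"""

HIT_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
SUMMARY_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")


@dataclass
class Hit:
    path: str
    signature: str
    kind: str           # "mail-message", "mailbox" or "other"
    av_action_ok: bool  # may the A-V itself quarantine/delete this file?
    advice: str


def classify(path: str, signature: str) -> Hit:
    """Decide how a single FOUND line should be handled."""
    name = path.rsplit("/", 1)[-1]
    notes = []
    if signature.startswith("Heuristics."):
        notes.append("heuristic match: read the message before acting")
    if ".Phishing." in signature:
        notes.append("phishing mail does no harm unless its link or attachment is followed")
    suffix = ("; " + "; ".join(notes)) if notes else ""
    if name.endswith(".emlx"):
        # One Apple Mail message. Deleting it underneath Mail corrupts the
        # mailbox index, so it must be deleted from inside Mail instead.
        return Hit(path, signature, "mail-message", False,
                   "Reveal in Finder, open in Mail, delete it with Mail's delete button" + suffix)
    if name == "mbox" or name.endswith(".mbox"):
        # A whole mailbox container: trashing it loses every message inside.
        return Hit(path, signature, "mailbox", False,
                   "Mailbox container, do not trash; open it in the mail client "
                   "and remove only the offending message" + suffix)
    return Hit(path, signature, "other", True,
               "Quarantine or delete with the A-V as usual" + suffix)


def parse_report(text: str) -> tuple[list[Hit], dict]:
    """Split a report into classified hits and the SCAN SUMMARY key/value block."""
    hits, summary = [], {}
    for line in text.splitlines():
        m = HIT_RE.match(line)
        if m:
            hits.append(classify(m["path"], m["sig"]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            value = m["value"].strip()
            summary[m["key"].strip()] = int(value) if value.isdigit() else value
    return hits, summary


def counts_consistent(hits: list[Hit], summary: dict) -> bool:
    """True when the FOUND lines parsed match ClamXav's own 'Infected files' count."""
    return summary.get("Infected files") == len(hits)


def manual_items(hits: list[Hit]) -> list[str]:
    """Paths the A-V must not touch; these are handled in the mail client."""
    return [h.path for h in hits if not h.av_action_ok]


if __name__ == "__main__":
    found, summ = parse_report(SAMPLE_REPORT)
    print(f"{len(found)} hits, engine {summ['Engine version']}, "
          f"count consistent={counts_consistent(found, summ)}")
    for h in found:
        print(f"[{h.kind:12}] {h.path}\n    {h.signature}: {h.advice}")
```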

Nov 29, 2015 9:03 PM in response to MadMacs0

Hey back -- I hadn't gotten your reply in time to avoid trashing those files and rebooting -- fortunately, my Mail email files seem intact back to 2005 in a casual look.

Latest Scan:


EtreCheck version: 2.6.5 (225)

Report generated 11/29/15, 9:01 PM

Runtime 1:44

Download EtreCheck from http://etrecheck.com


Click the [Click for support] links for help with non-Apple products.

Click the [Click for details] links for more information about that line.


Hardware Information: (What does this mean?)

MacBook Air (13-inch, Mid 2013)

[Click for Technical Specifications]

[Click for User Guide]

MacBook Air - model: MacBookAir6,2

1 1.3 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 222 - SN = D863414128CF90JAY


Video Information: (What does this mean?)

Intel HD Graphics 5000

Color LCD 1440 x 900


System Software: (What does this mean?)

OS X El Capitan 10.11.1 (15B42) - Time since boot: about one hour


Disk Information: (What does this mean?)

APPLE SSD SD0256F disk0 : (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Audio (disk0s4) /Volumes/Audio : 100.11 GB (99.89 GB free)

MacBook Air (disk1) / : 149.53 GB (45.74 GB free)

Core Storage: disk0s2 149.90 GB Online


USB Information: (What does this mean?)

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Apple Inc. iPhone


Thunderbolt Information: (What does this mean?)

Apple Inc. thunderbolt_bus


Gatekeeper: (What does this mean?)

Mac App Store and identified developers


Kernel Extensions: (What does this mean?)

/Applications/Boom 2.app

[not loaded] com.globaldelight.driver.Boom2Device (1.1 - SDK 10.10) [Click for support]


/Applications/Rowmote Helper.app

[not loaded] com.regularrateandrhythm.driver.RowmoteIREmu (1.0 - SDK 10.8) [Click for support]


/System/Library/Extensions

[not loaded] com.FTDI.driver.FTDIUSBSerialDriver (2.2.18 - SDK 10.6) [Click for support]

[not loaded] com.m-audio.usb.midisupport.driver (1.1) [Click for support]


Launch Agents: (What does this mean?)

[loaded] com.adobe.AAM.Updater-1.0.plist [Click for support]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist [Click for support]

[loaded] com.oracle.java.Java-Updater.plist [Click for support]


Launch Daemons: (What does this mean?)

[loaded] com.adobe.fpsaud.plist [Click for support]

[loaded] com.oracle.java.Helper-Tool.plist [Click for support]


User Launch Agents: (What does this mean?)

[loaded] com.adobe.ARM.[...].plist [Click for support]

[failed] com.google.keystone.agent.plist [Click for support] [Click for details]

[failed] com.spotify.webhelper.plist [Click for support] [Click for details]


User Login Items: (What does this mean?)

iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

iTunesHelper UNKNOWN Hidden (missing value)

Mail Application (/Applications/Mail.app)

Safari Application (/Applications/Safari.app)

AdobeResourceSynchronizer Application Hidden (/Applications/Adobe Acrobat Reader DC.app/Contents/Helpers/AdobeResourceSynchronizer.app)


Other Apps: (What does this mean?)

[running] com.apple.xpc.launchd.oneshot.0x10000006.firefox

[running] com.etresoft.EtreCheck.145312


Internet Plug-ins: (What does this mean?)

AdobeAAMDetect: Version: AdobeAAMDetect 1.0.0.0 - SDK 10.6 [Click for support]

FlashPlayer-10.6: Version: 19.0.0.245 - SDK 10.6 [Click for support]

QuickTime Plugin: Version: 7.7.3

AdobePDFViewerNPAPI: Version: 15.009.20069 - SDK 10.8 [Click for support]

AdobePDFViewer: Version: 15.009.20069 - SDK 10.8 [Click for support]

Flash Player: Version: 19.0.0.245 - SDK 10.6 [Click for support]

Default Browser: Version: 601 - SDK 10.11

Flip4Mac WMV Plugin: Version: 3.2.0.16 - SDK 10.8 [Click for support]

Silverlight: Version: 5.1.40728.0 - SDK 10.6 [Click for support]

JavaAppletPlugin: Version: Java 8 Update 66 build 17 Check version


User internet Plug-ins: (What does this mean?)

CitrixOnlineWebDeploymentPlugin: Version: 1.0.105 [Click for support]

Move_Media_Player: Version: npmnqmp 071505000006 [Click for support]

Google Earth Web Plug-in: Version: 7.1 [Click for support]


Safari Extensions: (What does this mean?)

AdBlock

Ghostery

Myppes


3rd Party Preference Panes: (What does this mean?)

Flash Player [Click for support]

Flip4Mac WMV [Click for support]

Java [Click for support]

Perian [Click for support]


Time Machine: (What does this mean?)

Time Machine information is not available


Top Processes by CPU: (What does this mean?)

21% Mail

16% WindowServer

8% cfprefsd(2)

6% kernel_task

3% hidd


Top Processes by Memory: (What does this mean?)

909 MB com.apple.WebKit.WebContent(7)

475 MB kernel_task

205 MB Safari

131 MB firefox

86 MB Mail


Virtual Memory Information: (What does this mean?)

14 MB Free RAM

3.99 GB Used RAM (768 MB Cached)

0 B Swap Used


Diagnostics Information: (What does this mean?)

Nov 29, 2015, 07:54:54 PM Self test - passed

Nov 29, 2015, 03:23:50 PM /Library/Logs/DiagnosticReports/com.apple.WebKit.Networking_2015-11-29-152350_[redacted].cpu_resource.diag [Click for details]

Nov 29, 2015, 12:19:15 PM /Library/Logs/DiagnosticReports/backupd_2015-11-29-121915_[redacted].cpu_resource.diag [Click for details]

Nov 28, 2015, 07:00:28 PM /Library/Logs/DiagnosticReports/mdworker32_2015-11-28-190028_[redacted].crash

Nov 26, 2015, 09:55:48 PM ~/Library/Logs/DiagnosticReports/mdworker32_2015-11-26-215548_[redacted].crash

Nov 29, 2015 9:39 PM in response to Merkaba22

Merkaba22 wrote:


Hey back -- I hadn't gotten your reply in time to avoid trashing those files and rebooting -- fortunately, my Mail email files seem intact back to 2005 in a casual look.

The following Applescript will give you a list of everything ClamXav has found and where.


set question to display dialog "This script will scan all ClamXav logs for infections found." buttons {"OK", "Quit"} default button 1

if button returned of question is equal to "OK" then
	-- Output file on the Desktop; left unquoted so /bin/sh expands the tilde
	set outFile to "~/Desktop/ClamXavFound.txt"

	-- Check ClamXav Application (Web Site) Scan Logs
	do shell script "echo 'ClamXav (Web) Infected Files' > " & outFile
	do shell script "echo ' ' >> " & outFile
	-- grep exits non-zero when nothing matches, which makes "do shell script" raise an
	-- error; the try blocks swallow that so an empty log does not abort the script
	try
		do shell script "grep ' FOUND' ~/Library/Logs/clamXav-scan.log >> " & outFile
	end try
	-- Rotated logs are bzip2-compressed (clamXav-scan.log.0.bz2, .1.bz2, ...)
	try
		do shell script "bzcat ~/Library/Logs/clamXav-scan.log.?.bz2 | grep ' FOUND' >> " & outFile
	end try
	do shell script "echo ' ' >> " & outFile

	-- Check ClamXav Application (App Store) Scan Logs
	-- (the two paths below differ, as in the original posting; adjust to where your copy keeps its logs)
	do shell script "echo 'ClamXav (App Store) Infected Files' >> " & outFile
	do shell script "echo ' ' >> " & outFile
	try
		do shell script "grep ' FOUND' ~/Library/ClamXav/ClamXav-scan.log >> " & outFile
	end try
	try
		do shell script "bzcat ~/Library/Logs/ClamXav/ClamXav-scan.log.?.bz2 | grep ' FOUND' >> " & outFile
	end try
	do shell script "echo ' ' >> " & outFile

	-- Check ClamXav Sentry Scan Logs
	do shell script "echo 'ClamXav Sentry Infected Files' >> " & outFile
	do shell script "echo ' ' >> " & outFile
	try
		do shell script "grep ' FOUND' ~/Library/Logs/ClamXavSentry-scan.log >> " & outFile
	end try
	try
		do shell script "bzcat ~/Library/Logs/ClamXavSentry-scan.log.?.bz2 | grep ' FOUND' >> " & outFile
	end try
	do shell script "echo ' ' >> " & outFile

	-- Open the result only when a scan was actually run (the original opened it even after "Quit")
	do shell script "open " & outFile
else
	display dialog "OK, nothing has been changed." buttons {"OK"} default button 1
end if


Just open Script Editor (found in /Applications/Utilities/) then copy and paste the above and press the "Run" icon. When finished it will open the file on your desktop in a TextEdit window.


Use this list to figure out what mailboxes need to be rebuilt. To fix the corrupted mailbox index(es), highlight each one that was corrupted and choose Rebuild from the Apple Mail Mailbox menu. It's possible that those messages still exist on the server and will be downloaded to your computer again the next time you check for new mail. If so, just follow the instructions I gave before to delete them from both your computer and the server.
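The reply above collects the "FOUND" lines and leaves the reader to work out by eye which mailboxes are affected. The following Python script is an added example, not code from the thread or from ClamXav: it parses ClamXav's "<path>: <signature> FOUND" log format, derives the Apple Mail mailbox chain (Financial/2006 and so on) from the nested .mbox directories in each path, and keeps non-mail hits (downloaded installers, adware bundles under Application Support) in a separate list with a coarse triage bucket taken from the signature family. The log lines embedded in it are constructed for the demonstration (the user name, UUID and addresses are made up); the bucket names are my own labels, not ClamAV categories.

```python
"""Parse ClamXav scan-log 'FOUND' lines and group the hits by Apple Mail mailbox."""
import re
from collections import defaultdict

# Constructed sample log lines in ClamXav's "<path>: <signature> FOUND" format.
# User name, UUID component and addresses are made up; signature names follow ClamAV's naming.
SAMPLE_LOG = """\
/Users/alice/Library/Mail/V3/Mailboxes/Financial.mbox/2006.mbox/1111-2222/Data/2/1/Messages/12572.emlx: Email.Phishing.Auction-16 FOUND
/Users/alice/Library/Mail/V3/Mailboxes/Financial.mbox/2006.mbox/1111-2222/Data/2/1/Messages/12574.emlx: HTML.Phishing.Auction-233 FOUND
/Users/alice/Library/Mail/V3/Mailboxes/Financial.mbox/2007.mbox/1111-2222/Data/2/1/Messages/12834.emlx: HTML.Phishing.Pay-23 FOUND
/Users/alice/Library/Mail/V3/MailData/Old Mail/POP-alice@example.net@pop.example.net/Junk.mbox/mbox: Exploit.HTML.IFrame-8 FOUND
/Users/alice/Downloads/adobe_flashplayer_e2c7b_Setup.dmg: PUA.OSX.InstallCore.UNOFFICIAL FOUND
/Users/alice/Library/Application Support/Myppes/Myppes.app/Contents/MacOS/AppTS: Adware.OSX.Genieo.UNOFFICIAL FOUND
/Users/alice/Documents/notes.txt: OK
----------- SCAN SUMMARY -----------
"""

# Path may contain spaces and colons; the signature is the last whitespace-free token before FOUND.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_found(log_text):
    """Return a list of (path, signature) for every FOUND line; OK lines and the summary are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.rstrip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def mailbox_of(path):
    """For a path under ~/Library/Mail return the '/'-joined chain of .mbox names
    (e.g. 'Financial/2006'); return None for anything that is not a Mail store path."""
    if "/Library/Mail/" not in path:
        return None
    parts = [p[: -len(".mbox")] for p in path.split("/") if p.endswith(".mbox")]
    return "/".join(parts) if parts else None


def classify(sig):
    """Coarse triage bucket derived from the signature family (bucket names are mine)."""
    family = sig.split(".")[0].lower()
    if "phishing" in sig.lower():
        return "phishing"        # harmless unless the link or attachment was acted on
    if family in ("adware", "pua"):
        return "adware/pua"      # installed software: remove it, then re-scan
    if family == "exploit":
        return "exploit"
    return "other"


def triage(log_text):
    """Group hits into mailboxes to rebuild (with their signatures) and non-mail files by bucket."""
    mailboxes = defaultdict(list)
    files = defaultdict(list)
    for path, sig in parse_found(log_text):
        mbox = mailbox_of(path)
        if mbox:
            mailboxes[mbox].append(sig)
        else:
            files[classify(sig)].append(path)
    return {"rebuild": dict(mailboxes), "files": dict(files)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Mailboxes to rebuild (Mailbox > Rebuild in Apple Mail):")
    for mbox, sigs in sorted(report["rebuild"].items()):
        print(f"  {mbox}: {', '.join(sigs)}")
    print("Non-mail hits:")
    for bucket, paths in sorted(report["files"].items()):
        for p in paths:
            print(f"  [{bucket}] {p}")
```

To run it against a real log, replace SAMPLE_LOG with the contents of ~/Library/Logs/clamXav-scan.log (or the output of the AppleScript above); the mailbox grouping is what tells you which entries need Rebuild, while anything listed under adware/pua is a file to remove rather than a mailbox to repair.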

Nov 30, 2015 10:40 AM in response to MadMacs0

ClamXav (Web) Infected Files


/Users/geoffrey1/Library/Mail/V3/Mailboxes/Financial.mbox/2006.mbox/D86BB9C2-19AC-41A5-A371-5DE391BBE3A8/Data/2/1/Messages/12572.emlx: Email.Phishing.Auction-16 FOUND

/Users/geoffrey1/Library/Mail/V3/Mailboxes/Financial.mbox/2006.mbox/D86BB9C2-19AC-41A5-A371-5DE391BBE3A8/Data/2/1/Messages/12574.emlx: HTML.Phishing.Auction-233 FOUND

/Users/geoffrey1/Library/Mail/V3/Mailboxes/Financial.mbox/2006.mbox/D86BB9C2-19AC-41A5-A371-5DE391BBE3A8/Data/2/1/Messages/12605.emlx: Email.Phishing.Auction-16 FOUND

/Users/geoffrey1/Library/Mail/V3/Mailboxes/Financial.mbox/2007.mbox/D86BB9C2-19AC-41A5-A371-5DE391BBE3A8/Data/2/1/Messages/12834.emlx: HTML.Phishing.Pay-23 FOUND

/Users/geoffrey1/Library/Mail/V3/MailData/Old Mail/POP-merkaba22@sbcglobal.net@pop.sbcglobal.yahoo.com/Junk.mbox/mbox: Exploit.HTML.IFrame-8 FOUND

/Users/geoffrey1/Downloads/adobe_flashplayer_e2c7b_Setup.dmg: PUA.OSX.InstallCore.UNOFFICIAL FOUND

/Users/geoffrey1/Library/Application Support/Manroling/Manroling.app/Contents/MacOS/AppNOS: Adware.OSX.Genieo.UNOFFICIAL FOUND

/Users/geoffrey1/Library/Application Support/Myppes/Myppes.app/Contents/MacOS/AppTS: Adware.OSX.Genieo.UNOFFICIAL FOUND

/Users/geoffrey1/Library/Mail/Mail Lost+Found/POP-merkaba22@sbcglobal.net@pop.sbcglobal.yahoo.com/Deleted Messages.mbox/mbox: Exploit.HTML.IFrame-8 FOUND


ClamXav (App Store) Infected Files


Some of the files were like what I trashed yesterday, but several of the last ones do not appear "visible"; my Library in the Users folder is visible.

Nov 30, 2015 3:54 PM in response to Merkaba22

So as you have probably figured out by now, the mailboxes that need to be rebuilt are Financial/2006 and 2007. Since those are pretty old I would guess that whatever those were are no longer needed, but there is always the possibility that they were falsely identified as infected (False Positives), which is why it's always a good idea to read these to make sure they aren't something you need to retain.


The HTML.Phishing.Auction-233 signature is "666 size=1><b>ebay sent this message{WILDCARD_ANY_STRING(LENGTH>=1&&<=8)}from {WILDCARD_ANY_STRING(LENGTH<=50)}</b><br>your registered name is included to show this".


The two Exploit.HTML.IFrame-8 are from an "Old" SBCGlobal.Yahoo POP account. The first had already been classified as Junk and for some reason Apple Mail did not know what to do with the Deleted Message mailbox and moved it to Lost+Found. Probably no harm done by trashing the entire mailbox in that case.


The other three are evidence of having downloaded Genieo Adware at some point. ClamXav is good at finding the original installer and is catching up on many of the files that some Adware Installers give you, but it's not perfect yet, so I recommend you download and run MalwareBytes Anti-Malware for Mac (currently free) just to make sure it's all been taken care of.
