Q: possible unidentified trojan

It is a scam pop up. Do not call or click on anything it asks you to. If using Safari, force quit Safari then while pressing and holding the shift key restart Safari.

MalwareBytes is safe.

This sounds like adware.

Download and run MalwareBytes: https://www.malwarebytes.org/antimalware/mac/. It was developed by the creator of The Safe Mac site.

When MalwareBytes finished running, did it ask you to complete any other steps?

Have you restarted your browsers?

Also, see this page: https://support.malwarebytes.org/customer/portal/articles/2045704-what-should-i- do-if-malwarebytes-anti-malware-for-mac-didn-t-solve-my-problem-?b_id=9511.

Easiest: Roll in your Time Machine backup from immediately prior to loading the Adobe Illustrator software.

Was the installed software directly from Adobe and Oracle web sites, or was the software acquired from other download sources?   More than a few of the "other sources" can be infested.

Both Flash Player and Oracle Java have a history of security problems.   A plug-in blocker or otherwise disabling access from the browsers is the usual way to try to contain those packages.    Oracle Java can reportedly install adware, too.

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.7 ("Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the requisite skill can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Another indication that the test is safe can be found in this thread, and this one, for example, where the comment in which I suggested it was recommended by one of the Apple Community Specialists, as explained here.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy a particular line of text to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

6. If you have more than one user, and only one user is affected by the problem,, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin.") The title of the page is "Diagnostic Test." Below the title is a text box headed by three small icons. The one on the right represents a clipboard. Click that icon to select the text, then copy it to the Clipboard on your computer by pressing the key combination command-C.

If the text doesn't highlight when you click the icon, select it by triple-clicking anywhere inside the box. Don't select the whole page, just the text in the box.

8. Launch the built-in Terminal application in any of the following ways:

☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter

exec bash

and press return. Then paste the script again.

10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

    Test started

        Part 1 of 4 done at: … sec
        …
        Part 4 of 4 done at: … sec

    The test results are on the Clipboard.

    Please close this window.

The intervals between parts won't be exactly equal, but they give a rough indication of progress.

Wait for the final message "Please close this window" to appear. If you don't see it within about 15 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something. If you close the Terminal window while the test is still running, the partial results won't be saved and you'll have to start over.

12. When the test is complete, or if you stopped it because it was taking too long, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you're told to do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

______________________________________________________________

Copyright © 2014, 2015 by Linc Davis. As the sole author of this work (including the referenced "Diagnostic Test"), I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

There's "net.freemacsoft.AppCleaner-SmartDelete".   I'm not familiar with that particular product.   Some of the cache cleaners and tuning tools and other such "free" packages can be a common source of problems on OS X, however.  Here's a previous discussion, with links to potential ways to remove that.

I don't know what "com.pref.net-preferences", "com.Supporter.helper" or "com.begar.net-preferences" are.   Some of that is accessing a file "/etc/change_net_settings.sh" that's been added.  There's also some sort of banking software installed ("com.diebold.warsaw"), or something pretending to be that banking software.

If Adobe Illustrator and the other files were not installed from safe sources — if these or other applications were acquired from torrents, for instance — then it's quite possible that copies of your data — anything of value, banking information, whatever — have probably already been uploaded to the 'net.   Credit cards, banking information, passwords, all of it.

It's possible to try to continue to find whatever hunk is causing this, or you can start over.   To start over, make one or two complete backups of the contents of this disk to an external disk using Disk Utility or Time Machine, create an OS X installer (preferably on a different system, on the off chance whatever's installed here notices the installer and tries to corrupt it), and — once you're sure you have a good backup or two — boot from that installer and wipe the disk and reinstall OS X and add-ons from known-good distros, and copy over only the data files — no application files — from your backup.   Do not copy over any applications or executables from the backup.  (Migration Assistant can help here, by copying only certain types of files.)

Watch your credit cards and bank statements for evidence of fraud — or contact the banks — and change your passwords.

For better or for worse, having no backups means that you effectively decided that your data was worth the risk of complete loss.  Computers get dropped.  Computers get stolen, disks fail, file systems get corrupted, accidents happen.   All computers and all storage devices will eventually fail.   Having no backups means that no easy recovery path is available.

A

You installed what appear to be two or three different versions of the "VSearch" trojan, none of which has been completely removed. One of them is still partially active, and you can inactivate it as follows. The other components have no effect and removing them is more trouble than it's worth, in my opinion, but ask for instructions if you want them.

Please back up all data before proceeding.

Triple-click anywhere in the line below on this page to select it:

/Library/LaunchDaemons/com.begar.net-preferences.plist

Right-click or control-click the highlighted line and select

          Services ▹ Reveal in Finder (or just Reveal)

from the contextual menu.* A folder should open with an item selected. Move the selected item to the Trash. You may be prompted for your administrator login password. Restart the computer and empty the Trash.

*If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination command-C. In the Finder, select

          Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

B

You've also installed something called "Warsaw," which from what I can gather is some kind of security software distributed by, or on behalf of, certain Brazilian banks. It's not clear to me what this software really does or how it might be affecting you. It's not malware. If you don't know what it is, I suggest you remove it according to the developer's instructions.

C

A system file has been corrupted in an attempt to modify it.

Please enter the following command in a Terminal window in the same way as before:

sudo tr -d '\12\15' < /etc/hosts > /tmp/hosts && sudo sh -c 'cat /tmp/hosts > /etc/hosts'

There should be no output.

D

If the above steps don't solve your problem, you may be dealing with a compromised router. Ask for instructions in that case.