Pepperment

Q: what are suspicious malware files?

Getting a lot of malware attacks, including voice commands to "clean computer, stop virus". Assume these are not legit. Going through my library and deleting obvious files, but what about things like: "pronto app", "Crash Reporter", "ILife Media", "Root Tools". Do not want to trash system files. Suggestions? Also would appreciate a reliable/legitimate malware program that I can download safely. Runni

Many thanks.

Pepperment

MacBook Air (13-inch, Early 2015), OS 10.10.3

Posted on Jan 9, 2016 12:03 PM


  • by Kappy,

    Kappy Jan 9, 2016 12:05 PM in response to Pepperment
    Level 10 (271,101 points)
    Desktops

    Remove Browser Pop-up Problems

     

         Malwarebytes | Free Anti-Malware Detection & Removal Software for Apple Macintosh Computers

         Adblock Plus 1.8.9, GlimmerBlocker, or AdBlock

         Remove adware that displays pop-up ads and graphics on your Mac

         How to remove the FlashMall adware from OS X

         Stop pop-up ads and adware in Safari - Apple Support


    How to safely use MacUpdate to download malware-free software:

     

    This site has both free and paid membership accounts. If you have neither then some software will be distributed as an installer wrapper that includes adware/malware you may not want. Such a download may appear on your computer like this: Firefox Installer.dmg. Delete the download and return to the main site where you will find a direct link to the developer's website. Use that link from which to download the software.

     

    To avoid such downloads from MU just create a free membership account. Log into your account prior to using the site. This will avoid the installer wrappers and downloading adware or malware. I continue to use their site without any problems.

     

    If you prefer not to create a membership account then note that on the download page under the price box will be the link to the developer’s site. Use that link and download the software directly from the developer circumventing the use of MU altogether.

     

    You may be sent warnings from some users that warn that the site is “dangerous.” This is an exaggeration. Learn the facts. You merely need to use the site intelligently. Support the site but do so wisely - establish a free or paid membership to avoid problems with malware. Don’t pay attention to other users who warn you away with hyperbole.

  • by Allan Eckert,

    Allan Eckert Jan 9, 2016 12:05 PM in response to Pepperment
    Level 9 (53,621 points)
    Desktops

    Please download and install EtreCheck from http://etrecheck.com/

     

    Run it and post the report here.

  • by Pepperment,

    Pepperment Jan 9, 2016 12:22 PM in response to Allan Eckert
    Level 1 (9 points)
    Desktops

    Thanks: here is the report.

    EtreCheck version: 2.6.6 (226)

    Report generated 1/9/16, 12:19 PM

    Runtime 1:58

    Download EtreCheck from http://etrecheck.com

     

    Click the [Click for support] links for help with non-Apple products.

    Click the [Click for details] links for more information about that line.

    Click the [Click to remove] links for help removing adware.

     

    Hardware Information: (What does this mean?)

        MacBook Air (13-inch, Early 2015)

        [Click for Technical Specifications]

        [Click for User Guide]

        MacBook Air - model: MacBookAir7,2

        1 1.6 GHz Intel Core i5 CPU: 2-core

        4 GB RAM Not upgradeable

                BANK 0/DIMM0

                2 GB DDR3 1600 MHz ok

            BANK 1/DIMM0

                2 GB DDR3 1600 MHz ok

        Bluetooth: Good - Handoff/Airdrop2 supported

        Wireless:  en0: 802.11 a/b/g/n/ac

        Battery: Health = Normal - Cycle count = 6 - SN = C0151270H32F90MAV

     

    Video Information: (What does this mean?)

        Intel HD Graphics 6000

            Color LCD 1440 x 900

     

    System Software: (What does this mean?)

        OS X Yosemite 10.10.3 (14D136) - Time since boot: less than an hour

     

    Disk Information: (What does this mean?)

        APPLE SSD SM0256G disk0 : (251 GB) (Solid State - TRIM: Yes)

            EFI (disk0s1) <not mounted> : 210 MB

            Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

            Macintosh HD (disk1) / : 249.78 GB (155.08 GB free)

                Core Storage: disk0s2 250.14 GB Online

     

    USB Information: (What does this mean?)

        Apple Internal Memory Card Reader

        Apple Inc. BRCM20702 Hub

            Apple Inc. Bluetooth USB Host Controller

     

    Thunderbolt Information: (What does this mean?)

        Apple Inc. thunderbolt_bus

     

    Gatekeeper: (What does this mean?)

        Mac App Store and identified developers

     

    Adware: (What does this mean?)

        Downlite, VSearch, Conduit, Trovi, MyBrand, Search Protect Adware! [Click to remove]

     

    System Launch Agents: (What does this mean?)

        [loaded]    com.apple.thermaltrap.plist - Invalid signature!

     

    Launch Agents: (What does this mean?)

        [loaded]    com.adobe.AAM.Updater-1.0.plist [Click for support]

        [running]    com.adobe.AdobeCreativeCloud.plist [Click for support]

        [failed]    com.canon.MFManager.plist [Click for support] [Click for details]

        [loaded]    com.google.keystone.agent.plist [Click for support]

        [failed]    com.vsearch.agent.plist [Click for support] [Click for details]

     

    Launch Daemons: (What does this mean?)

        [loaded]    com.adobe.fpsaud.plist [Click for support]

        [loaded]    com.google.keystone.daemon.plist [Click for support]

        [loaded]    com.microsoft.office.licensing.helper.plist [Click for support]

        [loaded]    com.vsearch.daemon.plist [Click for support]

        [failed]    com.vsearch.helper.plist [Click for support] [Click for details]

     

    User Launch Agents: (What does this mean?)

        [loaded]    com.adobe.ARM.[...].plist [Click for support]

        [loaded]    com.adobe.ARM.[...].plist [Click for support]

        [loaded]    jp.co.canon.Inkjet_Extended_Survey_Agent.plist [Click for support]

     

    User Login Items: (What does this mean?)

        iTunesHelper    UNKNOWN Hidden (missing value)

        Dropbox    UNKNOWN  (missing value)

        AdobeResourceSynchronizer    Application Hidden (/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app/Contents/Support/AdobeResourceSynchronizer.app)

        ImageTransferUtility    UNKNOWN  (missing value)

        WirelessCameraService    UNKNOWN  (missing value)

        Adobe Acrobat Pro    Application  (/Applications/Adobe Acrobat 9 Pro/Adobe Acrobat Pro.app)

        Spotify    UNKNOWN  (missing value)

        Canon IJ Network Scanner Selector EX    Application Hidden (/Applications/Canon Utilities/IJ Network Scanner Selector EX/Canon IJ Network Scanner Selector EX.app)

        ImageTransferUtility    Application  (/Applications/Canon Utilities/ImageTransferUtility/ImageTransferUtility.app)

        WirelessCameraService    Application  (/Applications/Canon Utilities/CameraWindow/Wireless/WirelessCameraService.app)

        AdobeResourceSynchronizer    Application Hidden (/Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app)

     

    Other Apps: (What does this mean?)

        [running]    com.adobe.Acrobat.Pro.38656

        [running]    com.apple.xpc.launchd.oneshot.0x10000003.EtreCheck

        [running]    com.canon.ImageTransferUtility.7984

        [running]    com.canon.WirelessCameraService.14516

        [running]    jp.co.canon.cijscannerregister.4860

        [running]    jp.co.canon.ij.CNSSelectorAgent.4576

        [running]    org.mozilla.firefox.9972

     

    Internet Plug-ins: (What does this mean?)

        o1dbrowserplugin: Version: 5.41.3.0 - SDK 10.8 [Click for support]

        Unity Web Player: Version: UnityPlayer version 4.2.1f4 - SDK 10.6 [Click for support]

        Default Browser: Version: 600 - SDK 10.10

        AmazonMP3DownloaderPlugin1016264: Version: AmazonMP3DownloaderPlugin 1.0.16 [Click for support]

        Flip4Mac WMV Plugin: Version: 2.3.4.1 [Click for support]

        OfficeLiveBrowserPlugin: Version: 12.3.6 [Click for support]

        AdobeAAMDetect: Version: AdobeAAMDetect 2.0.0.0 - SDK 10.7 [Click for support]

        FlashPlayer-10.6: Version: 20.0.0.267 - SDK 10.6 [Click for support]

        Flash Player: Version: 20.0.0.267 - SDK 10.6 [Click for support]

        iPhotoPhotocast: Version: 7.0

        googletalkbrowserplugin: Version: 5.41.3.0 - SDK 10.8 [Click for support]

        QuickTime Plugin: Version: 7.7.3

        SharePointBrowserPlugin: Version: 14.4.8 - SDK 10.6 [Click for support]

        EPPEX Plugin: Version: 4.1.0.0 [Click for support]

        DirectorShockwave: Version: 12.0.9r149 - SDK 10.6 [Click for support]

     

    User internet Plug-ins: (What does this mean?)

        Google Earth Web Plug-in: Version: 7.1 [Click for support]

     

    3rd Party Preference Panes: (What does this mean?)

        Flash Player  [Click for support]

        Flip4Mac WMV  [Click for support]

     

    Time Machine: (What does this mean?)

        Skip System Files: NO

        Auto backup: YES

        Volumes being backed up:

            Macintosh HD: Disk size: 249.78 GB Disk used: 94.70 GB

        Destinations:

            My Passport for Mac [Local]

            Total size: 999.83 GB

            Total number of backups: 11

            Oldest backup: 3/11/15, 10:01 PM

            Last backup: 12/30/15, 6:31 PM

            Size of backup disk: Excellent

                Backup size 999.83 GB > (Disk size 249.78 GB X 3)

     

    Top Processes by CPU: (What does this mean?)

             9%    WindowServer

             3%    firefox

             2%    fontd

             2%    kernel_task

             0%    Creative Cloud

     

    Top Processes by Memory: (What does this mean?)

        512 MB    kernel_task

        262 MB    mdworker(13)

        254 MB    firefox

        111 MB    com.apple.WebKit.WebContent(2)

        90 MB    Mail

     

    Virtual Memory Information: (What does this mean?)

        860 MB    Free RAM

        3.16 GB    Used RAM (1.20 GB Cached)

        0 B    Swap Used

     

    Diagnostics Information: (What does this mean?)

        Jan 9, 2016, 11:55:41 AM    Self test - passed

        Jan 8, 2016, 03:15:36 PM    ~/Library/Logs/DiagnosticReports/AdobeResourceSynchronizer_2016-01-08-151536_[redacted].crash

        Jan 8, 2016, 03:03:51 PM    ~/Library/Logs/DiagnosticReports/AdobeResourceSynchronizer_2016-01-08-150351_[redacted].crash

  • by stedman1, Apple recommended

    stedman1 Jan 9, 2016 12:29 PM in response to Pepperment
    Level 9 (73,733 points)
    Apple Watch

    Please review the options below to determine which method is best to deal with the Adware installed on your computer.

    The Easy, safe, effective method: https://www.malwarebytes.org/antimalware/mac/

     

    If you are comfortable doing manual file removals, use the Apple support document below.

    http://support.apple.com/en-us/HT203987

     

    Also, read the articles below to better understand why it has happened and be more prepared for the next time there is an issue on your computer.

    https://discussions.apple.com/docs/DOC-7471

    https://discussions.apple.com/docs/DOC-8071

    http://www.thesafemac.com/tech-support-scam-pop-ups/

  • by Linc Davis,

    Linc Davis Jan 9, 2016 6:41 PM in response to Pepperment
    Level 10 (207,963 points)
    Applications

    A

    You may have installed ad-injection malware ("adware").

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    Some of the most common types of adware can be removed by following Apple's instructions.

    If you're not already running the latest version of OS X ("El Capitan"), updating or upgrading in the App Store may cause the adware to be removed automatically. Back up all data before taking that step. If you're already running the latest version of El Capitan, you can nevertheless download the current updater from the Apple Support Downloads page and run it. Again, some kinds of malware will be removed. That may be all you need to do as far as removal is concerned, but you'll still need to make changes to the way you use the computer to protect yourself from further attacks.

    If the above steps don't work for you, see below.

    This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

    Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

    If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. That will disable the malware temporarily.

    Step 1

    Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go > Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

    If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

    There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

    Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

    Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

    Leave the folder open for now.

    Step 2

    Do as in Step 1 with this line:

    /Library/LaunchAgents

    The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

    Step 3

    Repeat with this line:

    /Library/LaunchDaemons

    This time the folder will be named "LaunchDaemons."

    Step 4

    Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

    Step 5

    If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.

    B

    Links have been posted in this thread to the "macupdate" website. Do not follow the links, and never download anything from that site. It intentionally distributes OS X malware by packaging some free applications (such as "Firefox" and "Skype") in an unnecessary and malicious "installer."

    All software should be downloaded directly from the developer's website or from the App Store. Don't trust any site such as "macupdate" that aggregates links.
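
A terminal equivalent of the folder review in Steps 1 to 3 of the post above, as an added example that is not part of the original post: it lists the three launchd folders newest first and tags each file by its name. The `LAUNCH_DIRS` override and both function names are assumptions of this example; the script only reads and changes nothing.

```shell
#!/bin/sh
# Added example: read-only listing of the folders named in Steps 1-3.

# The three folders from the post. LAUNCH_DIRS (a colon-separated list) is a
# hypothetical override so the functions can be pointed at a test folder.
: "${LAUNCH_DIRS:=$HOME/Library/LaunchAgents:/Library/LaunchAgents:/Library/LaunchDaemons}"

# Print one tab-separated line per item, newest first within each folder:
#   <folder> <tag> <file name>
# tag is "apple-named" for com.apple.* files and "third-party" otherwise.
# The tag reflects the file name only: it is a sorting aid, not proof of
# origin. A folder that does not exist is reported as "missing", which the
# post says is a normal outcome.
list_launch_items() {
    old_ifs=$IFS
    IFS=:
    for dir in $LAUNCH_DIRS; do
        IFS=$old_ifs
        if [ ! -d "$dir" ]; then
            printf '%s\tmissing\t-\n' "$dir"
            continue
        fi
        # ls -t sorts by modification time, newest first, matching the
        # "Date Modified" sort in the Finder steps.
        ls -t "$dir" | while IFS= read -r name; do
            case $name in
                com.apple.*) tag=apple-named ;;
                *)           tag=third-party ;;
            esac
            printf '%s\t%s\t%s\n' "$dir" "$tag" "$name"
        done
    done
    IFS=$old_ifs
}

# Only the third-party lines: the items to look up before removing anything.
third_party_items() {
    list_launch_items | awk -F '\t' '$2 == "third-party"'
}

list_launch_items
```

Recently modified third-party items at the top of a folder are the ones to compare against the names an adware report gives, such as the `com.vsearch.*` entries in the EtreCheck output earlier in this thread.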

  • by Pepperment,

    Pepperment Jan 10, 2016 12:44 PM in response to Allan Eckert
    Level 1 (9 points)
    Desktops

    Allan,

    I sent you the report as you suggested. Now I'm concerned this may have not been a smart thing to do....Please advise.

  • by stedman1,

    stedman1 Jan 10, 2016 12:52 PM in response to Pepperment
    Level 9 (73,733 points)
    Apple Watch

    Pepperment wrote:

     

    Allan,

    I sent you the report as you suggested. Now I'm concerned this may have not been a smart thing to do....Please advise.

    Why?

     

    Have you followed any of the instructions above to rid your computer of the AdWare you have installed?

  • by OGELTHORPE,

    OGELTHORPE Jan 10, 2016 12:57 PM in response to Pepperment
    Level 9 (52,323 points)
    Mac OS X

    Pepperment wrote:

     

    Allan,

    I sent you the report as you suggested. Now I'm concerned this may have not been a smart thing to do....Please advise.

    There is nothing inherently wrong with the Etrecheck report.  It will do your MBP no harm whatsoever.  It simply records certain elements and items from your MBP so that it can be used as an initial starting point for analyzing and pinpointing potential problems.  It is merely a utility, nothing more.

     

    Ciao.

  • by Allan Eckert,

    Allan Eckert Jan 10, 2016 2:03 PM in response to Pepperment
    Level 9 (53,621 points)
    Desktops

    I agree with Stedman and Oglethorpe.

     

    <Edited by Host>

  • by OGELTHORPE,

    OGELTHORPE Jan 10, 2016 1:07 PM in response to Linc Davis
    Level 9 (52,323 points)
    Mac OS X

    Linc Davis wrote:

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less

    Apple in their OFFICIAL documentation does condone the use of AV applications making this statement in conflict with OFFICIAL Apple policy.

     

    https://support.apple.com/en-us/HT201675

     

    The best course of action the user should take is to download Malwarebytes Anti-Malware for Mac

     

    https://www.malwarebytes.org/mac-download/

     

    It is faster, simpler and more comprehensive than any other approach to adware/malware removal.  In addition, it is widely recommended for use by Apple telephone support personnel and Apple genius bar technicians.  One cannot find a better endorsement than that.

     

    Ciao.

  • by etresoft,

    etresoft Jan 10, 2016 2:45 PM in response to Pepperment
    Level 7 (29,198 points)
    Mac OS X

    Hello Pepperment,

    Now you know the reason for that big disclaimer when you copied your EtreCheck report to the clipboard.

     

    All you need to do is what others have suggested and run MalwareBytes for Mac. Your adware will be gone in seconds.

     

    Just because some software is in the Mac App Store does not mean it is safe. And just because some software is not in the Mac App Store doesn't mean it is unsafe. Apps in the Mac App Store have very strict limitations on what they can do. Any apps that need to do more than that cannot be in the Mac App Store. That doesn't mean there is anything wrong with them. In fact, the more powerful the software is, the less likely that it will qualify for the Mac App Store. MalwareBytes is perfectly safe and is by far the best anti-adware and anti-malware tool for the Mac.