my Macbook is infected with adware?

Question

Hi,I have the same problem - my Macbook is infected with adware and I followed the instructions that you posted to Rebecca and downloaded EtreCheck and it issued a report. When I go to remove the infected files it tells me that I must remove them manually.  Could you please show me how to do this?  I am also wondering why it says that I have insufficient RAM as I just increased it by 8GB a couple of months ago. Thanks for your help!EtreCheck version: 2.9.11 (264)Report generated 2016-04-29 07:37:40Download EtreCheck from https://etrecheck.comRuntime 4:37Performance: GoodClick the [Support] links for help with non-Apple products.Click the [Details] links for more information about that line.Click the [Remove] links to remove adware.Problem: Other problemDescription:my browser (Safari)  opens with perfetnight.com.  I want to get rid of it. Hardware Information: ⓘ    MacBook Pro (13-inch, Late 2011)    [Technical Specifications] - [User Guide] - [Warranty &amp; Service]    MacBook Pro - model: MacBookPro8,1    1 2.4 GHz Intel Core i5 CPU: 2-core    8 GB RAM Upgradeable - [Instructions]        BANK 0/DIMM0            4 GB DDR3 1333 MHz ok        BANK 1/DIMM0            4 GB DDR3 1333 MHz ok    Bluetooth: Old - Handoff/Airdrop2 not supported    Wireless:  en1: 802.11 a/b/g/n    Battery: Health &#x3D; Normal - Cycle count &#x3D; 599Video Information: ⓘ    Intel HD Graphics 3000        Color LCD 1280 x 800System Software: ⓘ    OS X El Capitan 10.11.2 (15C50) - Time since boot: about 13 daysDisk Information: ⓘ    Hitachi HTS547550A9E384 disk0 : (500.11 GB) (Rotational)        EFI (disk0s1) &lt;not mounted&gt; : 210 MB        Macintosh HD (disk0s2) / : 499.25 GB (226.88 GB free)        Recovery HD (disk0s3) &lt;not mounted&gt;  [Recovery]: 650 MB    MATSHITADVD-R   UJ-8A8   ()USB Information: ⓘ    Apple Inc. FaceTime HD Camera (Built-in)    Apple Inc. Apple Internal Keyboard / Trackpad    Apple Inc. BRCM2070 Hub        Apple Inc. Bluetooth USB Host Controller    Apple Computer, Inc. IR ReceiverThunderbolt Information: ⓘ    Apple Inc. thunderbolt_busGatekeeper: ⓘ    Mac App Store and identified developersAdware: ⓘ    /Library/LaunchAgents/com.EasyShopper.agent.plist    /Library/LaunchAgents/com.SoftwareUpdater.agent.plist    /Library/LaunchAgents/com.google.keystone.agent.plist    /Library/LaunchDaemons/com.google.keystone.daemon.plist    ~/Library/LaunchAgents/Javeview.update.plist    ~/Library/LaunchAgents/Perfetnight.AppVemoral.plist    ~/Library/LaunchAgents/Perfetnight.btvlit.plist    ~/Library/LaunchAgents/Perfetnight.dolnwoad.plist    ~/Library/LaunchAgents/Perfetnight.uadpte.plist    ~/Library/LaunchAgents/com.EasyShopper.agent.plist    ~/Library/LaunchAgents/com.SoftwareUpdater.agent.plist    ~/Library/LaunchAgents/com.google.keystone.agent.plist    ~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist    ~/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist    ~/Library/Safari/Extensions/Perfetnight.safariextz    15 adware files found. [Remove]Kernel Extensions: ⓘ        /Library/Extensions    [not loaded]    expressvpn.tap (20150118 - 2016-02-20) [Support]    [loaded]    expressvpn.tun (20150118 - 2016-02-20) [Support]        /System/Library/Extensions    [not loaded]    com.devguru.driver.SamsungComposite (1.4.25 - SDK 10.6 - 2016-01-12) [Support]    [not loaded]    com.tomtom.driver.UsbEthernetGadget (1.0.0d1 - 2016-01-12) [Support]        /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns    [not loaded]    com.devguru.driver.SamsungACMControl (1.4.25 - SDK 10.6 - 2014-08-13) [Support]    [not loaded]    com.devguru.driver.SamsungACMData (1.4.25 - SDK 10.6 - 2014-08-13) [Support]    [not loaded]    com.devguru.driver.SamsungMTP (1.4.25 - SDK 10.5 - 2014-08-13) [Support]    [not loaded]    com.devguru.driver.SamsungSerial (1.4.25 - SDK 10.6 - 2014-08-13) [Support]System Launch Agents: ⓘ    [not loaded]    7 Apple tasks    [loaded]    152 Apple tasks    [running]    74 Apple tasks    [killed]    3 Apple tasks    3 processes killed due to insufficient RAMSystem Launch Daemons: ⓘ    [failed]    com.apple.Kerberos.digest-service.plist    [not loaded]    45 Apple tasks    [loaded]    151 Apple tasks    [running]    86 Apple tasks    [killed]    5 Apple tasks    5 processes killed due to insufficient RAMLaunch Agents: ⓘ    [failed]    com.EasyShopper.agent.plist (2016-02-19) Adware!  [Remove]    [loaded]    com.SoftwareUpdater.agent.plist (2016-02-19) Adware!  [Remove]        /Applications/SoftwareUpdater/SoftwareUpdater    [failed]    com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist (2016-01-18) [Support]    [loaded]    com.google.keystone.agent.plist (2016-02-03) [Support]    [running]    com.trusteer.rapport.rapportd.plist (2016-03-19) [Support]Launch Daemons: ⓘ    [loaded]    com.adobe.ARMDC.Communicator.plist (2016-01-18) [Support]    [loaded]    com.adobe.ARMDC.SMJobBlessHelper.plist (2016-01-18) [Support]    [loaded]    com.adobe.fpsaud.plist (2016-04-15) [Support]    [loaded]    com.expressvpn.tap.plist (2016-02-20) [Support]    [loaded]    com.expressvpn.tun.plist (2016-02-20) [Support]    [loaded]    com.google.keystone.daemon.plist (2016-02-03) [Support]    [loaded]    com.microsoft.office.licensing.helper.plist (2015-11-19) [Support]    [running]    com.trusteer.rooks.rooksd.plist (2016-03-19) [Support]User Launch Agents: ⓘ    [loaded]    Javeview.update.plist (2016-04-23) Adware!  [Remove]        ~/Library/Application Support/Javeview/Javeview.app/Contents/MacOS/AppNOS    [loaded]    Perfetnight.AppVemoral.plist (2016-04-28) Adware!  [Remove]        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH    [loaded]    Perfetnight.btvlit.plist (2016-04-28) Adware!  [Remove]        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH    [loaded]    Perfetnight.dolnwoad.plist (2016-04-28) Adware!  [Remove]        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH    [loaded]    Perfetnight.uadpte.plist (2016-04-28) Adware!  [Remove]        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH    [failed]    com.EasyShopper.agent.plist (2016-02-19) Adware!  [Remove]    [loaded]    com.SoftwareUpdater.agent.plist (2016-02-19) Adware!  [Remove]        /Applications/SoftwareUpdater/SoftwareUpdater    [failed]    com.adobe.ARM.[...].plist (2014-03-25) [Support]    [failed]    com.google.keystone.agent.plist (2015-06-18) Adware!  [Remove]        ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Reso urces/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent    [failed]    com.jdibackup.ZipCloud.autostart.plist (2016-02-20) Adware!  [Remove]    [failed]    com.jdibackup.ZipCloud.notify.plist (2016-02-20) Adware!  [Remove]User Login Items: ⓘ    Flux    Application  (/Applications/Flux.app)    iTunesHelper    Application  (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)    Dropbox    Application  (/Applications/Dropbox.app)    ExpressVPN    Application  (/Applications/ExpressVPN.app)    fuspredownloader    Application Hidden (~/Library/Application Support/.FUS/fuspredownloader.app)Other Apps: ⓘ    [running]    2BUA8C4S2C.com.agilebits.onepassword-osx-helper    [running]    com.adobe.Reader.85792    [running]    com.epson.scanner.ica.114272.7CE282F9-3940-4FC5-8C8F-72BAE1507CFD    [running]    com.evernote.Evernote.62752    [running]    com.expressvpn.ExpressVPN.107232    [running]    com.getdropbox.dropbox.84832    [running]    com.microsoft.Word.67872    [running]    com.microsoft.autoupdate.fba.73312    [running]    com.skype.skype.76512    [loaded]    com.tidal.LaunchHelper    [running]    org.herf.Flux.97632    [loaded]    396 Apple tasks    [running]    206 Apple tasks    [killed]    6 Apple tasksInternet Plug-ins: ⓘ    FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]    QuickTime Plugin: 7.7.3 (2015-12-03)    AdobePDFViewerNPAPI: 15.010.20060 - SDK 10.8 (2016-03-10) [Support]    AdobePDFViewer: 15.010.20060 - SDK 10.8 (2016-03-10) [Support]    Flash Player: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]    Default Browser: 601 - SDK 10.11 (2015-12-03)    o1dbrowserplugin: 5.41.3.0 - SDK 10.8 (2016-02-03) [Support]    SharePointBrowserPlugin: 14.5.9 - SDK 10.6 (2016-01-12) [Support]    googletalkbrowserplugin: 5.41.3.0 - SDK 10.8 (2015-12-11) [Support]    Silverlight: 5.1.41212.0 - SDK 10.6 (2016-02-20) [Support]User internet Plug-ins: ⓘ    Google Earth Web Plug-in: 7.1 (2013-10-07) [Support]Safari Extensions: ⓘ    1Password - AgileBits - https://agilebits.com/onepassword (2016-04-05)    Evernote Web Clipper - Evernote Corp. - http://evernote.com (2016-04-28)    Perfetnight - Perfetnight - http://www.perfetnight.com/faq#perfetnight (2016-02-19) Adware!  [Remove]3rd Party Preference Panes: ⓘ    Flash Player (2016-04-15) [Support]    Trusteer Endpoint Protection (2016-03-28) [Support]Time Machine: ⓘ    Auto backup: YES    Volumes being backed up:        Macintosh HD: Disk size: 499.25 GB Disk used: 272.36 GB    Destinations:        Time Machine [Local]        Total size: 79.68 GB        Total number of backups: 0        Oldest backup: -        Last backup: -        Size of backup disk: Too small            Backup size 79.68 GB &lt; (Disk used 272.36 GB X 3)        LaCie [Local]        Total size: 999.86 GB        Total number of backups: 17        Oldest backup: 2013-08-18, 5:16 PM        Last backup: 2016-01-12, 3:13 PM        Size of backup disk: Adequate            Backup size 999.86 GB &gt; (Disk used 272.36 GB X 3)Top Processes by CPU: ⓘ        10%    WindowServer         5%    launchservicesd         3%    kernel_task         2%    com.apple.WebKit.WebContent(2)         1%    hiddTop Processes by Memory: ⓘ    789 MB    kernel_task    565 MB    com.apple.WebKit.WebContent(2)    500 MB    com.apple.audio.SandboxHelper(82)    254 MB    Safari    238 MB    mdworker(15)Virtual Memory Information: ⓘ    708 MB    Free RAM    7.31 GB    Used RAM (2.05 GB Cached)    215 MB    Swap UsedDiagnostics Information: ⓘ    Apr 29, 2016, 06:43:04 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-29-064304_[r edacted].crash        /Users/USER/Library/Google/*/GoogleSoftwareUpdate.bundle/Contents/Resources/Goo gleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent    Apr 28, 2016, 11:26:26 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-232626_[r edacted].crash    Apr 28, 2016, 01:14:53 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-131453_[r edacted].crash    Apr 28, 2016, 12:16:10 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-121610_[r edacted].crash    Apr 28, 2016, 11:17:35 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-111735_[r edacted].crash    Apr 28, 2016, 10:05:27 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-100527_[r edacted].crash    Apr 28, 2016, 09:06:45 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-090645_[r edacted].crash    Apr 28, 2016, 07:46:25 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-074625_[r edacted].crash    Apr 27, 2016, 04:39:29 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-27-163929_[r edacted].crash    Apr 27, 2016, 01:35:39 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-27-133539_[r edacted].crash    Apr 26, 2016, 10:42:26 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-224226_[r edacted].crash    Apr 26, 2016, 03:10:29 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-151029_[r edacted].crash    Apr 26, 2016, 12:19:44 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-121944_[r edacted].crash    Apr 26, 2016, 08:20:56 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-082056_[r edacted].crash&lt;Re-Titled by Hosts&gt;

thunderzzz · Answer

Tons of adware on your Mac.Follow the instructions on this web page  in order to manually remove adware from your mac: https://support.apple.com/en-us/HT203987You may also find adware removal guide on this page http://www.thesafemac.com/arg-identification/If you do not want to remove adware manually use this anti malware tool in order to scan and remove it: https://www.malwarebytes.org/antimalware/mac/?utm_source&#x3D;blog&amp;utm_medium&#x3D;socialDownload, open dmg file ,  and run it by clicking “Scan for Adware” button  to remove adware.  Once done, quit the application  and restart your mac.

etresoft · Answer

Hello Michele,What was the exact message when you tried to remove these files? EtreCheck may have removed some of those files. It would tell you that either "Some files could not be deleted" or "No files could be deleted". Also, there appears to be a bug where one of the adware checks is catching two Google files. You should locate those Google files in the trash and use the "put back" feature to restore them. I will look into why this is happening and fix it.If you want to delete these files manually, do the following:1) Switch to the Finder and chose "Go to Folder" from the "Go" menu.2) In the "Go to folder" dialog, enter the following "/Library/LaunchAgents" (without the quotes)3) In the window that appears, find the following files and move them to the trash:com.EasyShopper.agent.plistcom.SoftwareUpdater.agent.plistThen do the next set:1) Switch to the Finder and chose "Go to Folder" from the "Go" menu.2) In the "Go to folder" dialog, enter the following "~/Library/LaunchAgents" (without the quotes)3) In the window that appears, find the following files and move them to the trash:Javeview.update.plistPerfetnight.AppVemoral.plistPerfetnight.btvlit.plistPerfetnight.dolnwoad.plistPerfetnight.uadpte.plistcom.EasyShopper.agent.plistcom.SoftwareUpdater.agent.plistcom.jdibackup.ZipCloud.autostart.plistcom.jdibackup.ZipCloud.notify.plistNext, remove the Safari extension:1) Switch to Safari and choose "Preferences" from the "Safari" menu2) Click the "Extensions" tab3) Locate the "Perfetnight" extension and remove itSome of these files might not be there anymore if EtreCheck deleted them. Make sure to double-check your Trash folder and restore those Google files if they are in the Trash. I will fix EtreCheck so those don&#x27;t get caught again. Sorry for the trouble.Feel free to contact me via the e-mail address listed here: http://etresoft.com/#support

Michele Ashley · Answer

Hi, I am sending screen shots of my latest diagnostic tests after running your software, running software by Malwarebytes and restarting the computer.  There are a few things that failed but I&#x27;m not sure if they are important?  And I&#x27;m not exactly sure what you want me to remove from the trash?Thanks.

etresoft · Answer

Hello again Michele,You don&#x27;t need to do anything. Those Google files are still where they are supposed to be. I think the file that caused EtreCheck to get confused was also causing trouble for the Google software itself. You have been having lots of crashes related to the Google software updater. Hopefully those will be fixed now.I have already fixed EtreCheck so that it will no longer flag Google&#x27;s file as adware. I don&#x27;t know why you had that one file in two different places. It isn&#x27;t supposed to be like that. Otherwise I would have noticed it because I have the same Google software you do. But at least now if I see someone else with lots of Google update crashes, I can look for duplicate launchd files.In any event, your adware is now cleaned up. You may still need to reset your Safari home page and default search provider. EtreCheck can&#x27;t do that and I don&#x27;t know if MalwareBytes does either. Those low RAM messages are normal. You should only be concerned if your machine is running very slowly. You have a MacBook Pro so you could upgrade to an SSD if you did start to have performance problems.Finally, you need to update your system software. You are running 10.11.2 and the latest version is 10.11.4. Apple includes automatic malware removal in OS updates so keeping your system updated will also help to reduce adware and malware.

Michele Ashley · Answer

Thank you so much!  I really appreciate your input.  And I am very glad to have gotten rid of all of that junk!  I  just hope that there is no collateral damage on the computer as a result of this.  When I read about Perfetnight it was very disturbing. It sounds like it is very pernicious.

Esquared · Answer

Don&#x27;t forget to ask yourself the question what it is you installed on 16 February 2016, and where you downloaded it from. 🙂