Michele Ashley

Q: my Macbook is infected with adware?

Hi,

I have the same problem - my Macbook is infected with adware and I followed the instructions that you posted to Rebecca and downloaded EtreCheck and it issued a report. When I go to remove the infected files it tells me that I must remove them manually.  Could you please show me how to do this?  I am also wondering why it says that I have insufficient RAM as I just increased it by 8GB a couple of months ago. Thanks for your help!

EtreCheck version: 2.9.11 (264)

Report generated 2016-04-29 07:37:40

Download EtreCheck from https://etrecheck.com

Runtime 4:37

Performance: Good

 

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Remove] links to remove adware.

 

Problem: Other problem

Description:

my browser (Safari)  opens with perfetnight.com.  I want to get rid of it.

 

Hardware Information:

    MacBook Pro (13-inch, Late 2011)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook Pro - model: MacBookPro8,1

    1 2.4 GHz Intel Core i5 CPU: 2-core

    8 GB RAM Upgradeable - [Instructions]

        BANK 0/DIMM0

            4 GB DDR3 1333 MHz ok

        BANK 1/DIMM0

            4 GB DDR3 1333 MHz ok

    Bluetooth: Old - Handoff/Airdrop2 not supported

    Wireless:  en1: 802.11 a/b/g/n

    Battery: Health = Normal - Cycle count = 599

 

Video Information:

    Intel HD Graphics 3000

        Color LCD 1280 x 800

 

System Software:

    OS X El Capitan 10.11.2 (15C50) - Time since boot: about 13 days

 

Disk Information:

    Hitachi HTS547550A9E384 disk0 : (500.11 GB) (Rotational)

        EFI (disk0s1) <not mounted> : 210 MB

        Macintosh HD (disk0s2) / : 499.25 GB (226.88 GB free)

        Recovery HD (disk0s3) <not mounted>  [Recovery]: 650 MB

 

    MATSHITADVD-R   UJ-8A8   ()

 

USB Information:

    Apple Inc. FaceTime HD Camera (Built-in)

    Apple Inc. Apple Internal Keyboard / Trackpad

    Apple Inc. BRCM2070 Hub

        Apple Inc. Bluetooth USB Host Controller

    Apple Computer, Inc. IR Receiver

 

Thunderbolt Information:

    Apple Inc. thunderbolt_bus

 

Gatekeeper:

    Mac App Store and identified developers

 

Adware:

    /Library/LaunchAgents/com.EasyShopper.agent.plist

    /Library/LaunchAgents/com.SoftwareUpdater.agent.plist

    /Library/LaunchAgents/com.google.keystone.agent.plist

    /Library/LaunchDaemons/com.google.keystone.daemon.plist

    ~/Library/LaunchAgents/Javeview.update.plist

    ~/Library/LaunchAgents/Perfetnight.AppVemoral.plist

    ~/Library/LaunchAgents/Perfetnight.btvlit.plist

    ~/Library/LaunchAgents/Perfetnight.dolnwoad.plist

    ~/Library/LaunchAgents/Perfetnight.uadpte.plist

    ~/Library/LaunchAgents/com.EasyShopper.agent.plist

    ~/Library/LaunchAgents/com.SoftwareUpdater.agent.plist

    ~/Library/LaunchAgents/com.google.keystone.agent.plist

    ~/Library/LaunchAgents/com.jdibackup.ZipCloud.autostart.plist

    ~/Library/LaunchAgents/com.jdibackup.ZipCloud.notify.plist

    ~/Library/Safari/Extensions/Perfetnight.safariextz

    15 adware files found. [Remove]

 

Kernel Extensions:

        /Library/Extensions

    [not loaded]    expressvpn.tap (20150118 - 2016-02-20) [Support]

    [loaded]    expressvpn.tun (20150118 - 2016-02-20) [Support]

 

        /System/Library/Extensions

    [not loaded]    com.devguru.driver.SamsungComposite (1.4.25 - SDK 10.6 - 2016-01-12) [Support]

    [not loaded]    com.tomtom.driver.UsbEthernetGadget (1.0.0d1 - 2016-01-12) [Support]

 

        /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns

    [not loaded]    com.devguru.driver.SamsungACMControl (1.4.25 - SDK 10.6 - 2014-08-13) [Support]

    [not loaded]    com.devguru.driver.SamsungACMData (1.4.25 - SDK 10.6 - 2014-08-13) [Support]

    [not loaded]    com.devguru.driver.SamsungMTP (1.4.25 - SDK 10.5 - 2014-08-13) [Support]

    [not loaded]    com.devguru.driver.SamsungSerial (1.4.25 - SDK 10.6 - 2014-08-13) [Support]

 

System Launch Agents:

    [not loaded]    7 Apple tasks

    [loaded]    152 Apple tasks

    [running]    74 Apple tasks

    [killed]    3 Apple tasks

    3 processes killed due to insufficient RAM

 

System Launch Daemons:

    [failed]    com.apple.Kerberos.digest-service.plist

    [not loaded]    45 Apple tasks

    [loaded]    151 Apple tasks

    [running]    86 Apple tasks

    [killed]    5 Apple tasks

    5 processes killed due to insufficient RAM

 

Launch Agents:

    [failed]    com.EasyShopper.agent.plist (2016-02-19) Adware!  [Remove]

    [loaded]    com.SoftwareUpdater.agent.plist (2016-02-19) Adware!  [Remove]

        /Applications/SoftwareUpdater/SoftwareUpdater

    [failed]    com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist (2016-01-18) [Support]

    [loaded]    com.google.keystone.agent.plist (2016-02-03) [Support]

    [running]    com.trusteer.rapport.rapportd.plist (2016-03-19) [Support]

 

Launch Daemons:

    [loaded]    com.adobe.ARMDC.Communicator.plist (2016-01-18) [Support]

    [loaded]    com.adobe.ARMDC.SMJobBlessHelper.plist (2016-01-18) [Support]

    [loaded]    com.adobe.fpsaud.plist (2016-04-15) [Support]

    [loaded]    com.expressvpn.tap.plist (2016-02-20) [Support]

    [loaded]    com.expressvpn.tun.plist (2016-02-20) [Support]

    [loaded]    com.google.keystone.daemon.plist (2016-02-03) [Support]

    [loaded]    com.microsoft.office.licensing.helper.plist (2015-11-19) [Support]

    [running]    com.trusteer.rooks.rooksd.plist (2016-03-19) [Support]

 

User Launch Agents:

    [loaded]    Javeview.update.plist (2016-04-23) Adware!  [Remove]

        ~/Library/Application Support/Javeview/Javeview.app/Contents/MacOS/AppNOS

    [loaded]    Perfetnight.AppVemoral.plist (2016-04-28) Adware!  [Remove]

        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH

    [loaded]    Perfetnight.btvlit.plist (2016-04-28) Adware!  [Remove]

        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH

    [loaded]    Perfetnight.dolnwoad.plist (2016-04-28) Adware!  [Remove]

        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH

    [loaded]    Perfetnight.uadpte.plist (2016-04-28) Adware!  [Remove]

        ~/Library/Application Support/Perfetnight/Perfetnight.app/Contents/MacOS/AppEH

    [failed]    com.EasyShopper.agent.plist (2016-02-19) Adware!  [Remove]

    [loaded]    com.SoftwareUpdater.agent.plist (2016-02-19) Adware!  [Remove]

        /Applications/SoftwareUpdater/SoftwareUpdater

    [failed]    com.adobe.ARM.[...].plist (2014-03-25) [Support]

    [failed]    com.google.keystone.agent.plist (2015-06-18) Adware!  [Remove]

        ~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

    [failed]    com.jdibackup.ZipCloud.autostart.plist (2016-02-20) Adware!  [Remove]

    [failed]    com.jdibackup.ZipCloud.notify.plist (2016-02-20) Adware!  [Remove]

 

User Login Items:

    Flux    Application  (/Applications/Flux.app)

    iTunesHelper    Application  (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

    Dropbox    Application  (/Applications/Dropbox.app)

    ExpressVPN    Application  (/Applications/ExpressVPN.app)

    fuspredownloader    Application Hidden (~/Library/Application Support/.FUS/fuspredownloader.app)

 

Other Apps:

    [running]    2BUA8C4S2C.com.agilebits.onepassword-osx-helper

    [running]    com.adobe.Reader.85792

    [running]    com.epson.scanner.ica.114272.7CE282F9-3940-4FC5-8C8F-72BAE1507CFD

    [running]    com.evernote.Evernote.62752

    [running]    com.expressvpn.ExpressVPN.107232

    [running]    com.getdropbox.dropbox.84832

    [running]    com.microsoft.Word.67872

    [running]    com.microsoft.autoupdate.fba.73312

    [running]    com.skype.skype.76512

    [loaded]    com.tidal.LaunchHelper

    [running]    org.herf.Flux.97632

    [loaded]    396 Apple tasks

    [running]    206 Apple tasks

    [killed]    6 Apple tasks

 

Internet Plug-ins:

    FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]

    QuickTime Plugin: 7.7.3 (2015-12-03)

    AdobePDFViewerNPAPI: 15.010.20060 - SDK 10.8 (2016-03-10) [Support]

    AdobePDFViewer: 15.010.20060 - SDK 10.8 (2016-03-10) [Support]

    Flash Player: 21.0.0.226 - SDK 10.6 (2016-04-22) [Support]

    Default Browser: 601 - SDK 10.11 (2015-12-03)

    o1dbrowserplugin: 5.41.3.0 - SDK 10.8 (2016-02-03) [Support]

    SharePointBrowserPlugin: 14.5.9 - SDK 10.6 (2016-01-12) [Support]

    googletalkbrowserplugin: 5.41.3.0 - SDK 10.8 (2015-12-11) [Support]

    Silverlight: 5.1.41212.0 - SDK 10.6 (2016-02-20) [Support]

 

User internet Plug-ins:

    Google Earth Web Plug-in: 7.1 (2013-10-07) [Support]

 

Safari Extensions:

    1Password - AgileBits - https://agilebits.com/onepassword (2016-04-05)

    Evernote Web Clipper - Evernote Corp. - http://evernote.com (2016-04-28)

    Perfetnight - Perfetnight - http://www.perfetnight.com/faq#perfetnight (2016-02-19) Adware!  [Remove]

 

3rd Party Preference Panes:

    Flash Player (2016-04-15) [Support]

    Trusteer Endpoint Protection (2016-03-28) [Support]

 

Time Machine:

    Auto backup: YES

    Volumes being backed up:

        Macintosh HD: Disk size: 499.25 GB Disk used: 272.36 GB

    Destinations:

        Time Machine [Local]

        Total size: 79.68 GB

        Total number of backups: 0

        Oldest backup: -

        Last backup: -

        Size of backup disk: Too small

            Backup size 79.68 GB < (Disk used 272.36 GB X 3)

 

        LaCie [Local]

        Total size: 999.86 GB

        Total number of backups: 17

        Oldest backup: 2013-08-18, 5:16 PM

        Last backup: 2016-01-12, 3:13 PM

        Size of backup disk: Adequate

            Backup size 999.86 GB > (Disk used 272.36 GB X 3)

 

Top Processes by CPU:

        10%    WindowServer

         5%    launchservicesd

         3%    kernel_task

         2%    com.apple.WebKit.WebContent(2)

         1%    hidd

 

Top Processes by Memory:

    789 MB    kernel_task

    565 MB    com.apple.WebKit.WebContent(2)

    500 MB    com.apple.audio.SandboxHelper(82)

    254 MB    Safari

    238 MB    mdworker(15)

 

Virtual Memory Information:

    708 MB    Free RAM

    7.31 GB    Used RAM (2.05 GB Cached)

    215 MB    Swap Used

 

Diagnostics Information:

    Apr 29, 2016, 06:43:04 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-29-064304_[redacted].crash

        /Users/USER/Library/Google/*/GoogleSoftwareUpdate.bundle/Contents/Resources/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

    Apr 28, 2016, 11:26:26 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-232626_[redacted].crash

    Apr 28, 2016, 01:14:53 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-131453_[redacted].crash

    Apr 28, 2016, 12:16:10 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-121610_[redacted].crash

    Apr 28, 2016, 11:17:35 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-111735_[redacted].crash

    Apr 28, 2016, 10:05:27 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-100527_[redacted].crash

    Apr 28, 2016, 09:06:45 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-090645_[redacted].crash

    Apr 28, 2016, 07:46:25 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-28-074625_[redacted].crash

    Apr 27, 2016, 04:39:29 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-27-163929_[redacted].crash

    Apr 27, 2016, 01:35:39 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-27-133539_[redacted].crash

    Apr 26, 2016, 10:42:26 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-224226_[redacted].crash

    Apr 26, 2016, 03:10:29 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-151029_[redacted].crash

    Apr 26, 2016, 12:19:44 PM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-121944_[redacted].crash

    Apr 26, 2016, 08:20:56 AM    ~/Library/Logs/DiagnosticReports/GoogleSoftwareUpdateAgent_2016-04-26-082056_[redacted].crash

 

<Re-Titled by Hosts>

Posted on Apr 29, 2016 5:07 AM


  • by thunderzzz,

    thunderzzz Apr 29, 2016 5:07 AM in response to Michele Ashley
    Level 6 (8,379 points)
    Notebooks

    Tons of adware on your Mac.

    Follow the instructions on this web page in order to manually remove adware from your Mac: https://support.apple.com/en-us/HT203987

    You may also find an adware removal guide on this page: http://www.thesafemac.com/arg-identification/

    If you do not want to remove adware manually, use this anti-malware tool to scan for and remove it: https://www.malwarebytes.org/antimalware/mac/?utm_source=blog&utm_medium=social

    Download it, open the dmg file, and run it by clicking the “Scan for Adware” button to remove adware.

    Once done, quit the application and restart your Mac.


  • by etresoft,

    etresoft Apr 29, 2016 11:44 AM in response to Michele Ashley
    Level 7 (29,380 points)

    Hello Michele,

    What was the exact message when you tried to remove these files? EtreCheck may have removed some of those files. It would tell you that either "Some files could not be deleted" or "No files could be deleted". Also, there appears to be a bug where one of the adware checks is catching two Google files. You should locate those Google files in the trash and use the "put back" feature to restore them. I will look into why this is happening and fix it.

     

    If you want to delete these files manually, do the following:

     

    1) Switch to the Finder and choose "Go to Folder" from the "Go" menu.

    2) In the "Go to folder" dialog, enter the following "/Library/LaunchAgents" (without the quotes)

    3) In the window that appears, find the following files and move them to the trash:

    com.EasyShopper.agent.plist

    com.SoftwareUpdater.agent.plist

     

    Then do the next set:

    1) Switch to the Finder and choose "Go to Folder" from the "Go" menu.

    2) In the "Go to folder" dialog, enter the following "~/Library/LaunchAgents" (without the quotes)

    3) In the window that appears, find the following files and move them to the trash:

    Javeview.update.plist

    Perfetnight.AppVemoral.plist

    Perfetnight.btvlit.plist

    Perfetnight.dolnwoad.plist

    Perfetnight.uadpte.plist

    com.EasyShopper.agent.plist

    com.SoftwareUpdater.agent.plist

    com.jdibackup.ZipCloud.autostart.plist

    com.jdibackup.ZipCloud.notify.plist

     

    Next, remove the Safari extension:

    1) Switch to Safari and choose "Preferences" from the "Safari" menu

    2) Click the "Extensions" tab

    3) Locate the "Perfetnight" extension and remove it

     

    Some of these files might not be there anymore if EtreCheck deleted them. Make sure to double-check your Trash folder and restore those Google files if they are in the Trash. I will fix EtreCheck so those don't get caught again. Sorry for the trouble.

     

    Feel free to contact me via the e-mail address listed here: http://etresoft.com/#support

  • by Michele Ashley,

    Michele Ashley Apr 29, 2016 3:37 PM in response to etresoft
    Level 1 (14 points)
    Notebooks

    Hi, I am sending screen shots of my latest diagnostic tests after running your software, running software by Malwarebytes and restarting the computer.  There are a few things that failed but I'm not sure if they are important?  And I'm not exactly sure what you want me to remove from the trash?

    Thanks.

  • by etresoft,

    etresoft Apr 29, 2016 4:43 PM in response to Michele Ashley
    Level 7 (29,380 points)

    Hello again Michele,

    You don't need to do anything. Those Google files are still where they are supposed to be. I think the file that caused EtreCheck to get confused was also causing trouble for the Google software itself. You have been having lots of crashes related to the Google software updater. Hopefully those will be fixed now.

     

    I have already fixed EtreCheck so that it will no longer flag Google's file as adware. I don't know why you had that one file in two different places. It isn't supposed to be like that. Otherwise I would have noticed it because I have the same Google software you do. But at least now if I see someone else with lots of Google update crashes, I can look for duplicate launchd files.

     

    In any event, your adware is now cleaned up. You may still need to reset your Safari home page and default search provider. EtreCheck can't do that and I don't know if MalwareBytes does either.

     

    Those low RAM messages are normal. You should only be concerned if your machine is running very slowly. You have a MacBook Pro so you could upgrade to an SSD if you did start to have performance problems.

     

    Finally, you need to update your system software. You are running 10.11.2 and the latest version is 10.11.4. Apple includes automatic malware removal in OS updates so keeping your system updated will also help to reduce adware and malware.
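
An added example, not part of the thread and not EtreCheck's code: etresoft mentions looking for duplicate launchd files, that is, the same plist present in both /Library/LaunchAgents and ~/Library/LaunchAgents, as com.google.keystone.agent.plist is in the report above. This Python sketch inventories launch-agent directories, shows the program each job runs, and reports file names found in more than one directory; the sample directories and program paths are constructed stand-ins.

```python
import plistlib
import tempfile
from collections import defaultdict
from pathlib import Path


def inventory(dirs):
    """Return one record per launchd plist: directory, file name, label, program."""
    records = []
    for d in map(Path, dirs):
        for path in sorted(d.glob("*.plist")):
            try:
                with path.open("rb") as fh:
                    job = plistlib.load(fh)      # reads XML and binary plists
            except Exception:
                job = {}                         # unreadable plist: still list the file
            if not isinstance(job, dict):
                job = {}
            args = job.get("ProgramArguments") or [None]
            records.append({
                "dir": str(d),
                "file": path.name,
                "label": job.get("Label"),
                "program": job.get("Program") or args[0],
            })
    return records


def duplicates(records):
    """File names present in more than one of the scanned directories."""
    seen = defaultdict(set)
    for r in records:
        seen[r["file"]].add(r["dir"])
    return {name: sorted(dirs) for name, dirs in seen.items() if len(dirs) > 1}


def build_sample(root):
    """Constructed stand-ins for /Library/LaunchAgents and ~/Library/LaunchAgents."""
    system, user = Path(root, "system"), Path(root, "user")
    jobs = [  # constructed program paths, shortened for the example
        (system, "com.google.keystone.agent.plist", "/Library/Google/GoogleSoftwareUpdateAgent"),
        (user, "com.google.keystone.agent.plist", "/Users/USER/Library/Google/GoogleSoftwareUpdateAgent"),
        (user, "Perfetnight.uadpte.plist", "/Users/USER/Library/Application Support/Perfetnight/AppEH"),
    ]
    for d, name, prog in jobs:
        d.mkdir(parents=True, exist_ok=True)
        with (d / name).open("wb") as fh:
            plistlib.dump({"Label": name[:-6], "ProgramArguments": [prog]}, fh)
    return [system, user]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        recs = inventory(build_sample(tmp))
        for r in recs:
            print(r["dir"], r["file"], "->", r["program"])
        print("duplicates:", duplicates(recs))
```

On a real Mac, pass `["/Library/LaunchAgents", Path.home() / "Library/LaunchAgents"]` to `inventory()` instead of the sample directories; the script only reads and never deletes anything.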

  • by Michele Ashley,

    Michele Ashley Apr 29, 2016 8:25 PM in response to etresoft
    Level 1 (14 points)
    Notebooks

    Thank you so much!  I really appreciate your input.  And I am very glad to have gotten rid of all of that junk!  I  just hope that there is no collateral damage on the computer as a result of this.  When I read about Perfetnight it was very disturbing. It sounds like it is very pernicious.

  • by Esquared,

    Esquared Apr 30, 2016 5:36 AM in response to Michele Ashley
    Level 6 (8,518 points)
    Mac OS X

    Don't forget to ask yourself the question what it is you installed on 16 February 2016, and where you downloaded it from.