Q: Am I infected with malware?
Hello!
This is my first post in the forum, but I've been following the discussions since I got my MacBook and the community is very helpful.
I've decided to create this post to ask the experts' opinion.
I received a phone call from the network admin at my university saying that I (and a few other students) were infected with the Zeus trojan and it was attacking the university network. I found it very doubtful after doing a quick search about this trojan and didn't find any relation between Zeus and OSX. Still, it got me a little bit paranoid, so I proceeded to change my passwords and started to analyse the system in order to find out whether there was some malware.
One thing that is important to mention at this point is that I sometimes use a Windows 7 virtual machine (Parallels Desktop), which is only used to interact with the instrumentation in the lab at the university. The VM has a shared WiFi connection from OSX and shared folders to access the files. The VM had only Microsoft Security Essentials "antivirus" installed. And I don't remember installing any new software on the Windows VM since the supposed "attacks" started.
So I disconnected my Mac from the Internet, disabled folder sharing between the VM and OSX and started analysing the Windows VM using different software and following the instructions on this website: https://malwaretips.com/blogs/zeus-trojan-virus/
Nothing was detected.
I proceeded to analyse OSX using MalwareBytes, and even installed Kaspersky Internet Security to give it a try. Did some scans, and still nothing.
I made a scan with EtreCheck and read the report. I removed some of the plugins that I wasn't using anymore, since this install of OSX has always been upgraded, starting from Lion.
This is the EtreCheck report right now:
EtreCheck version: 2.9.12 (265)
Report generated 2016-05-18 12:07:22
Download EtreCheck from https://etrecheck.com
Runtime 1:47
Performance: Excellent
Click the [Support] links for help with non-Apple products.
Click the [Details] links for more information about that line.
Problem: Other problem
MacBook Pro (15-inch, Early 2011)
[Technical Specifications] - [User Guide] - [Warranty & Service]
MacBook Pro - model: MacBookPro8,2
1 2 GHz Intel Core i7 CPU: 4-core
8 GB RAM Upgradeable - [Instructions]
BANK 0/DIMM0
4 GB DDR3 1333 MHz ok
BANK 1/DIMM0
4 GB DDR3 1333 MHz ok
Bluetooth: Old - Handoff/Airdrop2 not supported
Wireless: en1: 802.11 a/b/g/n
Battery: Health = Normal - Cycle count = 931
Intel HD Graphics 3000
Color LCD 1440 x 900
AMD Radeon HD 6490M - VRAM: 256 MB
OS X El Capitan 10.11.4 (15E65) - Time since boot: about one hour
TOSHIBA THNSNH128GBST disk0 : (128,04 GB) (Solid State - TRIM: Yes)
EFI (disk0s1) <not mounted> : 210 MB
Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB
Macintosh HD (disk1) / : 126.80 GB (32.74 GB free)
Core Storage: disk0s2 127.18 GB Online
TOSHIBA MK5065GSXF disk2 : (500,11 GB) (Rotational)
EFI (disk2s1) <not mounted> : 210 MB
DATA (disk2s2) /Volumes/DATA : 499.76 GB (15.47 GB free)
Apple Computer, Inc. IR Receiver
Apple Inc. FaceTime HD Camera (Built-in)
Apple Inc. Apple Internal Keyboard / Trackpad
Apple Inc. BRCM2070 Hub
Apple Inc. Bluetooth USB Host Controller
Apple Inc. thunderbolt_bus
/etc/hosts - Count: 2
Anywhere
/Applications/Parallels Desktop.app
[not loaded] com.parallels.kext.hypervisor (11.0.2 31348 - SDK 10.9 - 2015-10-21) [Support]
[not loaded] com.parallels.kext.netbridge (11.0.2 31348 - SDK 10.9 - 2015-10-21) [Support]
[not loaded] com.parallels.kext.usbconnect (11.0.2 31348 - SDK 10.9 - 2015-10-21) [Support]
[not loaded] com.parallels.kext.vnic (11.0.2 31348 - SDK 10.9 - 2015-10-21) [Support]
/Applications/Radio Silence.app
[loaded] com.radiosilenceapp.nke.filter (2.0 - SDK 10.11 - 2016-05-07) [Support]
/Library/Extensions
[loaded] com.kaspersky.kext.klif (3.4.0a25 - 2016-05-17) [Support]
[loaded] com.kaspersky.nke (2.1.0 - 2016-05-17) [Support]
[not loaded] org.cindori.TrimEnabler (1.0 - SDK 10.10 - 2016-05-17) [Support]
TuxeraNTFSUnmountHelper: Path: /Library/StartupItems/TuxeraNTFSUnmountHelper
Startup items are obsolete in OS X Yosemite
[not loaded] 8 Apple tasks
[loaded] 160 Apple tasks
[running] 70 Apple tasks
[not loaded] 45 Apple tasks
[loaded] 159 Apple tasks
[running] 85 Apple tasks
[not loaded] com.adobe.AAM.Updater-1.0.plist (2015-06-30) [Support]
[running] com.brother.LOGINserver.plist (2015-03-12) [Support]
[loaded] com.google.keystone.agent.plist (2016-03-03) [Support]
[not loaded] com.maintain.PurgeInactiveMemory.plist (2014-11-15) [Support]
[not loaded] com.maintain.Restart.plist (2014-11-15) [Support]
[not loaded] com.maintain.ShutDown.plist (2014-11-15) [Support]
[running] com.maintain.SystemEvents.plist (2014-11-15) [Support]
[loaded] com.oracle.java.Java-Updater.plist (2014-11-06) [Support]
[loaded] com.radiosilenceapp.agent.plist (2016-04-17) [Support]
[running] com.rosettastone.rosettastonedaemon.plist (2015-06-05) [Support]
[loaded] org.macosforge.xquartz.startx.plist (2015-10-16) [Support]
[failed] com.adobe.fpsaud.plist (2016-04-16) [Support]
[loaded] com.google.keystone.daemon.plist (2016-03-03) [Support]
[not loaded] com.maintain.HideSpotlightMenuBarIcon.plist (2014-11-15) [Support]
[loaded] com.malwarebytes.MBAMHelperTool.plist (2016-01-18) [Support]
[loaded] com.microsoft.autoupdate.helpertool.plist (2015-10-15) [Support]
[loaded] com.microsoft.office.licensingV2.helper.plist (2015-08-15) [Support]
[loaded] com.oracle.java.Helper-Tool.plist (2014-11-06) [Support]
[loaded] com.radiosilenceapp.nke.plist (2016-04-17) [Support]
[loaded] com.wdc.WDPrivilegedHelper.plist (2015-08-23) [Support]
[loaded] org.cindori.TEAuth.plist (2015-08-11) [Support]
[loaded] org.macosforge.xquartz.privileged_startx.plist (2015-10-16) [Support]
[loaded] com.bittorrent.uTorrent.plist (2016-02-23) [Support]
[running] com.spotify.webhelper.plist (2016-05-14) [Support]
Flux Application (~/Applications/Flux.app)
Macs Fan Control Application (/Applications/Macs Fan Control.app)
gfxCardStatus Application (/Applications/gfxCardStatus.app)
iTunesHelper Application (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)
Caffeine Application (/Applications/Caffeine.app)
Airmail 2 Application (/Applications/Airmail 2.app)
BetterTouchTool Application (/Applications/BetterTouchTool.app)
[loaded] com.batteryProject.FruitJuiceHelper
[running] com.batteryProject.FruitJuiceMAS.112992
[running] com.brother.utility.NETserver.99552
[running] com.brother.utility.USBserver.99232
[running] com.codykrieger.gfxCardStatus.98912
[running] com.crystalidea.MacsFanControl.51872
[running] com.etresoft.EtreCheck.147232
[running] com.hegenberg.BTTRelaunch.178592
[running] com.hegenberg.BetterTouchTool.153632
[running] com.lightheadsw.caffeine.47072
[running] com.mendeley.desktop.53472
[running] com.radiosilenceapp.client.256672
[running] it.bloop.airmail2.105632
[running] org.herf.Flux.85152
[loaded] 412 Apple tasks
[running] 194 Apple tasks
AdobeAAMDetect: AdobeAAMDetect 1.0.0.0 - SDK 10.6 (2015-06-30) [Support]
FlashPlayer-10.6: 21.0.0.226 - SDK 10.6 (2016-04-30) [Support]
QuickTime Plugin: 7.7.3 (2016-04-05)
AdobePDFViewerNPAPI: 11.0.11 - SDK 10.6 (2015-06-30) [Support]
AdobePDFViewer: 11.0.11 - SDK 10.6 (2015-06-30) [Support]
Flash Player: 21.0.0.226 - SDK 10.6 (2016-04-30) Outdated! Update
Default Browser: 601 - SDK 10.11 (2016-04-05)
o1dbrowserplugin: 5.41.3.0 - SDK 10.8 (2015-12-11) [Support]
googletalkbrowserplugin: 5.41.3.0 - SDK 10.8 (2015-12-11) [Support]
Silverlight: 5.1.41105.0 - SDK 10.6 (2015-12-09) [Support]
JavaAppletPlugin: Java 8 Update 91 build 14 (2016-05-09) Check version
AdBlock - BetaFish, Inc. - https://getadblock.com (2015-10-25)
JS Blocker 5 - Travis Roman - http://jsblocker.toggleable.com/ (2016-04-27)
Open in Internet Explorer - Parallels - http://www.parallels.com (2015-10-21)
Flash Player (2016-04-16) [Support]
GIFPaperPrefs (2014-02-23) [Support]
Java (2016-05-09) [Support]
Tuxera NTFS (2015-10-26) [Support]
Skip System Files: NO
Mobile backups: OFF
Auto backup: YES
Volumes being backed up:
Macintosh HD: Disk size: 126.80 GB Disk used: 94.06 GB
Destinations:
TIME [Local]
Total size: 1.00 TB
Total number of backups: 8
Oldest backup: 29/02/16 09:00
Last backup: 30/04/16 13:06
Size of backup disk: Excellent
Backup size 1.00 TB > (Disk size 126.80 GB X 3)
18% com.apple.WebKit.WebContent(20)
3% Safari
2% WindowServer
2% fontd
1% kernel_task
2.78 GB com.apple.WebKit.WebContent(20)
819 MB Safari
750 MB kernel_task
180 MB mds_stores
180 MB DashboardClient(4)
75 MB Free RAM
7.92 GB Used RAM (960 MB Cached)
0 B Swap Used
May 18, 2016, 10:42:09 AM Self test - passed
I've also installed the Radio Silence "firewall" to analyse all the apps and connections. After googling some of the processes, still nothing "weird" popped out.
I'm willing to do a clean install of OSX, but since I make weekly Time Machine backups, my main worry is:
- what if my files on my backup external disk are infected with malware? I can't recover them without "infecting" the clean install of OSX again, right?
I want to ask your opinion about the vulnerability of my system and for any suggestions on further analysis to detect the supposed malware.
Sorry for such a long post,
I would really appreciate some help.
MacBook Pro (15-inch Early 2011), OS X El Capitan (10.11.4)
Posted on May 18, 2016 3:15 AM
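One way to triage the launch daemon/agent lines of a report like the one above, as an added example that is not part of the original post and not EtreCheck's own code: it parses the `[status] identifier (date) [Support]` lines and the `N Apple tasks` counters, groups the third-party entries by vendor prefix so each can be matched against software the owner remembers installing, and flags the entries a defender would check by hand (items that failed to load, items modified recently relative to the report date, Apple-looking names listed outside the Apple task counts, and labels that are not reverse-DNS). The sample report, `REPORT_DATE`, the flagging heuristics and the last two sample entries (a listed com.apple.* name and a bare `updater` label) are constructed assumptions, not lines from the post.

```python
"""Triage helper for EtreCheck-style launch item lines (added example)."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed sample, modelled on the launch daemon/agent lines in the post above.
# The last two entries are invented to show what the heuristics flag.
SAMPLE_REPORT = """\
[not loaded] 8 Apple tasks
[loaded] 160 Apple tasks
[running] 70 Apple tasks
[not loaded] com.adobe.AAM.Updater-1.0.plist (2015-06-30) [Support]
[running] com.brother.LOGINserver.plist (2015-03-12) [Support]
[loaded] com.google.keystone.agent.plist (2016-03-03) [Support]
[failed] com.adobe.fpsaud.plist (2016-04-16) [Support]
[loaded] com.bittorrent.uTorrent.plist (2016-02-23) [Support]
[running] com.spotify.webhelper.plist (2016-05-14) [Support]
[running] com.codykrieger.gfxCardStatus.98912
[loaded] com.apple.softwareupdate.helper.plist (2016-05-10) [Support]
[loaded] updater (2016-05-15) [Support]
"""
REPORT_DATE = date(2016, 5, 18)  # assumed generation date of the constructed report

ITEM_RE = re.compile(
    r"^\[(?P<status>[a-z ]+)\]\s+"             # [loaded] / [running] / [failed] / [not loaded]
    r"(?P<ident>\S+?)(?:\.plist)?"              # label, with a trailing .plist dropped
    r"(?:\s+\((?P<date>\d{4}-\d{2}-\d{2})\))?"  # modification date EtreCheck prints
    r"(?:\s+\[Support\])?\s*$"
)
APPLE_RE = re.compile(r"^\[(?P<status>[a-z ]+)\]\s+(?P<n>\d+) Apple tasks$")


@dataclass
class LaunchItem:
    status: str
    ident: str
    modified: Optional[date]

    @property
    def vendor(self) -> str:
        # Reverse-DNS prefix, e.g. "com.adobe" for com.adobe.fpsaud
        parts = self.ident.split(".")
        return ".".join(parts[:2]) if len(parts) >= 3 else self.ident


def parse_report(text: str):
    """Split report text into third-party items and per-status Apple task counts."""
    items, apple_counts = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = APPLE_RE.match(line)
        if m:
            apple_counts[m["status"]] = apple_counts.get(m["status"], 0) + int(m["n"])
            continue
        m = ITEM_RE.match(line)
        if m:
            when = date.fromisoformat(m["date"]) if m["date"] else None
            items.append(LaunchItem(m["status"], m["ident"], when))
    return items, apple_counts


def triage(items, as_of: date, recent_days: int = 30):
    """Return {ident: [reasons]} for entries worth a manual look (heuristics are assumptions)."""
    flagged = {}
    for it in items:
        reasons = []
        if it.status == "failed":
            reasons.append("failed to load")
        if it.ident.startswith("com.apple."):
            # EtreCheck folds genuine Apple items into the "N Apple tasks" counts,
            # so an explicitly listed com.apple.* name deserves a closer look.
            reasons.append("Apple-looking name outside the Apple task counts")
        if "." not in it.ident:
            reasons.append("not a reverse-DNS label")
        if it.modified and (as_of - it.modified).days <= recent_days:
            reasons.append(f"modified {(as_of - it.modified).days} days ago")
        if reasons:
            flagged[it.ident] = reasons
    return flagged


def vendor_summary(items):
    """Map each vendor prefix to the sorted identifiers registered under it."""
    summary = {}
    for it in items:
        summary.setdefault(it.vendor, set()).add(it.ident)
    return {v: sorted(ids) for v, ids in sorted(summary.items())}


if __name__ == "__main__":
    items, apple = parse_report(SAMPLE_REPORT)
    print("Apple tasks:", apple)
    for vendor, ids in vendor_summary(items).items():
        print(f"{vendor}: {', '.join(ids)}")
    for ident, reasons in triage(items, REPORT_DATE).items():
        print(f"CHECK {ident}: {'; '.join(reasons)}")
```

Run it against the pasted section of a real report by replacing `SAMPLE_REPORT` with the launch daemon and agent lines; the vendor summary is the list to walk through one vendor at a time, and the `CHECK` lines are the entries to inspect in `/Library/LaunchDaemons`, `/Library/LaunchAgents` and `~/Library/LaunchAgents` before deciding on a clean install.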