Trojan, Malware Detection and Removal

rgusmao wrote:

Hi,

I`m running El Capitan 10.11.5 and i`m receiving some emails from my self (spams), using my email account!

It had never happened before and i think i may have a Trojan / Malware in my MacBook air (i dot not access my account outside Apple, only in iPhone 6 or this LapTop).

What can i do to fix it?

First, let's determine if you do in fact have malware or adware on your computer. It could be something as simple as a spammer getting your e-mail address. Please post the results of your EtreCheck report. It's a diagnostics tool developed by a trusted and respected contributor here, and it will allow us to see what is installed on your hard drive in the way of applications, drivers, plugins, extensions, etc. No sensitive information is included in the report, such as names, e-mail addresses, or serial numbers.

Does your Mail "sent" folder show that you sent the email? If it doesn't, you didn't.

There are plenty of email harvesting "bots" that lift your email address from any number of sources, and it is trivial for spammers to spoof the "from" address, making it appear as though you sent it. For that reason you should not post your email address in publicly accessible websites including Facebook, etc.

rgusmao wrote:

I had used EntreCheck but i could`t fix it, because "there is no time machine back up. The delete files operation is disable".

How may i remove them?

The EtreCheck Report is:

EtreCheck version: 2.9.12 (265)

Report generated 2016-06-01 21:34:00

Download EtreCheck from https://etrecheck.com

Runtime 1:48

Performance: Excellent

Click the [Support] links for help with non-Apple products.

Click the [Details] links for more information about that line.

Click the [Remove] links to remove adware.

Problem: Other problem

Hardware Information: ⓘ

MacBook Air (11-inch, Mid 2012)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir5,1

1 1,7 GHz Intel Core i5 CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 244

Video Information: ⓘ

Intel HD Graphics 4000

Color LCD 1366 x 768

System Software: ⓘ

OS X El Capitan 10.11.5 (15F34) - Time since boot: about 10 days

Disk Information: ⓘ

APPLE SSD TS128E disk0 : (121,33 GB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / [Startup]: 120.11 GB (11.42 GB free) (Low!)

Encrypted AES-XTS Unlocked

Core Storage: disk0s2 120.47 GB Online

USB Information: ⓘ

Apple Inc. FaceTime HD Camera (Built-in)

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

Thunderbolt Information: ⓘ

Apple Inc. thunderbolt_bus

Gatekeeper: ⓘ

Mac App Store and identified developers

Adware: ⓘ

~/Library/Caches/com.apple.Safari/Extensions/Slick Savings.safariextension

~/Library/LaunchAgents/com.onlineapplicationstatus.AppStatus.plist

~/Library/Safari/Extensions/Slick Savings.safariextz

3 adware files found. [Remove]

Kernel Extensions: ⓘ

/Library/Extensions

[not loaded] com.seagate.driver.PowSecDriverCore (5.2.7 (26979) - SDK 10.4 - 2016-05-22) [Support]

/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

[not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.2.7 (26979) - SDK 10.4 - 2015-07-17) [Support]

[not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.2.7 (26979) - SDK 10.5 - 2015-07-17) [Support]

[not loaded] com.seagate.driver.SeagateDriveIcons (5.2.7 (26979) - SDK 10.4 - 2015-07-17) [Support]

System Launch Agents: ⓘ

[not loaded] 7 Apple tasks

[loaded] 148 Apple tasks

[running] 65 Apple tasks

[killed] 18 Apple tasks

18 processes killed due to insufficient RAM

System Launch Daemons: ⓘ

[not loaded] 47 Apple tasks

[loaded] 150 Apple tasks

[running] 74 Apple tasks

[killed] 20 Apple tasks

20 processes killed due to insufficient RAM

Launch Agents: ⓘ

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a...plist (2016-05-12) [Support]

[loaded] com.oracle.java.Java-Updater.plist (2012-12-18) [Support]

[loaded] com.parallels.mobile.prl_deskctl_agent.launchagent.plist (2013-11-21) [Support]

[loaded] org.macosforge.xquartz.startx.plist (2012-09-27) [Support]

Launch Daemons: ⓘ

[loaded] com.adobe.ARMDC.Communicator.plist (2016-05-12) [Support]

[loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (2016-05-12) [Support]

[failed] com.adobe.fpsaud.plist (2016-05-09) [Support]

[loaded] com.cocoatech.pathfinder.SMFHelper7.plist (2014-07-14) [Support]

[not loaded] com.juicybinary.slntfsDaemon.plist (2012-12-03) [Support]

[loaded] com.microsoft.office.licensing.helper.plist (2010-08-25) [Support]

[loaded] com.oracle.java.Helper-Tool.plist (2012-12-18) [Support]

[failed] com.parallels.mobile.dispatcher.launchdaemon.plist (2013-11-21) [Support]

[failed] com.parallels.mobile.kextloader.launchdaemon.plist (2013-11-21) [Support]

[running] com.seagate.TBDecorator.plist (2013-10-11) [Support]

[failed] com.torch.update.agent.plist (2013-08-10) [Support]

[loaded] org.macosforge.xquartz.privileged_startx.plist (2012-09-27) [Support]

User Launch Agents: ⓘ

[failed] com.Wondershare.TunesGoWatchDemo.plist (2014-07-05) [Support]

[failed] com.adobe.ARM.[...].plist (2014-02-01) [Support]

[running] com.google.Chrome.framework.plist (2016-05-22) [Support]

[loaded] com.google.keystone.agent.plist (2016-03-03) [Support]

[running] com.onlineapplicationstatus.AppStatus.plist (2016-05-01) Adware! [Remove]

~/Library/Application Support/AppCommon/AppStatus

[failed] com.parallels.mobile.startgui.launchagent.plist (2013-11-21) [Support]

User Login Items: ⓘ

iTunesHelper Aplicativo (/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Aplicativo (/Applications/Dropbox.app)

Google Drive Aplicativo (/Applications/Google Drive.app)

Other Apps: ⓘ

[loaded] com.adobe.Reader.124192

[running] com.getdropbox.dropbox.86432

[running] com.google.GoogleDrive.98592

[running] com.hp.devicemonitor

[loaded] 397 Apple tasks

[running] 176 Apple tasks

[killed] 42 Apple tasks

Internet Plug-ins: ⓘ

Flip4Mac WMV Plugin: 2.2.0.49 (2007-12-11) [Support]

FlashPlayer-10.6: 21.0.0.242 - SDK 10.6 (2016-05-12) [Support]

QuickTime Plugin: 7.7.3 (2016-05-22)

AdobePDFViewerNPAPI: 15.016.20041 - SDK 10.11 (2016-05-22) [Support]

AdobePDFViewer: 15.016.20041 - SDK 10.11 (2016-05-22) [Support]

Flash Player: 21.0.0.242 - SDK 10.6 (2016-05-12) [Support]

Default Browser: 601 - SDK 10.11 (2016-05-22)

PMCADownloader: 1.2.1998.896 - SDK 10.5 (2015-09-07) [Support]

SharePointBrowserPlugin: 14.0.0 (2010-08-25) [Support]

Silverlight: 5.1.10411.0 - SDK 10.6 (2012-12-09) [Support]

JavaAppletPlugin: Java 8 Update 77 build 03 (2016-03-24) Check version

User internet Plug-ins: ⓘ

npsf_uni: sf 3.3.2.1 (2013-09-16) [Support]

Safari Extensions: ⓘ

Slick Savings (2016-01-04) Adware! [Remove]

OpenIE - Parallels - http://www.parallels.com (2013-03-04)

3rd Party Preference Panes: ⓘ

Flash Player (2016-05-09) [Support]

Flip4Mac WMV (2007-12-11) [Support]

Java (2016-03-24) [Support]

MacFUSE (2008-12-19) [Support]

NTFS-3G (2010-10-11) [Support]

Paragon NTFS for Mac ® OS X (2014-09-06) [Support]

Perian (2011-07-23) [Support]

Seagate Dashboard for Mac OSX (2015-11-07) [Support]

Time Machine: ⓘ

Time Machine not configured!

Top Processes by CPU: ⓘ

7% WindowServer

3% kernel_task

3% aplicativoitau Helper(2)

2% RdrCEF helper(6)

1% fontd

Top Processes by Memory: ⓘ

624 MB kernel_task

590 MB com.apple.WebKit.WebContent(5)

270 MB mdworker(19)

98 MB Mail

98 MB RdrCEF helper(6)

Virtual Memory Information: ⓘ

78 MB Free RAM

3.92 GB Used RAM (769 MB Cached)

271 MB Swap Used

Diagnostics Information: ⓘ

Jun 1, 2016, 09:29:49 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-06-01-212949_[redacted].cras h

/usr/local/libexec/alerterdaemon

Jun 1, 2016, 08:59:51 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-06-01-205951_[redacted].cras h

May 31, 2016, 06:31:12 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-31-183112_[redacted].cras h

May 31, 2016, 06:01:12 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-31-180112_[redacted].cras h

May 31, 2016, 05:31:12 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-31-173112_[redacted].cras h

May 31, 2016, 05:01:14 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-31-170114_[redacted].cras h

May 30, 2016, 10:14:34 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-30-221434_[redacted].cras h

May 30, 2016, 09:44:34 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-30-214434_[redacted].cras h

May 30, 2016, 09:14:34 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-30-211434_[redacted].cras h

May 30, 2016, 08:40:15 PM /Library/Logs/DiagnosticReports/alerterdaemon_2016-05-30-204015_[redacted].cras h

You have a few issues that need addressing:

• You don't have enough free space on your hard drive. I would consider getting an external drive if you don't have one, or taking an already existing external drive and moving some files off your internal drive to it. Copy your music, pictures, videos, documents...files of that nature, and move them to the external drive, then delete the originals off your internal drive.
• You have adware on your hard drive. Click "Remove" in the EtreCheck report to get rid of it. You can also restart your computer if you don't want to do that. El Capitan now removes adware/malware at login, as of changes made to the following support article back in April --> Stop pop-up ads in Safari - Apple Support

Your question has nothing do with malware and there is absolutely no reason to download anything. If you habitually download unknown software that you don't need merely because you're prompted to do it on a website, you will be infected with malware.

Most likely, a spammer has compromised the mail account or PC of one of your contacts, and is forging your address as the return address in the headers of his messages. The bounce messages from mail servers that reject the spam come back to you. You should check your own mail accounts to make sure there's been no unauthorized activity.

You can create a Mail rule to delete the bounce messages automatically. Most often, the problem lasts only a few days before the spammer moves on to another forged address.

Hello rgusmao,

I added that Time Machine restriction on purpose - to get people to run Time Machine. If you want to put your data at risk, you can try this:

1) Copy the first line from the adware list to the clipboard

2) In Finder, choose Go > Go to folder...

3) In the "Go to the folder" dialog, paste the adware line into the text entry field

4) A new Finder window will open with that file selected. Drag the file into the trash.

Repeat all 4 steps with each file from the adware list.

Restart your machine.