Help, cannot connect to http sites, only https...

BLUF: I can only connect to HTTPS websites, http gives me "can't connect to server" or "no route to host" errors.


While I was out of town, the wife ended up downloading something on her MBP that caused a bunch of pop-ups any time she was using the internet. I ran Malwarebytes Anti-Malware and it found and removed a bunch of infected files. All this while the computer was running OS X 10.9.x. Since then, on any browser (Firefox, Safari, Chrome) we can only connect to https pages. For example, http://www.google.com = no go "can't connect to server...", while https://www.google.com = good, but alas most of the links are http, so it's useless.


I've spent the better part of the last 2 days poring over forums and troubleshooting to fix this issue... what I've done:


Reset my router (no avail; everything else connected to it is good, but everything else is also Windows/Android),

Reset my modem (even had my ISP reset whatever they could on their end too)

Reset/reinstalled all browsers,

cleared the PRAM using the option+command+p+r during startup,

checked that no Proxy boxes are checked in the advanced network settings,

tried changing the DNS settings: manual, automatic, OpenDNS, Google's 8.8.8.8/8.8.4.4, using my ISP's DNS; nothing changes,

uninstalled everything that was installed in the last week (not much, but now I don't even remember what it was),

disabled all browser extensions/plug-ins,

disabled/reenabled IPv6 (set to automatic),


What works:

Safe mode, internet is full up.


While in safe mode I was able to connect to the App Store (couldn't in a regular login or guest user) and upgrade to OS X 10.11.5, but even installing that didn't fix any missing/corrupted files; I still have the same issue.


I thought for sure the new OS would have fixed it, but now I'm really stumped.


Is there a way to completely reset all network settings? Could port 80 (http) be getting blocked? How do I tell?


Any help would be much appreciated,


v/r


Sean

(a husband who knows enough about computers to really break them, ha)

MacBook Pro (Retina, 13-inch, Late 2012), OS X El Capitan (10.11.5)

Posted on Jun 4, 2016 9:21 PM

10 replies
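The question above, whether port 80 is being blocked and how to tell, can be answered on a Mac by looking at the packet filter (pf) and at whatever is listening on the address a redirect points to. The script below is an added example written for this thread; it is not code from the original posts and not part of Linc Davis's diagnostic script. The rule text it parses is a constructed sample in the shape that the report later in this thread shows (`rdr pass ... port 80 -> 127.0.0.1 port 9882`); the `--live` mode assumes macOS with `pfctl` and `lsof`, run as root.

```shell
#!/bin/sh
# Added example, not from the thread: does pf redirect outbound HTTP (TCP port 80)
# to a local port? That is the pattern behind "https works, http does not".

# Constructed sample of what `pfctl -s nat` prints when such a rule is loaded.
# The target port and the user name are placeholders in the style of the thread.
SAMPLE_RULES='rdr pass inet proto tcp from en0 to any port = 80 -> 127.0.0.1 port 9882
pass out on en0 route-to lo0 inet proto tcp from en0 to any port = 80 keep state
pass out proto tcp all user placeholderuser'

# Constructed sample of a clean machine: only Apple's anchors, no rdr rules.
CLEAN_RULES='nat-anchor "com.apple/*" all
rdr-anchor "com.apple/*" all'

# Print every rdr rule that sends TCP port 80 to the loopback address.
# Returns 0 if at least one such rule exists, 1 otherwise.
http_redirect_rules() {
    printf '%s\n' "$1" | awk '
        /^rdr/ && /proto tcp/ && /port (= )?80([^0-9]|$)/ && /-> 127\.0\.0\.1 / {
            print; found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Print the redirect target of the first matching rule as host:port.
# Prints nothing and returns 1 when there is no redirect.
redirect_target() {
    target=$(http_redirect_rules "$1" | awk '
        NR == 1 {
            for (i = 1; i <= NF; i++)
                if ($i == "->") { print $(i + 1) ":" $(i + 3); exit }
        }')
    [ -n "$target" ] && printf '%s\n' "$target"
}

# Is anything listening on host:port? If not, every redirected HTTP connection
# is refused locally, which browsers report as "can't connect to the server".
listener_present() {
    host=${1%:*}
    port=${1##*:}
    lsof -nP -iTCP@"$host":"$port" -sTCP:LISTEN >/dev/null 2>&1
}

# Live check for a real Mac (needs root). Returns 0 when no redirect is found,
# 1 when one is, 2 when pfctl could not be queried.
live_check() {
    rules=$(pfctl -s nat 2>/dev/null) || {
        echo "pfctl -s nat failed: run this as root on macOS" >&2
        return 2
    }
    if target=$(redirect_target "$rules"); then
        echo "pf redirects outbound HTTP to $target:"
        http_redirect_rules "$rules"
        if listener_present "$target"; then
            echo "something is listening there: an interception proxy is active"
        else
            echo "nothing is listening there: HTTP connections are refused locally"
        fi
        return 1
    fi
    echo "no pf redirect of port 80 found; look elsewhere (DNS, proxy settings)"
}

# Demonstration on the constructed samples; pass --live to query the real pf.
case "${1:-}" in
    --live) live_check ;;
    *)
        echo "sample rules -> target: $(redirect_target "$SAMPLE_RULES")"
        redirect_target "$CLEAN_RULES" >/dev/null || echo "clean rules -> no redirect"
        ;;
esac
```

A redirect of port 80 to a loopback port with nothing listening there turns every HTTP connection into a local "connection refused" while HTTPS on port 443 is untouched, which matches the symptom in the question exactly. A plain `pfctl -d` is not a lasting fix when a launchd daemon with KeepAlive reloads the rules at every start, as the daemons listed in the report later in this thread do: the daemons, the scripts they run and the .conf files they load all have to be unloaded and removed, after taking a backup.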

Jun 4, 2016 10:21 PM in response to lemeals

First, never use any kind of "anti-virus" or "anti-malware" software on a Mac. That's how you cause problems, not how you solve them.

1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.

The test works on OS X 10.8 ("Mountain Lion") and later. I don't recommend running it on older versions of OS X. It will do no harm, but it won't do much good either.

Don't be put off by the complexity of these instructions. The procedure is easy to do right, but it's also easy to do wrong, so I've made the instructions very detailed. You do harder tasks with the computer all the time.

2. If you don't already have a current backup, please back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.

There are ways to back up a computer that isn't fully functional. Ask if you need guidance.

3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.

You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.

In this case, however, there are ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone who understands the code can verify what it does.

You may not be able to understand the script yourself. But variations of it have been posted on this website many times over a period of years. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message. See, for example, this discussion.

Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.

4. Here's a general summary of what you need to do, if you choose to proceed:

☞ Copy the text of a particular web page (not this one) to the Clipboard.

☞ Paste into the window of another application.

☞ Wait for the test to run. It usually takes a few minutes.

☞ Paste the results, which will have been copied automatically, back into a reply on this page.

These are not specific instructions; just an overview. The details are in parts 7 and 8 of this comment. The sequence is: copy, paste, wait, paste again. You don't need to copy a second time.

5. Try to test under conditions that reproduce the problem, as far as possible. For example, if the computer is intermittently slow, run the test during a slowdown.

You may have started up in safe mode. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual before running it. If you can only test in safe mode, do that.

6. If you have more than one user, and only one user is affected by the problem, and the affected user is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.

7. Load this linked web page (on the website "Pastebin") in Safari. Press the key combination command-A to select all the text, then copy it to the Clipboard by pressing command-C.

8. Launch the built-in Terminal application in any one of the following ways:

☞ Enter the first few letters of its name ("Terminal") into a Spotlight search. Select it in the results (it should be at the top.)

☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.

☞ Open LaunchPad and start typing the name.

Click anywhere in the Terminal window to activate it. Paste from the Clipboard into the window by pressing command-V, then press return. The text you pasted should vanish immediately.

9. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. If you don't know the password, or if you prefer not to enter it, just press return three times at the password prompt. Again, the script will still run.

If the test is taking much longer than usual to run because the computer is very slow, you might be prompted for your password a second time. The authorization that you grant by entering it expires automatically after five minutes.

If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.

10. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, a series of lines will appear in the Terminal window like this:

Test started

Part 1 of 4 done at: … sec

Part 4 of 4 done at: … sec

The test results are on the Clipboard.

Please close this window.

The intervals between parts won't be exactly equal, but they give a rough indication of progress.

Wait for the final message "Please close this window" to appear—again, usually within a few minutes. If you don't see that message within about 30 minutes, the test probably won't complete in a reasonable time. In that case, press the key combination control-C or command-period to stop it. Then go to the next step. You'll have incomplete results, but still something.

In order to get results, the test must either be allowed to complete or else manually stopped as above. If you close the Terminal window while the test is still running, the partial results won't be saved.

11. When the test is complete, or if you stopped it manually, quit Terminal. The results will have been saved to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.

At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "close this window" message. Please wait for it and try again.

If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.

12. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "The message contains invalid characters." That's a bug in the software that runs this website. Please post the test results on Pastebin, then post a link here to the page you created.

If you have an account on Pastebin, please don't select Private from the Paste Exposure menu on the page, because then no one but you will be able to see it.

13. When you're done with the test, it's gone. There is nothing to uninstall or clean up.

14. This is a public forum, and others may give you advice based on the results of the test. They speak for themselves, not for me. The test itself is harmless, but whatever else you do may not be. For others who choose to run it, I don't recommend that you post the test results on this website unless I asked you to.

15. The linked UNIX shell script bears a notice of copyright. Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

Jun 4, 2016 11:13 PM in response to Linc Davis

Linc Davis, I've been reading your responses to others with similar issues and they've all been resolved. I have high hopes! I was wary of running Malwarebytes, but an Apple phone support tech recommended that one, oh well. I'm running your test now, results soon... Thanks again for replying.


Results:


1 Start time: 00:04:56 06/05/16

2

3 Revision: 1611

4

5 Model Identifier: MacBookPro10,2

6 Boot ROM Version: MBP102.0106.B0A

7 System Version: OS X 10.11.5 (15F34)

8 Kernel Version: Darwin 15.5.0

9 Time since boot: 1:04

10

11 USB

12

13 Fitbit Base Station (Fitbit Inc.)

14

15 LS schemes: No

16

17 Proxies

18

19 ProxyAutoConfigEnable : 1

20 ProxyAutoConfigURLString : http://wpad/wpad.dat

21 ProxyAutoDiscoveryEnable : 1

22

23 Diagnostic reports

24

25 2016-05-16 plugin-container crash

26 2016-05-27 Finder crash

27 2016-06-05 smarmy crash x20

28

29 HID errors: 4

30

31 Kernel log

32

33 Jun 4 22:28:08 Process launchd [1] disabling system-wide CPU Throttling

34 Jun 4 22:28:08 Process mds_stores [189] disabling system-wide I/O Throttling

35 Jun 4 22:28:08 Process mds_stores [189] disabling system-wide CPU Throttling

36 Jun 4 22:29:27 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0x846c0cea96898389, provider is 0x846c0ce9d70b4889

37 Jun 4 22:29:27 init: error getting PHY_MODE; using MODE_UNKNOWN

38 Jun 4 22:29:27 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized

39 Jun 4 22:29:27 pci pause: SDXC

40 Jun 4 22:29:28 000039.377345 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::handleStart: unable to open interface

41 Jun 4 22:29:28 000039.377379 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::start: unable to start IOHIDDevice

42 Jun 4 22:29:28 Kext com.apple.driver.AppleHV failed to load (0xdcCouldn't alloc class "AppleThunderboltEDMSink"

43 Jun 4 22:29:28 000039.405926 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::handleStart: unable to open interface

44 Jun 4 22:29:28 000039.405950 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::start: unable to start IOHIDDevice

45 Jun 4 22:29:28 000039.423336 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::handleStart: unable to open interface

46 Jun 4 22:29:28 000039.423361 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::start: unable to start IOHIDDevice

47 Jun 4 22:29:28 000039.433261 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::handleStart: unable to open interface

48 Jun 4 22:29:28 000039.433286 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::start: unable to start IOHIDDevice

49 Jun 4 22:29:28 000039.435493 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::handleStart: unable to open interface

50 Jun 4 22:29:28 000039.435516 IOUSBHostHIDDevice@: IOUSBHostHIDDevice::start: unable to start IOHIDDevice

51 Jun 4 22:48:13 Limiting icmp unreach response from 251 to 250 packets per second

52 Jun 4 22:59:52 Process launchd [1] disabling system-wide I/O Throttling

53 Jun 4 22:59:52 Process launchd [1] disabling system-wide CPU Throttling

54 Jun 4 23:00:32 IO80211ControllerMonitor::configureSubscriptions() failed to add subscriptionIO80211Controller::start _controller is 0x2038afd706557b73, provider is 0x2038afd6470a3e73

55 Jun 4 23:00:32 init: error getting PHY_MODE; using MODE_UNKNOWN

56 Jun 4 23:00:32 AppleUSBMultitouchDriver::checkStatus - received Status Packet, Payload 2: device was reinitialized

57 Jun 4 23:01:00 pci pause: SDXC

58

59 System log

60

61 Jun 5 00:05:55 underdraftUpd: 2 libdispatch.dylib 0x0000000101238303 dispatch_once_f + 67

62 Jun 5 00:05:55 underdraftUpd: 3 CarbonCore 0x0000000104884fbc _Gestalt_SystemVersion + 987

63 Jun 5 00:05:55 underdraftUpd: 4 CarbonCore 0x00000001048847d0 Gestalt + 139

64 Jun 5 00:05:55 underdraftUpd: 5 QtCore 0x0000000100198766 QtCore + 14182

65 Jun 5 00:05:55 underdraftUpd: 6 ??? 0x00007fff6761d10b 0x0 + 140734927851787

66 Jun 5 00:05:56 mtmfs: MTM FS server failed to start because of error -1

67 Jun 5 00:05:58 mtmfs: MTM FS server failed to start because of error -1

68 Jun 5 00:05:59 mtmfs: MTM FS server failed to start because of too many retries

69 Jun 5 00:05:59 mtmfs: MTM FS server failed, last error -1

70 Jun 5 00:06:02 mtmfs: MTM FS server failed to start because of error -1

71 Jun 5 00:06:03 mtmfs: MTM FS server failed to start because of error -1

72 Jun 5 00:06:05 mtmfs: MTM FS server failed to start because of error -1

73 Jun 5 00:06:06 underdraftUpd: WARNING: The Gestalt selector gestaltSystemVersion is returning 10.9.5 instead of 10.11.5. This is not a bug in Gestalt -- it is a documented limitation. Use NSProcessInfo's operatingSystemVersion property to get correct system version number.

74 Call location:

75 Jun 5 00:06:06 underdraftUpd: 0 CarbonCore 0x00000001048f86df ___Gestalt_SystemVersion_block_invoke + 113

76 Jun 5 00:06:06 underdraftUpd: 1 libdispatch.dylib 0x000000010123840b _dispatch_client_callout + 8

77 Jun 5 00:06:06 underdraftUpd: 2 libdispatch.dylib 0x0000000101238303 dispatch_once_f + 67

78 Jun 5 00:06:06 underdraftUpd: 3 CarbonCore 0x0000000104884fbc _Gestalt_SystemVersion + 987

79 Jun 5 00:06:06 underdraftUpd: 4 CarbonCore 0x00000001048847d0 Gestalt + 139

80 Jun 5 00:06:06 underdraftUpd: 5 QtCore 0x0000000100198766 QtCore + 14182

81 Jun 5 00:06:06 underdraftUpd: 6 ??? 0x00007fff6247010b 0x0 + 140734842208523

82 Jun 5 00:06:06 mtmfs: MTM FS server failed to start because of error -1

83 Jun 5 00:06:08 mtmfs: MTM FS server failed to start because of error -1

84 Jun 5 00:06:09 mtmfs: MTM FS server failed to start because of too many retries

85 Jun 5 00:06:09 mtmfs: MTM FS server failed, last error -1

86

87 launchd log

88

89 Jun 4 15:28:25 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

90 Jun 4 15:28:54 com.apple.xpc.launchd.user.domain.501.100008.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.96, error = 138: Service cannot be loaded on this hardware

91 Jun 4 15:29:14 com.apple.xpc.launchd.user.domain.248.100016.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.412, error = 138: Service cannot be loaded on this hardware

92 Jun 4 15:29:15 com.apple.xpc.launchd.user.domain.248.100016.Aqua: Could not import service from caller: caller = otherbsd.429, service = com.apple.photostream-agent, error = 119: Service is disabled

93 Jun 4 15:57:41 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

94 Jun 4 16:00:05 com.apple.xpc.launchd.user.domain.501.100008.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.101, error = 138: Service cannot be loaded on this hardware

95 Jun 4 22:29:26 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

96 Jun 4 22:30:07 com.apple.xpc.launchd.user.domain.501.100005.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.106, error = 138: Service cannot be loaded on this hardware

97 Jun 4 22:30:07 com.apple.xpc.launchd.user.domain.501.100005.Aqua: Failed to bootstrap path: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, error = 138: Service cannot be loaded on this hardware

98 Jun 4 23:00:32 com.apple.airplaydiagnostics.server: Unrecognized MachService property: ResetAtClose

99 Jun 4 23:01:08 com.apple.xpc.launchd.user.domain.501.100007.Aqua: Could not import service from caller: path = /System/Library/LaunchAgents/com.apple.FirmwareUpdateHelper.plist, caller = loginwindow.102, error = 138: Service cannot be loaded on this hardware

100

101 Console log

102

103 Jun 4 15:29:23 fontd: Failed to open read-only database, regenerating DB

104 Jun 4 16:00:06 fontd: Failed to open read-only database, regenerating DB

105 Jun 4 22:30:17 fontd: XType - wal checkpoint: 0, -1, -1.

106 Jun 4 23:01:09 fontd: Failed to open read-only database, regenerating DB

107

108 System services loaded

109

110 /Library/ucrybur/ucrybur.app/Contents/MacOS/ucrybur

111 com.adobe.ARMDC.Communicator

112 com.adobe.ARMDC.SMJobBlessHelper

113 com.apple.cheechran

114 - status: 78

115 com.apple.crybur

116 - status: 78

117 com.apple.logd

118 - status: 1

119 com.apple.mtmfs

120 - status: 99

121 com.apple.watchdogd

122 com.characteristicness.plist

123 com.fitbit.fitbitd

124 com.fitbit.galileod

125 com.google.keystone.daemon

126 com.hegemonical.plist

127 com.malwarebytes.MBAMHelperTool

128 com.microsoft.office.licensing.helper

129 com.nicotinic.plist

130 com.polymagnet.plist

131 com.quiritary.plist

132 com.smarmy.plist

133 com.vitiligo.plist

134 underdraftUpd.plist

135

136 System services disabled

137

138 org.openldap.slapd

139 com.apple.PasswordService

140

141 Login services loaded

142

143 com.adobe.ARMDCHelper.UUID

144 - status: 111

145 com.google.keystone.system.agent

146 com.nero.HSMMonitor

147 - status: 78

148

149 Contents of /Library/LaunchAgents/com.adobe.ARMDCHelper.UUID.plist

150 - mod date: May 11 12:28:19 2016

151 - size (B): 577

152 - checksum: 2197523146

153

154 <?xml version="1.0" encoding="UTF-8"?>

155 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

156 <plist version="1.0">

157 <dict>

158 <key>Label</key>

159 <string>com.adobe.ARMDCHelper.UUID</string>

160 <key>ProgramArguments</key>

161 <array>

162 <string>/Library/Application Support/Adobe/ARMDC/Application/Acrobat Update Helper.app/Contents/MacOS/Acrobat Update Helper</string>

163 </array>

164 <key>RunAtLoad</key>

165 <true/>

166 <key>StartInterval</key>

167 <integer>12600</integer>

168 </dict>

169 </plist>

170

171 Contents of /Library/LaunchDaemons/com.apple.cheechran.plist

172 - mod date: May 26 14:03:07 2016

173 - size (B): 372

174 - checksum: 133221565

175

176 <?xml version="1.0" encoding="UTF-8"?>

177 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

178 <plist version="1.0">

179 <dict>

180 <key>KeepAlive</key>

181 <true/>

182 <key>Label</key>

183 <string>com.apple.cheechran</string>

184 <key>RunAtLoad</key>

185 <true/>

186 <key>Program</key>

187 <string>/Library/cheechran</string>

188 </dict>

189 </plist>

190

191 Contents of /Library/LaunchDaemons/com.apple.crybur.plist

192 - mod date: May 15 10:57:43 2016

193 - size (B): 366

194 - checksum: 323452292

195

196 <?xml version="1.0" encoding="UTF-8"?>

197 <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

198 <plist version="1.0">

199 <dict>

200 <key>KeepAlive</key>

201 <true/>

202 <key>Label</key>

203 <string>com.apple.crybur</string>

204 <key>RunAtLoad</key>

205 <true/>

206 <key>Program</key>

207 <string>/Library/crybur</string>

208 </dict>

209 </plist>

210

211 Contents of /Library/LaunchDaemons/com.characteristicness.plist

212 - Apple binary property list

213 - mod date: Jun 1 21:31:55 2016

214 - size (B): 186

215 - checksum: 3026544731

216

217 Dict {

218 ProgramArguments = Array {

219 /etc/characteristicness.sh

220 }

221 KeepAlive = true

222 UserName = root

223 RunAtLoad = true

224 Label = com.characteristicness.plist

225 }

226

227 Contents of /Library/LaunchDaemons/com.fitbit.fitbitd.plist

228 - mod date: Mar 30 00:30:23 2012

229 - size (B): 1069

230 - checksum: 3171374426

231

232 <?xml version="1.0" encoding="UTF-8"?>

233 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

234 <plist version="1.0">

235 <dict>

236 <key>Program</key>

237 <string>/usr/local/bin/fitbitd</string>

238 <key>Label</key>

239 <string>com.fitbit.fitbitd</string>

240 <key>UserName</key>

241 <string>nobody</string>

242 <key>GroupName</key>

243 <string>daemon</string>

244 <key>InitGroups</key>

245 <true/>

246 <key>OnDemand</key>

247 <false/>

248 <key>ServiceIPC</key>

249 <true/>

250 <key>Sockets</key>

251 <dict>

252 <key>UserClients</key>

253 <dict>

254 <key>SockPathName</key>

255 <string>/var/run/com.fitbit.fitbitd.socket</string>

256 <key>SockType</key>

257

258 ...and 23 more line(s)

259

260 Contents of /Library/LaunchDaemons/com.fitbit.galileod.plist

261 - mod date: Oct 4 23:55:09 2012

262 - size (B): 1161

263 - checksum: 333804614

264

265 <?xml version="1.0" encoding="UTF-8"?>

266 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

267 <plist version="1.0">

268 <dict>

269 <key>Program</key>

270 <string>/usr/local/bin/galileod</string>

271 <key>ProgramArguments</key>

272 <array>

273 <string>/usr/local/bin/galileod</string>

274 </array>

275 <key>Label</key>

276 <string>com.fitbit.galileod</string>

277 <key>UserName</key>

278 <string>root</string>

279 <key>GroupName</key>

280 <string>daemon</string>

281 <key>InitGroups</key>

282 <true/>

283 <key>OnDemand</key>

284 <false/>

285 <key>ServiceIPC</key>

286 <true/>

287 <key>Sockets</key>

288 <dict>

289 <key>UserClients</key>

290

291 ...and 27 more line(s)

292

293 Contents of /Library/LaunchDaemons/com.hegemonical.plist

294 - Apple binary property list

295 - mod date: Jun 3 19:56:47 2016

296 - size (B): 172

297 - checksum: 1994929885

298

299 Dict {

300 ProgramArguments = Array {

301 /etc/hegemonical.sh

302 }

303 KeepAlive = true

304 UserName = root

305 RunAtLoad = true

306 Label = com.hegemonical.plist

307 }

308

309 Contents of /Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist

310 - mod date: Jun 4 12:33:57 2016

311 - size (B): 483

312 - checksum: 2107430944

313

314 <?xml version="1.0" encoding="UTF-8"?>

315 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

316 <plist version="1.0">

317 <dict>

318 <key>Label</key>

319 <string>com.malwarebytes.MBAMHelperTool</string>

320 <key>MachServices</key>

321 <dict>

322 <key>com.malwarebytes.MBAMHelperTool</key>

323 <true/>

324 </dict>

325 <key>ProgramArguments</key>

326 <array>

327 <string>/Library/PrivilegedHelperTools/com.malwarebytes.MBAMHelperTool</string>

328 </array>

329 </dict>

330 </plist>

331

332 Contents of /Library/LaunchDaemons/com.nicotinic.plist

333 - Apple binary property list

334 - mod date: Jun 2 20:15:52 2016

335 - size (B): 168

336 - checksum: 1766601413

337

338 Dict {

339 ProgramArguments = Array {

340 /etc/nicotinic.sh

341 }

342 KeepAlive = true

343 UserName = root

344 RunAtLoad = true

345 Label = com.nicotinic.plist

346 }

347

348 Contents of /Library/LaunchDaemons/com.polymagnet.plist

349 - Apple binary property list

350 - mod date: Jun 3 19:54:41 2016

351 - size (B): 170

352 - checksum: 402887116

353

354 Dict {

355 ProgramArguments = Array {

356 /etc/polymagnet.sh

357 }

358 KeepAlive = true

359 UserName = root

360 RunAtLoad = true

361 Label = com.polymagnet.plist

362 }

363

364 Contents of /Library/LaunchDaemons/com.quiritary.plist

365 - Apple binary property list

366 - mod date: Jun 3 19:54:41 2016

367 - size (B): 168

368 - checksum: 2225207502

369

370 Dict {

371 ProgramArguments = Array {

372 /etc/quiritary.sh

373 }

374 KeepAlive = true

375 UserName = root

376 RunAtLoad = true

377 Label = com.quiritary.plist

378 }

379

380 Contents of /Library/LaunchDaemons/com.smarmy.plist

381 - Apple binary property list

382 - mod date: Jun 3 21:20:34 2016

383 - size (B): 160

384 - checksum: 1713762974

385

386 Dict {

387 ProgramArguments = Array {

388 /etc/smarmy.sh

389 }

390 KeepAlive = true

391 UserName = root

392 RunAtLoad = true

393 Label = com.smarmy.plist

394 }

395

396 Contents of /Library/LaunchDaemons/com.ucrybur.plist

397 - mod date: May 15 10:57:17 2016

398 - size (B): 475

399 - checksum: 1334640900

400

401 <?xml version="1.0" encoding="UTF-8"?>

402 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

403 <plist version="1.0">

404 <dict>

405 <key>KeepAlive</key>

406 <true/>

407 <key>Label</key>

408 <string>/Library/ucrybur/ucrybur.app/Contents/MacOS/ucrybur</string>

409 <key>Program</key>

410 <string>/Library/ucrybur/ucrybur.app/Contents/MacOS/ucrybur.sh</string>

411 <key>RunAtLoad</key>

412 <true/>

413 <key>UserName</key>

414 <string>root</string>

415 </dict>

416 </plist>

417

418 Contents of /Library/LaunchDaemons/com.underdraftUpd.plist

419 - Apple binary property list

420 - mod date: Jun 1 21:33:19 2016

421 - size (B): 172

422 - checksum: 3598689305

423

424 Dict {

425 ProgramArguments = Array {

426 /etc/underdraftUpd.sh

427 }

428 KeepAlive = true

429 UserName = root

430 RunAtLoad = true

431 Label = underdraftUpd.plist

432 }

433

434 Contents of /Library/LaunchDaemons/com.vitiligo.plist

435 - Apple binary property list

436 - mod date: Jun 1 21:35:02 2016

437 - size (B): 166

438 - checksum: 3904594448

439

440 Dict {

441 ProgramArguments = Array {

442 /etc/vitiligo.sh

443 }

444 KeepAlive = true

445 UserName = root

446 RunAtLoad = true

447 Label = com.vitiligo.plist

448 }

449

450 Contents of /private/etc/characteristicness.conf

451 - mod date: Jun 1 21:31:55 2016

452 - size (B): 190

453 - checksum: 3565406252

454

455 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

456 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

457 pass out proto tcp all user unbronzed

458

459 Contents of /private/etc/characteristicness.sh

460 - mod date: Jun 1 21:31:52 2016

461 - size (B): 234

462 - checksum: 4107517225

463

464 if [ -a /Library/characteristicness/Contents/MacOS/characteristicness ];

465 then

466 sleep 10

467 sudo pfctl -evf /etc/characteristicness.conf

468 sudo -u unbronzed /Library/characteristicness/Contents/MacOS/characteristicness

469 fi

470 exit 0

471

472 Contents of /private/etc/hegemonical.conf

473 - mod date: Jun 3 19:56:47 2016

474 - size (B): 191

475 - checksum: 1107196509

476

477 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

478 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

479 pass out proto tcp all user phyllocyst

480

481 Contents of /private/etc/hegemonical.sh

482 - mod date: Jun 3 19:56:46 2016

483 - size (B): 200

484 - checksum: 2919415972

485

486 if [ -a /Library/hegemonical/Contents/MacOS/hegemonical ];

487 then

488 sleep 10

489 sudo pfctl -evf /etc/hegemonical.conf

490 sudo -u phyllocyst /Library/hegemonical/Contents/MacOS/hegemonical

491 fi

492 exit 0

493

494 Contents of /private/etc/hosts

495 - mod date: Jul 1 12:22:26 2015

496 - size (B): 1518

497 - checksum: 4030047864

498

499 [NA]

500

501 Contents of /private/etc/nicotinic.conf

502 - mod date: Jun 2 20:15:52 2016

503 - size (B): 189

504 - checksum: 4019706026

505

506 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

507 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

508 pass out proto tcp all user conaxial

509

510 Contents of /private/etc/nicotinic.sh

511 - mod date: Jun 2 20:15:50 2016

512 - size (B): 188

513 - checksum: 2940614213

514

515 if [ -a /Library/nicotinic/Contents/MacOS/nicotinic ];

516 then

517 sleep 10

518 sudo pfctl -evf /etc/nicotinic.conf

519 sudo -u conaxial /Library/nicotinic/Contents/MacOS/nicotinic

520 fi

521 exit 0

522

523 Contents of /private/etc/polymagnet.conf

524 - mod date: Jun 3 19:54:41 2016

525 - size (B): 194

526 - checksum: 1602545928

527

528 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

529 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

530 pass out proto tcp all user precompliance

531

532 Contents of /private/etc/polymagnet.sh

533 - mod date: Jun 3 19:54:39 2016

534 - size (B): 198

535 - checksum: 3503044597

536

537 if [ -a /Library/polymagnet/Contents/MacOS/polymagnet ];

538 then

539 sleep 10

540 sudo pfctl -evf /etc/polymagnet.conf

541 sudo -u precompliance /Library/polymagnet/Contents/MacOS/polymagnet

542 fi

543 exit 0

544

545 Contents of /private/etc/quiritary.conf

546 - mod date: Jun 3 19:54:41 2016

547 - size (B): 186

548 - checksum: 1152386830

549

550 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

551 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

552 pass out proto tcp all user sewan

553

554 Contents of /private/etc/quiritary.sh

555 - mod date: Jun 3 19:54:39 2016

556 - size (B): 185

557 - checksum: 509959526

558

559 if [ -a /Library/quiritary/Contents/MacOS/quiritary ];

560 then

561 sleep 10

562 sudo pfctl -evf /etc/quiritary.conf

563 sudo -u sewan /Library/quiritary/Contents/MacOS/quiritary

564 fi

565 exit 0

566

567 Contents of /private/etc/smarmy.conf

568 - mod date: Jun 3 21:20:34 2016

569 - size (B): 188

570 - checksum: 2565972300

571

572 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

573 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

574 pass out proto tcp all user cymling

575

576 Contents of /private/etc/smarmy.sh

577 - mod date: Jun 3 21:20:33 2016

578 - size (B): 172

579 - checksum: 3245934265

580

581 if [ -a /Library/smarmy/Contents/MacOS/smarmy ];

582 then

583 sleep 10

584 sudo pfctl -evf /etc/smarmy.conf

585 sudo -u cymling /Library/smarmy/Contents/MacOS/smarmy

586 fi

587 exit 0

588

589 Contents of /private/etc/underdraftUpd.sh

590 - mod date: Jun 1 21:33:19 2016

591 - size (B): 157

592 - checksum: 3731197210

593

594 if [ -a /Library/underdraftUpd/Contents/MacOS/underdraftUpd ];

595 then

596 sleep 10

597 sudo /Library/underdraftUpd/Contents/MacOS/underdraftUpd

598 fi

599 exit 0

600

601 Contents of /private/etc/vitiligo.conf

602 - mod date: Jun 1 21:35:02 2016

603 - size (B): 187

604 - checksum: 1333613938

605

606 rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882

607 pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state

608 pass out proto tcp all user scyphi

609

610 Contents of /private/etc/vitiligo.sh

611 - mod date: Jun 1 21:35:00 2016

612 - size (B): 181

613 - checksum: 310520239

614

615 if [ -a /Library/vitiligo/Contents/MacOS/vitiligo ];

616 then

617 sleep 10

618 sudo pfctl -evf /etc/vitiligo.conf

619 sudo -u scyphi /Library/vitiligo/Contents/MacOS/vitiligo

620 fi

621 exit 0

622

623 Contents of Library/LaunchAgents/com.nero.HSMMonitor.plist

624 - mod date: May 8 15:19:04 2016

625 - size (B): 497

626 - checksum: 455399590

627

628 <?xml version="1.0" encoding="UTF-8"?>

629 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

630 <plist version="1.0">

631 <dict>

632 <key>Label</key>

633 <string>com.nero.HSMMonitor</string>

634 <key>ProgramArguments</key>

635 <array>

636 <string>/Applications/HTC Sync Manager.app/Contents/Resources/HSMMonitor.app/Contents/MacOS/HSMMonitor</string>

637 <string>-runMode</string>

638 <string>autoLaunched</string>

639 </array>

640 <key>RunAtLoad</key>

641 <true/>

642 </dict>

643 </plist>

644

645 User login items

646

647 iTunesHelper

648 - /Applications/iTunes.app/Contents/MacOS/iTunesHelper.app

649

650 iCloud services

651

652 PHOTO_STREAM

653 CONTACTS

654 CALENDAR

655 REMINDERS

656 BOOKMARKS

657 NOTES

658 KEYCHAIN_SYNC

659 SHARED_STREAMS

660

661 iCloud errors

662

663 cloudd 29

664 comapple.CloudPhotosConfiguration 9

665 mdworker 4

666 cloudphotosd 4

667 Finder 3

668 storedownloadd 2

669 bird 1

670

671 Continuity errors

672

673 sharingd 16

674

675 Restrictive permissions: 49

676

677 Lockfiles: 1

678

679 Extensions

680

681 /Library/Extensions/hp_io_enabler_compound.kext

682 - com.hp.kext.io.enabler.compound

683 - Hewlett Packard (6HB5Y2QTA3)

684 /System/Library/Extensions/SiLabsUSBDriver.kext

685 - com.silabs.driver.CP210xVCPDriver

686 /System/Library/Extensions/hp_Inkjet7_io_enabler.kext

687 - com.hp.print.hpio.inkjet7.kext

688 /System/Library/Extensions/hp_fax_io.kext

689 - com.hp.kext.hp-fax-io

690

691 Applications

692

693 /Applications/Malwarebytes Anti-Malware.app

694 - com.malwarebytes.antimalware

695 - Malwarebytes Corporation (GVZRY6KDKR)

696

697 Frameworks

698

699 /Library/Frameworks/TSLicense.framework

700 - net.telestream.license

701

702 Bundles

703

704 /Library/Internet Plug-Ins/AdobePDFViewer.plugin

705 - com.adobe.acrobat.pdfviewer

706 - Adobe Systems, Inc.

707 /Library/Internet Plug-Ins/AdobePDFViewerNPAPI.plugin

708 - com.adobe.acrobat.pdfviewerNPAPI

709 - Adobe Systems, Inc.

710 /Library/Internet Plug-Ins/Flip4Mac WMV Plugin.plugin

711 - net.telestream.wmv.plugin

712 - Telestream Inc.

713 /Library/Internet Plug-Ins/Quartz Composer.webplugin

714 - com.apple.QuartzComposer.webplugin

715 - Software Signing

716 /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

717 - com.microsoft.sharepoint.browserplugin

718 /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

719 - com.microsoft.sharepoint.webkitplugin

720 /Library/Internet Plug-Ins/Silverlight.plugin

721 - com.microsoft.SilverlightPlugin

722 /Library/Internet Plug-Ins/googletalkbrowserplugin.plugin

723 - com.google.googletalkbrowserplugin

724 - Google Inc.

725 /Library/Internet Plug-Ins/o1dbrowserplugin.plugin

726 - com.google.o1dbrowserplugin

727 - Google Inc.

728 /Users/USER/Library/Address Book Plug-Ins/SkypeABDialer.bundle

729 - com.skype.skypeabdialer

730 /Users/USER/Library/Address Book Plug-Ins/SkypeABSMS.bundle

731 - com.skype.skypeabsms

732 /Users/USER/Library/Internet Plug-Ins/Picasa.plugin

733 - com.google.PicasaPlugin

734 - Google Inc.

735 /Users/USER/Library/Internet Plug-Ins/ZoomUsPlugIn.plugin

736 - us.zoom.plugin

737

738 Library paths

739

740 /Library/characteristicness/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

741 /Library/characteristicness/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

742 /Library/characteristicness/Contents/PlugIns/bearer/libqgenericbearer.dylib

743 /Library/characteristicness/Contents/PlugIns/codecs/libqcncodecs.dylib

744 /Library/characteristicness/Contents/PlugIns/codecs/libqjpcodecs.dylib

745 /Library/characteristicness/Contents/PlugIns/codecs/libqkrcodecs.dylib

746 /Library/characteristicness/Contents/PlugIns/codecs/libqtwcodecs.dylib

747 /Library/characteristicness/Contents/PlugIns/imageformats/libqdds.dylib

748 /Library/characteristicness/Contents/PlugIns/imageformats/libqgif.dylib

749 /Library/characteristicness/Contents/PlugIns/imageformats/libqicns.dylib

750 /Library/characteristicness/Contents/PlugIns/imageformats/libqico.dylib

751 /Library/characteristicness/Contents/PlugIns/imageformats/libqjp2.dylib

752 /Library/characteristicness/Contents/PlugIns/imageformats/libqjpeg.dylib

753 /Library/characteristicness/Contents/PlugIns/imageformats/libqmng.dylib

754 /Library/characteristicness/Contents/PlugIns/imageformats/libqtga.dylib

755 /Library/characteristicness/Contents/PlugIns/imageformats/libqtiff.dylib

756 /Library/characteristicness/Contents/PlugIns/imageformats/libqwbmp.dylib

757 /Library/characteristicness/Contents/PlugIns/imageformats/libqwebp.dylib

758 /Library/hegemonical/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

759 /Library/hegemonical/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

760 /Library/hegemonical/Contents/PlugIns/bearer/libqgenericbearer.dylib

761 /Library/hegemonical/Contents/PlugIns/codecs/libqcncodecs.dylib

762 /Library/hegemonical/Contents/PlugIns/codecs/libqjpcodecs.dylib

763 /Library/hegemonical/Contents/PlugIns/codecs/libqkrcodecs.dylib

764 /Library/hegemonical/Contents/PlugIns/codecs/libqtwcodecs.dylib

765 /Library/hegemonical/Contents/PlugIns/imageformats/libqdds.dylib

766 /Library/hegemonical/Contents/PlugIns/imageformats/libqgif.dylib

767 /Library/hegemonical/Contents/PlugIns/imageformats/libqicns.dylib

768 /Library/hegemonical/Contents/PlugIns/imageformats/libqico.dylib

769 /Library/hegemonical/Contents/PlugIns/imageformats/libqjp2.dylib

770 /Library/hegemonical/Contents/PlugIns/imageformats/libqjpeg.dylib

771 /Library/hegemonical/Contents/PlugIns/imageformats/libqmng.dylib

772 /Library/hegemonical/Contents/PlugIns/imageformats/libqtga.dylib

773 /Library/hegemonical/Contents/PlugIns/imageformats/libqtiff.dylib

774 /Library/hegemonical/Contents/PlugIns/imageformats/libqwbmp.dylib

775 /Library/hegemonical/Contents/PlugIns/imageformats/libqwebp.dylib

776 /Library/nicotinic/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

777 /Library/nicotinic/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

778 /Library/nicotinic/Contents/PlugIns/bearer/libqgenericbearer.dylib

779 /Library/nicotinic/Contents/PlugIns/codecs/libqcncodecs.dylib

780 /Library/nicotinic/Contents/PlugIns/codecs/libqjpcodecs.dylib

781 /Library/nicotinic/Contents/PlugIns/codecs/libqkrcodecs.dylib

782 /Library/nicotinic/Contents/PlugIns/codecs/libqtwcodecs.dylib

783 /Library/nicotinic/Contents/PlugIns/imageformats/libqdds.dylib

784 /Library/nicotinic/Contents/PlugIns/imageformats/libqgif.dylib

785 /Library/nicotinic/Contents/PlugIns/imageformats/libqicns.dylib

786 /Library/nicotinic/Contents/PlugIns/imageformats/libqico.dylib

787 /Library/nicotinic/Contents/PlugIns/imageformats/libqjp2.dylib

788 /Library/nicotinic/Contents/PlugIns/imageformats/libqjpeg.dylib

789 /Library/nicotinic/Contents/PlugIns/imageformats/libqmng.dylib

790 /Library/nicotinic/Contents/PlugIns/imageformats/libqtga.dylib

791 /Library/nicotinic/Contents/PlugIns/imageformats/libqtiff.dylib

792 /Library/nicotinic/Contents/PlugIns/imageformats/libqwbmp.dylib

793 /Library/nicotinic/Contents/PlugIns/imageformats/libqwebp.dylib

794 /Library/nonamotionUpd/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

795 /Library/nonamotionUpd/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

796 /Library/nonamotionUpd/Contents/PlugIns/bearer/libqgenericbearer.dylib

797 /Library/nonamotionUpd/Contents/PlugIns/codecs/libqcncodecs.dylib

798 /Library/nonamotionUpd/Contents/PlugIns/codecs/libqjpcodecs.dylib

799 /Library/nonamotionUpd/Contents/PlugIns/codecs/libqkrcodecs.dylib

800 /Library/nonamotionUpd/Contents/PlugIns/codecs/libqtwcodecs.dylib

801 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqgif.dylib

802 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqico.dylib

803 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqjpeg.dylib

804 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqmng.dylib

805 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqtga.dylib

806 /Library/nonamotionUpd/Contents/PlugIns/imageformats/libqtiff.dylib

807 /Library/polymagnet/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

808 /Library/polymagnet/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

809 /Library/polymagnet/Contents/PlugIns/bearer/libqgenericbearer.dylib

810 /Library/polymagnet/Contents/PlugIns/codecs/libqcncodecs.dylib

811 /Library/polymagnet/Contents/PlugIns/codecs/libqjpcodecs.dylib

812 /Library/polymagnet/Contents/PlugIns/codecs/libqkrcodecs.dylib

813 /Library/polymagnet/Contents/PlugIns/codecs/libqtwcodecs.dylib

814 /Library/polymagnet/Contents/PlugIns/imageformats/libqdds.dylib

815 /Library/polymagnet/Contents/PlugIns/imageformats/libqgif.dylib

816 /Library/polymagnet/Contents/PlugIns/imageformats/libqicns.dylib

817 /Library/polymagnet/Contents/PlugIns/imageformats/libqico.dylib

818 /Library/polymagnet/Contents/PlugIns/imageformats/libqjp2.dylib

819 /Library/polymagnet/Contents/PlugIns/imageformats/libqjpeg.dylib

820 /Library/polymagnet/Contents/PlugIns/imageformats/libqmng.dylib

821 /Library/polymagnet/Contents/PlugIns/imageformats/libqtga.dylib

822 /Library/polymagnet/Contents/PlugIns/imageformats/libqtiff.dylib

823 /Library/polymagnet/Contents/PlugIns/imageformats/libqwbmp.dylib

824 /Library/polymagnet/Contents/PlugIns/imageformats/libqwebp.dylib

825 /Library/quiritary/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

826 /Library/quiritary/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

827 /Library/quiritary/Contents/PlugIns/bearer/libqgenericbearer.dylib

828 /Library/quiritary/Contents/PlugIns/codecs/libqcncodecs.dylib

829 /Library/quiritary/Contents/PlugIns/codecs/libqjpcodecs.dylib

830 /Library/quiritary/Contents/PlugIns/codecs/libqkrcodecs.dylib

831 /Library/quiritary/Contents/PlugIns/codecs/libqtwcodecs.dylib

832 /Library/quiritary/Contents/PlugIns/imageformats/libqdds.dylib

833 /Library/quiritary/Contents/PlugIns/imageformats/libqgif.dylib

834 /Library/quiritary/Contents/PlugIns/imageformats/libqicns.dylib

835 /Library/quiritary/Contents/PlugIns/imageformats/libqico.dylib

836 /Library/quiritary/Contents/PlugIns/imageformats/libqjp2.dylib

837 /Library/quiritary/Contents/PlugIns/imageformats/libqjpeg.dylib

838 /Library/quiritary/Contents/PlugIns/imageformats/libqmng.dylib

839 /Library/quiritary/Contents/PlugIns/imageformats/libqtga.dylib

840 /Library/quiritary/Contents/PlugIns/imageformats/libqtiff.dylib

841 /Library/quiritary/Contents/PlugIns/imageformats/libqwbmp.dylib

842 /Library/quiritary/Contents/PlugIns/imageformats/libqwebp.dylib

843 /Library/smarmy/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

844 /Library/smarmy/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

845 /Library/smarmy/Contents/PlugIns/bearer/libqgenericbearer.dylib

846 /Library/smarmy/Contents/PlugIns/codecs/libqcncodecs.dylib

847 /Library/smarmy/Contents/PlugIns/codecs/libqjpcodecs.dylib

848 /Library/smarmy/Contents/PlugIns/codecs/libqkrcodecs.dylib

849 /Library/smarmy/Contents/PlugIns/codecs/libqtwcodecs.dylib

850 /Library/smarmy/Contents/PlugIns/imageformats/libqdds.dylib

851 /Library/smarmy/Contents/PlugIns/imageformats/libqgif.dylib

852 /Library/smarmy/Contents/PlugIns/imageformats/libqicns.dylib

853 /Library/smarmy/Contents/PlugIns/imageformats/libqico.dylib

854 /Library/smarmy/Contents/PlugIns/imageformats/libqjp2.dylib

855 /Library/smarmy/Contents/PlugIns/imageformats/libqjpeg.dylib

856 /Library/smarmy/Contents/PlugIns/imageformats/libqmng.dylib

857 /Library/smarmy/Contents/PlugIns/imageformats/libqtga.dylib

858 /Library/smarmy/Contents/PlugIns/imageformats/libqtiff.dylib

859 /Library/smarmy/Contents/PlugIns/imageformats/libqwbmp.dylib

860 /Library/smarmy/Contents/PlugIns/imageformats/libqwebp.dylib

861 /Library/toughlyUpd/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

862 /Library/toughlyUpd/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

863 /Library/toughlyUpd/Contents/PlugIns/bearer/libqgenericbearer.dylib

864 /Library/toughlyUpd/Contents/PlugIns/codecs/libqcncodecs.dylib

865 /Library/toughlyUpd/Contents/PlugIns/codecs/libqjpcodecs.dylib

866 /Library/toughlyUpd/Contents/PlugIns/codecs/libqkrcodecs.dylib

867 /Library/toughlyUpd/Contents/PlugIns/codecs/libqtwcodecs.dylib

868 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqgif.dylib

869 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqico.dylib

870 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqjpeg.dylib

871 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqmng.dylib

872 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqtga.dylib

873 /Library/toughlyUpd/Contents/PlugIns/imageformats/libqtiff.dylib

874 /Library/underdraftUpd/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

875 /Library/underdraftUpd/Contents/PlugIns/audio/libqtaudio_coreaudio.dylib

876 /Library/underdraftUpd/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

877 /Library/underdraftUpd/Contents/PlugIns/bearer/libqgenericbearer.dylib

878 /Library/underdraftUpd/Contents/PlugIns/codecs/libqcncodecs.dylib

879 /Library/underdraftUpd/Contents/PlugIns/codecs/libqjpcodecs.dylib

880 /Library/underdraftUpd/Contents/PlugIns/codecs/libqkrcodecs.dylib

881 /Library/underdraftUpd/Contents/PlugIns/codecs/libqtwcodecs.dylib

882 /Library/underdraftUpd/Contents/PlugIns/generic/libqtuiotouchplugin.dylib

883 /Library/underdraftUpd/Contents/PlugIns/geoservices/libqtgeoservices_mapbox.dylib

884 /Library/underdraftUpd/Contents/PlugIns/geoservices/libqtgeoservices_nokia.dylib

885 /Library/underdraftUpd/Contents/PlugIns/geoservices/libqtgeoservices_osm.dylib

886 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqdds.dylib

887 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqgif.dylib

888 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqicns.dylib

889 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqico.dylib

890 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqjp2.dylib

891 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqjpeg.dylib

892 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqmng.dylib

893 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqtga.dylib

894 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqtiff.dylib

895 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqwbmp.dylib

896 /Library/underdraftUpd/Contents/PlugIns/imageformats/libqwebp.dylib

897 /Library/underdraftUpd/Contents/PlugIns/mediaservice/libqavfcamera.dylib

898 /Library/underdraftUpd/Contents/PlugIns/mediaservice/libqavfmediaplayer.dylib

899 /Library/underdraftUpd/Contents/PlugIns/mediaservice/libqtmedia_audioengine.dylib

900 /Library/underdraftUpd/Contents/PlugIns/platforms/libqcocoa.dylib

901 /Library/underdraftUpd/Contents/PlugIns/platforms/libqminimal.dylib

902 /Library/underdraftUpd/Contents/PlugIns/platforms/libqoffscreen.dylib

903 /Library/underdraftUpd/Contents/PlugIns/playlistformats/libqtmultimedia_m3u.dylib

904 /Library/underdraftUpd/Contents/PlugIns/position/libqtposition_positionpoll.dylib

905 /Library/underdraftUpd/Contents/PlugIns/printsupport/libcocoaprintersupport.dylib

906 /Library/underdraftUpd/Contents/PlugIns/qml1tooling/libqmldbg_inspector.dylib

907 /Library/underdraftUpd/Contents/PlugIns/qml1tooling/libqmldbg_tcp_qtdeclarative.dylib

908 /Library/underdraftUpd/Contents/PlugIns/sensorgestures/libqtsensorgestures_plugin.dylib

909 /Library/underdraftUpd/Contents/PlugIns/sensorgestures/libqtsensorgestures_shakeplugin.dylib

910 /Library/underdraftUpd/Contents/PlugIns/sensors/libqtsensors_generic.dylib

911 /Library/vitiligo/Contents/PlugIns/accessible/libqtaccessiblewidgets.dylib

912 /Library/vitiligo/Contents/PlugIns/bearer/libqcorewlanbearer.dylib

913 /Library/vitiligo/Contents/PlugIns/bearer/libqgenericbearer.dylib

914 /Library/vitiligo/Contents/PlugIns/codecs/libqcncodecs.dylib

915 /Library/vitiligo/Contents/PlugIns/codecs/libqjpcodecs.dylib

916 /Library/vitiligo/Contents/PlugIns/codecs/libqkrcodecs.dylib

917 /Library/vitiligo/Contents/PlugIns/codecs/libqtwcodecs.dylib

918 /Library/vitiligo/Contents/PlugIns/imageformats/libqdds.dylib

919 /Library/vitiligo/Contents/PlugIns/imageformats/libqgif.dylib

920 /Library/vitiligo/Contents/PlugIns/imageformats/libqicns.dylib

921 /Library/vitiligo/Contents/PlugIns/imageformats/libqico.dylib

922 /Library/vitiligo/Contents/PlugIns/imageformats/libqjp2.dylib

923 /Library/vitiligo/Contents/PlugIns/imageformats/libqjpeg.dylib

924 /Library/vitiligo/Contents/PlugIns/imageformats/libqmng.dylib

925 /Library/vitiligo/Contents/PlugIns/imageformats/libqtga.dylib

926 /Library/vitiligo/Contents/PlugIns/imageformats/libqtiff.dylib

927 /Library/vitiligo/Contents/PlugIns/imageformats/libqwbmp.dylib

928 /Library/vitiligo/Contents/PlugIns/imageformats/libqwebp.dylib

929 /Users/USER/Desktop/Old Firefox Data/tbbgcvxb.default-1442972594324/gmp-gmpopenh264/1.5.3/libgmpopenh264.dylib

930

931 MD importers

932

933 /Applications/Microsoft Office 2011/Microsoft Outlook.app/Contents/Library/Spotlight/Microsoft Outlook.mdimporter

934

935 Non-loading kernel extensions

936

937 /System/Library/Extensions/AppleOSXUSBNCM.kext

938 - com.apple.driver.AppleOSXUSBNCM

939 - Software Signing

940

941 Installations

942

943 nfmavdefinitions: 6/3/16, 10:40 PM

944 Norton Security SKU: 6/3/16, 10:40 PM

945 Norton for Mac: 6/3/16, 10:40 PM

946 Avast Mac Security: 6/3/16, 8:13 PM

947 Adobe Flash Player: 6/2/16, 10:20 PM

948

949 Elapsed time (sec): 489
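Added example, not part of this thread or of any Apple tool: the nicotinic, polymagnet, quiritary, smarmy and vitiligo .conf files in the report above all carry the same three pf rules, and the matching .sh scripts load them with `pfctl -evf` and then start a binary as an oddly named user. The first rule sends every outbound TCP connection to port 80 into a listener on 127.0.0.1:9882, while port 443 is left alone; if that listener is not running, redirected HTTP connections have nowhere to go, which is consistent with the symptom in this thread (HTTP fails, HTTPS works, everything works in safe mode where the daemons do not load). The script below parses rule text in that syntax and flags the two rule shapes worth reviewing. The sample rule set reuses the lines quoted from /private/etc/nicotinic.conf plus one harmless rule I made up for contrast; `Finding`, `audit_pf_rules` and `is_loopback` are my names.

```python
"""Audit pf rules for plain-HTTP interception (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the three rules quoted from /private/etc/nicotinic.conf in
# the report, plus one harmless port-443 rule (made up) to show it is not flagged.
SAMPLE_RULES = """\
rdr pass inet proto tcp from en0 to any port 80 -> 127.0.0.1 port 9882
pass out on en0 route-to lo0 inet proto tcp from en0 to any port 80 keep state
pass out proto tcp all user conaxial
pass out proto tcp from any to any port 443 keep state
"""

# rdr ... proto <proto> ... to <dst> port <port> -> <target> port <tport>
RDR_RE = re.compile(
    r"^rdr\b.*\bproto\s+(?P<proto>\w+)\b.*\bto\s+(?P<dst>\S+)\s+port\s+(?P<port>\d+)"
    r"\s*->\s*(?P<target>\S+)\s+port\s+(?P<tport>\d+)"
)
# pass out ... user <name>: an egress rule scoped to a single OS account
USER_RE = re.compile(r"^pass\s+out\b.*\buser\s+(?P<user>\S+)")

WEB_PORTS = {"80", "8080"}


@dataclass
class Finding:
    line_no: int
    rule: str
    reason: str


def is_loopback(addr: str) -> bool:
    """True when the redirect target is the local host, by address or by lo0."""
    return addr in ("lo0", "localhost", "::1") or addr.startswith("127.")


def audit_pf_rules(text: str) -> List[Finding]:
    """One Finding per rule that redirects web ports to the local host or that
    permits outbound TCP only for a named user account."""
    findings: List[Finding] = []
    for n, raw in enumerate(text.splitlines(), 1):
        rule = raw.strip()
        if not rule or rule.startswith("#"):
            continue
        m = RDR_RE.match(rule)
        if (m and m.group("proto") == "tcp" and m.group("port") in WEB_PORTS
                and is_loopback(m.group("target"))):
            findings.append(Finding(n, rule,
                f"outbound port {m.group('port')} redirected to "
                f"{m.group('target')}:{m.group('tport')} (local interception proxy)"))
            continue
        u = USER_RE.match(rule)
        if u:
            findings.append(Finding(n, rule,
                f"egress allowed for OS user '{u.group('user')}'; verify that this "
                f"account is one you created"))
    return findings


if __name__ == "__main__":
    # On a live Mac, the currently loaded rules come from: sudo pfctl -sr
    # Paste that output in place of SAMPLE_RULES to audit the running set.
    for f in audit_pf_rules(SAMPLE_RULES):
        print(f"line {f.line_no}: {f.reason}\n    {f.rule}")
```

Clearing the loaded rules (`sudo pfctl -d`, or removing the .conf/.sh pair and the LaunchDaemon that runs it) is what actually restores HTTP; the audit only tells you which files to look at.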

Jun 5, 2016 3:22 AM in response to lemeals

I was wary of running the malwarebytes, but an Apple phone support tech recommended that one


A

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

1. The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

2. While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

/Library/LaunchDaemons

In the Finder, select

Go ▹ Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

3. Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

com.apple.something.plist

where something is a random, meaningless string of letters, different in every case.

Note that the name consists of four words separated by periods. Typical examples:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

There may also be one or more items with a full name of this form:

com.something.plist

Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

These names consist of three words separated by periods. Typical examples:

com.semifasciaUpd.plist

com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated years in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Try again.

4. Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari ▹ Preferences... ▹ General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

5. This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be one or more with random names that were added by the malware. You can delete those users. If in doubt about whether a user is legitimate or not, don't delete it.

B

The "Malwarebytes" product failed to remove the malware. That's what you should always expect from such products: failure. I suggest that you remove it according to its developer's instructions and never install any "anti-malware" or "anti-virus" software again. Relying on such software for your security is a dangerous mistake. Security lies in safe computing practices, not in software. Ask if you want guidance.

<Edited by Host>
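Added example, not part of this thread and not Linc Davis's code: the manual check in steps 2 and 3 above (sort /Library/LaunchDaemons by Date Modified, look for a burst of files written within minutes of each other, anchor on names of the form com.apple.something.plist) can be automated. Apple's own daemons are installed under /System/Library/LaunchDaemons, so a com.apple.* name in /Library/LaunchDaemons is the strong signal; every file written in the same burst is reported with it, which also catches the three-word com.something.plist items that cannot be recognised by name alone. The file names in the sample listing are the examples from the post; the timestamps are made up, `com.example.*` and `org.example.*` are placeholders for legitimate third-party items, and `listing_from_directory`, `cluster_by_mtime` and `triage` are my names.

```python
"""Triage a LaunchDaemons folder by modification-time clustering (added example)."""
import os
import re
from datetime import datetime, timedelta
from typing import List, Tuple

Entry = Tuple[str, datetime]  # (file name, modification time)

# Constructed listing. Names reuse the examples from the post; the timestamps
# are made up so that two malicious bursts and two unrelated files appear.
SAMPLE_LISTING: List[Entry] = [
    ("org.example.backup-agent.plist", datetime(2013, 2, 14, 9, 30, 0)),
    ("com.example.updater.plist", datetime(2016, 6, 2, 10, 0, 0)),
    ("com.apple.builins.plist", datetime(2016, 6, 3, 19, 54, 41)),
    ("com.semifasciaUpd.plist", datetime(2016, 6, 3, 19, 54, 39)),
    ("com.apple.cereng.plist", datetime(2016, 6, 3, 21, 20, 34)),
    ("com.ubuiling.plist", datetime(2016, 6, 3, 21, 20, 33)),
]

# Four dot-separated words with a bare run of letters in the third position.
APPLE_LOOKALIKE = re.compile(r"^com\.apple\.[A-Za-z]+\.plist$")


def listing_from_directory(path: str) -> List[Entry]:
    """Read (name, mtime) pairs from a real folder such as /Library/LaunchDaemons."""
    entries: List[Entry] = []
    with os.scandir(path) as it:
        for d in it:
            if d.is_file() and d.name.endswith(".plist"):
                entries.append((d.name, datetime.fromtimestamp(d.stat().st_mtime)))
    return entries


def cluster_by_mtime(listing: List[Entry],
                     window: timedelta = timedelta(minutes=5)) -> List[List[Entry]]:
    """Sort by mtime and group entries written within `window` of the previous one."""
    clusters: List[List[Entry]] = []
    for entry in sorted(listing, key=lambda e: e[1]):
        if clusters and entry[1] - clusters[-1][-1][1] <= window:
            clusters[-1].append(entry)
        else:
            clusters.append([entry])
    return clusters


def is_apple_lookalike(name: str) -> bool:
    """A com.apple.* item outside /System/Library/LaunchDaemons is the anchor signal."""
    return APPLE_LOOKALIKE.match(name) is not None


def triage(listing: List[Entry],
           window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Names to review: every file in any burst that contains an Apple lookalike."""
    flagged = set()
    for cluster in cluster_by_mtime(listing, window):
        if any(is_apple_lookalike(name) for name, _ in cluster):
            flagged.update(name for name, _ in cluster)
    return sorted(flagged)


if __name__ == "__main__":
    # Against a live system: triage(listing_from_directory("/Library/LaunchDaemons"))
    for name in triage(SAMPLE_LISTING):
        print("review:", name)
```

The output is a review list, not a delete list: as the post says, a file dated years in the past is not part of the malware, and a file you cannot account for is best left alone until you can. Run it from safe mode for the same reason the manual procedure requires it.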

Jun 5, 2016 7:48 AM in response to Linc Davis

Sir Davis, thank you! Everything seems to be working properly.


Security lies in safe computing practices, not in software. Ask if you want guidance.

I'm sure you have your canned response ready; I wouldn't mind reading it.


What in the test results that I posted for you caught your eye to know what to remove? I'm thinking lines 293-600ish where it shows the contents of Launch daemons and some of those showing interaction with port 80...?


Thanks again for your help.


vr,


Sean

Jun 5, 2016 7:47 AM in response to lemeals

I did not read your entire post nor the replies, I am just responding to what I copied below (I guess also for my own knowledge/benefit).


RE: BLUF: I can only connect to HTTPS websites, http gives me "can't connect to server" or "no route to host" errors.


Can't we, these days, just type in any address without the http/https and the computer will automatically direct you there. Kind of like how tv commercials advertise their sites with just their company name and the dot com? Can't we just type that part in and the computer does the rest, meaning it chooses either http or https by itself?

Jun 5, 2016 7:55 AM in response to nature_girl75

Yes, it does do that, but in my case when the computer put "http" in front it failed to work (due to malware hidden in the LaunchDaemons folder, as Linc Davis pointed out). So for sites like Amazon that have an http and an https version, I had to manually force my computer to go to https for it to work. You can tell if you are connected to an http or https (secure) site by looking in your URL bar at the top. For example, here on the Apple Support Communities the site is secure (https) and the URL bar just shows a green colored lock instead of the letters https.

Jun 5, 2016 8:41 AM in response to lemeals

Mac users often ask what they should do to protect themselves from malicious software ("malware," or loosely speaking, "viruses") and in particular, whether they should use "anti-virus" (AV) or "anti-malware" software. The short answer to the latter question is "no," but that answer may give the wrong impression that there is no threat to defend against. There is a threat.

1. This is a comment on what you should—and should not—do to avoid malware that circulates on the Internet and gets onto a computer as an unintended consequence of the user's actions.

It does not apply to software, such as keystroke loggers, that may be installed deliberately by an intruder who has hands-on access to the computer, or who has been able to take control of it remotely. That threat is in a different category, and there's no easy way to defend against it. AV software is not intended to, and does not, defend against such attacks.

The comment is long because the issue is complex. The key points are in sections 5, 6, and 12.

OS X now implements three layers of built-in protection specifically against malware, not counting runtime protections such as file quarantine, execute disable, sandboxing, system integrity protection, system library randomization, and address space layout randomization that may also guard against other kinds of exploits.

2. All versions of OS X since 10.6.7 have been able to detect known Mac malware in downloaded files, and to block insecure web plugins. This feature is transparent to the user. Internally Apple calls it "XProtect."

The malware recognition database used by XProtect is automatically updated; however, you shouldn't rely on it, because the attackers are always at least a day ahead of the defenders.

The following caveats apply to XProtect:

☞ It can be bypassed by some third-party networking software, such as BitTorrent clients and Java applets.

☞ It only applies to software downloaded from the network. Software installed from a CD or other media is not checked.

As new versions of OS X are released, it's not clear whether Apple will indefinitely continue to maintain the XProtect database of older versions such as 10.6. The security of obsolete system versions may eventually be degraded. Security updates to the code of obsolete systems will stop being released at some point, and that may leave them open to other kinds of attack besides malware.

3. Starting with OS X 10.7.5, there has been a second layer of built-in malware protection, designated "Gatekeeper" by Apple. By default, applications and Installer packages downloaded from the network will only run if they're digitally signed by a developer with a certificate issued by Apple. Software certified in this way hasn't been checked for security by Apple unless it comes from the App Store, but you can be reasonably sure that it hasn't been modified by anyone other than the developer. His identity is known to Apple, so he could be held legally responsible if he distributed malware. That may not mean much if the developer lives in a country with a weak legal system (see below.)

Gatekeeper doesn't depend on a database of known malware. It has, however, the same limitations as XProtect, and in addition the following:

☞ It can easily be disabled or overridden by the user.

☞ A malware attacker could find a way around it, or could get control of a code-signing certificate under false pretenses, or could simply ignore the consequences of distributing codesigned malware.

☞ An App Store developer could find a way to bypass Apple's oversight, or the oversight could fail due to human error.

Apple has taken far too long to revoke the codesigning certificates of some known abusers, thereby diluting the value of Gatekeeper and the Developer ID program. Those lapses don't involve App Store products, however.

For the reasons given, App Store products, and—to a lesser extent—other applications recognized by Gatekeeper as signed, are safer than others, but they can't be considered absolutely safe. "Sandboxed" applications may prompt for access to private data, such as your contacts, or for access to the network. Think before granting that access. Sandbox security is based on user input. Never click through any request for authorization without thinking.

4. Starting with OS X 10.8.3, a third layer of protection has been added: a "Malware Removal Tool" (MRT). MRT runs automatically in the background. It checks for, and removes, malware that matches a recognition database maintained by Apple. To ensure that MRT will run when that database is updated, open the App Store pane in System Preferences and check the box marked

Install system data files and security updates

if it's not already checked.

Like XProtect, MRT is effective against known threats, but not against unknown ones. It notifies you if it finds malware, but otherwise it has no user interface.

5. The built-in security features of OS X reduce the risk of malware attack, but they are not, and never will be, complete protection. Malware is a problem of human behavior, not machine behavior, and no technological fix alone is going to solve it. Trusting software to protect you will only make you more vulnerable.

The best defense is always going to be your own intelligence. With the possible exception of Java exploits, all known malware circulating on the Internet that affects a fully-updated installation of OS X 10.6 or later takes the form of so-called "Trojan horses," which can only have an effect if the victim is duped into running them. The threat therefore amounts to a battle of wits between you and Internet criminals. If you're better informed than they think you are, you'll win. That means, in effect, that you always stay within a safe harbor of computing practices. How do you know when you're leaving the safe harbor? Below are some warning signs of danger.

Software from an untrustworthy source

☞ Software with a corporate brand, such as Adobe Flash Player, doesn't come directly from the developer’s website. Do not trust an alert from any website to update Flash, or your browser, or any other software. A genuine alert that Flash is outdated and blocked is shown on this support page. Follow the instructions on the support page in that case. Otherwise, assume that the alert is fake and someone is trying to scam you into installing malware. If you see such alerts on more than one website, ask for instructions.

☞ Software of any kind is distributed via BitTorrent, or Usenet, or on a website that also distributes pirated music or movies.

☞ Rogue websites such as CNET Download, MacUpdate, Soft32, Softonic, and SourceForge distribute free applications that have been packaged in a superfluous "installer."

☞ The software is advertised by means of spam or intrusive web ads. Any ad, on any site, that includes a direct link to a download should be ignored.

Software that is plainly illegal or does something illegal

☞ High-priced commercial software such as Photoshop is "cracked" or "free."

☞ An application helps you to infringe copyright, for instance by circumventing the copy protection on commercial software, or saving streamed media for reuse without permission. All "YouTube downloaders" are in this category, though not all are necessarily malicious.

Unsolicited offers or advice from strangers

☞ A telephone caller or a web page tells you that you have a “virus” and offers to help you remove it. (Some reputable websites did legitimately warn visitors who were infected with the "DNSChanger" malware. That exception to this rule no longer applies.)

☞ A web site offers free content such as video or music, but to use it you must install a “codec,” “plug-in,” "player," "downloader," "extractor," or “certificate” that comes from that same site, or an unknown one.

☞ You win a prize in a contest you never entered.

☞ A stranger on the Internet is eager for you to download an unknown application. Software should be installed only because you—not anyone else—decided that you want it.

☞ A "FREE WI-FI !!!" network advertises itself in a public place such as an airport, but is not provided by the management.

☞ Anything online that you would expect to pay for is "free."

Unexpected events

☞ A file is downloaded automatically when you visit a web page, with no other action on your part. Delete any such file without opening it.

☞ You open what you think is a document and get an alert that it's "an application downloaded from the Internet." Click Cancel and delete the file. Even if you don't get the alert, you should still delete any download that isn't what you expected it to be.

☞ An application does something you don't expect, such as asking for permission to access your contacts, your location, or the Internet for no obvious reason.

☞ Software is attached to email that you didn't request, even if it comes (or seems to come) from someone you trust.

Looking for help in all the wrong places

☞ You need technical support, so you search the Web for a term such as "Microsoft Office help," expecting to find a phone number for Microsoft. Very often, the top search hit, and maybe several of the top hits, will be one of the fake tech-support scams that infest the search engines. When you call the number, you'll be connected, not to Microsoft, but to a criminal in a country with weak law enforcement. He will ask to take remote control of your computer, and for your credit card number.

☞ The danger level is especially high if you're searching for help with a malware problem. Internet criminals know that people who have already been attacked successfully are easy marks for another attack. You'll get not just a few scams in the search results, but hundreds of them. They will all be promoting AV software.

I don't say that leaving the safe harbor just once will necessarily result in disaster, but making a habit of it will weaken your defenses against malware attack and other kinds of exploitation. Any of the above scenarios should, at the very least, make you uncomfortable.

6. The emergence of data-destroying "ransomware" for the Mac has made backing up all data a part of the defense against attack. Since an infected machine could destroy its own backups, at least one backup device must always be offline. For example, you could rotate your backup drives, keeping one with you or at another site. That strategy also protects against a physical threat such as fire or theft.

7. Java on the Web (not to be confused with JavaScript, to which it's not related, despite the similarity of the names) is a weak point in the security of any system. Java is, among other things, a platform for running complex applications in a web page. That was always a bad idea, and Java's developers have proven themselves incapable of implementing it without also creating a portal for malware to enter. Past Java exploits are the closest thing there has ever been to a Windows-style virus affecting OS X. Merely loading a page with malicious Java content could be harmful.

Fortunately, client-side Java on the Web is obsolete and mostly extinct. Only a few outmoded sites still use it. Try to hasten the process of extinction by avoiding those sites, if you have a choice. Forget about playing games or other non-essential uses of Java.

Java is not included in OS X 10.7 and later. Discrete Java installers are distributed by Apple and by Oracle (the developer of Java). Don't use either one unless you need it. Most people don't. If Java is installed, disable it—not JavaScript—in your browsers.

Regardless of version, experience has shown that Java on the Web can't be trusted. If you must use a Java applet for a task on a specific site, enable Java only for that site in Safari. Never enable Java for a public website that carries third-party advertising. Use it only on well-known, login-protected, secure websites without ads. In Safari 6 or later, you'll see a padlock icon in the address bar when visiting a secure site.

8. Another perennial weak point is Adobe Flash Player. Like Java, Flash is in well-deserved decline, but Flash content is still much more widespread than Java content on the Web. If you choose to install the Flash plugin, you can reduce your exposure to Flash by checking the box marked

Stop plug-ins to save power

in the Advanced tab of the Safari preferences window, if it's not already checked. Consider also installing a Safari extension such as "ClickToFlash" or "ClickToPlugin." They will prevent Flash content from loading automatically, and will also cause non-Flash video to be substituted for Flash on YouTube and maybe some other sites. I've tested those extensions and found them safe, but you should always do your own research before deciding whether to trust any third-party software.

9. Stay within the safe harbor, and you’ll be as safe from malware as you can practically be. The rest of this comment concerns what you should not do to protect yourself.

Although it may seem counter-intuitive, you should never install any AV or "Internet security" products for the Mac if you have a choice, as they are all worse than useless. If you're required by a (mistaken) institutional policy to install some kind of AV, pick one of the free apps in the Mac App Store—nothing else.

Why shouldn't you use AV products?

☞ To recognize malware, the software depends on a database of known threats, which is always at least a day out of date. That technique is a proven failure, as a major AV software vendor has admitted. Most attacks are "zero-day"—that is, previously unknown. Recognition-based AV does not defend against such attacks, and the enterprise IT industry is coming to the realization that traditional AV software is worthless.

☞ The design is usually predicated on the nonexistent threat that malware may be injected at any time, anywhere in the file system. Malware is downloaded from the network; it doesn't materialize from nowhere. In order to meet that nonexistent threat, most commercial AV software modifies or duplicates low-level functions of the operating system—a common cause of instability and poor performance.

☞ By modifying the operating system, the software may also create weaknesses that could be exploited by malware attackers.

☞ Most importantly, a false sense of security is dangerous. That fact pertains to all AV software there will ever be, no matter what else changes.

Using AV software sets you up for double exploitation: by malware attackers, from whom the software doesn't protect you, and by the AV industry itself. The latter will often try to hook you with a free loss-leader product so it can charge you for "upgrades" later. In the words of one independent IT security researcher, "Security as a product is the biggest lie ever."

10. A free AV product from the App Store may serve a purpose if it satisfies an ill-informed network administrator who insists that you have some kind of AV application. It won't modify the operating system; in fact, it won't do anything unless you run it. It's harmless, as long as you don't make the dangerous mistake of thinking that it actually protects you, and as long as you don't let it delete or move any files. Ignore any warnings about "heuristics" or "phishing." Those warnings, if they're not merely false positives, refer to the text of email messages or to cached web pages, not to malware. Also ignore any attempts to sell you a paid version of the product.

The fact that a product is in the App Store does not mean that it's any good, or that it's endorsed by Apple. All it means is that the developer has paid Apple $99, and that the app has passed superficial scrutiny to make sure it's not malicious.

An AV app is not needed, and can't be relied upon, for protection against OS X malware. It's useful, if at all, only for detecting Windows malware, and even for that use it's not really effective, because new Windows malware is emerging much faster than OS X malware.

Windows malware can't harm you directly (unless, of course, you use Windows). Just don't pass it on to anyone else. A malicious attachment in email is usually easy to recognize by the name alone. An actual example:

London Terror Moovie.avi [124 spaces] Checked By Norton Antivirus.exe

You don't need software to tell you that's a Windows trojan. Software may be able to tell you which trojan it is, but who cares? In practice, there's no reason to use recognition software unless an organizational policy requires it. Windows malware is so widespread that you should assume it's in every email attachment until proven otherwise.

If you're just curious as to whether a file is recognized as malware by AV engines, you can upload it to the "VirusTotal" website, where it will be tested against most of them. A negative result is no proof of anything, for the reasons stated above. I don't recommend doing this with a file that might contain private information.

11. It seems to be a common belief that the built-in Application Firewall acts as a barrier to infection, or prevents malware from functioning. It does neither. It blocks inbound connections to certain network services you're running, such as file sharing. It's disabled by default and you should leave it that way if you're behind a router on a private home or office network. Activate it only when you're on an untrusted network, for instance a public Wi-Fi hotspot, where you don't want to provide services. Disable any services you don't use in the Sharing preference pane. All are disabled by default.

12. As a Mac user, you don't have to live in fear that your computer may be infected every time you install software, read email, or visit a web page. But neither can you assume that you will always be safe, no matter what you do. Navigating the Internet is like walking the streets of a big city. It can be as safe or as dangerous as you choose to make it. The greatest harm done by AV software is precisely its selling point: it makes people feel safe. They may then feel safe enough to take risks from which the software doesn't protect them. Nothing can lessen the need for safe computing practices.
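The reply above tells you which built-in defences matter (the "Install system data files and security updates" checkbox that keeps XProtect and MRT current, the Application Firewall, and not having the Java and Flash plug-ins installed) but checks them one at a time through the GUI. The following shell script is an added read-only audit, not something posted in this thread, that reports the same state from the Terminal. It assumes the standard macOS locations: the Software Update preference domain `/Library/Preferences/com.apple.SoftwareUpdate` with its `ConfigDataInstall` and `CriticalUpdateInstall` keys, the `socketfilterfw` tool for the Application Firewall, and the plug-in bundles under `/Library/Internet Plug-Ins`. On a non-macOS system every check simply reports "unset" or "unavailable", and the script changes nothing.

```shell
#!/bin/sh
# Added audit script (not from the thread). Read-only: it reports the state
# of the defences described in the reply above and modifies nothing.
# Assumed (standard) macOS locations:
SWU_DOMAIN=/Library/Preferences/com.apple.SoftwareUpdate
FIREWALL=/usr/libexec/ApplicationFirewall/socketfilterfw
PLUGIN_DIR="/Library/Internet Plug-Ins"

# Read one boolean key from the Software Update preference domain.
# Prints 1, 0, or nothing (key not set, or not running on macOS).
read_swu_key() {
    command -v defaults >/dev/null 2>&1 || { printf ''; return 0; }
    defaults read "$SWU_DOMAIN" "$1" 2>/dev/null || printf ''
}

# Map a raw "defaults read" value to a human-readable state.
classify_flag() {
    case "$1" in
        1|true|YES) echo enabled ;;
        0|false|NO) echo disabled ;;
        '')         echo unset ;;
        *)          echo "unknown($1)" ;;
    esac
}

# Report whether a browser plug-in bundle directory exists.
plugin_status() {
    if [ -d "$1" ]; then echo installed; else echo absent; fi
}

# socketfilterfw --getglobalstate prints lines such as
#   "Firewall is enabled. (State = 1)"  /  "Firewall is disabled. (State = 0)"
# State = 2 is the "block all incoming connections" mode.
parse_firewall_output() {
    case "$1" in
        *"State = 0"*) echo off ;;
        *"State = 1"*) echo on ;;
        *"State = 2"*) echo "on (block all)" ;;
        *)             echo unknown ;;
    esac
}

# Query the Application Firewall, or report that the tool is not present.
firewall_state() {
    [ -x "$FIREWALL" ] || { echo unavailable; return 0; }
    out=$("$FIREWALL" --getglobalstate 2>/dev/null)
    parse_firewall_output "$out"
}

# Print the whole report. The two Software Update keys together back the
# "Install system data files and security updates" checkbox.
run_audit() {
    echo "Install system data files and security updates:"
    echo "  ConfigDataInstall    : $(classify_flag "$(read_swu_key ConfigDataInstall)")"
    echo "  CriticalUpdateInstall: $(classify_flag "$(read_swu_key CriticalUpdateInstall)")"
    echo "Application Firewall   : $(firewall_state)"
    echo "Java plug-in           : $(plugin_status "$PLUGIN_DIR/JavaAppletPlugin.plugin")"
    echo "Flash plug-in          : $(plugin_status "$PLUGIN_DIR/Flash Player.plugin")"
}

run_audit
```

Run it as an ordinary user; none of the queries needs root. A report showing either Software Update key as "disabled" or "unset" means the checkbox the reply describes is off and MRT's recognition database will not be refreshed automatically; "installed" for Java or Flash means the plug-in is present and should be disabled in the browser (or removed) unless a specific site requires it.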
