User profile for user: errza
errza Author
User level: Level 1
8 points

Remove adware

Hi, i'm using macbook pro 13' mid 2012. With OS X El Capitan already installed. I have problem with adware that always shows up when im using Google Chrome. I already try to clean the malware using third party application (Malwarebytes), yes they found the adware which is vshare. but after i restarted my macbook, the adware appear again. Based on this thread How to remove Adware? i already perform the diagnostic test as the recommendation from Linc Davis. And this is the result. Does anyone know how to fix this? Thanks in advance!


Boot Mode: Normal



Model: MacBookPro9,2



Battery cycles: 589



System load advisory



combined level = Bad

- user level = OK

- battery level = Bad

- thermal level = Great



System diagnostics



2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 sculch crash

2016-06-04 softwareupdated crash

2016-06-06 Microsoft Excel hang



User diagnostics



2016-06-03 RimAlbumArtDaemon crash

2016-06-03 RimAlbumArtDaemon crash

2016-06-03 RimAlbumArtDaemon crash

2016-06-03 RimAlbumArtDaemon crash

2016-06-03 RimAlbumArtDaemon crash

2016-06-03 RimAlbumArtDaemon crash

2016-06-03 garcon crash

2016-06-03 garcon crash

2016-06-03 garcon crash

2016-06-03 garcon crash



Kernel messages



Jun 2 07:06:02 PM notification timeout (pid 11397, PeerManager)

--- last message repeated 1 time ---

Jun 2 08:55:42 Process launchd [1] disabling system-wide I/O Throttling

Jun 2 08:55:42 Process launchd [1] disabling system-wide CPU Throttling

Jun 2 08:57:05 AssertMacros: tmpData (value: 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppleCredentialManager/AppleCre dentialManager-82.10.1/AppleCredentialManager/AppleCredentialManager.cpp, line: 765

Jun 3 09:37:35 003574.391721 DataTraveler 2.0@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 3 09:37:35 003574.406982 DataTraveler 2.0@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 3 09:57:07 Over-release of kernel-internal importance assertions for pid 83 (launchservicesd), dropping 1 assertion(s) but task only has 1 remaining (1 external).

Jun 3 11:04:59 AssertMacros: tmpData (value: 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppleCredentialManager/AppleCre dentialManager-82.10.1/AppleCredentialManager/AppleCredentialManager.cpp, line: 765

--- last message repeated 1 time ---

Jun 3 11:57:25 PM notification timeout (pid 309, PeerManager)

--- last message repeated 2 times ---

Jun 4 00:00:24 011534.951401 EPSON L300 Series@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 4 00:00:24 011535.068923 EPSON L300 Series@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 4 00:00:24 011535.072958 EPSON L300 Series@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 4 12:25:28 017168.069933 DataTraveler 2.0@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 4 12:25:28 017168.070012 DataTraveler 2.0@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 4 12:25:28 017168.120931 DataTraveler 2.0@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 5 14:06:27 AssertMacros: tmpData (value: 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppleCredentialManager/AppleCre dentialManager-82.10.1/AppleCredentialManager/AppleCredentialManager.cpp, line: 765

Jun 5 14:31:51 001566.760098 EPSON L300 Series@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 5 14:31:51 001566.760947 EPSON L300 Series@14200000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 5 15:57:46 PM notification timeout (pid 301, PeerManager)

--- last message repeated 1 time ---

Jun 6 09:43:14 022229.662834 Apple Internal Keyboard / Trackpad@1d183000: AppleUSBDevice::waitForInterfacesGated: timeout waiting for _interfacesMatched

Jun 6 09:50:35 AssertMacros: tmpData (value: 0x0), file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/AppleCredentialManager/AppleCre dentialManager-82.10.1/AppleCredentialManager/AppleCredentialManager.cpp, line: 765



Total CPU usage: user 10%, system 5%



CPU usage by process "Google Chrome He" with UID 501: 19.6%



Loaded extrinsic kernel extensions



com.rim.driver.BlackBerryUSBDriverInt (2.2.16) no UUID

com.rim.driver.BlackBerryVirtualPrivateNetwork (1.0.18) UUID



Extrinsic daemons



com.rim.tunmgr

com.rim.BBDaemon

com.BlueStacks.AppPlayer.bstservice_helper

com.sculch.plist

com.precaptivity.plist

com.profederation.plist

/Library/uenthinge/uenthinge.app/Contents/MacOS/uenthinge

com.microsoft.office.licensing.helper

com.oracle.java.Helper-Tool

com.irrepair.plist

com.adobe.SwitchBoard

com.rebuild.plist

com.unpinked.plist

com.adobe.fpsaud

com.counselorship.plist

com.malwarebytes.MBAMHelperTool

org.macosforge.xquartz.privileged_startx

com.ametria.plist



Extrinsic agents



com.rim.blackberrylink.BlackBerry-Link-Helper-Agent

com.rim.BBLaunchAgent

com.BlueStacks.AppPlayer.Service

org.macosforge.xquartz.startx

com.rim.RimAlbumArtDaemon

au.id.haroldchu.mac.BandwidthLauncher

com.oracle.java.Java-Updater

com.BlueStacks.AppPlayer.UninstallWatcher

com.rim.PeerManager

com.paragon.updater

com.BlueStacks.AppPlayer.Updater



launchd items



/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Startup-1.0)

/Library/LaunchAgents/com.oracle.java.Java-Updater.plist

(com.oracle.java.Java-Updater)

/Library/LaunchAgents/com.paragon.updater.plist

(com.paragon.updater)

/Library/LaunchAgents/com.rim.BBAlbumArtCacher.plist

(com.rim.RimAlbumArtDaemon)

/Library/LaunchAgents/com.rim.BBLaunchAgent.plist

(com.rim.BBLaunchAgent)

/Library/LaunchAgents/com.rim.blackberrylink.BlackBerry-Link-Helper-Agent.plist

(com.rim.blackberrylink.BlackBerry-Link-Helper-Agent)

/Library/LaunchAgents/com.rim.PeerManager.plist

(com.rim.PeerManager)

/Library/LaunchAgents/org.macosforge.xquartz.startx.plist

(org.macosforge.xquartz.startx)

/Library/LaunchDaemons/com.acclivity.fileconnect.plist

(com.acclivity.fileconnect)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.adobe.SwitchBoard.plist

(com.adobe.SwitchBoard)

/Library/LaunchDaemons/com.apple.aelwriter.plist

(com.apple.aelwriter)

/Library/LaunchDaemons/com.BlueStacks.AppPlayer.bstservice_helper.plist

(com.BlueStacks.AppPlayer.bstservice_helper)

/Library/LaunchDaemons/com.malwarebytes.MBAMHelperTool.plist

(com.malwarebytes.MBAMHelperTool)

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

(com.microsoft.office.licensing.helper)

/Library/LaunchDaemons/com.oracle.java.Helper-Tool.plist

(com.oracle.java.Helper-Tool)

/Library/LaunchDaemons/com.rim.BBDaemon.plist

(com.rim.BBDaemon)

/Library/LaunchDaemons/com.rim.nkehelper.plist

(com.rim.nkehelper)

/Library/LaunchDaemons/com.rim.tunmgr.plist

(com.rim.tunmgr)

/Library/LaunchDaemons/org.macosforge.xquartz.privileged_startx.plist

(org.macosforge.xquartz.privileged_startx)

Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Scheduler-1.0)

Library/LaunchAgents/com.BlueStacks.AppPlayer.Service.plist

(com.BlueStacks.AppPlayer.Service)

Library/LaunchAgents/com.BlueStacks.AppPlayer.UninstallWatcher.plist

(com.BlueStacks.AppPlayer.UninstallWatcher)

Library/LaunchAgents/com.BlueStacks.AppPlayer.Updater.plist

(com.BlueStacks.AppPlayer.Updater)



Extrinsic loadable bundles



/System/Library/Extensions/BJUSBLoad.kext

(jp.co.canon.bj.print.BJUSBLoad)

/System/Library/Extensions/EPSONUSBPrintClass.kext

(com.epson.print.kext.USBPrintClass)

/System/Library/Extensions/hp_fax_io.kext

(com.hp.kext.hp-fax-io)

/System/Library/Extensions/hp_Inkjet9_io_enabler.kext

(com.hp.print.hpio.Inkjet9.kext)

/System/Library/Extensions/JMicronATA.kext

(com.jmicron.JMicronATA)

/System/Library/Extensions/RIMBBUSB.kext

(com.rim.driver.BlackBerryUSBDriverInt)

/System/Library/Extensions/RIMBBVSP.kext

(com.rim.driver.BlackBerryUSBDriverVSP)

/Library/Extensions/BJUSBLoad.kext

(jp.co.canon.bj.print.BJUSBLoad)

/Library/Extensions/BlackBerryUSBCDCNCM.kext

(com.BlackBerry.driver.USBCDCNCM)

/Library/Extensions/BlackBerryVirtualPrivateNetwork.kext

(com.rim.driver.BlackBerryVirtualPrivateNetwork)

/Library/Extensions/CIJUSBLoad.kext

(jp.co.canon.ij.print.CIJUSBLoad)

/Library/Extensions/EPSONUSBPrintClass.kext

(com.epson.print.kext.USBPrintClass)

/Library/Extensions/hp_io_enabler_compound.kext

(com.hp.kext.io.enabler.compound)

/Library/Extensions/RIMBBUSB.kext

(com.rim.driver.BlackBerryUSBDriverInt)

/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin

(com.oracle.java.JavaAppletPlugin)

/Library/Internet Plug-Ins/MeetingJoinPlugin.plugin

(com.microsoft.communicator.meetingjoinplugin)

/Library/Internet Plug-Ins/PMCADownloader.plugin

(com.sony.PMCADownloader)

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

(com.microsoft.sharepoint.browserplugin)

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

(com.microsoft.sharepoint.webkitplugin)

/Library/Internet Plug-Ins/Unity Web Player.plugin

(com.unity.UnityWebPlayer)

/Library/PreferencePanes/AccountEdge.prefPane

(com.acclivity.fileconnect.preferences)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

/Library/PreferencePanes/JavaControlPanel.prefPane

(com.oracle.java.JavaControlPanel)

/Library/ScriptingAdditions/Adobe Unit Types.osax

(No bundle ID)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)

Library/Audio/Plug-Ins/Components/A52Codec.component

(com.shepmater.A52Codec)

Library/Internet Plug-Ins/Google Earth Web Plug-in.plugin

(com.Google.GoogleEarthPlugin.plugin)

Library/Internet Plug-Ins/WebEx64.plugin

(com.cisco_webex.plugin.gpc64)

Library/PreferencePanes/Perian.prefPane

(org.perian.PerianPane)

Library/QuickTime/AC3MovieImport.component

(com.cod3r.ac3movieimport)

Library/QuickTime/Perian.component

(org.perian.Perian)



DNS (from DHCP): 61.247.0.133



User login items



uHD-Agent

iTunesHelper

Dropbox

SpeechSynthesisServer

Android File Transfer Agent



Safari extensions



Dashlane

com



Restricted user files: 1180



Bad plists



Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Common/Colors.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Science/Circuit Engineering.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/ERD.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/FlowChart.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/Garrett IA.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/Konigi Wireframes.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/UML-General.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/UML-Sequence.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/UML-State.gstencil/data.plist

Library/Containers/com.omnigroup.OmniGraffle6/Data/Library/Application Support/The Omni Group/OmniGraffle/Stencils/Software/UML-UseCase.gstencil/data.plist

Library/Preferences/com.apple.WebFoundation.plist



Keychains file count: 10



Elapsed time (s): 403

MacBook Pro (13-inch Mid 2012), OS X El Capitan (10.11.5)

Posted on Jun 5, 2016 8:47 PM

Reply
3 replies
User profile for user: Linc Davis
Linc Davis
User level: Level 10
209,739 points

Jun 6, 2016 5:49 AM in response to errza

You installed one or more variants of the "VSearch" trojan. Please inactivate them as follows. This procedure will leave a few small files behind, but they have no effect, and trying to remove them all would be a lot more trouble than it's worth.

This malware has many variants. Anyone else finding this comment should not expect it to be applicable.

Back up all data before proceeding.

Step 1

The VSearch variant that you have regenerates itself if you try to delete it while it's running. To remove it, you must first start up in safe mode to disable the malware temporarily.

Note: If FileVault is enabled in OS X 10.9 or earlier, or if a firmware password is set, or if the startup volume is a software RAID, you can’t do this. Ask for other instructions.

Step 2

While running in safe mode, load this web page and then triple-click anywhere in the line below to select it:

/Library/LaunchDaemons

In the Finder, select

Go Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return.

A folder named "LaunchDaemons" will open. Press the key combination command-2 to select list view, if it's not already selected.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. Please don't skip this step. Files that belong to an instance of VSearch will have the same modification time to within a few minutes, so they will be clustered together when you sort the folder this way, making them easy to identify.

Step 3

Inside the LaunchDaemons folder, there may be one or more files with a name of this form:

com.apple.something.plist

where something is a random, meaningless string of letters, different in every case.

Note that the name consists of four words separated by periods. Typical examples:

com.apple.builins.plist

com.apple.cereng.plist

com.apple.nysgar.plist

There may also be one or more items with a name of this form:

com.something.plist

Again, something is a random, meaningless string—not necessarily the same one that appears in any of the other file names.

These names consist of three words separated by periods. Typical examples:

com.semifasciaUpd.plist

com.ubuiling.plist

Drag all such items to the Trash. You may be prompted for your administrator login password.

Restart the computer and empty the Trash.

If you're not sure whether a file is part of the malware, order the folder contents by modification date, not by name. The malware files will be clustered together. There could be more than one such cluster. A file dated far in the past is not part of the malware. A file dated right in the middle of an obviously malicious cluster is almost certainly also malicious.

If the files come back after you have deleted them, or if they're replaced by others with similar names, then either you didn't start up in safe mode or you didn't get all of them. Go back to Step 1 and try again.

Step 4

Reset the home page in each of your web browsers, if it was changed. In Safari, first load the home page you want, then select

Safari Preferences... General

and click

Set to Current Page

If you use the Firefox and/or Chrome web browser, remove any extensions or add-ons that you don't know you need. If in doubt, remove all of them.

Step 5

The malware enables web proxy discovery in the network settings. If you know that the setting was already enabled for a good reason, skip this step. Otherwise you should revert the change.

Open the Network pane in System Preferences. If there is a closed padlock icon in the lower left corner of the window, click it and authenticate to unlock the settings. Click the Advanced button, then select Proxies in the sheet that drops down. Uncheck the box marked Auto Proxy Discovery if it's checked. Click OK, then Apply.

Step 6

This step is optional. Open the Users & Groups pane in System Preferences and click the lock icon to unlock the settings. In the list of users, there may be one or more with random names that were added by the malware. You can delete those users. If you're not sure whether a user is legitimate, don't delete it.

Reply

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Remove adware

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up