Possible adware found on my MacBook air! Please help!

I have recently had pop-up ads on my Mac and have used EtreCheck to remove the adware, and the pop-ups stopped for a little bit. The next day the pop-ups happened again, so I ran the test and there were 6 possible adware files found. I went to remove them and got this message: "You are deleting an unknown file. Are you sure this is a malicious file? Using EtreCheck to delete legitimate files could damage your system."


These are the possible adware files found:

Possible adware: ⓘ

Unknown file: /Library/LaunchAgents/com.pokeberry-airy.plist

Unknown file: /Library/LaunchDaemons/com.CNSKxCQG.plist

Unknown file: /Library/LaunchDaemons/com.apple.nalen.plist

Unknown file: /Library/LaunchDaemons/com.apple.rilchin.plist

Unknown file: /Library/LaunchDaemons/com.xucoqhphiygs.plist

Unknown file: ~/Library/LaunchAgents/com.oristic.plist

/Library/oristic/oristic

6 possible adware files found. [Remove/Report]

Do I delete these files to stop the issue, or what?

MacBook Air, Other OS

Posted on Jun 14, 2017 12:26 AM


Jun 15, 2017 1:08 AM in response to Nayr101

That's certainly the worst infection I've run across, but once all those identified have been dealt with, you still need to deal with how these occurred, why some of them keep coming back, whether the installers are still present on your computer, and how to avoid such things going forward.


My previous suggestion still stands to scan your computer with MalwareBytes or ClamXav, especially your download folder, for the original source of these.


Many such malware infections originate from download sites. Always try to get any third-party software from the App Store or the developer's site and avoid going to distribution sites such as Softonics, Download[dot]com and even MacUpdate if you aren't signed in as a member. BitTorrent sites are all malware sources. Never respond to a web site that offers to update Flash Player for you. If you absolutely must have Flash Player installed, then only get it via System Preference->Flash Player or the get.adobe.com/flashplayer site; otherwise uninstall and do without it, since it is often compromised and in need of patches (like the one you got yesterday).

Jun 14, 2017 3:09 PM in response to etresoft

This is the current EtreCheck report:


EtreCheck version: 3.4 (420)

Report generated 2017-06-15 07:14:05

Download EtreCheck from https://etrecheck.com

Runtime: 6:02

Performance: Below Average


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Remove/Report] links to remove adware or update the whitelist of legitimate software.


Problem: No problem - just checking


Hardware Information: ⓘ

11" MacBook Air (Mid 2013)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir6,1

1 1.4 GHz Intel Core i5 (i5-4260U) CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 459


Video Information: ⓘ

Intel HD Graphics 5000 - VRAM: 1536 MB

Color LCD 1366 x 768


Disk Information: ⓘ

APPLE SSD TS0256F disk0: (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

(disk0s1) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 250.14 GB

(disk0s3) <not mounted> [Recovery]: 650 MB


USB Information: ⓘ

USB30Bus

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: ⓘ

Apple Inc. thunderbolt_bus


Virtual disks: ⓘ

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 249.81 GB (76.72 GB free)

Encrypted AES-XTS Unlocked

Physical disk: disk0s2 250.14 GB Online


System Software: ⓘ

macOS Sierra 10.12 (16A323) - Time since boot: about 17 days


Gatekeeper: ⓘ

Mac App Store and identified developers


Possible adware: ⓘ

Unknown file: /Library/LaunchAgents/com.pokeberry-airy.plist

Unknown file: /Library/LaunchDaemons/com.CNSKxCQG.plist

Unknown file: /Library/LaunchDaemons/com.apple.nalen.plist

Unknown file: /Library/LaunchDaemons/com.apple.rilchin.plist

Unknown file: /Library/LaunchDaemons/com.xucoqhphiygs.plist

Unknown file: ~/Library/LaunchAgents/com.oristic.plist

/Library/oristic/oristic

6 possible adware files found. [Remove/Report]


System Launch Agents: ⓘ

[not loaded] 7 Apple tasks

[loaded] 155 Apple tasks

[running] 82 Apple tasks

[killed] 27 Apple tasks

27 processes killed due to insufficient RAM


System Launch Daemons: ⓘ

[not loaded] 42 Apple tasks

[loaded] 155 Apple tasks

[running] 94 Apple tasks

[killed] 12 Apple tasks

12 processes killed due to insufficient RAM


Launch Agents: ⓘ

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-03-29) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? 4adb4daf f01a04da - installed 2015-02-11) [Lookup]

[not loaded] com.pokeberry-airy.plist (? 0 ? - installed 2017-05-26) [Lookup]


Launch Daemons: ⓘ

[not loaded] com.CNSKxCQG.plist (? 0 ? - installed 2017-05-26) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 225fb24b - installed 2017-06-10) [Lookup]

[not loaded] com.apple.nalen.plist (? 0 ? - installed 2016-11-24)

[not loaded] com.apple.rilchin.plist (? 0 ? - installed 2016-05-26)

[loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2017-04-18) [Lookup]

[loaded] com.microsoft.autoupdate.helpertool.plist (Microsoft Corporation - installed 2016-05-16) [Lookup]

[loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e d17a0150 - installed 2015-01-16) [Lookup]

[loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-04-11) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2015-02-11) [Lookup]

[not loaded] com.xucoqhphiygs.plist (? 0 ? - installed 2016-11-24) [Lookup]


User Launch Agents: ⓘ

[loaded] com.adobe.ARM.[...].plist (? 560d19c8 6f08ab03 - installed 2017-04-13) [Lookup]

[running] com.oristic.plist (? fac8c593 cecdcb33 - installed 2017-06-12) [Lookup]

[running] com.spotify.webhelper.plist (Spotify - installed 2017-06-14) [Lookup]

[loaded] com.valvesoftware.steamclean.plist (? 821d71e2 c0939638 - installed 2016-07-07) [Lookup]


User Login Items: ⓘ

MacClient Application

(/Applications/UniFLOW/MacClient.app)

AdobeResourceSynchronizer Application - Hidden

(/Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app)

SpeechSynthesisServer Application

(/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app)

Google Chrome Application - Hidden

(/Applications/Google Chrome.app)


Internet Plug-ins: ⓘ

FlashPlayer-10.6: 26.0.0.126 (installed 2017-06-13) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2016-09-14)

AdobePDFViewerNPAPI: 11.0.19 (installed 2017-02-16) [Lookup]

AdobePDFViewer: 11.0.19 (installed 2017-02-16) [Lookup]

Flash Player: 26.0.0.126 (installed 2017-06-13) Cannot contact Adobe

SharePointBrowserPlugin: 14.4.8 (installed 2015-03-25) [Lookup]

Google Earth Web Plug-in: 7.1 (installed 2015-08-31) [Lookup]

Unity Web Player: UnityPlayer version 5.1.2f1 (installed 2015-10-20) [Lookup]

JavaAppletPlugin: Java 8 Update 31 (installed 2017-06-08) Check version


User internet Plug-ins: ⓘ

NPRoblox: 1, 2, 8, 25 (installed 2017-04-07) [Lookup]


Safari Extensions: ⓘ

[not loaded] Grammarly for Safari - Grammarly - https://www.grammarly.com (installed 2016-09-19)


3rd Party Preference Panes: ⓘ

Flash Player (installed 2017-06-10) [Lookup]

Java (installed 2015-02-11) [Lookup]

MacClientConfig (installed 2014-10-15) [Lookup]


Time Machine: ⓘ

Time Machine not configured!


Top Processes by CPU: ⓘ

17% WindowServer

14% launchservicesd

12% launchd

10% UserEventAgent

8% osascript


Top Processes by Memory: ⓘ

1.51 GB kernel_task

130 MB com.apple.WebKit.WebContent

98 MB Safari

78 MB com.apple.WebKit.WebContent

68 MB Finder


Top Processes by Network Use: ⓘ

Input Output Process name

251 MB 20 MB mDNSResponder

42 MB 140 KB netbiosd

77 KB 3 KB storeaccountd

9 KB 13 KB storeassetd

0 B 16 KB SystemUIServer


Top Processes by Energy Use: ⓘ

24.54 WindowServer

10.74 launchservicesd

4.66 launchd

3.82 UserEventAgent


Virtual Memory Information: ⓘ

589 MB Available RAM

42 MB Free RAM

3.42 GB Used RAM

548 MB Cached files

704 MB Swap Used


Software installs: ⓘ

Kaspersky Virus Scanner: 15.0.2 (installed 2017-05-25)

VPN Unlimited: 4.13 (installed 2017-06-05)

Adobe Flash Player: (installed 2017-06-13)


Install information may not be complete.


Diagnostics Information: ⓘ

2017-06-13 10:12:20 Firefox.app Crash [Open]

2017-06-12 17:39:06 Microsoft Word.app Hang [Open]


Files deleted by EtreCheck: ⓘ

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.hortatory.service.plist - Unknown

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.methanometer.service.plist - Unknown

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.predictability.service.plist - Unknown

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.toplessUpd.plist - Unknown

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.unprejudged.service.plist - Unknown

2017-06-13 18:34:35 - /Library/LaunchDaemons/com.wondering.plist - Unknown



And this is the first report:


Hardware Information: ⓘ

MacBook Air (11-inch, Early 2014)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Air - model: MacBookAir6,1

1 1.4 GHz Intel Core i5 (i5-4260U) CPU: 2-core

4 GB RAM Not upgradeable

BANK 0/DIMM0

2 GB DDR3 1600 MHz ok

BANK 1/DIMM0

2 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 457

iCloud Quota: 1.27 GB available


Video Information: ⓘ

Intel HD Graphics 5000 - VRAM: 1536 MB

Color LCD 1366 x 768


Disk Information: ⓘ

APPLE SSD TS0256F disk0: (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

(disk0s1) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 250.14 GB

(disk0s3) <not mounted> [Recovery]: 650 MB


USB Information: ⓘ

USB30Bus

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller


Thunderbolt Information: ⓘ

Apple Inc. thunderbolt_bus


Virtual disks: ⓘ

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 249.81 GB (76.46 GB free)

Encrypted AES-XTS Unlocked

Physical disk: disk0s2 250.14 GB Online


System Software: ⓘ

macOS Sierra 10.12 (16A323) - Time since boot: about 16 days


Gatekeeper: ⓘ

Mac App Store and identified developers


Possible adware: ⓘ

Unknown file: /Library/LaunchAgents/com.pokeberry-airy.plist

Unknown file: /Library/LaunchDaemons/com.CNSKxCQG.plist

Unknown file: /Library/LaunchDaemons/com.apple.nalen.plist

Unknown file: /Library/LaunchDaemons/com.apple.rilchin.plist

Adware: /Library/LaunchDaemons/com.hortatory.service.plist

Adware: /Library/LaunchDaemons/com.methanometer.service.plist

Adware: /Library/LaunchDaemons/com.predictability.service.plist

Adware: /Library/LaunchDaemons/com.toplessUpd.plist

Adware: /Library/LaunchDaemons/com.unprejudged.service.plist

Adware: /Library/LaunchDaemons/com.wondering.plist

Unknown file: /Library/LaunchDaemons/com.xucoqhphiygs.plist

Unknown file: ~/Library/LaunchAgents/com.oristic.plist

/Library/oristic/oristic

12 possible adware files found. [Remove/Report]


Clean up: ⓘ

/Library/LaunchDaemons/com.wondering.plist

/etc/wondering.sh

Executable not found!

One orphan file found. [Clean up]


System Launch Agents: ⓘ

[not loaded] 7 Apple tasks

[loaded] 154 Apple tasks

[running] 78 Apple tasks

[killed] 32 Apple tasks

32 processes killed due to insufficient RAM


System Launch Daemons: ⓘ

[not loaded] 42 Apple tasks

[loaded] 155 Apple tasks

[running] 89 Apple tasks

[killed] 17 Apple tasks

17 processes killed due to insufficient RAM


Launch Agents: ⓘ

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-03-29) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? 4adb4daf f01a04da - installed 2015-02-11) [Lookup]

[not loaded] com.pokeberry-airy.plist (? 0 ? - installed 2017-05-26) [Lookup]


Launch Daemons: ⓘ

[not loaded] com.CNSKxCQG.plist (? 0 ? - installed 2017-05-26) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 225fb24b - installed 2017-06-10) [Lookup]

[not loaded] com.apple.nalen.plist (? 0 ? - installed 2016-11-24)

[not loaded] com.apple.rilchin.plist (? 0 ? - installed 2016-05-26)

[loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2017-04-18) [Lookup]

[running] com.hortatory.service.plist (Shell Script 10a0ea5e - installed 2016-11-05) Adware! [Remove/Report]

/etc/run_app.sh

[running] com.methanometer.service.plist (? 10a0ea5e 6e7829fd - installed 2016-11-05) Adware! [Remove/Report]

/etc/run_app.sh

[loaded] com.microsoft.autoupdate.helpertool.plist (Microsoft Corporation - installed 2016-05-16) [Lookup]

[loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e d17a0150 - installed 2015-01-16) [Lookup]

[loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-04-11) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2015-02-11) [Lookup]

[running] com.predictability.service.plist (? 10a0ea5e 6e7829fd - installed 2016-11-05) Adware! [Remove/Report]

/etc/run_app.sh

[loaded] com.toplessUpd.plist (Shell Script 4c1fd736 - installed 2015-10-23) Adware! [Remove/Report]

/etc/run_upd.sh

[running] com.unprejudged.service.plist (? 10a0ea5e 6e7829fd - installed 2016-11-05) Adware! [Remove/Report]

/etc/run_app.sh

[not loaded] com.wondering.plist (? 384f6a77 0 - installed 2016-06-05) Adware! [Remove/Report]

[not loaded] com.xucoqhphiygs.plist (? 0 ? - installed 2016-11-24) [Lookup]


User Launch Agents: ⓘ

[loaded] com.adobe.ARM.[...].plist (? 560d19c8 6f08ab03 - installed 2017-04-13) [Lookup]

[running] com.oristic.plist (? fac8c593 cecdcb33 - installed 2017-06-12) [Lookup]

[running] com.spotify.webhelper.plist (Spotify - installed 2017-06-09) [Lookup]

[loaded] com.valvesoftware.steamclean.plist (? 821d71e2 c0939638 - installed 2016-07-07) [Lookup]


User Login Items: ⓘ

MacClient Application

(/Applications/UniFLOW/MacClient.app)

AdobeResourceSynchronizer Application - Hidden

(/Applications/Adobe Reader.app/Contents/Support/AdobeResourceSynchronizer.app)

SpeechSynthesisServer Application

(/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/SpeechSynthesis.framework/Versions/A/SpeechSynthesisServer.app)

Google Chrome Application - Hidden

(/Applications/Google Chrome.app)


Internet Plug-ins: ⓘ

FlashPlayer-10.6: 26.0.0.126 (installed 2017-06-13) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2016-09-14)

AdobePDFViewerNPAPI: 11.0.19 (installed 2017-02-16) [Lookup]

AdobePDFViewer: 11.0.19 (installed 2017-02-16) [Lookup]

Flash Player: 26.0.0.126 (installed 2017-06-13) [Lookup]

SharePointBrowserPlugin: 14.4.8 (installed 2015-03-25) [Lookup]

Google Earth Web Plug-in: 7.1 (installed 2015-08-31) [Lookup]

Unity Web Player: UnityPlayer version 5.1.2f1 (installed 2015-10-20) [Lookup]

JavaAppletPlugin: Java 8 Update 31 (installed 2017-06-08) Check version


User internet Plug-ins: ⓘ

NPRoblox: 1, 2, 8, 25 (installed 2017-04-07) [Lookup]


Safari Extensions: ⓘ

[not loaded] Grammarly for Safari - Grammarly - https://www.grammarly.com (installed 2016-09-19)


3rd Party Preference Panes: ⓘ

Flash Player (installed 2017-06-10) [Lookup]

Java (installed 2015-02-11) [Lookup]

MacClientConfig (installed 2014-10-15) [Lookup]


Time Machine: ⓘ

Time Machine not configured!


Top Processes by CPU: ⓘ

61% secd

13% WindowServer

9% com.apple.WebKit.WebContent

8% mds

8% Safari


Top Processes by Memory: ⓘ

1.44 GB kernel_task

133 MB Microsoft Word

98 MB com.apple.WebKit.WebContent

77 MB com.apple.WebKit.WebContent

69 MB Safari


Top Processes by Network Use: ⓘ

Input Output Process name

227 MB 18 MB mDNSResponder

36 MB 125 KB netbiosd

9 KB 24 KB apsd

27 KB 5 KB com.apple.WebKit.Networking

0 B 14 KB SystemUIServer


Top Processes by Energy Use: ⓘ

55.00 secd

27.80 launchd

25.80 UserEventAgent

10.44 opendirectoryd

6.24 notifyd


Virtual Memory Information: ⓘ

433 MB Available RAM

49 MB Free RAM

3.58 GB Used RAM

384 MB Cached files

480 MB Swap Used


Software installs: ⓘ

Kaspersky Virus Scanner: 15.0.2 (installed 2017-05-25)

VPN Unlimited: 4.13 (installed 2017-06-05)

Adobe Flash Player: (installed 2017-06-13)


Install information may not be complete.


Diagnostics Information: ⓘ

2017-06-13 10:12:20 Firefox.app Crash [Open]

2017-06-12 17:39:06 Microsoft Word.app Hang [Open]

When the first check was done, I clicked the remove button on the report and that sent them to my trash bin and I emptied that. There were still those "possible adware" in the report when I did the scan again (there wasn't any confirmed adware in the list). The pop-ups weren't popping up later that night so I thought that I got rid of the problem, but the next day the pop-ups started popping up again, so hopefully if I delete these "possible adware" files I can get rid of the problem altogether.

Jun 14, 2017 4:00 AM in response to Nayr101

Hello Nayr101,

Unfortunately there is a lot of legitimate software that makes no effort to distinguish itself from adware. They don't care or don't realize that adware makes use of this confusion to masquerade as legitimate software. The goal of that dialog is to encourage you to post your question here so we can help.


All those files are adware and should be removed.


However, I am curious about what happened when you said the pop ups stopped after using EtreCheck and then returned. Did you install more adware? Or did you not remove all of the adware the first time?


It would really be helpful if you posted your full EtreCheck report. Ideally, post both the current report and the first one you ran. You can access previous reports under EtreCheck's File > Open Recent menu. Old reports will open in TextEdit but you can select all and copy the entire report from there. Thanks!
