Do I have Malware?

Sophos is telling me I need to remove this file manually, which is protected. After a reboot I now have two of these txt files detected.


/.Spotlight-V100/Store-V2/442310BF-DE1C-46A8-A5E7-E7B860C7460C/Cache/0000/0000/01b8/28848371.txt


Can anyone help to confirm if this could be malware?


Thanks

MacBook Pro (Retina, 13-inch, Mid 2014), macOS Sierra (10.12.6)

Posted on Sep 10, 2017 3:45 AM

Question marked as Top-ranking reply

Posted on Sep 11, 2017 5:08 AM

cobra6184 wrote:


Sophos is telling me I need to remove this file manually, which is protected. After a reboot I now have two of these txt files detected.


/.Spotlight-V100/Store-V2/442310BF-DE1C-46A8-A5E7-E7B860C7460C/Cache/0000/0000/01b8/28848371.txt


That is a plain text file, which cannot be malware. Further, it's in the /.Spotlight-V100/ folder on your hard drive, which is where the Spotlight search mechanism on your Mac stores all its data. That folder should not be messed with.


I'd report this as a false positive to Sophos.


Sep 10, 2017 4:46 AM in response to seventy one

Hi, see report below:


EtreCheck version: 3.4.4 (448)

Report generated 2017-09-10 12:39:01

Download EtreCheck from https://etrecheck.com

Runtime: 3:40

Performance: Good


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Remove/Report] links to remove adware or update the whitelist of legitimate software.

Click the [Clean up] link to delete unused files.


Problem: Other problem

Description:

Malware in V100


Hardware Information:

MacBook Pro (Retina, 13-inch, Mid 2014)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro11,1

1 2.6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Handoff/Airdrop2: supported

Wireless: en0: 802.11 a/b/g/n/ac

Battery: Health = Normal - Cycle count = 363

iCloud Quota: 81.65 GB available


Video Information:

Intel Iris - VRAM: 1536 MB

Color LCD 2560 x 1600


Disk Information:

APPLE SSD SM0256F disk0: (251 GB) (Solid State - TRIM: Yes)

EFI (disk0s1 - MS-DOS FAT32) <not mounted>
[EFI]: 210 MB

(disk0s2) <not mounted>
[CoreStorage Container]: 250.14 GB

Recovery HD (disk0s3 - Journaled HFS+) <not mounted>
[Recovery]: 650 MB


USB Information:

USB30Bus

Apple Inc. Apple Internal Keyboard / Trackpad

MOSART Semi. 2.4G Keyboard Mouse


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Virtual disks:

Macintosh HD (disk1 - Journaled HFS+) /
[Startup]: 249.82 GB (20.66 GB free)

Physical disk: disk0s2 250.14 GB Online

Malwarebytes (disk2s1 - HFS+) /Volumes/Malwarebytes : 25 MB (10 MB free)

Physical disk: Disk Image 25 MB (10 MB free)

Avast Security (disk3s9 - HFS+) /Volumes/Avast Security : 139 MB (107 MB free)

Physical disk: Disk Image 139 MB (107 MB free)


System Software:

macOS Sierra 10.12.6 (16G29) - Time since boot: about one hour


Gatekeeper:

Mac App Store and identified developers


Possible adware:

Unknown file: ~/Library/LaunchAgents/com.cisco.videoguard8.plist

sh -c $HOME/Library/Cisco/VideoGuardPlayer/VideoGuard8/VideoGuard8.bundle/Contents/Resources/setupServer.sh

Unknown file: ~/Library/LaunchAgents/com.cisco.videoguard8.uninstall.plist

sh ~/.cisco/VideoGuard/uninstall/cisco_videoguard8/condUninstall.sh

2 possible adware files found. [Remove/Report]


Clean up:

/Library/LaunchDaemons/org.wireshark.ChmodBPF.plist

/Library/Application Support/Wireshark/ChmodBPF/ChmodBPF

Executable not found!

~/Library/LaunchAgents/com.bittorrent.BitTorrent.plist

/usr/bin/open -n /Applications/BitTorrent.app

Executable not found!

2 orphan files found. [Clean up]


Kernel Extensions:

/Applications/BlueStacks.app

[not loaded] com.bluestacks.kext.Hypervisor (4.3.26) [Lookup]


/Applications/ExpressVPN.app

[not loaded] com.expressvpn.splittunnel (1.0.2 - SDK 10.12) [Lookup]


/Applications/VMware Fusion.app

[not loaded] com.vmware.kext.vmci (8.5.8) [Lookup]

[not loaded] com.vmware.kext.vmioplug.15.2.1 (8.5.8) [Lookup]

[not loaded] com.vmware.kext.vmnet (8.5.8) [Lookup]

[not loaded] com.vmware.kext.vmx86 (8.5.8) [Lookup]


/Applications/zoom.us.app

[not loaded] zoom.us.ZoomAudioDevice (1.1 - SDK 10.8) [Lookup]


/Library/Application Support/VirtualBox

[loaded] org.virtualbox.kext.VBoxDrv (5.1.22) [Lookup]

[loaded] org.virtualbox.kext.VBoxNetAdp (5.1.22) [Lookup]

[loaded] org.virtualbox.kext.VBoxNetFlt (5.1.22) [Lookup]

[loaded] org.virtualbox.kext.VBoxUSB (5.1.22) [Lookup]


/Library/Extensions

[not loaded] com.asix.driver.ax88179-178a (1.9.0 - SDK 10.10) [Lookup]

[loaded] com.malwarebytes.mbam.rtprotection (3.0 - SDK 10.12) [Lookup]

[loaded] com.sophos.kext.oas (9.6.51 - SDK 10.11) [Lookup]

[loaded] com.sophos.nke.swi (9.6.50 - SDK 10.11) [Lookup]


/Library/Extensions/HuaweiDataCardDriver_10_9.kext/Contents/PlugIns

[not loaded] com.MBB.driver.MBBACMData (5.01.01.00 - SDK 10.8) [Lookup]

[not loaded] com.MBB.driver.MBBActivateDriver (5.01.00 - SDK 10.8) [Lookup]

[not loaded] com.MBB.driver.MBBEthernetData (5.01.01.00 - SDK 10.8) [Lookup]


/System/Library/Extensions

[not loaded] com.madcatz.driver.CyborgRAT (1.0.69 - SDK 10.8) [Lookup]

[not loaded] org.dungeon.driver.SATSMARTDriver (0.10 - SDK 10.6) [Lookup]


Startup Items:

HW_CreateNetwork: Path: /Library/StartupItems/HW_CreateNetwork

HWPortDetect_driver: Path: /Library/StartupItems/HWPortDetect_driver

Startup items no longer function in OS X Yosemite or later


System Launch Agents:

[not loaded] 6 Apple tasks

[loaded] 180 Apple tasks

[running] 96 Apple tasks


System Launch Daemons:

[failed] com.apple.watchdogd.plist (Apple, Inc. - installed 2017-07-15)

[not loaded] 42 Apple tasks

[loaded] 171 Apple tasks

[running] 103 Apple tasks


Launch Agents:

[running] com.MadCatz.MadCatzSmartTechnology.plist (Mad Catz, Inc. - installed 2015-11-03) [Lookup]

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2015-02-13) [Lookup]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist (Adobe Systems, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.adobe.AdobeCreativeCloud.plist (Adobe Systems, Inc. - installed 2015-02-13) [Lookup]

[running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2017-09-10) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? 8f8ebc76 72ac4dde - installed 2017-08-04) [Lookup]

[running] com.sophos.uiserver.plist (Sophos - installed 2017-02-24) [Lookup]

[not loaded] com.teamviewer.teamviewer.plist (TeamViewer GmbH - installed 2017-09-10) [Lookup]

[not loaded] com.teamviewer.teamviewer_desktop.plist (TeamViewer GmbH - installed 2017-09-10) [Lookup]

[loaded] org.gpgtools.Libmacgpg.xpc.plist (Lukas Pitschl - installed 2016-06-28) [Lookup]

[loaded] org.gpgtools.gpgmail.enable-bundles.plist (Shell Script d032aea - installed 2015-09-21) [Lookup]

[loaded] org.gpgtools.gpgmail.patch-uuid-user.plist (? 84ce07f2 410547e5 - installed 2015-09-21) [Lookup]

[loaded] org.gpgtools.macgpg2.fix.plist (Shell Script d7ac5146 - installed 2016-06-28) [Lookup]

[running] org.gpgtools.macgpg2.shutdown-gpg-agent.plist (Shell Script df7bd0cf - installed 2016-06-28) [Lookup]

[loaded] org.gpgtools.updater.plist (Lukas Pitschl - installed 2016-07-04) [Lookup]

[loaded] org.macosforge.xquartz.startx.plist (Apple Inc. - XQuartz - installed 2015-10-16) [Lookup]


Launch Daemons:

[loaded] com.BlueStacks.AppPlayer.bstservice_helper.plist (BlueStack Systems, Inc. - installed 2015-08-16) [Lookup]

[loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 e92009a9 - installed 2017-07-25) [Lookup]

[running] com.easeus.dataprotectbackup.plist (? ? ? - installed 2017-09-10) [Lookup]

[running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2017-09-10) [Lookup]

[running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2017-09-10) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-07-22) [Lookup]

[running] com.sophos.common.servicemanager.plist (Sophos - installed 2017-02-24) [Lookup]

[loaded] com.teamviewer.Helper.plist (TeamViewer GmbH - installed 2017-07-27) [Lookup]

[not loaded] com.teamviewer.teamviewer_service.plist (TeamViewer GmbH - installed 2017-09-10) [Lookup]

[running] com.tenablesecurity.nessusd.plist (Tenable Network Security, Inc. - installed 2015-05-04) [Lookup]

[loaded] org.gpgtools.gpgmail.patch-uuid.plist (? 42fc83f8 410547e5 - installed 2015-09-21) [Lookup]

[loaded] org.macosforge.xquartz.privileged_startx.plist (Apple Inc. - XQuartz - installed 2015-10-16) [Lookup]

[not loaded] org.virtualbox.startup.plist (Shell Script 700b9385 - installed 2017-07-11) [Lookup]

[loaded] org.wireshark.ChmodBPF.plist (? d4207e05 0 - installed 2015-06-05) [Lookup] - /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: Executable not found!


User Launch Agents:

[loaded] com.BlueStacks.AppPlayer.Service.plist (BlueStack Systems, Inc. - installed 2015-08-16) [Lookup]

[loaded] com.BlueStacks.AppPlayer.UninstallWatcher.plist (Shell Script 3fbd4d67 - installed 2017-04-29)

[failed] com.BlueStacks.AppPlayer.Updater.plist (BlueStack Systems, Inc. - installed 2015-08-16) [Lookup]

[loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2015-03-11) [Lookup]

[loaded] com.cisco.videoguard8.plist (Shell Script e4704a32 - installed 2017-08-29)

[loaded] com.cisco.videoguard8.uninstall.plist (Shell Script 421c6031 - installed 2017-08-29)

[running] com.cisco.videoguardmonitor.plist (Shell Script 8744f150 - installed 2017-08-29)

[loaded] com.citrixonline.GoToMeeting.G2MUpdate.plist (Citrix Online LLC - installed 2016-09-05) [Lookup]

[loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2017-08-10) [Lookup]

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2017-05-19) [Lookup]

[running] com.srib.pssddaemon.plist (Samsung Electronics - installed 2017-07-29) [Lookup]

[not loaded] org.virtualbox.vboxwebsrv.plist (Oracle America, Inc. - installed 2017-07-11) [Lookup]


User Login Items:

iTunesHelper Application (Apple, Inc. - installed 2017-07-21)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Knowhow Cloud Application

(/Applications/Knowhow Cloud.app/Contents/Resources/Knowhow Cloud.app)

Dropbox Application

(/Applications/Dropbox.app)

VMware Fusion Start Menu Application

(/Applications/VMware Fusion.app/Contents/Library/VMware Fusion Start Menu.app)

AdobeResourceSynchronizer Application - Hidden

(/Applications/Adobe Acrobat Reader DC.app/Contents/Helpers/AdobeResourceSynchronizer.app)

ExpressVPN Application

(/Applications/ExpressVPN.app)

DRWTray Application (? 0 - installed 2017-09-10)

(/Applications/EaseUS Data Recovery Wizard.app/Contents/MacOS/DRWTray.app)


Internet Plug-ins:

AdobeAAMDetect: AdobeAAMDetect 2.0.0.0 (installed 2015-02-13) [Lookup]

FlashPlayer-10.6: 26.0.0.151 (installed 2017-08-08) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-07-21)

AdobePDFViewerNPAPI: 17.012.20095 (installed 2017-08-13) [Lookup]

AdobePDFViewer: 17.012.20095 (installed 2017-08-13) [Lookup]

Flash Player: 26.0.0.151 (installed 2017-08-08) [Lookup]

SiteAdvisor: 2.0 (installed 2014-12-05) [Lookup]

PepperFlashPlayer: 26.0.0.151 (installed 2017-08-08) [Lookup]

Silverlight: 5.1.50901.0 (installed 2017-02-26) [Lookup]

JavaAppletPlugin: Java 8 Update 144 build 01 (installed 2017-08-04) Check version


User internet Plug-ins:

CitrixOnlineWebDeploymentPlugin: 1.0.105 (installed 2013-04-26) [Lookup]

ZoomUsPlugIn: 4.0.38982.0714 (installed 2017-08-14) [Lookup]


Safari Extensions:

[not loaded] SiteAdvisor - McAfee - http://www.siteadvisor.com (installed 2015-09-29)

[enabled] ExpressVPN - ExpressVPN - https://www.expressvpn.com (installed 2017-09-02)


3rd Party Preference Panes:

Flash Player (installed 2017-07-25) [Lookup]

GPGPreferences (installed 2016-07-04) [Lookup]

Java (installed 2017-08-04) [Lookup]

Nessus.Preferences (installed 2015-05-04) [Lookup]

RAT (installed 2014-03-13) [Lookup]


Time Machine:

Time Machine not configured!


Top Processes by CPU:

9% Google Chrome

8% mdworker

7% Google Chrome Helper

6% WindowServer

6% kernel_task


Top Processes by Memory:

833 MB kernel_task

421 MB Google Chrome Helper

348 MB com.apple.WebKit.WebContent

326 MB firefox

315 MB Google Chrome Helper


Top Processes by Network Use:

Input Output Process name

86 MB 13 MB openvpn

52 KB 59 KB Dropbox

38 KB 17 KB mDNSResponder

11 KB 11 KB SophosScanD

7 KB 6 KB SophosSXLD


Top Processes by Energy Use:

13.94 Google Chrome

11.74 WindowServer

9.00 Google Chrome Helper

4.18 Google Chrome Helper


Virtual Memory Information:

1.82 GB Available RAM

93 MB Free RAM

6.18 GB Used RAM

1.73 GB Cached files

0 B Swap Used


Software installs:

Adobe Acrobat Reader DC (17.012.20095): (installed 2017-08-13)

Microsoft OneNote: 15.37 (installed 2017-08-17)

ExpressVPN: (installed 2017-09-02)

Evernote: 6.12 (installed 2017-09-04)

Media Player: 2.1.0 (installed 2017-09-06)

Malwarebytes for Mac: (installed 2017-09-10)


Install information may not be complete.


Diagnostics Information:

2017-09-10 11:12:49 SophosScanD.app High CPU use [Open] [Details]

2017-09-10 10:03:17 Trend Micro Antivirus.app Crash [Open]

2017-08-14 12:45:31 Kernel Panic [Open] [Details]

3rd Party Kernel Extensions:

org.virtualbox.kext.VBoxNetAdp 5.1.22

com.vmware.kext.vmx86 0582.40.40

org.virtualbox.kext.VBoxNetFlt 5.1.22

com.sophos.kext.oas 9.6.51

com.vmware.kext.vmioplug.15.2.1 15.2.1

org.virtualbox.kext.VBoxUSB 5.1.22

com.vmware.kext.vmnet 0582.40.40

com.vmware.kext.vmci 90.8.1

com.sophos.nke.swi 9.6.50

org.virtualbox.kext.VBoxDrv 5.1.22


Files deleted by EtreCheck:

2017-09-10 11:05:11 - ~/Library/LaunchAgents/com.spigot.ApplicationManager.plist - Unknown
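As an added example (not from the thread and not EtreCheck's own code), a small Python triage helper that applies the two checks this thread turns on: whether a path an AV product flags sits inside the Spotlight index store that thomas_r. describes, and which launchd entries in an EtreCheck-style report deserve a closer look (orphans whose executable is missing, EtreCheck's "Unknown file" items, and items whose signer shows as "?" or "Shell Script"). The sample report lines are copied from the report above; the regular expressions and the flagging rules are assumptions for this example, not EtreCheck's logic.

```python
import re
from typing import List, Tuple

# Spotlight keeps its index under /.Spotlight-V100/Store-V2/<UUID>/ on each
# volume; a path of that shape is index data, not a file a user put there.
SPOTLIGHT_STORE = re.compile(
    r"^(?:/Volumes/[^/]+)?/\.Spotlight-V100/Store-V2/"
    r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}/"
)

# One EtreCheck launchd line: "[state] name.plist (Signer - installed DATE) ..."
# (pattern assumed from the report format shown in this thread)
LAUNCHD_LINE = re.compile(
    r"^\[(?P<state>[^\]]+)\]\s+(?P<name>\S+\.plist)\s+"
    r"\((?P<signer>.*?) - installed (?P<date>\d{4}-\d{2}-\d{2})\)"
)

# Constructed sample: lines taken from the EtreCheck report posted above.
SAMPLE_REPORT = """\
Possible adware:
Unknown file: ~/Library/LaunchAgents/com.cisco.videoguard8.plist
sh -c $HOME/Library/Cisco/VideoGuardPlayer/VideoGuard8/VideoGuard8.bundle/Contents/Resources/setupServer.sh
Launch Daemons:
[running] com.sophos.common.servicemanager.plist (Sophos - installed 2017-02-24) [Lookup]
[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-07-22) [Lookup]
[running] com.easeus.dataprotectbackup.plist (? ? ? - installed 2017-09-10) [Lookup]
[loaded] org.wireshark.ChmodBPF.plist (? d4207e05 0 - installed 2015-06-05) [Lookup] - /Library/Application Support/Wireshark/ChmodBPF/ChmodBPF: Executable not found!
"""


def is_spotlight_index_path(path: str) -> bool:
    """True when a flagged path lies inside a Spotlight index store."""
    return SPOTLIGHT_STORE.match(path) is not None


def triage_etrecheck(report: str) -> List[Tuple[str, str]]:
    """Return (reason, item) pairs for report lines that merit a closer look."""
    findings = []
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Unknown file:"):          # EtreCheck's own adware flag
            findings.append(("unknown launch agent", line.split(":", 1)[1].strip()))
            continue
        m = LAUNCHD_LINE.match(line)
        if not m:
            continue
        name, signer = m.group("name"), m.group("signer")
        if "Executable not found!" in line:            # plist points at a missing binary
            findings.append(("orphaned launchd item", name))
        elif signer.startswith(("?", "Shell Script")):  # no named developer signature
            findings.append(("unsigned or script-backed launchd item", name))
    return findings
```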

Sep 11, 2017 5:58 AM in response to thomas_r.

Thanks for all the replies.


The reason why I think Sophos may be picking up on something is I left the Mac unlocked with someone by accident.


The files then appeared and, although the txt message won't be a virus, it could be being written because a keylogger or USB device was plugged in and the files deleted.


So my theory is Sophos which has been installed for a year has noticed new indexes that were added/removed.


Does this make any sense or am I off course completely?

Sep 11, 2017 7:09 AM in response to cobra6184

cobra6184 wrote:


Thanks for all the replies.


The reason why I think Sophos may be picking up on something is I left the Mac unlocked with someone by accident.


The files then appeared and, although the txt message won't be a virus, it could be being written because a keylogger or USB device was plugged in and the files deleted.


So my theory is Sophos which has been installed for a year has noticed new indexes that were added/removed.


Does this make any sense or am I off course completely?

You are off course completely.
