f-secure

How did f-secure browser protection get in my Safari extensions without my knowledge? I began to notice annoying "update software" notices coming in on the corner of my screen that looked like malware had landed in my system, and when I shut down/re-start my computer and open Safari, I see their program come up for a moment on my browser. I am bothered by something that lands in my system without my knowledge, and yet when I do a search on f-secure, it looks like a reputable company. I went to safari/preferences/extensions and eliminated the program, but it makes me wonder still how it got there. It behaved like malware, so I dumped it. But to read the blogs, f-secure is a good thing. Help me understand this.


Cal

iMac 27" 2011

3.4 GHz Intel Core i7

macOS High Sierra 10.13

iMac, macOS Sierra (10.12.1), 27" Mid 2011 3.4 GHz Intel Core i7

Posted on Oct 12, 2017 10:47 AM


Oct 12, 2017 12:56 PM in response to dominic23

Thanks for the help. In response to your suggestion of doing EtreCheck, a copy of the report follows:

EtreCheck version: 3.4.6 (460)

Report generated 2017-10-12 12:47:38

Download EtreCheck from https://etrecheck.com

Runtime: 3:07

Performance: Good


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Remove/Report] links to remove adware or update the whitelist of legitimate software.

Click the [Clean up] link to delete unused files.


Problem: Other problem

Description:

Suspected malware.


Hardware Information:

iMac (27-inch, Mid 2011)

[Technical Specifications] - [User Guide] - [Warranty & Service]

iMac - model: iMac12,2

1 3.4 GHz Intel Core i7 (i7-2600) CPU: 4-core

16 GB RAM Upgradeable - [Instructions]

BANK 0/DIMM0

4 GB DDR3 1333 MHz ok

BANK 1/DIMM0

4 GB DDR3 1333 MHz ok

BANK 0/DIMM1

4 GB DDR3 1333 MHz ok

BANK 1/DIMM1

4 GB DDR3 1333 MHz ok

Handoff/Airdrop2: not supported

Wireless: en1: 802.11 a/b/g/n

iCloud Quota: 110.65 GB available


Video Information:

AMD Radeon HD 6970M - VRAM: 1 GB

iMac 2560 x 1440


Disk Information:

ST31000528AS disk0: (1 TB) (Rotational)

[Show SMART report]

EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

Macintosh HD (disk0s2 - Journaled HFS+) / [Startup]: 999.35 GB (473.40 GB free)

Recovery HD (disk0s3 - HFS+) <not mounted> [Recovery]: 650 MB


HL-DT-STDVDRW GA32N ()


USB Information:

USB20Bus

Apple Inc. FaceTime HD Camera (Built-in)

hub_device

General USB Flash Disk

USB Flash Disk disk2: (1.01 GB)

USB DISK (disk2s1 - MS-DOS FAT32) /Volumes/USB DISK : 1.01 GB (390 MB free)

USB2.0 Hub

HP Photosmart C5200 series

EPSON EPSON Scanner

Apple Inc. BRCM2046 Hub

Apple Inc. Bluetooth USB Host Controller

USB20Bus

hub_device

Seagate FreeAgent GoFlex

FreeAgent GoFlex disk1: (1 TB)

EFI (disk1s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

FreeAgent GoFlex Drive (disk1s2 - Case-sensitive Journaled HFS+) /Volumes/FreeAgent GoFlex Drive : 999.86 GB (126.27 GB free)

Apple Computer, Inc. IR Receiver

Apple Internal Memory Card Reader


Thunderbolt Information:

Apple Inc. thunderbolt_bus


System Software:

macOS High Sierra 10.13 (17A405) - Time since boot: about 2 hours


Configuration files:

/etc/hosts - Corrupt!


Gatekeeper:

Mac App Store and identified developers


Possible adware:

Adware: /Library/LaunchDaemons/com.iobit.AMCDaemon.plist

One possible adware file found. [Remove/Report]


Clean up:

com.adobe.ARM.[...].plist

/Applications/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper semi-auto

Executable not found!

One orphan file found. [Clean up]


Kernel Extensions:

/System/Library/Extensions

[loaded] com.f-secure.kext.fsauth (0.5.0) [Lookup]

[not loaded] com.sony.driver.dsccamFirmwareUpdaterType00 (1.1.0.10240 - SDK 10.6) [Lookup]


System Launch Agents:

[not loaded] 9 Apple tasks

[loaded] 166 Apple tasks

[running] 113 Apple tasks


System Launch Daemons:

[not loaded] 35 Apple tasks

[loaded] 183 Apple tasks

[running] 112 Apple tasks


Launch Agents:

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2013-10-29) [Lookup]

[failed] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a2 3d420d.plist (Adobe Systems, Inc. - installed 2017-01-13) [Lookup]

[loaded] com.f-secure.relauncher.plist (Shell Script bd439549 - installed 2015-03-02) [Lookup]

[loaded] com.f-secure.trasher.plist (? db9f591e afc98041 - installed 2015-03-02) [Lookup]

[loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-07-10) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? dcf773c2 72ac4dde - installed 2017-08-31) [Lookup]

[running] com.robohippo.HippoConnectAgent.plist (RoboHippo LLC - installed 2015-06-10) [Lookup]

[running] com.sony.SonyAutoLauncher.agent.plist (? a756a1bd 2d86074a - installed 2013-11-02) [Lookup]


Launch Daemons:

[loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2017-01-13) [Lookup]

[loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2017-01-13) [Lookup]

[loaded] com.adobe.SwitchBoard.plist (? 68cad67 0 - installed 2012-12-28) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 ebe01993 - installed 2017-09-25) [Lookup]

[not loaded] com.apple.installer.cleanupinstaller.plist (? 1963bf56 0 - installed 2017-10-08)

[loaded] com.f-secure.fsavd.dbhelper.plist (? 4eb45576 56ffdb01 - installed 2015-03-02) [Lookup]

[running] com.f-secure.fsavd.plist (? e79c8422 722d540 - installed 2015-03-02) [Lookup]

[loaded] com.f-secure.fsmac.firewall.plist (? 1bf81563 1e7f70cf - installed 2015-03-02) [Lookup]

[loaded] com.f-secure.fsmac.fsupdated_guts2.plist (Shell Script 783d8cd7 - installed 2015-03-02) [Lookup]

[loaded] com.f-secure.fsmac.licensetool.plist (? 38629c09 4c50fa5e - installed 2015-03-02) [Lookup]

[running] com.f-secure.orspclient.plist (Shell Script 4d2e8df8 - installed 2015-03-02) [Lookup]

[loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2017-07-26) [Lookup]

[running] com.iobit.AMCDaemon.plist (? ce7f599b 71907915 - installed 2014-09-08) Adware! [Remove/Report]

/Library/Application Support/AMC/AMCDaemon

[loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2017-04-18) [Lookup]

[loaded] com.microsoft.office.licensing.helper.plist (? 6d8cb30e 8b29c3ef - installed 2012-04-02) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-07-21) [Lookup]

[not loaded] com.robohippo.HippoConnectDaemon.plist (RoboHippo LLC - installed 2015-06-10) [Lookup]


User Launch Agents:

[loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2013-10-29) [Lookup]

[failed] com.adobe.ARM.[...].plist (? 560d19c8 0 - installed 2013-01-15) [Lookup] - /Applications/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper: Executable not found!

[running] com.akamai.single-user-client.plist (? 120f4368 f4f704a9 - installed 2017-09-26) [Lookup]

[loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2017-09-11) [Lookup]

[loaded] com.skype.skype.shareagent.plist (Skype Communications S.a.r.l - installed 2017-09-29) [Lookup]


User Login Items:

iTunesHelper Application (Apple, Inc. - installed 2017-09-13)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

Dropbox Application

(/Applications/Dropbox.app)


Internet Plug-ins:

AdobeExManDetect: AdobeExManDetect 1.0.0.0 (installed 2012-12-28) [Lookup]

FlashPlayer-10.6: 27.0.0.159 (installed 2017-10-10) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-10-02)

AdobePDFViewerNPAPI: 17.012.20098 (installed 2017-08-30) [Lookup]

AdobePDFViewer: 17.012.20098 (installed 2017-08-30) [Lookup]

Flash Player: 27.0.0.159 (installed 2017-10-10) [Lookup]

o1dbrowserplugin: 5.41.3.0 (installed 2015-12-15) [Lookup]

SharePointBrowserPlugin: 14.7.3 (installed 2017-04-18) [Lookup]

googletalkbrowserplugin: 5.41.3.0 (installed 2015-12-11) [Lookup]

Silverlight: 5.1.10411.0 (installed 2013-03-22) [Lookup]

JavaAppletPlugin: Java 8 Update 144 build 01 (installed 2017-08-31) Check version


User internet Plug-ins:

WebEx64: 1.0 (installed 2013-07-11) [Lookup]

ZoomUsPlugIn: 3.0.46193.0828 (installed 2014-08-28) [Lookup]


Safari Extensions:

None


3rd Party Preference Panes:

Akamai NetSession Preferences (installed 2017-09-11) [Lookup]

Safe Anywhere Mac Settings (installed 2015-04-03) [Lookup]

Flash Player (installed 2017-09-25) [Lookup]

Java (installed 2017-08-31) [Lookup]


Time Machine:

Skip System Files: NO

Mobile backups: OFF

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 999.35 GB Disk used: 525.94 GB

Destinations:

FreeAgent GoFlex Drive [Local]

Total size: 999.86 GB

Total number of backups: 187

Oldest backup: 9/17/14, 12:49 AM

Last backup: 10/12/17, 11:22 AM

Size of backup disk: Too small

Backup size 999.86 GB < (Disk used 525.94 GB X 3)


Top Processes by CPU:

3% WindowServer

1% kernel_task

0% fontd

0% mds

0% mdworker


Top Processes by Memory:

1.06 GB kernel_task

464 MB com.apple.WebKit.WebContent

425 MB com.apple.WebKit.WebContent

321 MB mds_stores

238 MB Safari


Top Processes by Network Use:

Input Output Process name

1 MB 537 KB Mail

350 KB 107 KB mDNSResponder

310 KB 82 KB com.apple.WebKit.Networking

143 KB 177 KB Dropbox

221 KB 16 KB CalendarAgent


Top Processes by Energy Use:

5.82 WindowServer

0.74 fsavd

0.62 netsession_mac

0.26 Dropbox


Virtual Memory Information:

9.53 GB Available RAM

3.83 GB Free RAM

6.47 GB Used RAM

5.71 GB Cached files

0 B Swap Used


Software installs (last 30 days):

iFax: 3.11 (installed 2017-09-17)

iFax: 3.12 (installed 2017-10-06)

Adobe Flash Player: (installed 2017-10-10)


Install information may not be complete.


Diagnostics Events (last 3 days for minor events):

2017-10-10 07:26:01 mdworker Crash [Open]

Cause: import fstype:hfs fsflag:480D000 flags:40000005E diag:0 isXCode:0 uti:com.apple.mail.emlx plugin:/Library/Spotlight/Mail.mdimporter - find suspect file using: sudo mdutil -t 30448965

Oct 12, 2017 8:31 PM in response to Cal1950

Possible adware:

Adware: /Library/LaunchDaemons/com.iobit.AMCDaemon.plist

One possible adware file found. [Remove/Report]


Clean up:

com.adobe.ARM.[...].plist

/Applications/Adobe Reader.app/Contents/MacOS/Updater/Adobe Reader Updater Helper.app/Contents/MacOS/Adobe Reader Updater Helper semi-auto

Executable not found!

One orphan file found. [Clean up]


Run the report again and click [Remove/Report] and [Clean up].


Post a new EtreCheck report to see if f-secure is gone.

Oct 13, 2017 2:09 PM in response to Cal1950

Displaying update notifications is not malware behavior. If it were, macOS would be malware, since it will show you update notifications for the system and any third-party software downloaded from the App Store. It's important to understand that keeping your system and software up-to-date is probably the single most important thing you can do to keep your computer secure.


F-Secure is legitimate software. It could not have gotten onto your computer unless you, or someone else, installed it there.

Oct 12, 2017 8:42 PM in response to Eric Root

Thanks, I'll do that. I'll run and post a new etrecheck report later tonight.


I have a related question, one that I've posed in my posts, above. I'm just very curious. This company, f-secure, is a reputable company, yet in my case has apparently installed something that signals me with software update notices. This pirating of my browser is malware behavior. Do you, or anyone reading this thread, know if this is normal for a company with a good reputation to do? Or am I too bothered by something that has become a common marketing gimmick, even for good companies?

Oct 12, 2017 11:42 AM in response to Cal1950

Run EtreCheck and post a copy of it


Please run EtreCheck and post the report here.

https://etrecheck.com


Click the “Free Download” button, open the Downloads folder, click on it to open, and then select “Open”.

Click on the bouncing EtreCheck icon in the Dock.

“Choose a problem” from the popup menu box, and then “Start EtreCheck” in the dialog.


Click the “Share Report” button in the toolbar, select “Copy to Clipboard”.

Paste it into the reply.


Remove Malware.

1. Use Malwarebytes Anti-Malware for Mac to remove adware/malware.


https://www.malwarebytes.org/antimalware/mac/


Download, install, open, and run it by clicking the “Scan” button to remove adware.

Once done, quit Malwarebytes Anti-Malware.

Installer guide: https://support.malwarebytes.com/docs/DOC-1817


The installer may ask you to allow it in System Preferences > Security & Privacy. Allow it.

Keep the Uninstaller to remove the application whenever you decide to remove it.



2. Check extensions again. Disable Extensions if any and test.


Safari > Preferences > Extensions

Select, disable all extensions and test.

Enable Extensions one by one and test.

To uninstall any extension, select it and click the “Uninstall” button.


3. Safari > Preferences > Search > Search engine:

Select your preferred search engine.


4. Visit the site you want to be the Home page

Safari > Preferences > General > Homepage

Click the “Set to Current Page” button.


5. Restart your Mac.
