Hacked? Etrecheck Shows Bad Sign & Shell Scripts

I have a MacBook Pro using Sierra 10.12.6. It hasn't been running well on and off for the last 6 months. I've had spinning balls of death, freezes, duplication of password entries, multiple entries of the same processes and a general feeling something wasn't right.


This morning, however, I started my day just trying to figure out how to get the Apple mail app to send a gmail message because I keep getting error messages about invalid password... I tried a variety of things to no avail.


Anyway, one search led to another... I found the EtreCheck program. I ran it, and I'm wondering if I have a reason to be worried well beyond my smtp settings on my gmail account. There are missing signatures and shell scripts, and I just don't know how to interpret that.


I downloaded Malwarebytes today. The scan found and quarantined two PUP programs (Disk Cleaner Pro) it looks like I downloaded in Dec 2016.


Attached are the results from the Etrecheck scan.


EtreCheck version: 3.4.6 (460)

Report generated 2017-11-20 15:44:02

Download EtreCheck from https://etrecheck.com

Runtime: 1:55

Performance: Excellent


Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Clean up] link to delete unused files.


Show signature failures: Enabled


Problem: Other problem

Description:

Hack?


Hardware Information:

MacBook Pro (Retina, 15-inch, Early 2013)

[Technical Specifications] - [User Guide] - [Warranty & Service]

MacBook Pro - model: MacBookPro10,1

1 2.4 GHz Intel Core i7 (i7-3635QM) CPU: 4-core

8 GB RAM Not upgradeable

BANK 0/DIMM0

4 GB DDR3 1600 MHz ok

BANK 1/DIMM0

4 GB DDR3 1600 MHz ok

Handoff/Airdrop2: supported

Wireless: en0: 802.11 a/b/g/n

Battery: Health = Normal - Cycle count = 463

Proxy: ProxyAutoConfig

Proxy: ProxyAutoDiscovery

iCloud Quota: 87.49 GB available


Video Information:

Intel HD Graphics 4000 - VRAM: 1536 MB

Color LCD 2880 x 1800

NVIDIA GeForce GT 650M - VRAM: 1024 MB


Disk Information:

APPLE SSD SD256E disk0: (251 GB) (Solid State - TRIM: Yes)

[Show SMART report]

EFI (disk0s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

(disk0s2) <not mounted> [CoreStorage Container]: 250.14 GB

Recovery HD (disk0s3 - Journaled HFS+) <not mounted> [Recovery]: 650 MB


USB Information:

USB20Bus

hub_device

Apple Inc. FaceTime HD Camera (Built-in)

USB20Bus

hub_device

hub_device

Apple Inc. Apple Internal Keyboard / Trackpad

Apple Inc. BRCM20702 Hub

Apple Inc. Bluetooth USB Host Controller

USB30Bus

Western Digital My Passport 0829

My Passport 0829 disk3: (3 TB)

EFI (disk3s1 - MS-DOS FAT32) <not mounted> [EFI]: 210 MB

My Passport for Mac (disk3s2 - Journaled HFS+) /Volumes/My Passport for Mac : 3.00 TB (231.74 GB free)

Virtual CD 0829 disk2: (36.1 MB)

(disk2s0) <not mounted> [partition_scheme]: 31 MB

(disk2s0s1) <not mounted> [partition_map]: 32 KB

WD Unlocker (disk2s0s2 - HFS+) <not mounted> : 6 MB


Thunderbolt Information:

Apple Inc. thunderbolt_bus


Virtual disks:

Macintosh HD (disk1 - Journaled HFS+) / [Startup]: 249.77 GB (17.07 GB free)

Physical disk: disk0s2 250.14 GB Online


System Software:

macOS Sierra 10.12.6 (16G1036) - Time since boot: about 2 days


Gatekeeper:

Mac App Store and identified developers


Clean up:

/Library/LaunchDaemons/com.wdc.WDPrivilegedHelper.plist

/Library/PrivilegedHelperTools/com.wdc.WDPrivilegedHelper

Executable not found!

One orphan file found. [Clean up]


Kernel Extensions:

/Library/Extensions

[loaded] com.malwarebytes.mbam.rtprotection (3.1 - SDK 10.12) [Lookup]


/System/Library/Extensions

[not loaded] com.seagate.driver.PowSecDriverCore (5.2.6 (26925) - SDK 10.4) [Lookup]

[not loaded] com.wacom.kext.wacomtablet (Wacom Tablet 6.3.9-5 - SDK 10.9) [Lookup]


/System/Library/Extensions/Seagate Storage Driver.kext/Contents/PlugIns

[not loaded] com.seagate.driver.PowSecLeafDriver_10_4 (5.2.6 (26925) - SDK 10.4) [Lookup]

[not loaded] com.seagate.driver.PowSecLeafDriver_10_5 (5.2.6 (26925) - SDK 10.5) [Lookup]

[not loaded] com.seagate.driver.SeagateDriveIcons (5.2.6 (26925) - SDK 10.4) [Lookup]


System Launch Agents:

[loaded] com.apple.FTCleanup.plist (Shell Script 7de8708 - installed 2017-04-28) - Shell script!

[loaded] com.apple.RemoteDesktop.plist (Apple, Inc. - installed 2017-11-09)

[loaded] com.apple.SSInvitationAgent.plist (Apple, Inc. - installed 2017-11-09)

[running] com.apple.SafariBookmarksSyncAgent.plist (Apple, Inc. - installed 2017-11-01)

[loaded] com.apple.SafariHistoryServiceAgent.plist (Apple, Inc. - installed 2017-11-01)

[loaded] com.apple.SafariLaunchAgent.plist (Apple, Inc. - installed 2017-11-01)

[loaded] com.apple.screensharing.MessagesAgent.plist (Apple, Inc. - installed 2017-10-25)

[loaded] com.apple.screensharing.agent.plist (Apple, Inc. - installed 2017-10-25)

[not loaded] 6 Apple tasks

[loaded] 163 Apple tasks

[running] 91 Apple tasks

[killed] 17 Apple tasks

17 processes killed due to insufficient RAM


System Launch Daemons:

[loaded] com.apple.RFBEventHelper.plist (Apple, Inc. - installed 2017-10-25)

[loaded] com.apple.driver.ethcheck.plist (Apple, Inc. - installed 2017-07-14)

[loaded] com.apple.driver.ethcheckthunderbolt.plist (Apple, Inc. - installed 2017-07-14)

[loaded] com.apple.fpsd.plist (Apple, Inc. - installed 2017-10-20)

[not loaded] com.apple.jetsamproperties.Mac.plist (? ee96c1e8 ? - installed 2017-04-20) - Invalid signature!

[not loaded] com.apple.screensharing.plist (Apple, Inc. - installed 2017-10-25)

[loaded] com.apple.xpc.uscwoap.plist (Shell Script 75aced1c - installed 2017-04-28) - Shell script!

[running] com.seagate.TBDecorator.plist (? 595582c 687baee7 - installed 2014-08-15) [Lookup] - No signature!

[loaded] org.cups.cupsd.plist (Apple, Inc. - installed 2017-10-25)

[loaded] org.postfix.master.plist (Apple, Inc. - installed 2017-10-25)

[not loaded] 39 Apple tasks

[loaded] 162 Apple tasks

[running] 96 Apple tasks

[killed] 13 Apple tasks

13 processes killed due to insufficient RAM


Launch Agents:

[not loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-02-11) [Lookup]

[loaded] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2017-11-20) [Lookup]

[loaded] com.oracle.java.Java-Updater.plist (? 17b3c356 72ac4dde - installed 2017-10-11) [Lookup] - No signature!

[running] com.wacom.wacomtablet.plist (Wacom Technology Corp. - installed 2014-10-27) [Lookup]


Launch Daemons:

[running] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2017-09-26) [Lookup]

[loaded] com.adobe.fpsaud.plist (? 2afb3af7 a56d5fc2 - installed 2017-10-25) [Lookup] - No signature!

[running] com.fitbit.galileod.plist (Fitbit, Inc. - installed 2015-10-30) [Lookup]

[running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2017-11-20) [Lookup]

[running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2017-11-20) [Lookup]

[loaded] com.oracle.java.Helper-Tool.plist (Shell Script e3fefdd2 - installed 2017-07-22) [Lookup] - Shell script!

[loaded] com.wdc.WDPrivilegedHelper.plist (? 8ffe9417 0 - installed 2016-12-06) [Lookup] - /Library/PrivilegedHelperTools/com.wdc.WDPrivilegedHelper: Executable not found!


User Launch Agents:

[loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2016-02-11) [Lookup]

[loaded] com.adobe.ARM.[...].plist (? 5c76f5f6 1c9bb8a9 - installed 2015-11-04) [Lookup] - Invalid signature!

[loaded] uk.co.markallan.clamxav.clamscan.plist (? d0c776c6 cb586f2f - installed 2017-04-23) [Lookup] - Invalid signature!

[loaded] uk.co.markallan.clamxav.freshclam.plist (? 6b40b651 cb586f2f - installed 2017-04-23) [Lookup] - Invalid signature!


User Login Items:

iTunesHelper Application (Apple, Inc. - installed 2017-11-01)

(/Applications/iTunes.app/Contents/MacOS/iTunesHelper.app)

WDDriveUtilityHelper Application

(/Applications/WD Drive Utilities.app/Contents/WDDriveUtilityHelper.app)

Photo Stream URL SMLoginItem - Hidden (Apple, Inc. - installed 2038-01-18)

(/Applications/iPhoto.app/Contents/Library/LoginItems/PhotoStreamAgent.app)


Internet Plug-ins:

FlashPlayer-10.6: 27.0.0.187 (installed 2017-11-18) [Lookup]

QuickTime Plugin: 7.7.3 (installed 2017-11-09)

AdobePDFViewerNPAPI: 10.1.16 (installed 2015-11-04) [Lookup]

AdobePDFViewer: 10.1.16 (installed 2015-11-04) [Lookup]

Flash Player: 27.0.0.187 (installed 2017-11-18) [Lookup]

PepperFlashPlayer: 27.0.0.187 (installed 2017-11-18) [Lookup]

Silverlight: 5.1.41212.0 (installed 2016-01-18) [Lookup]

WacomTabletPlugin: WacomTabletPlugin 2.1.0.6 (installed 2014-10-27) [Lookup]

JavaAppletPlugin: Java 8 Update 144 build 01 (installed 2017-10-11) Check version


Safari Extensions:

[disabled] WOT - WOT Services Ltd - http://www.mywot.com/ (installed 2015-04-27)

[enabled] TrafficLight - Bitdefender SRL - http://trafficlight.bitdefender.com/ (installed 2017-05-03)

[disabled] Whova Safari Extension - Whova - http://whova.com (installed 2013-12-26)

[disabled] Cleaner Google - Axianet.ch - Steven Moix - http://www.axianet.ch (installed 2013-12-26)

[enabled] Adblock Plus - Eyeo GmbH - https://adblockplus.org/ (installed 2016-12-22)

[enabled] GoogleMapAdd-On - BH_Lin - http://studiobinghuan.blogspot.com/ (installed 2013-12-26)

[not loaded] AdBlock - BetaFish, Inc. - https://getadblock.com (installed 2015-11-25)

[disabled] Notable - ZURB - http://www.notableapp.com (installed 2015-08-11)

[disabled] Evernote Web Clipper - Evernote Corp. - http://evernote.com (installed 2016-08-28)


3rd Party Preference Panes:

Flash Player (installed 2017-10-25) [Lookup]

Java (installed 2017-10-11) [Lookup]

Seagate Dashboard for Mac OSX (installed 2014-12-16) [Lookup]

WacomTablet (installed 2014-10-27) [Lookup]


Time Machine:

Skip System Files: NO

Auto backup: YES

Volumes being backed up:

Macintosh HD: Disk size: 249.77 GB Disk used: 232.70 GB

Destinations:

Seagate Backup Plus Drive [Local]

Total size: 2.00 TB

Total number of backups: 69

Oldest backup: 9/18/14, 9:42 PM

Last backup: 1/16/17, 3:10 PM

Size of backup disk: Excellent

Backup size 2.00 TB > (Disk size 249.77 GB X 3)


My Passport for Mac [Local]

Total size: 3.00 TB

Total number of backups: 39

Oldest backup: 8/21/16, 7:18 PM

Last backup: 11/18/17, 9:24 PM

Size of backup disk: Excellent

Backup size 3.00 TB > (Disk size 249.77 GB X 3)


Time Machine Backup MBP [Local]

Total size: 500.00 GB

Total number of backups: 13

Oldest backup: 4/29/15, 2:28 PM

Last backup: 1/13/17, 11:32 AM

Size of backup disk: Too small

Backup size 500.00 GB < (Disk used 232.70 GB X 3)


Top Processes by CPU:

14% WindowServer

3% kernel_task

2% com.apple.WebKit.WebContent

1% kextd

0% trustd


Top Processes by Memory:

1.25 GB com.apple.WebKit.WebContent

957 MB kernel_task

306 MB Adobe Photoshop Lightroom 4

301 MB Safari

214 MB Finder


Top Processes by Network Use:

Input Output Process name

2 MB 903 KB Mail

2 MB 282 KB mDNSResponder

1 MB 643 KB com.apple.WebKit.Networking

277 KB 7 KB netbiosd

35 KB 36 KB apsd


Top Processes by Energy Use:

15.94 WindowServer

11.26 Adobe Photoshop Lightroom 4

4.14 com.apple.WebKit.WebContent

0.58 com.apple.WebKit.Networking


Virtual Memory Information:

1.89 GB Available RAM

17 MB Free RAM

6.11 GB Used RAM

1.88 GB Cached files

3.68 GB Swap Used


Software installs (last 30 days):

Adobe Flash Player: (installed 2017-10-24)

Adobe Pepper Flash Player: (installed 2017-10-24)

Adobe Flash Player: (installed 2017-10-27)

Adobe Pepper Flash Player: (installed 2017-10-29)

Adobe Flash Player: (installed 2017-11-18)

Adobe Pepper Flash Player: (installed 2017-11-18)

Malwarebytes for Mac: (installed 2017-11-20)


Install information may not be complete.


Diagnostics Events (last 3 days for minor events):

2017-11-20 14:35:52 spindump Crash [Open]

2017-11-19 11:05:56 Adobe Photoshop Lightroom 4.app High CPU use [Open] [Details]

2017-11-19 10:45:00 suggestd Crash [Open]

Cause: *** Terminating app due to uncaught exception 'NSInternalInconsistencyException', reason: 'Could not read pattern plist from /System/Library/Assets/com_apple_MobileAsset_CoreSuggestions/a0f4488118da8f8806dfd4e061d5443aecd75263.asset/AssetData/CompiledPatterns.plist: Error Domain=NSCocoaErrorDomain Code=257 "The file “CompiledPatterns.plist” couldn’t be opened because you don’t have permission to view it." UserInfo={NSFilePath=/System/Library/Assets/com_apple_MobileAsset_CoreSuggestions/a0f4488118da8f8806dfd4e061d5443aecd75263.asset/AssetData/CompiledPatterns.plist, NSUnderlyingError=0x7fe3edb0be40 {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}}'

abort() called

terminating with uncaught exception of type NSException

2017-11-18 19:29:39 mdworker High CPU use [Open] [Details]

2017-11-18 17:53:42 Last shutdown cause: 3 - Hard shutdown


Files deleted by EtreCheck:

2017-11-20 14:31:47 - ~/Library/LaunchAgents/com.seagate.dashboard.plist - Unknown

2017-11-20 14:31:59 - /Library/LaunchDaemons/com.wdc.WDPrivilegedHelper.plist - Unknown

2017-11-20 14:32:44 - /Library/LaunchDaemons/com.wdc.WDPrivilegedHelper.plist - Unknown

MacBook Pro with Retina display

Posted on Nov 20, 2017 2:45 PM


There are no replies.
