Suspected malware after installing FileZilla. How much trouble am I in?

Hey all - I'm trying to help myself as much as possible, and I've been doing a lot of reading, but please accept my apologies if I missed something obvious.

Computer: iMac Pro, running 10.13.3

SITUATION:


Opened Chrome (which I do not usually use) and received a warning that an extension called "Search Manager 10.1.2.64" is trying to set my default search bar to srchbar.com


Did some digging and found the extension was installed about a week ago, right after I installed FileZilla.


Did some more digging, and found "runChmm" in my login items, also installed at the same time. I haven't restarted since this, so hadn't encountered it yet. This launches something called Chromium that I never installed, which defaults to what seems to be a sketchy knockoff of Yahoo search.



I've noticed Safari lagging like crazy when typing in the URL box, and now I wonder if this is related.


No extensions show as installed in Safari.


Currently running BitDefender.


Ran MalwareBytes and it came up clean.

QUESTIONS:

• How freaked out should I be?

• Do I need to wipe my system drive?

• Reinstall OS?

• Wipe other stuff? Like, can my personal files be infected?

• Can I trust my Time Machine backup from before the date in question or could that be compromised too, so restoring from it just reinfects me?

• Do I need to worry that passwords and personal data stored on my machine are compromised?

• Is there a way to know for sure what happened, and what else is installed?


THANKS SO MUCH!

Posted on Feb 21, 2018 3:16 PM

22 replies

Feb 21, 2018 5:43 PM in response to perry_k

You appear to be really concerned about this potentially intrusive event. I don't blame you. In those cases what I do is to restore a Time Machine backup preceding that event. You know when it occurred, so deciding upon an appropriate backup to restore will be straightforward.


That's what I do after intentionally installing malware to observe its effects and how to eradicate it, and will eliminate all doubt. Reliance upon "Bitdefender" and such things simply cannot provide that assurance. They will only exacerbate any real problem that may exist—for which there is no evidence.


For an example similar to your experience read Re: threat by trojan.JS.Iframe.BKD on MacBookPro. Don't let that happen to you.

Mar 27, 2018 2:11 PM in response to m0thr4

Yeah, this sounds super similar to my situation.


I did a full rewind on Time Machine to the backup before the fateful install. (Pro-tip, on some computers Time Machine drives work really slowly at USB 1 speed during restore unless you plug them in AFTER booting to the restore screen... my restore took 14 hours because of that)


I'm still not sure how invasive all of this was. The only piece of anecdotal evidence I have is that Safari was SUPER laggy before the wipe (starting around when I installed FileZilla), even like lagging for 1-2 seconds when typing into the URL box, even after restarts, etc., and since the wipe, nothing like that. The paranoid side of me thinks something was mucking up the works, even though no extensions or anything were installed in Safari. It could be a fluke though.

Feb 21, 2018 3:32 PM in response to perry_k

I suggest you use the program created by Etresoft, a frequent contributor. It will provide a snapshot of your system which we can analyze to possibly determine the cause of your problem. Please use copy and paste, as screen shots can be hard to read. On the screen with Options, please open Options and check the bottom 2 boxes before running. Click the “Share Report” button in the toolbar, select “Copy to Clipboard” and then paste into a reply. This will show what is running on your computer. No personal information is shown.


Etrecheck – System Information
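The date correlation the original poster did by hand (the extension and the "runChmm" login item both appeared right after the FileZilla install) can also be scripted from Terminal. The following is an added example, not EtreCheck's code and not something posted in the thread; the function names are mine, the folders are the standard macOS persistence locations the replies talk about, and it assumes a find(1) that accepts -newermt (GNU find and macOS/BSD find both do).

```shell
#!/bin/sh
# Added example, not from the thread or from EtreCheck: list items in the
# persistence locations the replies mention that were created or modified
# inside a date window, so they can be correlated with a suspect install date.
# Assumes a find(1) that accepts -newermt (GNU find and macOS/BSD find both do).

# list_recent_items START END DIR...
#   START and END are "YYYY-MM-DD" strings (local time). Prints every direct
#   child of each DIR whose modification time falls in (START, END].
#   Directories that do not exist are skipped silently.
list_recent_items() {
    start="$1"; end="$2"; shift 2
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -mindepth 1 -maxdepth 1 \
            -newermt "$start" ! -newermt "$end" 2>/dev/null
    done | sort
}

# count_recent_items START END DIR...
#   Same arguments; prints the number of matching items (0 when none).
count_recent_items() {
    list_recent_items "$@" | grep -c . || true
}

# triage_persistence START END
#   Runs the check over the macOS locations discussed in the thread: launchd
#   agents and daemons, the per-user Application Support folder where the
#   "runchmm" leftovers were found, /Applications (where Chromium appeared),
#   and Chrome's per-profile extension store ("Search Manager"). These paths
#   are assumptions about a typical install, not taken from the report above.
triage_persistence() {
    list_recent_items "$1" "$2" \
        "$HOME/Library/LaunchAgents" \
        /Library/LaunchAgents \
        /Library/LaunchDaemons \
        "$HOME/Library/Application Support" \
        /Applications \
        "$HOME/Library/Application Support/Google/Chrome/Default/Extensions"
}

# Usage: sh triage.sh 2018-02-12 2018-02-15   (a window around the install)
# With no arguments nothing runs, so the functions can be sourced or tested.
if [ "$#" -eq 2 ]; then
    printf 'Items changed between %s and %s:\n' "$1" "$2"
    triage_persistence "$1" "$2"
fi
```

Anything it prints is only a candidate: LogMeIn, Adobe and Code 42 items in the report above were installed in the same weeks for legitimate reasons, so each hit still needs a look at who signed it and what it launches.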

Feb 21, 2018 6:25 PM in response to perry_k

The only option I use and can recommend is the "restore everything" option described in How to use Time Machine to back up or restore your Mac - Apple Support. That literally returns your Mac to its exact state prior to the event. It will be as if nothing ever happened, with the caveat that something malicious like a keylogger may have already lifted some personal information... an extremely minor possibility from what you describe, but I'd be remiss if I didn't mention it.


Once you "restore everything" you will still have subsequent TM backups from which you can selectively restore the personal documents and other files you may need that were created or altered after that event. It's a very flexible option.

Feb 21, 2018 3:40 PM in response to Allan Eckert

Here's the Etresoft report! I ran it twice. Never got to a screen with options to select, but hopefully this is it:


EtreCheck version: 4.0.4 (4A149)

Report generated: 2018-02-21 18:37:03

Download EtreCheck from https://etrecheck.com

Runtime: 2:12

Performance: Excellent


Problem: No problem - just checking


Major Issues: None


Minor Issues:

These issues do not need immediate attention but they may indicate future problems.


Clean up - There are orphan files that could be removed.

Small backup drive - Time Machine backup drive is too small.

Unsigned files - There is unsigned software installed. It appears to be legitimate but should be reviewed.


Hardware Information:

iMac Pro (2017)

iMac Pro Model: iMacPro1,1

1 3 GHz Intel Xeon W (W-2150B) CPU: 10-core

32 RAM Upgradeable

NODE 1/CPU1_DIMM_A0

8 GB DDR4 2666 ok

NODE 1/CPU1_DIMM_B0

8 GB DDR4 2666 ok

NODE 1/CPU1_DIMM_C0

8 GB DDR4 2666 ok

NODE 1/CPU1_DIMM_D0

8 GB DDR4 2666 ok


Video Information:

Radeon Pro Vega 64 - VRAM: 16 GB

iMac 5120 x 2880


Drives:

disk0 - APPLE SSD AP2048M 2.00 TB (Solid State - TRIM: Yes)

Internal PCI-Express 8.0 GT/s x4 NVM Express

disk0s1 - EFI [EFI] 315 MB

disk0s2 2.00 TB

disk1s1 - Macintosh HD (APFS) 2.00 TB 736.41 GB

disk1s2 - Preboot (APFS) [APFS Preboot] 2.00 TB 25 MB

disk1s3 - Recovery (APFS) [Recovery] 2.00 TB 515 MB

disk1s4 - VM (APFS) [APFS VM] 2.00 TB 25.77 GB


disk2 - Seagate Expansion Desk 8.00 TB

External USB 5 Gbit/s

disk2s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk2s2 - T********************o (Journaled HFS+) 8.00 TB


disk3 - HGST G-DRIVE USB 6.00 TB

External USB 5 Gbit/s

disk3s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk3s2 - E****r (Journaled HFS+) 6.00 TB


disk4 - GSPD3 4 Bay Base 16.00 TB

External SAS


Mounted Volumes:

disk1s1 - Macintosh HD 2.00 TB (1.24 TB free)

APFS

Mount point: /

Encrypted


disk1s4 - VM [APFS VM] 2.00 TB (1.24 TB free)

APFS

Mount point: /private/var/vm

Encrypted


disk2s2 - T********************o 8.00 TB (5.76 TB free)

Journaled HFS+

Mount point: /Volumes/T********************o


disk3s2 - E****r 6.00 TB (3.78 TB free)

Journaled HFS+

Mount point: /Volumes/E****r


disk4s2 - V****n 16.00 TB (12.64 TB free)

Journaled HFS+

Mount point: /Volumes/V****n


Network:

Interface en0: Ethernet

One IPv4 address

4 IPv6 addresses

Interface en8: iPhone

Interface en1: Wi-Fi


One IPv4 address

Interface en7: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Quota: 82.11 GB available


System Software:

macOS High Sierra 10.13.3 (17D2047)

Time since boot: About 12 days

System Load: 1.56 (1 min ago) 1.77 (5 min ago) 1.68 (15 min ago)


Security:

System                       Status
Gatekeeper                   Mac App Store and identified developers
System Integrity Protection  Enabled


Unsigned Files:

Launchd: /Library/LaunchDaemons/com.gspeed2.bgaschedg.plist

Executable: /Applications/G-SPEED Software Utility.app/Contents/Resources/bgaschedg

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.gspeed2.emaildg.plist

Executable: /Applications/G-SPEED Software Utility.app/Contents/Resources/emaildg

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.gspeed2.BGPMain_G.plist

Executable: /Applications/G-SPEED Software Utility.app/Contents/Resources/XMLBase/BGPMain_G

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.gspeed2.httpd.plist

Executable: /Applications/G-SPEED Software Utility.app/Contents/Resources/apache2/bin/httpdgs -f /Applications/G-SPEED Software Utility.app/Contents/Resources/apache2/conf/httpd.conf

Details: Exact match found in the whitelist - probably OK


Kernel Extensions:

/Library/Application Support/LogMeIn/drivers

[Loaded] LogMeInSoundDriver.kext (4.1.8963)

/Library/Extensions

[Loaded] GSpeedShuttleIcon.kext (2.0.4 - SDK 10.11)

[Loaded] PromiseSTEX.kext (6.2.11 - SDK 10.11)


System Launch Agents:

[Not Loaded] 7 Apple tasks
[Loaded] 151 Apple tasks
[Running] 131 Apple tasks
[Other] One Apple task


System Launch Daemons:

[Not Loaded] 36 Apple tasks
[Loaded] 176 Apple tasks
[Running] 122 Apple tasks


Launch Agents:

[Not Loaded] com.logmein.logmeinguiagentatlogin.plist (LogMeIn, Inc. - installed 2018-01-22)
[Loaded] com.adobe.AdobeCreativeCloud.plist (Adobe Systems, Inc. - installed 2018-02-20)
[Not Loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2018-02-13)
[Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-02-02)
[Running] com.logmein.logmeinguiagent.plist (LogMeIn, Inc. - installed 2018-01-22)
[Running] com.logmein.logmeingui.plist (LogMeIn, Inc. - installed 2018-01-22)


Launch Daemons:

[Running] com.logmein.logmeinserver.plist (LogMeIn, Inc. - installed 2018-01-22)
[Running] com.gspeed2.BGPMain_G.plist (? 1aae0e5 - installed 2017-11-17)
[Loaded] com.gspeed2.httpd.plist (? a78dcfdc - installed 2018-02-02)
[Loaded] com.gspeed2.bgaschedg.plist (? 93e1f63d - installed 2017-11-17)
[Other] com.imagineersystems.lmgrd.plist (? ef7d90c8 - installed 2013-10-22)
[Loaded] com.adobe.acc.installer.plist (Adobe Systems, Inc. - installed 2018-02-20)
[Running] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2018-02-02)
[Loaded] com.gspeed2.emaildg.plist (? 270ba395 - installed 2017-11-17)
[Running] com.crashplan.engine.plist (Code 42 Software - installed 2018-02-08)
[Loaded] com.redgiant.LinkUpdateChecker.plist (Red Giant Software - installed 2018-02-06)


User Launch Agents:

[Running] com.spotify.webhelper.plist (Spotify - installed 2018-01-26)
[Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2017-09-27)
[Loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2017-08-10)
[Loaded] com.redgiantsoftware.updater.plist (Apple, Inc. - installed 2017-12-09)
[Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-02-02)
[Loaded] com.adobe.AAM.Updater-1.0.plist (Adobe Systems, Inc. - installed 2018-01-30)
[Running] com.code42.menubar.plist (Code 42 Software - installed 2018-01-27)


User Login Items:

Dropbox Application (Dropbox, Inc.)

(/Applications/Dropbox.app)

Google Chrome Application (Google, Inc.)

(/Applications/Google Chrome.app)


Internet Plug-ins:

AdobeAAMDetect: 3.0.0.0 (installed 2018-02-20)

QuickTime Plugin: 7.7.3 (installed 2017-12-09)


Time Machine:

Skip System Files: No

Mobile backups:

Auto backup: Yes

Volumes being backed up:

Macintosh HD: Disk size: 2.00 TB - Disk used: 763.02 GB

E****r: Disk size: 6.00 TB - Disk used: 2.22 TB

Destinations:

T********************o [Local] (Last used)

Total size: 8.00 TB

Total number of backups: 37

Oldest backup: 2018-02-09 08:58:45

Last backup: 2018-02-21 17:47:54


Top Processes by CPU:

Process (count)            Source         % of CPU
BitdefenderVirusScanner    Mac App Store  66
photoanalysisd             Apple          18
photolibraryd              Apple          14
WindowServer               Apple          11
mdworker (20)              Apple          6


Top Processes by Memory:

Process (count)                  Source         RAM usage
kernel_task                      Apple          2.40 GB
BitdefenderVirusScanner          Mac App Store  1.32 GB
com.apple.WebKit.WebContent (6)  Apple          1.01 GB
mds_stores                       Apple          629 MB
mdworker (28)                    Apple          616 MB


Top Processes by Network Use:

Process        Source         Input  Output
LogMeIn        LogMeIn, Inc.  31 MB  467 MB
Dropbox        Dropbox, Inc.  83 MB  304 MB
mDNSResponder  Apple          69 MB  6 MB
ocspd          Apple          68 MB  792 B
Mail           Apple          47 MB  788 KB


Top Processes by Energy Use:

Process (count)                  Source         Energy usage (0-100)
BitdefenderVirusScanner          Mac App Store  32
WindowServer                     Apple          4
Mail                             Apple          1
mds                              Apple          0
com.apple.WebKit.WebContent (6)  Apple          0


Virtual Memory Information:

Available RAM  15.84 GB
Free RAM       15 MB
Used RAM       16.16 GB
Cached files   15.83 GB
Swap Used      6.70 GB


Software Installs (past 30 days):

Name                      Version  Install Date
Beauty Box AE 4.1         4.1      2018-02-01
VisualDiffer              1.7.0    2018-02-05
Disk Speed Test           3.1      2018-02-07
Todoist                   7.0.11   2018-02-13
Duplicate File Finder     5.2      2018-02-16
Bitdefender Virus Scanner 3.10     2018-02-21


Clean up:

/Library/LaunchDaemons/com.imagineersystems.lmgrd.plist

./netwaitexec

Executable not found


Diagnostics Information (past 7 days):

2018-02-21 17:04:00 BitdefenderVirusScanner.app CPU

2018-02-18 15:26:33 WindowServer CPU

2018-02-09 13:04:48 Last Shutdown Cause: -11 - Unknown


End of report

Feb 21, 2018 4:01 PM in response to perry_k

Time since boot: About 12 days


Restart your Mac. That is usually required after removing adware or whatever it is that hijacked your chosen search engine.


Remove "Bitdefender". It is categorically worthless. You can see for yourself how it is monopolizing your Mac while doing nothing to prevent you from installing malware.


• Can I trust my Time Machine backup from before the date in question ...


Yes. That's what it's for.


• Do I need to worry that passwords and personal data stored on my machine are compromised?


That can't be determined, especially if whatever you installed is now gone.

Feb 21, 2018 4:52 PM in response to perry_k

It's not impossible, but apps that go as far as stealing passwords (keylogger), or other things worse than simply annoying you with ads aren't likely from SourceForge. Adware is the main problem. And that's only annoying, not dangerous.


Being able to redirect your web browser suggests installing FileZilla added an extension to Safari. Open Safari's preferences and click on the Extensions tab. Disable and remove anything you don't recognize.

Mar 26, 2018 2:31 PM in response to perry_k

I am looking into this too, after installing uTorrent and clicking through the various "Accept" screens a little too hastily (see attached). uTorrent could argue that you're informed about this software, but the fact is they mention nothing about installing Chromium, and nothing about putting a launcher in Login Items (which I guess tries to reinstall the search engine in all browsers every time you reboot your computer).


Worse, there's no uninstaller for all of this, and if you use something like Clean My Mac to remove uTorrent and Chromium... this "runchmm" thing remains in your Login Items and ~/Library/Application Support. This makes me wonder what else has been installed that I don't know about.


As for how worried we should be... I honestly don't know, and will be performing a complete clean reinstall of MacOS to be safe. And then, I won't be using uTorrent again, except from inside a Virtual Machine.


Chrome did warn me about the extension, and I was able to block it. As far as I can tell, nothing has been installed into Safari (which tends to be my default browser). I haven't yet looked at Firefox.



Feb 21, 2018 3:32 PM in response to perry_k

If Malwarebytes didn't pick up anything then you probably don't have anything that would compromise your files or passwords.

Force Quit Safari (command + option + esc keys). Then restart Safari holding the Shift key. If you still have problems, empty caches (Safari menu > Preferences > Privacy > Remove all website data). This will also remove history; if you do not want to remove history, open Safari Preferences > Advanced and check “Show Develop Menu”, then choose “Empty Caches” from the Develop menu.

Feb 21, 2018 3:42 PM in response to perry_k

I like the sound of this, but is it weird that MalwareBytes also didn't find the two things I *did* find?

Not really. New adware and other garbage is introduced every day. MalwareBytes can't find or recognize what hasn't been added to its list yet.


FileZilla and many other apps on SourceForge have been plugged up with adware. Something about the owner of SourceForge changing hands when this started. The more popular the title, the more likely adware has been added to the download.
