Redirect Virus on MacBook Air

Hello,


I play an online game, hosted by a UK-based website. I have been using this site for almost ten years, no problem, but it is located at an unsecured site (i.e. http rather than https). When I tried to go to the link today, unfortunately, my computer redirected me to a website called chillcardiac[dot]com, which then started downloading files without permission. This was happening in a Chrome browser, so I switched to Safari; it happened there as well. The friend with whom I was playing, however, is not having a problem on her computer. I also contacted the administrator of the website, and he sent me the Norton virus scan, showing that it is clean on his end.


After doing a bit of research, I am guessing that my Mac might have something called a "redirect virus," but I have no idea how to remove it. I downloaded and ran Malwarebytes, but its report says that my computer is clean. I also deleted the files that were downloaded from the website and emptied the trash. Does anyone have any other thoughts on what to try next?


Thanks in advance for any insights.


Julia

MacBook Air, iOS 10.1.1

Posted on Sep 6, 2018 12:15 PM

Sep 6, 2018 2:55 PM in response to juliairwin

Ok, just wanted to bring this to your attention as a possible culprit.


The next step I would suggest is to run an EtreCheck report and post it here so we can try to assist you further.

(Note: The EtreCheck report does NOT contain any personal information.)

  • You can download EtreCheck from here.
  • Start EtreCheck from a normal user account. Optionally, you can run it from a user account with Administrator privileges.
  • Select a problem from the drop-down menu to enable the "Start EtreCheck" button. Optionally, you can add comments on what issues your Mac is experiencing, especially to aid others with similar Mac issues.
  • Click on Start EtreCheck
  • Allow the program to run to completion.
  • When done, select Report from the left-side window to display it.
  • Select the "Share Report" icon.

  • Select Copy Report.

  • Paste the report to your reply post.


Ref: Using EtreCheck - ASC (etresoft)

Sep 6, 2018 5:37 PM in response to juliairwin

Ok a few things stand out and here are a few suggestions for you to consider:

  1. Remove Avast anti-virus. Macs do not get viruses. They may be "infected" by adware or malware, but so far, no viruses. Most AV apps cause more problems than they resolve, especially those that run in the background.
  2. Keep Malwarebytes, but don't let it run in the background. Use it periodically when you suspect adware infections.
  3. Remove MacKeeper. It's been reported here as a potential type of malware and numerous users post here to ask how to remove it.
  4. IDrive seems to be problematic. I suggest that if you really don't need it, to remove it.
  5. Carefully review all of your Internet plug-ins. Remove any you don't really use.
  6. Clear the Google Chrome caches. Also review any Chrome plug-ins or extensions. Again, if you really don't use them, remove them.
  7. Finally, your MBA is a bit short on RAM ... and available drive space. Both are symptomatic with the limited available to begin with this notebook line. This wouldn't help with the "virus" issue, but could help boost overall performance.

Sep 6, 2018 3:13 PM in response to Tesserax

Terrific! Tesserax, thank you so much for your help. Here is the EtreCheck report. Thank you in advance for further thoughts you may have!!

EtreCheck version: 4.3.6 (4D041)

Report generated: 2018-09-06 18:08:19

Download EtreCheck from https://etrecheck.com

Runtime: 4:35

Performance: Good


Problem: Other problem

Description:

I play an online game, hosted by a UK-based website. I have been using this site for almost ten years, with no problem, but it is located at an unsecured site (i.e. http rather than https).

When I tried to go to the link today, unfortunately, my computer redirected me to a website called chillcardiac[dot]com, which then started downloading files without permission. This was happening in a Chrome browser, so I switched to Safari; it happened there as well. The friend with whom I was playing, however, is not having a problem on her computer. I also contacted the administrator of the website, and he sent me the Norton virus scan, showing that it is clean on his end.

I have run both Malwarebytes and Avast Security and that has not helped. I also tried to restore the host file. And finally, I tried to set parental controls to block the offending website. None of this has worked, unfortunately. I suspect (having done some research) that I have a redirect virus, but I do not know how to remove it from my computer.

Thank you for your help!


Major Issues:

Anything that appears on this list needs immediate attention.


No Time Machine backup - Time Machine backup not found.

More than one antivirus app - This machine has multiple antivirus apps installed.


Minor Issues:

These issues do not need immediate attention but they may indicate future problems.


Clean up - There are orphan files that could be removed.

Unsigned files - There are unsigned software file installed. They appear to be legitimate but should be reviewed.

Insufficient permissions - EtreCheck running under a standard user. Diagnostic information may not be available.

32-bit Apps - This machine has 32-bits apps that may have problems in the future.


Hardware Information:

MacBook Air (11-inch, Early 2015)

MacBook Air Model: MacBookAir7,1

1 1.6 GHz Intel Core i5 (i5-5250U) CPU: 2-core

4 GB RAM - Not upgradeable

BANK 0/DIMM0 - 2 GB DDR3 1600 ok

BANK 1/DIMM0 - 2 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 130


Video Information:

Intel HD Graphics 6000 - VRAM: 1536 MB

Color LCD 1366 x 768


Drives:

disk0 - APPLE SSD AP0256H 251.00 GB (Solid State - TRIM: Yes)

Internal PCI-Express 5.0 GT/s x4 NVM Express

disk0s1 - EFI [EFI] 315 MB

disk0s2 250.69 GB

disk1s1 - Macintosh HD (APFS) 250.69 GB (181.16 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] 250.69 GB (22 MB used)

disk1s3 - Recovery (APFS) [Recovery] 250.69 GB (519 MB used)

disk1s4 - VM (APFS) [APFS VM] 250.69 GB (2.15 GB used)


Mounted Volumes:

disk1s1 - Macintosh HD 250.69 GB (66.70 GB free)

APFS

Mount point: /

Encrypted


disk1s4 - VM [APFS VM] 250.69 GB (66.70 GB free)

APFS

Mount point: /private/var/vm


Network:

Interface en2: Thunderbolt Ethernet

Interface en4: iPhone

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

One IPv4 address

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge


System Software:

macOS High Sierra 10.13.6 (17G65)

Time since boot: Less than an hour

System Load: 1.89 (1 min ago) 1.56 (5 min ago) 2.23 (15 min ago)


Security:

System Status
Gatekeeper Mac App Store and identified developers
System Integrity Protection Enabled


Unsigned Files:

Launchd: /Library/LaunchDaemons/com.avast.init.plist

Executable: /Library/Application Support/Avast/hub/init.sh

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.adobe.fpsaud.plist

Executable: /Library/Application Support/Adobe/Flash Player Install Manager/fpsaud

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.avast.uninstall.plist

Executable: /Library/Application Support/Avast/hub/autouninstall.sh

Details: Exact match found in the whitelist - probably OK

Launchd: ~/Library/LaunchAgents/com.skype.skype.shareagent.plist

Executable: /Applications/Skype.app/Contents/Library/LaunchServices/com.skype.skype.shareagent.bundle/Contents/MacOS/com.skype.skype.shareagent

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchAgents/com.avast.userinit.plist

Executable: /Library/Application Support/Avast/hub/userinit.sh

Details: Exact match found in the whitelist - probably OK

Launchd: /Library/LaunchDaemons/com.avast.update.plist

Executable: /Library/Application Support/Avast/components/update/update.sh

Details: Exact match found in the whitelist - probably OK


32-bit Applications:

19 32-bit apps


Kernel Extensions:

/Library/Application Support/Avast/components/fileshield/signed

[Loaded] AvastFileShield.kext (AVAST Software a.s., 4.0.0 - SDK 10.12)


/Library/Application Support/Avast/components/proxy/signed

[Loaded] AvastPacketForwarder.kext (AVAST Software a.s., 2.1 - SDK 10.12)


/Library/Application Support/Malwarebytes/MBAM/Kext

[Loaded] MB_MBAM_Protection.kext (Malwarebytes Corporation, 3.4 - SDK 10.13)


System Launch Agents:

[Not Loaded] 9 Apple tasks
[Loaded] 182 Apple tasks
[Running] 102 Apple tasks
[Other] One Apple task


System Launch Daemons:

[Not Loaded] 37 Apple tasks
[Loaded] 186 Apple tasks
[Running] 112 Apple tasks


Launch Agents:

[Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2018-08-22)
[Loaded] com.avast.userinit.plist (? bb25154c - installed 2018-09-06)
[Not Loaded] com.adobe.AAM.Updater-1.0.plist (? ffb65062 - installed 2018-02-19)
[Not Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-05-24)
[Other] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a23d420d.plist (Adobe Systems, Inc. - installed 2018-02-16)
[Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2018-08-06)


Launch Daemons:

[Loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2018-02-16)
[Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2018-08-06)
[Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2018-08-22)
[Running] com.prosoftnet.idrivedaemon.plist (IDrive Incorporated - installed 2018-08-09)
[Loaded] com.avast.uninstall.plist (? 22f94791 - installed 2018-09-06)
[Loaded] com.avast.init.plist (? fc55b6fa - installed 2018-09-06)
[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2018-07-04)
[Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2018-08-06)
[Loaded] com.prosoftnet.idsyncdaemon.plist (IDrive Incorporated - installed 2018-08-09)
[Loaded] com.adobe.fpsaud.plist (? 2afb3af7 - installed 2017-09-26)
[Running] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2018-05-24)
[Other] com.prosoftnet.idwebdaemon.plist (? b83462ff - installed 2014-01-15)
[Loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2018-02-16)
[Running] com.adobe.agmservice.plist (Adobe Systems, Inc. - installed 2018-05-24)
[Loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2017-06-10)
[Loaded] com.avast.update.plist (? 5c6ac355 - installed 2018-09-06)
[Running] com.prosoftnet.idwifimanager.plist (IDrive Incorporated - installed 2018-08-09)


User Launch Agents:

[Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2018-07-18)
[Loaded] com.dropbox.DropboxMacUpdate.agent.plist (Dropbox, Inc. - installed 2018-08-21)
[Not Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-05-24)
[Loaded] com.skype.skype.shareagent.plist (? 0 - installed 2017-12-02)


User Login Items:

IDriveMonitor Application (IDrive Incorporated - installed 2018-08-18)

(/Library/Application Support/IDriveforMac/IDriveHelperTools/IDriveMonitor.app)

AdobeResourceSynchronizer Application (Adobe Systems, Inc. - installed 2018-08-19)

(/Applications/Adobe Acrobat 2015/Adobe Acrobat.app/Contents/Helpers/AdobeResourceSynchronizer.app)

Dropbox Application (Dropbox, Inc. - installed 2018-08-29)

(/Applications/Dropbox.app)


Internet Plug-ins:

AdobePDFViewerNPAPI: (installed 2018-08-18)

FlashPlayer-10.6: (installed 2017-10-12)

AdobePDFViewer: (installed 2018-08-18)

QuickTime Plugin: (installed 2018-08-19)

Flash Player: (installed 2017-10-12)

AdobeAAMDetect: (installed 2018-02-19)


3rd Party Preference Panes:

Flash Player (installed 2017-09-26)


Time Machine:

Time Machine Not Configured!


Top Processes by CPU:

Process (count) Source % of CPU Location
Microsoft Word Microsoft Corporation 29
RTProtectionDaemon Malwarebytes Corporation 23
AddressBookSourceSync Apple 21
kernel_task Apple 16
Google Chrome Helper (10) Google, Inc. 10


Top Processes by Memory:

Process (count) Source RAM usage Location
Google Chrome Helper (10) Google, Inc. 656 MB
kernel_task Apple 548 MB
Microsoft Word Microsoft Corporation 175 MB
mdworker (10) Apple 163 MB
Google Chrome Google, Inc. 150 MB


Top Processes by Network Use:

Process Source Input Output Location
webfilterproxyd Apple 825 KB 2 MB
mDNSResponder Apple 317 KB 46 KB
Dropbox Dropbox, Inc. 261 KB 27 KB
IDriveDaemon IDrive Incorporated 38 KB 157 KB
com.avast.proxy AVAST Software a.s. 72 KB 66 KB


Top Processes by Energy Use:

Process (count) Source Energy (0-100) Location
Microsoft Word Microsoft Corporation 3
RTProtectionDaemon Malwarebytes Corporation 2
WindowServer Apple 1
Google Chrome Helper (10) Google, Inc. 0
mdworker (10) Apple 0


Virtual Memory Information:

Available RAM 952 MB
Free RAM 20 MB
Used RAM 3.07 GB
Cached files 932 MB
Swap Used 464 MB


Software Installs (past 30 days):

Name Version Install Date
Microsoft Outlook for Mac 16.16.18081201 2018-08-14
Microsoft OneNote for Mac 16.16.18081201 2018-08-14
Microsoft PowerPoint for Mac 16.16.18081201 2018-08-14
Microsoft Excel for Mac 16.16.18081402 2018-08-18
Microsoft Word for Mac 16.16.18081201 2018-08-18
Adobe Acrobat Reader DC (18.011.20058) 18.011.20058 2018-08-18
IDrive 1.0 2018-08-18
Adobe Acrobat DC (15.006.30448) 15.006.30448 2018-08-19
Microsoft AutoUpdate 4.2.18081201 2018-08-22
Gatekeeper Configuration Data 154 2018-09-05
Malwarebytes for Mac 1.0 2018-09-06
MacKeeper 1.0 2018-09-06
Avast Security 13.9 2018-09-06


Clean up:

/Library/LaunchDaemons/com.prosoftnet.idwebdaemon.plist

/Applications/IDriveforMac/IDWebManagement.app/Contents/MacOS/IDWebManagement

Executable not found


Diagnostics Information (past 7 days):

2018-09-06 17:26:09 ParentalControls.prefPane Crash

/System/Library/PreferencePanes/ParentalControls.prefPane


Directory /Library/Logs/DiagnosticReports is not accessible.

Run as an administrator account to see more information.


End of report
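
A triage pass over the launchd lines of an EtreCheck report like the one above, added here as an example; it is not part of the original thread and not EtreCheck's own code. The sample lines are copied from the report, while the function names, the 30-day window, and the choice to flag a `?` signer field or an `Other` status for manual review are assumptions of this example.

```python
import re
from datetime import date, timedelta

# Sample input: launchd lines copied from the report in this thread.
SAMPLE = """\
[Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2018-08-22)
[Loaded] com.avast.userinit.plist (? bb25154c - installed 2018-09-06)
[Not Loaded] com.adobe.AAM.Updater-1.0.plist (? ffb65062 - installed 2018-02-19)
[Running] com.prosoftnet.idrivedaemon.plist (IDrive Incorporated - installed 2018-08-09)
[Other] com.prosoftnet.idwebdaemon.plist (? b83462ff - installed 2014-01-15)
[Loaded] com.skype.skype.shareagent.plist (? 0 - installed 2017-12-02)
"""

# "[status] name.plist (signer - installed YYYY-MM-DD)"
LINE = re.compile(
    r"^\[(?P<status>[^\]]+)\]\s+(?P<plist>\S+)\s+"
    r"\((?P<signer>.+?) - installed (?P<installed>\d{4}-\d{2}-\d{2})\)$"
)

def parse(report_text):
    """Return one dict per launchd line; lines in other formats are skipped."""
    entries = []
    for raw in report_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        e = m.groupdict()
        e["no_signer"] = e["signer"].startswith("?")
        e["installed"] = date.fromisoformat(e["installed"])
        entries.append(e)
    return entries

def triage(entries, incident, window_days=30):
    """List (plist, reasons) for entries worth a manual look, most reasons first."""
    cutoff = incident - timedelta(days=window_days)
    flagged = []
    for e in entries:
        reasons = []
        if e["no_signer"]:
            reasons.append("no signer")
        if cutoff <= e["installed"] <= incident:
            reasons.append("recent install")
        if e["status"] == "Other":
            reasons.append("status Other")
        if reasons:
            flagged.append((e["plist"], reasons))
    return sorted(flagged, key=lambda f: -len(f[1]))

if __name__ == "__main__":
    for plist, reasons in triage(parse(SAMPLE), date(2018, 9, 6)):
        print(f"{plist}: {', '.join(reasons)}")
```

A flag here only orders the list for review; several flagged entries in this report belong to software the poster installed deliberately.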

Sep 7, 2018 6:40 AM in response to juliairwin

Good you noticed the clue when the issue crossed to both of your devices. Most people wouldn't get that connection.


To prevent that from happening again, go into your router's web setup pages and turn any remote access features off. That's how the perps got into your router to change its settings in the first place.


Additional note. Don't reinstall any of the items Tesserax noted to remove. All AV software is nothing but a drain on system resources. There are no Mac viruses. Trojans go right through. I've lost count of how many people have installed malware, and their AV software only alerted them after it was already too late, or didn't even notice it then. MacKeeper is practically malware itself. Never even think about using that again.


MalwareBytes is different, and actually is useful. Its main purpose is to clean up malware you've already installed. The one thing it does actively is to watch for apps trying to encrypt your data (ransomware), and then does what it can to stop the app and shut it down. Ransomware is rare for the Mac (only three known items exist) and you almost have to go out of your way to get one on your Mac.

Sep 7, 2018 6:43 AM in response to Kurt Lang

Great, thanks so much! I hadn't had any of those until yesterday (I'd always heard there were no Mac viruses) but then downloaded them in desperation. I've removed both the MacKeeper and Avast -- what a racket! My first clue that MacKeeper was no good was when the Malwarebytes quarantined it as a threat. Subsequent posts have definitely confirmed that.


Thanks again. This forum is terrific and I am grateful for everyone's suggestions.

Sep 7, 2018 7:29 AM in response to juliairwin

My first clue that MacKeeper was no good was when the Malwarebytes quarantined it as a threat. Subsequent posts have definitely confirmed that.

The company that owns MacKeeper has been subjected to two lawsuits for their highly deceptive practices. I know they lost one, and likely the other. One of the main complaints is the massive scare tactics they use to try and convince users to purchase their junk. You can install MacKeeper on a brand new Mac out of the box, and it will claim to have found hundreds of serious issues.
