Trojan.MAC.SpyAgent.C

Apple recently removed Dr. Unarchiver and a number of other apps from the Mac App Store after reports that they were scraping private data and uploading it to servers in China.

Here is one of many stories about the issue: Trend Micro tools tossed from Apple's Mac App Store after spewing fans' browser histories • The Register

It is legit and it is an attempt to take over your camera and microphone. However, it is a exe. file so it will most likely have a hard time executing it's task. Hackers are now embedding iframes into browsers, especially on **** sites where you'll see what appears to be from the browser asking "allow" or "deny" no matter which button you click you're downloading the trojan. After that it'll find a place to hide. Like inside your Dr. Cleaner.app you posted.

I don't care what that other poster said about Bitdefender, it is a solid app and great if you don't know how to use terminal. Just delete that Dr. Cleaner app. Apple has removed it from their repository and it is no longer allowed now.

Sophos is, literally, is one of only two places on the entire Internet that even mentions Trojan.MAC.SpyAgent. A and P being know variants. No mention of C. Supposedly old, from around 2005.

They don't say what it does, but label it spyware. As a Trojan, you installed it. That wouldn't be something you could easily get. It would pretty much have to be from an illegal software download, shared software from a P2P site, etc.

True, uninstalling an app that may have the virus makes everything better. However, knocking an app like Bitdefender that works for people who don't know how to use Terminal (to run commands to search out viruses) is not something I would do. If you know how to help folks, you know the best way to find viruses is thru Terminal.

"I don't care what that other poster said about Bitdefender, it is a solid app and great if you don't know how to use terminal."

It has been my experience when called into help with problems on a Mac, uninstall it has only made things better. I also find your comment about Terminal to be difficult to understand. How does an antivirus package have anything to do with Terminal?

Hello Allan

I have just seen this post. I have Adware Medic and Malware bytes showing up in my Launchpad on my 2011 iMac.

Are these two things that should be uninstalled (and if so, please let me know the steps to that as I have had trouble with this type of process before)?

Additionally I have been trying to get my iMac to load faster and have run another Etrecheck (latest version) just a few minutes ago, and wonder if that shows anything that would be related to the trojan issue.

Here it is, thanks very much for any help which is shown to be necessary.

EtreCheck version: 5.0.6 (5A017)

Report generated: 2018-10-22 11:03:25

Download EtreCheck from https://etrecheck.com

Runtime: 3:36

Performance: Good

Problem: Computer is too slow

Description:

some pages take a long time to load.

Major Issues: None

Minor Issues:

These issues do not need immediate attention but they may indicate future problems.

Apps crashing - There have been numerous app crashes.

Clean up - There are orphan files that could be removed.

Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.

32-bit Apps - This machine has 32-bits apps that may have problems in the future.

Abnormal shutdown - Your machine shut down abnormally.

Hardware Information:

iMac (21.5-inch, Mid 2011)

iMac Model: iMac12,1

1 2.5 GHz Intel Core i5 (i5-2400S) CPU: 4-core

8 RAM - Upgradeable

BANK 0/DIMM0 - 4 GB DDR3 1333 ok

BANK 1/DIMM0 - 4 GB DDR3 1333 ok

BANK 0/DIMM1 - Empty

BANK 1/DIMM1 - Empty

Video Information:

AMD Radeon HD 6750M - VRAM: 512 MB

iMac 1920 x 1080

Drives:

disk0 - ST3500418AS 500.11 GB (Mechanical - 7200 RPM)

Internal SATA 3 Gigabit Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 [Core Storage Container] 499.25 GB

disk1 - Macintosh HD (Journaled HFS+) 498.88 GB (52.91 GB used)

disk0s3 - Recovery HD [Recovery] 650 MB

disk2 - ST950032 5AS 500.11 GB

External USB 480 Mbit/s USB

disk2s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk2s2 [Core Storage Container] 499.76 GB

disk3 - L***e (Journaled HFS+) 499.39 GB (196.00 GB used)

disk2s3 - B*******X (Journaled HFS+) 134 MB

Mounted Volumes:

disk1 - Macintosh HD 498.88 GB (445.71 GB free)

Journaled HFS+

Mount point: /

Encrypted

disk3 - L***e 499.39 GB (303.39 GB free)

Journaled HFS+

Mount point: /Volumes/L***e

Encrypted

Network:

Interface en1: Wi-Fi

802.11 a/b/g/n

Proxy Auto Discovery

Interface en0: Ethernet

Interface en4: iPad

Interface fw0: FireWire

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge

iCloud Quota: 28.14 GB available

System Software:

macOS High Sierra 10.13.6 (17G65)

Time since boot: Less than an hour

Security:

System Status

Gatekeeper Enabled

System Integrity Protection Enabled

Unsigned Files:

Launchd: ~/Library/LaunchAgents/com.apple.FolderActions.folders.plist

Executable: /usr/bin/osascript -e 'tell application "Folder Actions Dispatcher" to tick'

Details: Exact match found in the whitelist - probably OK

32-bit Applications:

7 32-bit apps

Kernel Extensions:

/Library/Extensions

MB_MBAM_Protection.kext (3.2 - SDK 10.13)

/System/Library/Extensions

LaCieScsiType00.kext (1.9.1 - SDK 10.5)

Startup Items:

ChmodBPF Path: /Library/StartupItems/ChmodBPF

System Launch Agents:

[Not Loaded] 9 Apple tasks

[Loaded] 178 Apple tasks

[Running] 106 Apple tasks

[Other] One Apple task

System Launch Daemons:

[Not Loaded] 35 Apple tasks

[Loaded] 185 Apple tasks

[Running] 116 Apple tasks

[Other] One Apple task

Launch Agents:

[Running] com.lacie.LaCieDesktopManagerAgent.plist (? 1d7977d3 - installed 2018-10-22)

[Other] com.adobe.ARMDCHelper.cc24aef4a1b90ed56a725c38014c95072f92651fb65e1bf9c8e43c37a 23d420d.plist (Adobe Systems, Inc. - installed 2018-10-02)

[Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2018-07-18)

[Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2018-02-26)

Launch Daemons:

[Loaded] com.lacie.LaCieDesktopManagerDaemon.plist (? f806c6ee - installed 2016-09-13)

[Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2018-02-26)

[Loaded] com.adobe.fpsaud.plist (Adobe Systems, Inc. - installed 2018-09-21)

[Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2018-02-26)

[Loaded] com.adobe.ARMDC.Communicator.plist (Adobe Systems, Inc. - installed 2018-10-02)

[Loaded] com.adobe.acc.installer.v2.plist (Adobe Systems, Inc. - installed 2018-10-05)

[Loaded] com.google.keystone.daemon.plist (Google, Inc. - installed 2018-07-18)

[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2018-07-04)

[Running] com.fitbit.galileod.plist (Fitbit, Inc. - installed 2018-02-07)

[Loaded] com.adobe.ARMDC.SMJobBlessHelper.plist (Adobe Systems, Inc. - installed 2018-10-02)

User Launch Agents:

[Not Loaded] com.apple.FolderActions.enabled.plist (? 0 - installed 2012-12-04)

[Not Loaded] com.google.keystone.agent.plist (? 0 - installed 2012-07-21)

[Not Loaded] com.apple.CSConfigDotMacCert-***@***-SharedServices.Agent.plist (? 0 - installed 2012-04-18)

[Not Loaded] com.apple.FolderActions.folders.plist (? 0 - installed 2018-03-28)

User Login Items:

OpenDNS Updater.app (? - installed 2010-06-16)

(/Applications/OpenDNS Updater.app)

OpenDNS Updater (? - installed 2010-06-16)

(/Applications/OpenDNS Updater.app/Contents/MacOS/OpenDNS Updater)

Internet Plug-ins:

AdobePDFViewerNPAPI: 17.012.20098 (installed 2018-10-13)

FlashPlayer-10.6: 31.0.0.122 (installed 2018-10-13)

QuickTime Plugin: 7.7.3 (installed 2018-07-10)

AdobePDFViewer: 19.008.20074 (installed 2018-10-13)

Flash Player: 31.0.0.122 (installed 2018-10-13)

Silverlight: 5.1.50901.0 (installed 2017-05-13)

3rd Party Preference Panes:

Flash Player (installed 2018-09-21)

Time Machine:

Skip System Files: No

Mobile backups: No

Auto backup: Yes

Volumes being backed up:

Macintosh HD: Disk size: 498.88 GB - Disk used: 53.17 GB

Destinations:

L***e [Local] (Last used)

Total size: 499.39 GB

Total number of backups: 360

Oldest backup: 2012-05-09 10:28:59

Last backup: 2018-10-22 09:56:46

Performance:

System Load: 1.23 (1 min ago) 1.54 (5 min ago) 1.16 (15 min ago)

Nominal I/O speed: 4.36 MB/s

File system: 32.74 seconds

Write speed: 89 MB/s

Read speed: 101 MB/s

CPU Usage:

Type Overall Individual cores

System 4 % 6 % 3 % 3 % 2 %

User 2 % 5 % 2 % 2 % 1 %

Idle 94 % 89 % 96 % 96 % 96 %

Top Processes by CPU:

Process (count) Source CPU Location

kernel_task Apple 5.92 %

EtreCheckPro Etresoft, Inc. 4.36 %

backupd Apple 4.12 %

WindowServer Apple 3.04 %

mds_stores Apple 1.50 %

Top Processes by Memory:

Process (count) Source RAM usage Location

kernel_task Apple 785 MB

mdworker (20) Apple 460 MB

EtreCheckPro Etresoft, Inc. 449 MB

mds_stores Apple 264 MB

backupd Apple 150 MB

Top Processes by Network Use:

Process Source Input Output Location

mDNSResponder Apple 167 KB 97 KB

apsd Apple 10 KB 13 KB

cloudd Apple 7 KB 2 KB

com.apple.geod Apple 3 KB 2 KB

netbiosd Apple 756 B 354 B

Virtual Memory Information:

Available RAM 4.97 GB

Free RAM 846 MB

Used RAM 3.03 GB

Cached files 4.14 GB

Swap Used 0 B

Software Installs (past 30 days):

Name Version Install Date

Adobe Acrobat Reader DC (Continuous) 19.008.20071 2018-10-02

Adobe Acrobat Reader DC (19.008.20074) 19.008.20074 2018-10-13

Adobe Flash Player 31.0.0.122 2018-10-13

EtreCheck 5.0.1 2018-10-22

Pages 7.0 2018-10-22

Clean up:

~/Library/LaunchAgents/com.apple.FolderActions.enabled.plist

/System/Library/CoreServices/Folder Actions Dispatcher.app/Contents/MacOS/Folder Actions Dispatcher

Executable not found

~/Library/LaunchAgents/com.google.keystone.agent.plist

~/Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle/Contents/Reso urces/GoogleSoftwareUpdateAgent.app/Contents/MacOS/GoogleSoftwareUpdateAgent

Executable not found

~/Library/LaunchAgents/com.apple.CSConfigDotMacCert-***@***-SharedServices.Agen t.plist

/System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framewo rk/Versions/A/Support/CSConfigDotMacCert

Executable not found

Diagnostics Information (past 7 days):

2018-10-22 10:40:44 Last Shutdown Cause: -128 - Unknown

2018-10-15 15:56:03 logind Crash

/System/Library/CoreServices/logind

*** multi-threaded process forked ***

crashed on child side of fork pre-exec

2018-10-15 15:11:40 Security.prefPane Crash

/System/Library/PreferencePanes/Security.prefPane

End of report

I would not trust anything that Bitdefender has to say.

It is most likely just some FUD to make you think it is doing something.

Since there are no virus that can effect Macs, searching for them with either the Terminal or an app is a waste of time.