I think I have a trojan horse, what to do?

Similar Messages

• I have  at trojan horse.norton can not remove or quarrantine.virus is 36c09694-167c0775.Help

  I have a trojan horse virus.36c09694-167c0775 Norton can not remove or quarrantine.Help

  I don't think anyone here will be able to identify which trojan that is, or whether, even, it's a Mac trojan. I would contact them. Only they will know what that code is supposed to mean.
  BTW, there is no such animal as a trojan horse virus. There are trojans and viruses, two entirely different things. Thre are no viruses at all for Mac.

• TS1338 I have 4 Trojan Horse viruses on my external drive I use for Time Machine.  My MacBook Pro hard drive is clean.  I have eased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them. Wayne

  I have 4 Trojan Horse viruses on my external drive I use for Time Machine.  My MacBook Pro hard drive is clean.  I have eased the external drive 3 times using Disk Utility and it still has the 4 Trojan Horse viruses. How do I get rid of them. I am using 10.8.3  Wayne

  ksu62 wrote:
  The infection names are:  classload.jar-719ef6a5.zip
                                            classload.jar-5db452le31.zip
                                            ar3.jar-6ce3b2f-45l483f.zip
                                            classload.jar-lef99412-63bsd3fl.zip
  Those look alot like file names and not infection names. I don't find any reference to anything like that on Norton or VirusTotal. Since you said these were Trojans, I would expect to see "Trojan" as part of the infection name.
  ".jar" files are executable Java applets. The random alpha-numerics would seem to indicate a cache file, likely from a browser with Java enabled. And we all know what ".zip" means.
  Worst case is that you had Java enabled in a browser and were infected by one of the late variants of the Flashback Trojan over a year ago or one of a couple of other attacks using the same vulnerability but targetted against a small number of political sympathizers. Much more probable is that thes were Windows only Trojans. Hopefully you have a fully up-to-date OS X, including Java, and have disabled Java in all your browsers by now.

• Please please help me I forgot my security questions and I don't think I have a rescue email what should I do . Please help

  Please please help me I forgot my security questions and I don't think I have a rescue email what should I do . Please help

  You need to contact Apple. Click here, phone them, and ask for the Account Security team, or fill out and submit this form.
  (90015)

• Help - I think I have a trojan on my macbook pro

  I think my macbook pro is infected with something. It's circa 2010 and OS is up to date and current, however I first started noticing issues when the trackpad wouldn't respond as normal (the mouse would be very slow and jump). I updated the software and it seemed to help but now applications open up on their own and the mouse has a life of it's own. I was watching a movie, wasn't connected to the internet, and watched as the mouse proceeded to close the movie, open up photobooth and the webcam came to life.
  Please help, I have no idea what to do and have not turned on my macbook since it happened.

  I have encountered a similar problem a few months ago .  I did a complete shut down, took a small amount of glass cleaner on a paper towel and wiped down my MBP.  I left it open to dry completely, and booted back up. Problem free since. 
  If this doesn't help then I would definitely stick with Linc Davis. 
  A few questions to ask yourself to consider before jumping to the conclusion that you've been cracked.
  A you a high profile individual?
  Do you frequent open networks?   For example coffee shops.
  Have you recently entered your admin password for no apparent reason?
  As a White Hat Skiddie I have read it is more difficult to install and open a Trojan on a Mac than on other OS's. Not impossible, but unlikely.
  Ds Store really puts out some good user tips.  here are 2 I like.
  https://discussions.apple.com/docs/DOC-3047
  My only disagreement about this one is, yes WPA2 can be cracked.  However it is much more secure.  wish I could PM Ds store.
  https://discussions.apple.com/docs/DOC-3291
  Hang in there.

• I have a Trojan horse virus in my iPad 2 , my iPhone, and my desktop pc. My antivirus from my desktop got rid of it on my PC, how do I rid it from my IPad , and phone??

  I know I am not supposed to get a virus on apple products , but here I am. How do I rid myself of it. ??? How did  I get it in the fist place? Does apple make virus protection???if so where and how do I get it?

  So let me understand this.
  Not only are you the first person to have discovered a virus for Mac OS X, but this is also a miracle type of virus that can also be cross-compatible not just from a desktop, but also across both the iPad and even iPhone too?  Ammazing.
  Oh wait, better yet, this magical virus is even capable of working in both Microsoft windows environments, AND mac os X environments, AND iOS environments!
  What an ammazing feat instead! That author of the virus deserves the nobel prize of the century award I would think!
  However, I would first try to use a tiny bit of logic and reasoning before jumping to conclusions about magical viruses here. Just because something tells you a man has walked on water, doesn't mean it's really possible.

• I think I have a Trojan in my system

  I am using Firefox V29.0.1 running under Windows 7. I am not technically adept.
  For the last 2 weeks browsing the response has got slower and slower.
  My ISP says the connection is fine.
  I have been running AVG, Spybot, Malware Anti Malware Bytes and Super Anti Spyware (They are all up to date regarding data and software.) None of these have detected anything.
  I have been using Task manager / Resource Manager to see what is happening and to try and identify the problem. The problem seems to be a series of downloads via Remote Port 80, which seem to start without my knowledge and are associated with Firefox (or so the Task Manager says). When I close Firefox, these downloads continue until I close down my PC.
  The downloads seem to be associated with a series of IP addresses starting with 88.208... I found out these are in the Ukraine (not that that helps me !). My PC always seems to be receiving vast amounts of data from these sites, but I have yet to see any transmissions back from my PC to these sites.
  The Windows resource monitor allows me to do a search on the sites, this I did and it says it couldn't do anything as it hit a 'ROBOTS.TXT' file.
  Sorry if this is the wrong forum, I'd be grateful for redirection if somebody could help.
  Thanks,
  Chris

  Can you restart Firefox in safe mode.
  Safe Mode is a special Firefox mode that can be used to troubleshoot and fix problems. Safe Mode temporarily resets some settings and disables add-ons that might be causing problems.
  see:
  [[Troubleshoot Firefox issues using Safe Mode]]
  Please scan with all programs because each program detects different malware.
  All these programs have free versions.
  Make sure that you update each program to get the latest version of their databases before doing a scan.
  * Malwarebytes' Anti-Malware:
  http://www.malwarebytes.org/mbam.php
  * AdwCleaner:
  http://www.bleepingcomputer.com/download/adwcleaner/
  http://www.softpedia.com/get/Antivirus/Removal-Tools/AdwCleaner.shtml
  *SuperAntispyware:
  http://www.superantispyware.com/
  *Microsoft Safety Scanner:
  http://www.microsoft.com/security/scanner/en-us/default.aspx
  *Windows Defender: Home Page:
  http://www.microsoft.com/windows/products/winfamily/defender/default.mspx
  *Spybot Search & Destroy:
  http://www.safer-networking.org/en/index.html
  *Kasperky Free Security Scan:
  http://www.kaspersky.com/security-scan
  You can also do a check for a rootkit infection with TDSSKiller.
  *Anti-rootkit utility TDSSKiller:
  http://support.kaspersky.com/5350?el=88446
  *[[Troubleshoot Firefox issues caused by malware]]

• Trojan Horse pakes?

  I have some sort of Trojan horse on my iMAC (running Mavericks 10.9.5). When I check the console, there are 1000s of processes going on per second and they repetitively say:
  "10/13/14 7:51:53.579 AM proxyhost[22202]: 67.198.140.250:2122 - - [13/Oct/2014:07:51:53 -0700] "GET http://us-u.openx.net/w/1.0/sd?id=537073142&val=RUIDdzr1pcqq7bm659gajgpbbd5mgaxr 8t4yzbrfwht3uyidafrw9hqy==== HTTP/1.1" 302 401 895"
  10/13/14 7:51:53.505 AM proxyhost[22200]: Made direct (non-proxy) connection to syndication.exoclick.com:80
  10/13/14 7:51:53.000 AM kernel[0]: proc: table is full
  for example. The websites keep changing.
  I've scanned for malware with ClamXV and MacScan and found nothing. I have been blocked from my network. They said I have a trojan horse "pakes".
  Here is the etrecheck report (I'm no longer connected to the ethernet so the processes have stopped. I'm not sure if this matters for what people want to see):
  EtreCheck version: 1.9.15 (52)
  Report generated October 13, 2014 at 7:52:18 AM PDT
  Hardware Information: ?
    iMac (27-inch, Mid 2011) (Verified)
    iMac - model: iMac12,2
    1 3.4 GHz Intel Core i7 CPU: 4 cores
    8 GB RAM
  Video Information: ?
    AMD Radeon HD 6970M - VRAM: 1024 MB
    iMac 2560 x 1440
  System Software: ?
    OS X 10.9.5 (13F34) - Uptime: 2 days 19:28:14
  Disk Information: ?
    Hitachi HDS722020ALA330 disk0 : (2 TB)
    S.M.A.R.T. Status: Verified
    EFI (disk0s1) <not mounted>: 209.7 MB
    Macintosh HD (disk0s2) / [Startup]: 2 TB (1.19 TB free)
    Recovery HD (disk0s3) <not mounted>: 650 MB
    OPTIARC DVD RW AD-5680H
  USB Information: ?
    Apple Computer, Inc. IR Receiver
    Apple Internal Memory Card Reader
    Apple Inc. BRCM2046 Hub
    Apple Inc. Bluetooth USB Host Controller
    Apple Inc. FaceTime HD Camera (Built-in)
  Thunderbolt Information: ?
    Apple Inc. thunderbolt_bus
  Gatekeeper: ?
    Anywhere
  Problem System Launch Daemons: ?
    [failed] com.apple.security.syspolicy.plist
  Launch Daemons: ?
    [loaded] com.adobe.fpsaud.plist Support
    [loaded] com.adobe.SwitchBoard.plist Support
    [loaded] com.barebones.authd.plist Support
    [loaded] com.bombich.ccc.plist Support
    [running] com.bombich.ccc.scheduledtask.4CD02F29-DEED-4CEF-AB0E-270D9AAA53AB.plist Support
    [invalid] com.landesk.broker.plist
    [invalid] com.landesk.cba8.plist
    [invalid] com.landesk.ldwatch.plist
    [invalid] com.landesk.msgsys.plist
    [invalid] com.landesk.pds.plist
    [invalid] com.landesk.pds1.plist
    [loaded] com.landesk.pds2.plist Support
    [invalid] com.landesk.remote.plist
    [loaded] com.microsoft.office.licensing.helper.plist Support
    [loaded] com.oracle.java.JavaUpdateHelper.plist Support
  Launch Agents: ?
    [not loaded] com.adobe.AAM.Updater-1.0.plist Support
  User Launch Agents: ?
    [loaded] com.adobe.AAM.Updater-1.0.plist Support
    [loaded] com.adobe.ARM.[...].plist Support
    [loaded] com.adobe.ARM.[...].plist Support
    [running] com.bombich.ccc-user-agent.plist Support
    [loaded] com.google.keystone.agent.plist Support
    [not loaded] com.spotify.webhelper.plist Support
  User Login Items: ?
    Dropbox
  Internet Plug-ins: ?
    FlashPlayer-10.6: Version: 15.0.0.152 - SDK 10.6 Support
    Default Browser: Version: 537 - SDK 10.9
    AdobePDFViewerNPAPI: Version: 10.1.3 Support
    CouponPrinter-FireFox_v2: Version: Version 1.1.6 Support
    AdobePDFViewer: Version: 9.5.5 Support
    Flash Player: Version: 15.0.0.152 - SDK 10.6 Support
    QuickTime Plugin: Version: 7.7.3
    SharePointBrowserPlugin: Version: 14.1.4 - SDK 10.6 Support
    JavaAppletPlugin: Version: Java 7 Update 55 Check version
  Audio Plug-ins: ?
    BluetoothAudioPlugIn: Version: 1.0 - SDK 10.9
    AirPlay: Version: 2.0 - SDK 10.9
    AppleAVBAudio: Version: 203.2 - SDK 10.9
    iSightAudio: Version: 7.7.3 - SDK 10.9
  iTunes Plug-ins: ?
    Quartz Composer Visualizer: Version: 1.4 - SDK 10.9
  User Internet Plug-ins ?
    WebEx64: Version: 1.0 - SDK 10.6 Support
    Aspera Web 3.3.3.81344: Version: (null) - SDK 10.6 Support
    npBcsMcTcIO: Version: (null) Support
    Picasa: Version: 1.0 - SDK 10.6 Support
  3rd Party Preference Panes: ?
    Flash Player  Support
    Growl  Support
    LANDesk Agent  Support
    TeXDistPrefPane  Support
  Time Machine: ?
    Time Machine not configured!
  Top Processes by CPU: ?
        4% WindowServer
        1% hidd
        1% Console
        1% notifyd
        0% Microsoft Word
  Top Processes by Memory: ?
    311 MB com.apple.IconServicesAgent
    205 MB mds_stores
    180 MB Finder
    172 MB Microsoft Word
    156 MB softwareupdated
  Virtual Memory Information: ?
    1.49 GB Free RAM
    3.57 GB Active RAM
    1.67 GB Inactive RAM
    1.25 GB Wired RAM
    2.74 GB Page-ins
    400 KB Page-outs
  Message was edited by: biomed2014

  1. This procedure is a diagnostic test. It changes nothing, for better or worse, and therefore will not, in itself, solve the problem. But with the aid of the test results, the solution may take a few minutes, instead of hours or days.
  Don't be put off by the complexity of these instructions. The process is much less complicated than the description. You do harder tasks with the computer all the time.
  2. If you don't already have a current backup, back up all data before doing anything else. The backup is necessary on general principle, not because of anything in the test procedure. Backup is always a must, and when you're having any kind of trouble with the computer, you may be at higher than usual risk of losing data, whether you follow these instructions or not.
  There are ways to back up a computer that isn't fully functional. Ask if you need guidance.
  3. Below are instructions to run a UNIX shell script, a type of program. As I wrote above, it changes nothing. It doesn't send or receive any data on the network. All it does is to generate a human-readable report on the state of the computer. That report goes nowhere unless you choose to share it. If you prefer, you can act on it yourself without disclosing the contents to me or anyone else.
  You should be wondering whether you can believe me, and whether it's safe to run a program at the behest of a stranger. In general, no, it's not safe and I don't encourage it.
  In this case, however, there are a couple of ways for you to decide whether the program is safe without having to trust me. First, you can read it. Unlike an application that you download and click to run, it's transparent, so anyone with the necessary skill can verify what it does.
  You may not be able to understand the script yourself. But variations of the script have been posted on this website thousands of times over a period of years. The site is hosted by Apple, which does not allow it to be used to distribute harmful software. Any one of the millions of registered users could have read the script and raised the alarm if it was harmful. Then I would not be here now and you would not be reading this message.
  Nevertheless, if you can't satisfy yourself that these instructions are safe, don't follow them. Ask for other options.
  4. Here's a summary of what you need to do, if you choose to proceed:
  ☞ Copy a line of text in this window to the Clipboard.
  ☞ Paste into the window of another application.
  ☞ Wait for the test to run. It usually takes a few minutes.
  ☞ Paste the results, which will have been copied automatically, back into a reply on this page.
  The sequence is: copy, paste, wait, paste again. You don't need to copy a second time. Details follow.
  5. You may have started the computer in "safe" mode. Preferably, these steps should be taken in “normal” mode, under the conditions in which the problem is reproduced. If the system is now in safe mode and works well enough in normal mode to run the test, restart as usual. If you can only test in safe mode, do that.
  6. If you have more than one user, and the one affected by the problem is not an administrator, then please run the test twice: once while logged in as the affected user, and once as an administrator. The results may be different. The user that is created automatically on a new computer when you start it for the first time is an administrator. If you can't log in as an administrator, test as the affected user. Most personal Macs have only one user, and in that case this section doesn’t apply. Don't log in as root.
  7. The script is a single long line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, though you may not see all of it in the browser window, and you can then copy it. If you try to select the line by dragging across the part you can see, you won't get all of it.
  Triple-click anywhere in the line of text below on this page to select it:
  PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/libexec;clear;cd;p=(Software Hardware Memory Diagnostics Power FireWire Thunderbolt USB Fonts SerialATA 4 1000 25 5120 KiB/s 1024 85 \\b%% 20480 1 MB/s 25000 ports ' com.clark.\* \*dropbox \*genieo\* \*GoogleDr\* \*k.AutoCAD\* \*k.Maya\* vidinst\* ' DYLD_INSERT_LIBRARIES\ DYLD_LIBRARY_PATH -86 "` route -n get default|awk '/e:/{print $2}' `" 25 N\\/A down up 102400 25600 recvfrom sendto CFBundleIdentifier 25 25 25 1000 MB com.apple.AirPortBaseStationAgent 464843899 51 5120 files );N5=${#p[@]};p[N5]=` networksetup -listnetworkserviceorder|awk ' NR>1 { sub(/^\([0-9]+\) /,"");n=$0;getline;} $NF=="'${p[26]}')" { sub(/.$/,"",$NF);print n;exit;} ' `;f=('\n%s: %s\n' '\n%s\n\n%s\n' '\nRAM details\n%s\n' %s\ %s '%s\n-\t%s\n' );S0() { echo ' { q=$NF+0;$NF="";u=$(NF-1);$(NF-1)="";gsub(/^ +| +$/,"");if(q>='${p[$1]}') printf("%s (UID %s) is using %s '${p[$2]}'",$0,u,q);} ';};s=(' s/[0-9A-Za-z._]+@[0-9A-Za-z.]+\.[0-9A-Za-z]{2,4}/EMAIL/g;/\/Shared/!s/(\/Users\/)[^ /]+/\1USER/g;s/[-0-9A-Fa-f]{22,}/UUID/g;' ' s/^ +//;/de: S|[nst]:/p;' ' {sub(/^ +/,"")};/er:/;/y:/&&$2<'${p[10]} ' 1s/://;3,6d;/[my].+:/d;s/^ {4}//;H;${ g;s/\n$//;/s: [^EO]|x([^08]|02[^F]|8[^0])/p;} ' ' 5h;6{ H;g;/P/!p;} ' ' ($1~/^Cy/&&$3>'${p[11]}')||($1~/^Cond/&&$2!~/^N/) ' ' /:$/{ N;/:.+:/d;s/ *://;b0'$'\n'' };/^ *(V.+ [0N]|Man).+ /{ s/ 0x.... //;s/[()]//g;s/(.+: )(.+)/ (\2)/;H;};$b0'$'\n'' d;:0'$'\n'' x;s/\n\n//;/Apple[ ,]|Genesy|Intel|SMSC/d;s/\n.*//;/\)$/p;' ' s/^.*C/C/;H;${ g;/No th|pms/!p;} ' '/= [^GO]/p' '{$1=""};1' ' /Of/!{ s/^.+is |\.//g;p;} ' ' $0&&!/ / { n++;print;} END { if(n<200) print "com.apple.";} ' ' $3~/[0-9]:[0-9]{2}$/ { gsub(/:[0-9:a-f]{14}/,"");} { print|"tail -n'${p[12]}'";} ' ' NR==2&&$4<='${p[13]}' { print $4;} ' ' END { $2/=256;if($2>='${p[15]}') print int($2) } ' ' NR!=13{next};{sub(/[+-]$/,"",$NF)};'"`S0 21 22`" 'NR!=2{next}'"`S0 37 17`" ' NR!=5||$8!~/[RW]/{next};{ $(NF-1)=$1;$NF=int($NF/10000000);for(i=1;i<=3;i++){$i="";$(NF-1-i)="";};};'"`S0 19 20`" 's:^:/:p' '/\.kext\/(Contents\/)?Info\.plist$/p' 's/^.{52}(.+) <.+/\1/p' ' /Launch[AD].+\.plist$/ { n++;print;} END { print "'${p[41]}'";if(n<200) print "/System/";} ' '/\.xpc\/(Contents\/)?Info\.plist$/p' ' NR>1&&!/0x|\.[0-9]+$|com\.apple\.launchctl\.(Aqua|Background|System)$|'${p[41]}'/ { print $3;} ' ' /\.(framew|lproj)|\):/d;/plist:|:.+(Mach|scrip)/s/:[^:]+//p ' '/^root$/p' ' !/\/Contents\/.+\/Contents|Applic|Autom|Frameworks/&&/Lib.+\/Info.plist$/ { n++;print;} END { if(n<1100) print "/System/";} ' '/^\/usr\/lib\/.+dylib$/p' ' /Temp|emac/{next};/(etc|Preferences|Launch[AD].+)\// { sub(".(/private)?","");n++;print;} END { print "'${p[41]}'.plist\t'${p[42]}'";if(n<500) print "Launch";} ' ' /\/(Contents\/.+\/Contents|Frameworks)\/|\.wdgt\/.+\.([bw]|plu)/d;p;' 's/\/(Contents\/)?Info.plist$//;p' ' { gsub("^| |\n","\\|\\|kMDItem'${p[35]}'=");sub("^...."," ") };1 ' p '{print $3"\t"$1}' 's/\'$'\t''.+//p' 's/1/On/p' '/Prox.+: [^0]/p' '$2>'${p[43]}'{$2=$2-1;print}' ' BEGIN { i="'${p[26]}'";M1='${p[16]}';M2='${p[18]}';M3='${p[31]}';M4='${p[32]}';} !/^A/{next};/%/ { getline;if($5<M1) a="user "$2"%, system "$4"%";} /disk0/&&$4>M2 { b=$3" ops/s, "$4" blocks/s";} $2==i { if(c) { d=$3+$4+$5+$6;next;};if($4>M3||$6>M4) c=int($4/1024)" in, "int($6/1024)" out";} END { if(a) print "CPU: "a;if(b) print "I/O: "b;if(c) print "Net: "c" (KiB/s)";if(d) print "Net errors: "d" packets/s";} ' ' /r\[0\] /&&$NF!~/^1(0|72\.(1[6-9]|2[0-9]|3[0-1])|92\.168)\./ { print $NF;exit;} ' ' !/^T/ { printf "(static)";exit;} ' '/apsd|BKAg|OpenD/!s/:.+//p' ' (/k:/&&$3!~/(255\.){3}0/ )||(/v6:/&&$2!~/A/ ) ' ' $1~"lR"&&$2<='${p[25]}';$1~"li"&&$3!~"wpa2";' ' BEGIN { FS=":";p="uniq -c|sed -E '"'s/ +\\([0-9]+\\)\\(.+\\)/\\\2 x\\\1/;s/x1$//'"'";} { n=split($3,a,".");sub(/_2[01].+/,"",$3);print $2" "$3" "a[n]$1|p;b=b$1;} END { close(p);if(b) print("\n\t* Code injection");} ' ' NR!=4{next} {$NF/=10240} '"`S0 27 14`" ' END { if($3~/[0-9]/)print$3;} ' ' BEGIN { L='${p[36]}';} !/^[[:space:]]*(#.*)?$/ { l++;if(l<=L) f=f"\n   "$0;} END { F=FILENAME;if(!F) exit;if(!f) f="\n   [N/A]";"file -b "F|getline T;if(T!~/^(AS.+ (En.+ )?text$|(Bo|PO).+ sh.+ text ex)/) F=F" ("T")";printf("\nContents of %s\n%s\n",F,f);if(l>L) printf("\n   ...and %s more line(s)\n",l-L);} ' ' s/^ ?n...://p;s/^ ?p...:/-'$'\t''/p;' 's/0/Off/p' ' END{print NR} ' ' /id: N|te: Y/{i++} END{print i} ' ' / / { print "'"${p[28]}"'";exit;};1;' '/ en/!s/\.//p' ' NR!=13{next};{sub(/[+-M]$/,"",$NF)};'"`S0 39 40`" ' $10~/\(L/&&$9!~"localhost" { sub(/.+:/,"",$9);print $1": "$9;} ' '/^ +r/s/.+"(.+)".+/\1/p' 's/(.+\.wdgt)\/(Contents\/)?Info\.plist$/\1/p' 's/^.+\/(.+)\.wdgt$/\1/p' ' /l: /{ /DVD/d;s/.+: //;b0'$'\n'' };/s: /{ /V/d;s/^ */- /;H;};$b0'$'\n'' d;:0'$'\n'' x;/APPLE [^:]+$/d;p;' ' /^find: /d;p;' "`S0 44 45`" ' BEGIN{FS="= "} /Path/{print $2} ' ' /^ *$/d;s/^ */   /;' );c1=(system_profiler pmset\ -g nvram fdesetup find syslog df vm_stat sar ps sudo\ crontab sudo\ iotop top pkgutil 'PlistBuddy 2>&1 -c "Print' whoami cksum kextstat launchctl sudo\ launchctl crontab 'sudo defaults read' stat lsbom mdfind ' for i in ${p[24]};do ${c1[18]} ${c2[27]} $i;done;' defaults\ read scutil sudo\ dtrace sudo\ profiles sed\ -En awk /S*/*/P*/*/*/C*/*/airport networksetup mdutil sudo\ lsof test osascript\ -e );c2=(com.apple.loginwindow\ LoginHook '" /L*/P*/loginw*' "'tell app \"System Events\" to get properties of login items'|tr , \\\n" 'L*/Ca*/com.ap*.Saf*/E*/* -d 1 -name In*t -exec '"${c1[14]}"' :CFBundleDisplayName" {} \;|sort|uniq' '~ $TMPDIR.. \( -flags +sappnd,schg,uappnd,uchg -o ! -user $UID -o ! -perm -600 \)' '.??* -path .Trash -prune -o -type d -name *.app -print -prune' :${p[35]}\" :Label\" '{/,}L*/{Con,Pref}* -type f ! -size 0 -name *.plist -exec plutil -s {} \;' "-f'%N: %l' Desktop L*/Keyc*" therm sysload boot-args status " -F '\$Time \$Message' -k Sender kernel -k Message Req 'bad |Beac|caug|corru|dead[^bl]|FAIL|fail|GPU |hfs: Ru|inval|jnl:|last value [1-9]|n Cause: -|NVDA\(|pagin|proc: t|Roamed|rror|ssert|Thrott|tim(ed? ?|ing )o|WARN' -k Message Rne 'Goog|ksadm|SMC:| VALI|xpma' -o -k Sender fseventsd -k Message Req 'SL' " '-du -n DEV -n EDEV 1 10' 'acrx -o comm,ruid,%cpu' '-t1 10 1' '-f -pfc /var/db/r*/com.apple.*.{BS,Bas,Es,J,OSXU,Rem,up}*.bom' '{/,}L*/Lo*/Diag* -type f -regex .\*[cgh] ! -name *ag \( -exec grep -lq "^Thread c" {} \; -exec printf \* \; -o -true \) -execdir stat -f:%Sc:%N -t%F {} \;|sort -t: -k2 |tail -n'${p[38]} '/S*/*/Ca*/*xpc* >&- ||echo No' '-L /{S*/,}L*/StartupItems -type f -exec file {} +' '-L /S*/L*/{C*/Sec*A,E}* {/,}L*/{A*d,Ca*/*/Ex,Co{mpon,reM},Ex,In{p,ter},iTu*/*P,Keyb,Mail/B,Pr*P,Qu*T,Scripti,Sec,Servi,Spo,Widg}* -path \\*s/Resources -prune -o -type f -name Info.plist' '/usr/lib -type f -name *.dylib' `awk "${s[31]}"<<<${p[23]}` "/e*/{auto,{cron,fs}tab,hosts,{[lp],sy}*.conf,pam.d/*,ssh{,d}_config,*.local} {,/usr/local}/etc/periodic/*/* /L*/P*{,/*}/com.a*.{Bo,sec*.ap}*t {/S*/,/,}L*/Lau*/*t .launchd.conf" list getenv /Library/Preferences/com.apple.alf\ globalstate --proxy '-n get default' -I --dns -getdnsservers\ "${p[N5]}" -getinfo\ "${p[N5]}" -P -m\ / '' -n1 '-R -l1 -n1 -o prt -stats command,uid,prt' '--regexp --only-files --files com.apple.pkg.*|sort|uniq' -kl -l -s\ / '-R -l1 -n1 -o mem -stats command,uid,mem' '+c0 -i4TCP:0-1023' com.apple.dashboard\ layer-gadgets '-d /L*/Mana*/$USER&&echo On' '-app Safari WebKitDNSPrefetchingEnabled' "+c0 -l|awk '{print(\$1,\$3)}'|sort|uniq -c|sort -n|tail -1|awk '{print(\$2,\$3,\$1)}'" );N1=${#c2[@]};for j in {0..9};do c2[N1+j]=SP${p[j]}DataType;done;N2=${#c2[@]};for j in 0 1;do c2[N2+j]="-n ' syscall::'${p[33+j]}':return { @out[execname,uid]=sum(arg0) } tick-10sec { trunc(@out,1);exit(0);} '";done;l=(Restricted\ files Hidden\ apps 'Elapsed time (s)' POST Battery Safari\ extensions Bad\ plists 'High file counts' User Heat System\ load boot\ args FileVault Diagnostic\ reports Log 'Free space (MiB)' 'Swap (MiB)' Activity 'CPU per process' Login\ hook 'I/O per process' Mach\ ports kexts Daemons Agents XPC\ cache Startup\ items Admin\ access Root\ access Bundles dylibs Apps Font\ issues Inserted\ dylibs Firewall Proxies DNS TCP/IP Wi-Fi Profiles Root\ crontab User\ crontab 'Global login items' 'User login items' Spotlight Memory Listeners Widgets Parental\ Controls Prefetching SATA Descriptors );N3=${#l[@]};for i in 0 1 2;do l[N3+i]=${p[5+i]};done;N4=${#l[@]};for j in 0 1;do l[N4+j]="Current ${p[29+j]}stream data";done;A0() { id -G|grep -qw 80;v[1]=$?;((v[1]==0))&&sudo true;v[2]=$?;v[3]=`date +%s`;clear >&-;date '+Start time: %T %D%n';};for i in 0 1;do eval ' A'$((1+i))'() { v=` eval "${c1[$1]} ${c2[$2]}"|'${c1[30+i]}' "${s[$3]}" `;[[ "$v" ]];};A'$((3+i))'() { v=` while read i;do [[ "$i" ]]&&eval "${c1[$1]} ${c2[$2]}" \"$i\"|'${c1[30+i]}' "${s[$3]}";done<<<"${v[$4]}" `;[[ "$v" ]];};A'$((5+i))'() { v=` while read i;do '${c1[30+i]}' "${s[$1]}" "$i";done<<<"${v[$2]}" `;[[ "$v" ]];};';done;A7(){ v=$((`date +%s`-v[3]));};B2(){ v[$1]="$v";};for i in 0 1;do eval ' B'$i'() { v=;((v['$((i+1))']==0))||{ v=No;false;};};B'$((3+i))'() { v[$2]=`'${c1[30+i]}' "${s[$3]}"<<<"${v[$1]}"`;} ';done;B5(){ v[$1]="${v[$1]}"$'\n'"${v[$2]}";};B6() { v=` paste -d: <(printf "${v[$1]}") <(printf "${v[$2]}")|awk -F: ' {printf("'"${f[$3]}"'",$1,$2)} ' `;};B7(){ v=`grep -Fv "${v[$1]}"<<<"$v"`;};C0() { [[ "$v" ]]&&sed -E "$s"<<<"$v";};C1() { [[ "$v" ]]&&printf "${f[$1]}" "${l[$2]}" "$v";};C2() { v=`echo $v`;[[ "$v" != 0 ]]&&C1 0 $1;};C3() { v=`sed -E "${s[63]}"<<<"$v"`&&C1 1 $1;};for i in 1 2;do for j in 0 2 3;do eval D$i$j'(){ A'$i' $1 $2 $3; C'$j' $4;};';done;done;{ A0;D20 0 $((N1+1)) 2;D10 0 $N1 1;B0;C2 27;B0&&! B1&&C2 28;D12 15 37 25 8;A1 0 $((N1+2)) 3;C0;D13 0 $((N1+3)) 4 3;D23 0 $((N1+4)) 5 4;D13 0 $((N1+9)) 59 50;for i in 0 1 2;do D13 0 $((N1+5+i)) 6 $((N3+i));done;D13 1 10 7 9;D13 1 11 8 10;D22 2 12 9 11;D12 3 13 10 12;D23 4 19 44 13;D23 5 14 12 14;D22 6 36 13 15;D22 7 37 14 16;D23 8 15 38 17;D22 9 16 16 18;B1&&{ D22 35 49 61 51;D22 11 17 17 20;for i in 0 1;do D22 28 $((N2+i)) 45 $((N4+i));done;};D22 12 44 54 45;D22 12 39 15 21;A1 13 40 18;B2 4;B3 4 0 19;A3 14 6 32 0;B4 0 5 11;A1 17 41 20;B7 5;C3 22;B4 4 6 21;A3 14 7 32 6;B4 0 7 11;B3 4 0 22;A3 14 6 32 0;B4 0 8 11;B5 7 8;B1&&{ A2 19 26 23;B7 7;C3 23;};A2 18 26 23;B7 7;C3 24;D13 4 21 24 26;B4 4 12 26;B3 4 13 27;A1 4 22 29;B7 12;B2 14;A4 14 6 52 14;B2 15;B6 14 15 4;B3 0 0 30;C3 29;A1 4 23 27;B7 13;C3 30;D13 24 24 32 31;D13 25 37 32 33;A2 23 18 28;B2 16;A2 16 25 33;B7 16;B3 0 0 34;B2 21;A6 47 21&&C0;B1&&{ D13 21 0 32 19;D13 10 42 32 40;D22 29 35 46 39;};D23 14 1 62 42;D12 34 43 53 44;D12 22 20 32 25;D22 0 $((N1+8)) 51 32;D13 4 8 41 6;D12 26 28 35 34;D13 27 29 36 35;A2 27 32 39&&{ B2 19;A2 33 33 40;B2 20;B6 19 20 3;};C2 36;D23 33 34 42 37;B1&&D23 35 45 55 46;D23 32 31 43 38;D12 36 47 32 48;D13 20 42 32 41;D13 37 2 48 43;D13 4 5 32 1;D13 4 3 60 5;D12 26 48 49 49;B3 4 22 57;A1 26 46 56;B7 22;B3 0 0 58;C3 47;D22 4 4 50 0;D23 22 9 37 7;A7;C2 2;} 2>/dev/null|pbcopy;exit 2>&-
  Copy the selected text to the Clipboard by pressing the key combination command-C.
  8. Launch the built-in Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Click anywhere in the Terminal window and paste by pressing command-V. The text you pasted should vanish immediately. If it doesn't, press the return key.
  9. If you see an error message in the Terminal window such as "Syntax error" or "Event not found," enter
  exec bash
  and press return. Then paste the script again.
  10. If you're logged in as an administrator, you'll be prompted for your login password. Nothing will be displayed when you type it. You will not see the usual dots in place of typed characters. Make sure caps lock is off. Type carefully and then press return. You may get a one-time warning to be careful. If you make three failed attempts to enter the password, the test will run anyway, but it will produce less information. In most cases, the difference is not important. If you don't know the password, or if you prefer not to enter it, press the key combination control-C or just press return  three times at the password prompt. Again, the script will still run.
  If you're not logged in as an administrator, you won't be prompted for a password. The test will still run. It just won't do anything that requires administrator privileges.
  11. The test may take a few minutes to run, depending on how many files you have and the speed of the computer. A computer that's abnormally slow may take longer to run the test. While it's running, there will be nothing in the Terminal window and no indication of progress. Wait for the line
  [Process completed]
  to appear. If you don't see it within half an hour or so, the test probably won't complete in a reasonable time. In that case, close the Terminal window and report what happened. No harm will be done.
  12. When the test is complete, quit Terminal. The results will have been copied to the Clipboard automatically. They are not shown in the Terminal window. Please don't copy anything from there. All you have to do is start a reply to this comment and then paste by pressing command-V again.
  At the top of the results, there will be a line that begins with the words "Start time." If you don't see that, but instead see a mass of gibberish, you didn't wait for the "Process completed" message to appear in the Terminal window. Please wait for it and try again.
  If any private information, such as your name or email address, appears in the results, anonymize it before posting. Usually that won't be necessary.
  13. When you post the results, you might see an error message on the web page: "You have included content in your post that is not permitted," or "You are not authorized to post." That's a bug in the forum software. Please post the test results on Pastebin, then post a link here to the page you created.
  14. This is a public forum, and others may give you advice based on the results of the test. They speak only for themselves, and I don't necessarily agree with them.
  Copyright © 2014 by Linc Davis. As the sole author of this work, I reserve all rights to it except as provided in the Use Agreement for the Apple Support Communities website ("ASC"). Readers of ASC may copy it for their own personal use. Neither the whole nor any part may be redistributed.

• Trojan horse backdoor

  For the past two days AVG virus is telling me I have a Trojan Horse BackDoor.Generic13.LZX in the firefox.exe process object c:\windows\system32\autochk.exe my only options in AVG is to ignore. What do I do?

  why would a host be editing my post? Is someone from the Apple company doing this? Why would you have to edit my post? Whta right do you have logging into my account to make changes to anything i make?

• Trojan horse in lenovo file

  My virus scanner found the trojan horse Trojan.Magania-9679 in C:\SWTOOLS\Apps\Lenovoidea\Idealink.exe.
  I think this file is made by lenovo.
  Is this an error by the scanner or is the file really infected?

  Hi,
  Are you using AVG Free antivirus?
  I had two problems of a similar nature. One was with a Brand A computer where a game file installed by the manufacturer was reported to have a Trojan Horse and one was when I downloaded two scanner driver files from HP which were reported to have viruses. I contacted HP and they said that the files had no viruses. I downloaded the the files on another computer and checked them with Avira Free Antivitus program and Avira reported no viruses.
  Try copying the suspect file to a flash drive and checking it on a different machine with a different AV program.
  Regards 

• HT202456 Trojan horse

  My laptop boots up and I get the message I have a trojan horse virus. What do I do to remove it?

  This is a scam. If there is any telephone number given, please don't call these people.
  1. Force Quit .
      Press command + option + esc keys together at the same time. Wait.
      When Force Quit window appears, select  Safari if not already.
      Press Force Quit button at the bottom of the window.   Wait.
      Safari will quit.
  2. Relaunch Safari holding the shift key down.
  3. Turn off wifi and turn it back on.
      Turn off Wifi. Click Wifi icon in the menu bar and select “Turn Wifi off”.
      Visit another website.
      You won’t have internet connection.
      Turn on Wifi. Click Wifi icon in the menu bar and select “Turn Wifi on”.
      Select your Network.
  4. Safari > Preferences > Security > Privacy
      Cookies and website data:
      Click “Details” button.
      Remove the cookie related to this, if there is one.
  For more info:
  http://www.adwaremedic.com/kb/scampopups.php

• Trojan horse virus..can't remove

  Greetings,
  recently I downloaded a video reader from a website.....but since I've done this it's taken over all the google, yahoo, and ask paid links and instead launched a website that directs me away from the paid links.
  I've tried a few virus removers but they don't seem to remove the virus. Tried to clear all my cookies and cache..but it still comes back..need Help!
  Any ideas??
  best regards

  You downloaded a file claiming it was a video codec from a **** site, which is why you now have a Trojan Horse. To remove it, download and run this program: DNSChanger Removal Tool, then reboot your Mac and the problem should be gone.
  To avoid this problem in the future, don't visit **** sites, and definitely don't download things that are not from trusted sources, or at least legitimate sources. All legitimate video codecs come from real companies with real names and information about their codec.
  Mulder

• I think I have  some Malware/Trojan Horse on MacBook Pro. How to get rid of it?

  My MacBook Pro has worked perfect for the last 2 years, but over the last 2 days when I am on Chrome it has started clicking onto random websites when I click other links, and showing certain words as underlined and as hotlinks. I think I recognise that from having a PC as Malware or Trojan Horse? What is the best way to remove this as I have read through a few threads on here and they advise not downloading any anti virus software as it slows down your Mac instead of helping.
  <Post Edited By Host>

  You installed the "VSearch" trojan, perhaps under a different name. Remove it as follows.
  Malware is constantly changing to get around the defenses against it. The instructions in this comment are valid as of now, as far as I know. They won't necessarily be valid in the future. Anyone finding this comment a few days or more after it was posted should look for more recent discussions or start a new one.
  Back up all data before proceeding.
  Triple-click anywhere in the line below on this page to select it:
  /Library/LaunchAgents/com.vsearch.agent.plist
  Right-click or control-click the line and select
            Services ▹ Reveal in Finder (or just Reveal)
  from the contextual menu.* A folder should open with an item named "com.vsearch.agent.plist" selected. Drag the selected item to the Trash. You may be prompted for your administrator login password.
  Repeat with each of these lines:
  /Library/LaunchDaemons/com.vsearch.daemon.plist
  /Library/LaunchDaemons/com.vsearch.helper.plist
  /Library/LaunchDaemons/Jack.plist
  Restart the computer and empty the Trash. Then delete the following items in the same way:
  /Library/Application Support/VSearch
  /Library/PrivilegedHelperTools/Jack
  /System/Library/Frameworks/VSearch.framework
  ~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
  Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.
  From the Safari menu bar, select
            Safari ▹ Preferences... ▹ Extensions
  Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.
  Reset the home page and default search engine in all the browsers, if it was changed.
  This trojan is distributed on illegal websites that traffic in pirated content. If you, or anyone else who uses the computer, visit such sites and follow prompts to install software, you can expect much worse to happen in the future.
  You may be wondering why you didn't get a warning from Gatekeeper about installing software from an unknown developer, as you should have. The reason is that this Internet criminal has a codesigning certificate issued by Apple, which causes Gatekeeper to give the installer a pass. Apple could revoke the certificate, but as of this writing, has not done so, even though it's aware of the problem. This failure of oversight has compromised both Gatekeeper and the Developer ID program. You can't rely on Gatekeeper alone to protect you from harmful software.
  *If you don't see the contextual menu item, copy the selected text to the Clipboard by pressing the key combination  command-C. In the Finder, select
            Go ▹ Go to Folder...
  from the menu bar and paste into the box that opens by pressing command-V. You won't see what you pasted because a line break is included. Press return.

• I have received an email from a friend with a link which I clicked. It directed me to the google home page and I am now suspicious that it is a virus  or a Trojan horse. I would know what to do on my PC but am new to Ipad. How can I check?

  I have received an email from a friend with a link which I clicked. It took me to the google home page. I am now suspicious that my friend's email account has been hijacked and the link contained a virus or a Trojan horse. I would know what to do on my PC but am new to the IPad. Can any form of Trojan horse be planted on IOS 6 or am I worrying unnecessarily? Reassurance would be most welcome as I do use the IPad for checking bank details and web purchases. Thanks for any help.

  PC virus won't run on iPad.

• If I have Trojan horse (or virus?), will clean install resolve it?

  Answered what turned out to be a scam ad on craigslist for an Apple product and downloaded photos the scammer had sent of the supposed computer. I now find that, while I'm able to get to all other sites, when I put craigslist.com or craigslist.org into my browser, nothing happens. I feel like the scammer's photos had a virus or trojan horse to prevent me from going back on craigslist to post a warning of the scam. Luckily, just a couple of days ago I backed up all my data twice, on two separate drives -- so would a clean install resolve this? If so, how do I do such a thing? (Please explain in simple terms since I'm not a techie.)
  Thanks!

  I'm thinking your problem is something else, and that At this point I think you should get Applejack...
  http://www.versiontracker.com/dyn/moreinfo/macosx/19596
  After installing, reboot holding down CMD+s, then when the DOS like prompt shows, type in...
  applejack AUTO
  Then let it do all 5 of it's things.
  At least it'll eliminate some questions if it doesn't fix it.
  The 5 things it does are...
  Correct any Disk problems.
  Repair Permissions.
  Clear out Cache Files.
  Repair/check several plist files.
  Dump the VM files for a fresh start.