Joely

Everything posted by Joely

  1. Thank you. Found the correct tab, though my reports have expired since it's been over 30 days. Now I know for next time.
  2. Oldest backup is March 15. I'll look into this. I'm aware of the hourly, daily, and weekly backups that Time Machine automatically makes. I just assumed 6 weeks or so was the limit of Time Machine based on my 3 TB Airport; never imagined it could go back a year. I have a MacBook Air going to the same Airport, there is not much on it. I use iCloud for some things and that won't be on the TM backups (geez or will they), saving some space. Thanks so much.
  3. edit - Thank you for all those answers. Backup is a 3TB Airport 285 GB free. Macintosh HD 650 GB used with 460 GB of that iOS, and 1.35 TB free. My Time Machine backups go back over a month but in some situations I need an older file, so I like to back up to an external drive every so often.
  4. Thank you for all those answers. Backup is a 3TB Airport 285 GB free. Macintosh HD 650 GB used with 460 GB of that iOS, and 1.35 TB free. My Time Machine backups go back over a month but in some situations, so I like to back up to an external drive every so often.
  5. Thomas - Thank you, that helps a lot. I am so wary of googling a potential threat and going to a website that I have no idea about. I figure those that write malware would target these very sites to distribute their malware, so VirusTotal will be very useful to me. Under reports, I don't see any blue links in the history at all. Is it because my Premium trial ran out? Wish I could do another 14-day trial because it ran out before I could finish evaluating it and other options. My big concern is the amount of crap still on my system after running it. Total 20 threats, 18 remediated, 2 failed, 13 quarantined: OperatorMac, Crossrider, and a Booking.app PUP that still has remnants on my system. Real-time scans were only the first 2x; after that, through today, the scans are all scheduled or manual. Not sure what the difference between real-time and scheduled scans is. The feel I get is that the premium version operates in real time to prevent threats (blocks me from visiting bad sites? and not sure what else it does) and you could schedule scans as well with premium. I deleted the 5 apps from my Applications folder via Finder before installing Norton. They appeared to be user apps, and not in Utilities. After much searching and yielding virtually nothing on Apple Discussions and elsewhere using Google, Bing, and DuckDuckGo using search operators etc., I concluded it wasn't system software. Had to reinstall macOS due to a prohibitory symbol a month or so back. Before then I was careful about what I deleted and installed. Now I am overly cautious. I've been backing up to Time Machine, and a LaCie for full backups. May get CCC again. One problem is that Time Machine deletes old backups, so by the time you find an issue the backup you need may be gone. Many thanks.
  6. Wow, thank you! I found a good recent table that compares quite a few AV programs; I’ll post tomorrow since I shut down my Mac. They rated Norton very highly, though I found it to be cumbersome and not terribly effective. Malwarebytes was reviewed positively, except for something about not being certified or accredited if I remember correctly.
  7. My Premium trial ran out before I could finish investigating it. Being more careful about installing programs that run in real-time, after a bad experience with Norton.
  8. Thanks for the link you posted https://www.malwarebytes.com/remediationmap/. It's so interesting, even if it is Windows! Would have liked to see ClamXav stats in there. I am likely going to look at Kaspersky and BitDefender, which have stats posted along with so many other antimalware programs.
  9. Very helpful thank you. To your point Malwarebytes scan speed is extremely fast. Norton was extremely slow, never found anything, caused a ton of faults, so I uninstalled it. When I can come up for air I may take a look at Kaspersky and BitDefender. BTW I took another look at the free AlienVault OTX at https://otx.alienvault.com and it is proving very useful for looking up suspected threats or simply unknown items. Everything I searched for so far was whitelisted, and that was a relief, using Browse -> Malware Families and Browse -> Indicators. You can search for IP addresses, domains, much more.
  10. Will it stop me from visiting sites that could potentially be harmful? I've read that malware can be injected just by visiting a site without downloading from it. Does it use blacklists or whitelists? What are the limitations of Malwarebytes Premium? Are there recommended solutions to any limitations that the user should take to address infections that are outside the scope of the software? What does the software excel at compared to top competitors? Is there anything that Malwarebytes does that competitors do not? Thank you.
  11. Thomas - thank you. I admit I am all over the place. I'm very new to malware and have many more questions than answers. This all started with a browser redirect that affected Safari & Chrome on my MacBook and iMac. Once Malwarebytes found 13 quarantines (mostly mitmproxy, TopicLookup, Crossrider), I started to look at how I got infected, how to remove leftovers, and how to best prevent getting infected again. Went down the path of Malwarebytes, Norton, EtreCheck, AlienVault, looking at browser caches for clues etc. What I would love to do is be able to search a trusted repository to help identify a potential threat on my network or devices without googling or going to the website. Just a few examples: vap1ord1.lijit.com, confiant-interactions.global.ssl.fastly.net (my browser redirect had a related url), and the apps ExploreTask, EngineCache, EngineDiscovery, ProcessLocator and WebScheduler. I trashed these 5 apps, have no idea where they came from, they still have files all over my iMac, and I even tried to put back one of them to further investigate and it will not put back from the trash. That's why I started looking at AlienVault. I uninstalled Norton because it had not detected a single threat in a month, and it did not seem to be working properly. There were a ton of errors and faults in the Console msgs. In just a month of running it, upon launching it said Pending and took several minutes to launch. I would like to learn more about Malwarebytes Premium.
  12. Thank you so very much. I misunderstood the scope of this forum; the forum description reads "A forum dedicated to cleaning infected Mac computers. Get personalized help removing adware, malware, spyware, ransomware, trojans, viruses and more from tech experts." If it is just for topics related to removing malware discovered by Malwarebytes for Macs, the description should be updated. I reviewed the link you sent me and Malwarebytes Premium looks good. I like that it blocks threats before they are installed and that it is an adblocker as well. I need to look into whether it will work well with Norton, which has real-time anti-malware (doesn't seem to be blocking anything though). I read you shouldn't have two real-time programs installed. I'm very concerned about inadvertently navigating to websites that may cause damage. In trying to remove malware, it seems logical that I am increasing my chances of getting infected by visiting sites with potential solutions. Appreciate your input on AlienVault. I'll hold off. Had hoped it would help me better identify existing threats. Glad to learn the browser cache can't hurt me, not so glad to think that the damage from visiting those sites is already done. I was using the browser cache/cookies/local storage/data to get clues on where existing threats came from so that I can remove them and prevent them from happening again. Some examples: My network security (xFi from xfinity) blocks 4-10 threats weekly on my devices and network. It only gives me the originating url or IP. Today it stopped a "suspicious site visit" to vap1ord1.lijit.com on one of my routers, and I remember clearing browser caches on my iMac from lijit.com a while back. Today it also blocked 76.116.301.16 from accessing port 56724 on my son's laptop. Safari browser redirects. Chrome is wrongly saying "Managed by your organization" when it should not be. Also had redirects; after some effort these appear to be fixed.
Nervous about inputting my admin pw to delete Flash Player from the preference pane, since I can't find any indication of Flash being installed from Adobe, and you said that was the only way that Flash would be in the preference pane. My iMac's Installation history says "Source: 3rd Party" with monthly updates after the initial Flash install. I must have entered my pw to get rid of Flash from my MacBook; there it originated via a macromedia.Flash Player.plugin on com.google.Safari; com, PlugInPageURL = "http://purchase.tickets.com/"), which was troublesome. Deleted every Flash reference I could find. I guess I will just go ahead and delete this last vestige from my Preference Pane and be done with it. I bought the premium version of EtreCheck and will go through those channels for support. I've seen some of etresoft's posts on Apple communities. He seems very knowledgeable and helpful to his users. Nice to have friends in high places. Thanks again. Have a good night.
  13. Hi everyone, this is my first post! Happy to have found this forum. I'm just starting to learn about malware removal. My main question is should I join AlienVault Open Threat Exchange? I'd like to be able to more easily identify threats that are found on my devices and network. The website is https://otx.alienvault.com . I'd also like to learn how to identify who an IP address belongs to and if it is safe. Below are details related to the malware on my iMac (Mojave 10.14.6). If anyone cares to delve in and comment on any of it, that would be fantastic. Thank you in advance. My Safari (v13.1) cache has 50+ websites in it that I have not navigated to, and if I delete each cache individually, some automatically come back. I've looked into a few of these cached sites, but am extremely hesitant to continue to go to these websites or even to google them to investigate because it may raise my risk of getting infected. I've run EasyFind (Devon Technologies app) searches on some of the websites in the cache, and it is not finding them despite searching all files and volumes. 1st run of the Premium trial of Malwarebytes found Crossrider, mitmproxy, a browser extension in Chrome (adware), several files and directories related to TopicLookup, and a couple other files and directories. Screenshot attached of quarantined items. Nothing else found since then and my trial has run out; should I upgrade to Premium? Flash Player was installed and updated multiple times from a 3rd party. This was over a year ago; I don't remember doing it but it updated monthly for some time. Adobe cannot find it on my iMac to uninstall it; I'm assuming that is because Flash Player was not installed from Adobe to begin with. I've started to manually find and delete the Flash files. Deleting Flash Player from the system preferences pane requires me to put in my admin password, which I haven't done yet (again, hesitant). EtreCheck report below.
I am new to EtreCheck and am still deciphering the report. I have a runaway process and kernel panics that could be related to 3rd party software. Also, I downloaded Norton from my Internet provider (xfinity) on 4-9-2020, and EtreCheck shows Norton for Mac and Norton Security were both installed. The app is Norton Security; I can't find Norton For Mac anywhere on my iMac. At any rate, Norton Security has been useless in finding threats.

EtreCheck version: 5.5.4 (5106)
Report generated: 2020-04-28 03:34:46
Download EtreCheck from https://etrecheck.com
Runtime: 2:04
Performance: Excellent
Sandbox: Enabled
Full drive access: Enabled
Problem: Other problem
Description: Remove Flash Player, adware, malware

Major Issues:
Anything that appears on this list needs immediate attention.
Runaway process - A process is using a large percentage of your CPU.
Kernel panics - This system has experienced kernel panics that could be related to 3rd party software.

Minor Issues:
These issues do not need immediate attention but they may indicate future problems or opportunities for improvement.
Heavy network usage - This machine has recently restarted and has high network usage.
Apps crashing - There have been numerous app crashes.
Unsigned files - There are unsigned software files installed. Apple has said that unsigned software will not run by default in a future version of the operating system.
32-bit Apps - This machine has 32-bits apps will not work on macOS 10.15 "Catalina".
Kernel extensions present - This machine has kernel extensions that may not work in the future.

Hardware Information:
iMac (Retina 5K, 27-inch, 2017)
iMac Model: iMac18,3
4.2 GHz Intel Core i7 (i7-7700K) CPU: 4-core
8 GB RAM - Upgradeable
BANK 0/DIMM0 - 4 GB DDR4 2400
BANK 0/DIMM1 - Empty
BANK 1/DIMM0 - 4 GB DDR4 2400
BANK 1/DIMM1 - Empty

Video Information:
Radeon Pro 580 - VRAM: 8 GB
iMac (built-in) 5120 x 2880

Drives:
disk0 - APPLE SSD SM2048L 2.00 TB (Solid State - TRIM: Yes)
Internal PCI-Express 8.0 GT/s x4 NVM Express
disk0s1 - EFI [EFI] 315 MB
disk0s2 [APFS Container] 2.00 TB
disk1 [APFS Virtual drive] 2.00 TB (Shared by 4 volumes)
disk1s1 - Macintosh HD (APFS) (Shared - 653.85 GB used)
disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)
disk1s3 - Recovery (APFS) [Recovery] (Shared)
disk1s4 - VM (APFS) [APFS VM] (Shared - 5.37 GB used)

Mounted Volumes:
disk1s1 - Macintosh HD 2.00 TB (Shared - 653.85 GB used, 1.35 TB available, 1.34 TB free)
APFS
Mount point: /
disk1s4 - VM [APFS VM] 2.00 TB (Shared - 5.37 GB used, 1.34 TB free)
APFS
Mount point: /private/var/vm

Network:
Interface en0: Ethernet
Interface en5: iPhone
Interface en1: Wi-Fi 802.11 a/b/g/n/ac
Interface en4: Bluetooth PAN
Interface bridge0: Thunderbolt Bridge

System Software:
macOS Mojave 10.14.6 (18G4032)
Time since boot: About 4 hours

Notifications:
EtreCheck.app 5 notifications
Safari.app 4 notifications

Security:
Gatekeeper: Enabled
System Integrity Protection: Enabled
Antivirus software: Apple and Malwarebytes

Unsigned Files:
Launchd: /Library/LaunchDaemons/jp.co.canon.MasterInstaller.plist
Executable: /Library/PrivilegedHelperTools/jp.co.canon.MasterInstaller
Details: Exact match found in the whitelist - probably OK
Launchd: /Library/LaunchDaemons/com.symantec.sharedsettings.MES.plist
Executable: /Library/Application Support/Symantec/Silo/MES/DomainSettings/SymSharedSettingsd
Details: Executable file is not accessible without Full Drive Access

32-bit Applications:
5 32-bit apps

Kernel Extensions:
/Library/Application Support/Malwarebytes/MBAM/Kext
MB_MBAM_Protection.kext (Malwarebytes Corporation, 4.4 - SDK 10.11)
/Library/Extensions
SymXIPS.kext (Symantec, 9.0.1 - SDK 10.10)
SymInternetSecurity.kext (Symantec, 9.0.3 - SDK 10.10)
SymIPS.kext (Symantec, 9.0.2 - SDK 10.10)
NortonForMac.kext (Symantec, 9.0.1 - SDK 10.10)

System Launch Agents:
[Not Loaded] 15 Apple tasks
[Loaded] 187 Apple tasks
[Running] 97 Apple tasks
[Other] One Apple task

System Launch Daemons:
[Not Loaded] 38 Apple tasks
[Loaded] 199 Apple tasks
[Running] 97 Apple tasks

Launch Agents:
[Running] com.malwarebytes.mbam.frontend.agent.plist (Malwarebytes Corporation - installed 2020-04-21)
[Loaded] com.microsoft.update.agent.plist (Microsoft Corporation - installed 2020-04-21)
[Running] com.symantec.uiagent.application.MES.plist (Symantec - installed 2020-03-26)

Launch Daemons:
[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2020-03-18)
[Running] com.malwarebytes.mbam.rtprotection.daemon.plist (Malwarebytes Corporation - installed 2020-04-27)
[Running] com.malwarebytes.mbam.settings.daemon.plist (Malwarebytes Corporation - installed 2020-04-21)
[Loaded] com.microsoft.OneDriveUpdaterDaemon.plist (Microsoft Corporation - installed 2019-01-23)
[Loaded] com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2020-04-21)
[Loaded] com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2019-01-15)
[Loaded] com.symantec.SymLUHelper.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.UninstallerToolHelper.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.deepsightdownload.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.dsp.nortonaggregatord.MES.plist (Symantec - installed 2020-03-26)
[Running] com.symantec.kexthelper.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.liveupdate.daemon.MES.plist (Symantec - installed 2020-03-26)
[Running] com.symantec.sharedsettings.MES.plist (? 84ffa067 - installed 2020-03-26)
[Running] com.symantec.symdaemon.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.symqual.detail.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.symqual.panicreporter.MES.plist (Symantec - installed 2020-03-26)
[Loaded] com.symantec.symqual.submit.MES.plist (Symantec - installed 2020-03-26)
[Loaded] jp.co.canon.MasterInstaller.plist (? d0637166 - installed 2019-03-24)

User Launch Agents:
[Other] com.google.keystone.agent.plist (Google, Inc. - installed 2020-04-27)
[Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2020-04-27)

User Login Items:
[Running] CIJSULAgent (Canon Inc. - installed 2019-03-24)
Modern Login Item
/Applications/Canon Utilities/IJ Scan Utility/Canon IJ Scan Utility Lite.app/Contents/Library/LoginItems/CIJSULAgent.app
[Not Loaded] Launcher Disabler (Microsoft Corporation - installed 2019-01-23)
Modern Login Item
/Applications/OneDrive.app/Contents/Library/LoginItems/Launcher Disabler.app
[Not Loaded] OneDrive Launcher (Microsoft Corporation - installed 2019-01-23)
Modern Login Item
/Applications/OneDrive.app/Contents/Library/LoginItems/OneDrive Launcher.app
[Not Loaded] StartUpHelper (Spotify - installed 2019-05-16)
Modern Login Item
/Applications/Spotify.app/Contents/Library/LoginItems/StartUpHelper.app
[Not Loaded] HP Device Monitor (HP Inc. - installed 2019-01-08)
Modern Login Item
/Library/Printers/hp/Frameworks/HPDeviceMonitoring.framework/Versions/1.0/Helpers/HP Device Monitor Manager.app/Contents/Library/LoginItems/HP Device Monitor.app
[Not Loaded] HP Product Research (HP Inc. - installed 2019-01-08)
Modern Login Item
/Library/Printers/hp/Utilities/HPPU Plugins/ProductImprovementStudy.hptask/Contents/Helpers/HP Product Research Manager.app/Contents/Library/LoginItems/HP Product Research.app
[Not Loaded] HP Data Uploader (HP Inc. - installed 2019-01-08)
Modern Login Item
/Library/Printers/hp/Utilities/HPPU Plugins/ProductImprovementStudy.hptask/Contents/Helpers/HP Product Research Manager.app/Contents/Library/LoginItems/HP Product Research.app/Contents/Resources/HP Data Uploader.app

Audio Plug-ins:
AppleTimeSyncAudioClock: 1.0 (Apple - installed 2019-09-20)
BluetoothAudioPlugIn: 6.0.14 (Apple - installed 2020-04-15)
AirPlay: 2.0 (Apple - installed 2020-04-15)
AppleAVBAudio: 760.6 (Apple - installed 2019-09-20)
BridgeAudioSP: 5.52 (Apple - installed 2020-04-15)
iSightAudio: 7.7.3 (Apple - installed 2019-09-20)

3rd Party Preference Panes:
Flash Player (Adobe Systems, Inc. - installed 2020-02-25)

Time Machine:
Auto backup: Yes
Volumes being backed up:
Macintosh HD: Disk size: 2.00 TB - Disk used: 660.08 GB
Destinations:
Data [Network] (Last used)
Total size: 2.85 TB
Total number of backups: 20
Oldest backup: 2020-03-15 10:45:32
Last backup: 2020-04-28 03:13:43
16 local snapshots
Oldest local snapshot: 2020-04-27 03:11:25
Last local snapshot: 2020-04-28 03:08:02

Performance:
System Load: 3.20 (1 min ago) 2.51 (5 min ago) 2.26 (15 min ago)
Nominal I/O speed: 7.97 MB/s
File system: 30.11 seconds
Write speed: 2267 MB/s
Read speed: 2832 MB/s

CPU Usage Snapshot:
Type Overall
System: 3 %
User: 18 %
Idle: 78 %

Top Processes Snapshot by CPU:
Process (count) CPU (Source - Location)
Other processes 127.13 % (?)
Console 25.05 % (Apple)
EasyFind 7.43 % (App Store)
Safari 4.80 % (Apple)
EtreCheck 2.89 % (App Store)

Top Processes Snapshot by Memory:
Process (count) RAM usage (Source - Location)
EtreCheck 443 MB (App Store)
Console 246 MB (Apple)
Safari 183 MB (Apple)
Finder 177 MB (Apple)
EasyFind 122 MB (App Store)

Top Processes Snapshot by Network Use:
Process Input / Output (Source - Location)
Other processes 638 MB / 1.13 GB (?)
com.apple.WebKit.Networking 2 MB / 408 KB (Apple)
SystemUIServer 873 B / 36 B (Apple)
Terminal 0 B / 0 B (Apple)
diagnostics_agent 0 B / 0 B (Apple)

Virtual Memory Information:
Physical RAM: 8 GB
Free RAM: 23 MB
Used RAM: 7.02 GB
Cached files: 982 MB
Available RAM: 1006 MB
Swap Used: 1.76 GB

Software Installs (past 30 days):
Install Date Name (Version)
2020-04-01 Numbers (10.0)
2020-04-01 Pages (10.0)
2020-04-01 Keynote (10.0)
2020-04-02 Safari (13.1)
2020-04-02 MRTConfigData (1.58)
2020-04-09 Norton For Mac (8.5.5.277.277)
2020-04-09 Norton Security SKU (8.5.5.277.277)
2020-04-15 Security Update 2020-002 (10.14.6)
2020-04-15 Mobile Device (1.0.0.0)
2020-04-15 Microsoft Excel (16.36.20041300)
2020-04-15 Microsoft OneNote (16.36.20041300)
2020-04-15 Microsoft Outlook (16.36.20041300)
2020-04-15 Microsoft PowerPoint (16.36.20041300)
2020-04-16 XProtectPlistConfigData (2119)
2020-04-21 Microsoft AutoUpdate (4.22.20042003)
2020-04-27 EasyFind (4.9.3)
2020-04-27 EtreCheck (5.5.4)
2020-04-27 Microsoft Word (16.36.20041300)
2020-04-27 Malwarebytes for Mac (1.0)

Diagnostics Information (past 7-30 days):
2020-04-28 03:19:47 Safari.app - Crash (15 times)
Executable: /Applications/Safari.app
Details: dyld: launch, loading dependent libraries
2020-04-27 23:43:59 coreservicesd - High CPU Use (2 times)
Executable: /System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/CarbonCore.framework/Versions/A/Support/coreservicesd
2020-04-26 06:07:30 com.apple.WebKit.WebContent - High CPU Use
Executable: /System/Library/StagedFrameworks/Safari/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
2020-04-25 22:53:44 backupd - High CPU Use
Executable: /System/Library/CoreServices/backupd.bundle/Contents/Resources/backupd
2020-04-22 13:44:47 Kernel Panic (2 times)
Details: panic(cpu 0 caller 0xffffff8013205446): "a freed zone element has been modified in zone kalloc.128: expected 0xdeadbeefdeadbeef but found 0xffffff803a83c250, bits changed 0x2152416fe42e7cbf, at offset 88 of 128 in element 0xffffff803a83b800, cookies 0x3f00119a67238ab8 0x53521dd0d 22eb3d"@/BuildRoot/Library/Caches/com.apple.xbs/Sources/xnu/xnu-4903.2 78.28/osfmk/kern/zalloc.c:1206
3rd party kernel extensions: com.malwarebytes.mbam.rtprotection com.symantec.SymXIPS com.symantec.internetSecurity.kext com.symantec.ips.kext com.symantec.nfm.kext

End of report

If you got this far, I am indebted to your kindness. Thank you!