youradexchange infection

adexchange youradexchange doubleclick

  • This topic is locked

#1
josepa


    New Member

  • Member
  • 2 posts

Hi everyone,

 

It seems that I am experiencing an adware infection. I run a MacBook and a Windows laptop on the same home network with an iPad and iPhone. Everything started with Chrome (the only client I use) and then spread to the other computer via Chrome (I think). I was able to remove the infection from Windows with STOPzilla and by changing the modem DNS to a secure one. But on the MacBook I was unable to locate the infection and clear the system. Double-clicking on any website after opening reveals another tab of youradexchange.

 

I reset Chrome settings, removed all extensions and checked the system several times with Sophos and Malwarebytes tools, but nothing was revealed.

 

My system snapshot of the Mac is as follows:

 

What should I do?

 

Thanks folks.

 

Malwarebytes Anti-Malware for Mac 1.0.2.8 system report - 15 Ekim 2015 Perşembe @ 22:34:03

Mac OS X version 10.10.5

22:34  up 2 days, 21:19, 1 user, load averages: 1.43 1.94 2.44

 

Safari extensions

---------------

/Users/haldunakoglu/Library/Safari/Extensions/AdBlock.safariextz

     Name: AdBlock

     Modified: 17 Ağustos 2015 Pazartesi @ 02:43:59

/Users/haldunakoglu/Library/Safari/Extensions/feedly-2.safariextz

     Name: feedly

     Modified: 27 Ekim 2013 Pazar @ 02:36:39

/Users/haldunakoglu/Library/Safari/Extensions/OpenIE.safariextz

     Name: Open in Internet Explorer

     Modified: 5 Mayıs 2014 Pazartesi @ 22:39:20

/Users/haldunakoglu/Library/Safari/Extensions/Reload Button.safariextz

     Name: Reload Button

     Modified: 23 Haziran 2014 Pazartesi @ 13:11:20

/Users/haldunakoglu/Library/Safari/Extensions/RSS Menu.safariextz

     Name: RSS Menu

     Modified: 23 Haziran 2014 Pazartesi @ 13:12:03

/Users/haldunakoglu/Library/Safari/Extensions/Save to Pocket-2.safariextz

     Name: Save to Pocket

     Modified: 25 Temmuz 2015 Cumartesi @ 00:33:23

/Users/haldunakoglu/Library/Safari/Extensions/Shortcuts for Google™ Products.safariextz

     Name: Shortcuts for Google™ Products

     Modified: 7 Nisan 2015 Salı @ 23:05:56

/Users/haldunakoglu/Library/Safari/Extensions/Stop-Reload Button.safariextz

     Name: Stop/Reload Button

     Modified: 7 Nisan 2015 Salı @ 23:05:56

/Users/haldunakoglu/Library/Safari/Extensions/Turn Off the Lights.safariextz

     Name: Turn Off the Lights

     Modified: 11 Mayıs 2015 Pazartesi @ 15:57:05

 

Chrome extensions

---------------

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/bnmhlagmhphkifplfbhianbopacehadb

     Name: Java for Chrome

     Modified: 17 Ocak 2015 Cumartesi @ 18:25:25

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/cdpobfbhbdlpbloccjokjgekjnmifbng

     Name: Scholar H-Index Calculator for Google Chrome™

     Modified: 10 Şubat 2015 Salı @ 02:09:22

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/cfhdojbkjhnklbpkdaibdccddilifddb

     Name: Adblock Plus

     Modified: 30 Eylül 2015 Çarşamba @ 01:32:18

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/ejidjjhkpiempkbhmpbfngldlkglhimk

     Name: [error finding localized extension name: NilObjectException, error 0 : ]

     Modified: 6 Şubat 2015 Cuma @ 23:16:51

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/ejjicmeblgpmajnghnpcppodonldlgfn

     Name: Google Calendar

     Modified: 13 Ekim 2015 Salı @ 01:16:28

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/epfcdciapgkgjdjkmijgdekgfmocneid

     Name: Live Stylesheets

     Modified: 24 Nisan 2013 Çarşamba @ 13:48:51

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/fomlbefjpamblimccfdomfgpgokdljcg

     Name: Web page captures from browser

     Modified: 3 Haziran 2014 Salı @ 02:17:44

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gadejlgldipfmkjhgcggdbjmhogbekge

     Name: Papers Online

     Modified: 6 Eylül 2015 Pazar @ 03:07:33

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gbchcmhmhahfdphkhkmpfmihenigjmpp

     Name: Chrome Remote Desktop

     Modified: 30 Eylül 2015 Çarşamba @ 21:59:53

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gcbommkclmclpchllfjekcdonpmejbdp

     Name: HTTPS Everywhere

     Modified: 30 Eylül 2015 Çarşamba @ 21:56:18

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gcmhlmapohffdglflokbgknlknnmogbb

     Name: The QR Code Generator

     Modified: 6 Mayıs 2014 Salı @ 00:39:01

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/ghbmnnjooekpmoecnnnilnnbdlolhkhi

     Name: Google Docs Offline

     Modified: 6 Eylül 2015 Pazar @ 02:40:51

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gmbmikajjgmnabiglmofipeabaddhgne

     Name: [error finding localized extension name: NilObjectException, error 0 : ]

     Modified: 6 Şubat 2015 Cuma @ 23:16:54

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/gplegfbjlmmehdoakndmohflojccocli

     Name: PageSpeed Insights (by Google)

     Modified: 21 Aralık 2014 Pazar @ 22:57:04

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/hbdpomandigafcibbmofojjchbcdagbl

     Name: TweetDeck by Twitter

     Modified: 17 Ağustos 2015 Pazartesi @ 15:06:18

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/hmdcmlfkchdmnmnmheododdhjedfccka

     Name: Eye Dropper

     Modified: 10 Şubat 2015 Salı @ 02:09:28

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/iblijlcdoidgdpfknkckljiocdbnlagk

     Name: goo.gl URL Shortener

     Modified: 30 Eylül 2015 Çarşamba @ 21:57:54

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/icmaknaampgiegkcjlimdiidlhopknpk

     Name: Pixlr Editor

     Modified: 13 Ekim 2015 Salı @ 01:15:49

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/jlpkojjdgbllmedoapgfodplfhcbnbpn

     Name: Page Ruler

     Modified: 6 Şubat 2015 Cuma @ 23:17:03

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/lbfehkoinhhcknnbdgnnmjhiladcgbol

     Name: Evernote Web

     Modified: 30 Nisan 2015 Perşembe @ 15:01:48

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/ldipcbpaocekfooobnbcddclnhejkcpn

     Name: Google Scholar Button

     Modified: 30 Eylül 2015 Çarşamba @ 21:58:27

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/lmjegmlicamnimmfhcmpkclmigmmcbeh

     Name: Application Launcher for Drive (by Google)

     Modified: 27 Kasım 2014 Perşembe @ 22:23:56

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/loljledaigphbcpfhfmgopdkppkifgno

     Name: Lazarus: Form Recovery

     Modified: 6 Şubat 2015 Cuma @ 23:17:02

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/mcbpblocgmgfnpjjppndjkmgjaogfceg

     Name: Capture Webpage Screenshot Entirely. FireShot

     Modified: 6 Eylül 2015 Pazar @ 02:41:41

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/mdanidgdpmkimeiiojknlnekblgmpdll

     Name: Boomerang for Gmail

     Modified: 6 Şubat 2015 Cuma @ 23:16:56

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/mgijmajocgfcbeboacabfgobmjgjcoja

     Name: Google Dictionary (by Google)

     Modified: 30 Eylül 2015 Çarşamba @ 21:56:25

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/nnnmhgkokpalnmbeighfomegjfkklkle

     Name: Cite This For Me: Web Citer

     Modified: 8 Eylül 2015 Salı @ 12:48:09

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/noojglkidnpfjbincgijbaiedldjfbhh

     Name: Buffer

     Modified: 30 Eylül 2015 Çarşamba @ 01:32:18

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/pioclpoplcdbaefihamjohnefbikjilc

     Name: Evernote Web Clipper

     Modified: 30 Eylül 2015 Çarşamba @ 01:32:19

/Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Extensions/Temp

     Name: 

     Modified: 13 Ekim 2015 Salı @ 01:16:28

/Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/lmjegmlicamnimmfhcmpkclmigmmcbeh.json

     Name: [Unknown error extracting extension in CChromeExtension.GetNameFromCRX]

     Modified: 27 Kasım 2014 Perşembe @ 22:02:16

 

Firefox extensions

---------------

/Library/Application Support/Mozilla/Extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/[email protected]

     Name: Adobe Acrobat - Create PDF

     Modified: 24 Eylül 2012 Pazartesi @ 07:34:13

 

Login items

---------------

Citations, iTunesHelper, Google Drive, Mail, Caffeine, Buffer, Evernote, InfiniteHD, Spotify, AppCleaner Helper, XtraFinder

 

Startup items

---------------

None

 

System startup items

---------------

None

 

User launch agents

---------------

total 64

-rw-r--r--  1 haldunakoglu  staff  697 May  7  2014 com.adobe.AAM.Updater-1.0.plist

-rw-r--r--  1 haldunakoglu  staff  603 Dec 19  2013 com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

-rw-r--r--  1 haldunakoglu  staff  631 Apr  7  2013 com.adobe.ARM.de23d1e3aa2d00ce38d73f10fcbdc8dcaaaf6be989610710a1ddda77.plist

-rw-r--r--  1 haldunakoglu  staff  626 Sep 26 01:05 com.akamai.single-user-client.plist

-rw-r--r--  1 haldunakoglu  staff  425 Oct 15 22:34 com.apple.FolderActions.enabled.plist

-rw-r--r--  1 haldunakoglu  staff  517 Jan  9  2015 com.apple.FolderActions.folders.plist

-rw-r--r--  1 haldunakoglu  staff  810 Aug 13  2014 com.facebook.videochat.haldunakoglu.plist

-rw-r--r--@ 1 haldunakoglu  staff  539 Oct 13 01:16 com.spotify.webhelper.plist

 

System launch agents

---------------

total 72

-rw-r--r--  1 root  wheel  612 Sep 27 20:05 com.adobe.AAM.Updater-1.0.plist

-rw-r--r--@ 1 root  wheel  588 Jun 17  2008 com.epson.epw.agent.plist

-rw-r--r--  1 root  wheel  539 Jul 22  2014 com.epson.esua.launcher.plist

-rw-r--r--@ 1 root  wheel  792 Sep 26 01:04 com.google.keystone.agent.plist

lrwxr-xr-x  1 root  wheel  104 Jan  8  2015 com.oracle.java.Java-Updater.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Java-Updater.plist

-r--r--r--  1 root  wheel  563 Sep 26 00:54 com.sophos.uiserver.plist

-rwxr-xr-x  1 root  wheel  688 Oct 13 01:14 com.teamviewer.teamviewer.plist

-rwxr-xr-x  1 root  wheel  779 Oct 13 01:14 com.teamviewer.teamviewer_desktop.plist

 

System launch daemons

---------------

total 88

-rw-r--r--  1 root  wheel  617 May  7  2014 com.adobe.SwitchBoard.plist

-rw-r--r--  1 root  wheel  462 Sep 27 04:06 com.adobe.fpsaud.plist

-rw-r--r--  1 root  wheel  809 Mar  4  2015 com.ea.origin.ESHelper.plist

-rw-r--r--  1 root  wheel  537 Sep  6 03:33 com.freemacsoft.appcleanerd.plist

-rw-r--r--@ 1 root  wheel  818 Sep 26 01:04 com.google.keystone.daemon.plist

-r--r--r--  1 root  wheel  568 Mar 11  2015 com.microsoft.office.licensing.helper.plist

lrwxr-xr-x  1 root  wheel  103 Jan  8  2015 com.oracle.java.Helper-Tool.plist -> /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/com.oracle.java.Helper-Tool.plist

-r--r--r--  1 root  wheel  658 Sep 26 00:54 com.sophos.common.servicemanager.plist

-rw-r--r--  1 root  wheel  544 Jul 14 12:13 com.teamviewer.Helper.plist

-rwxr-xr-x  1 root  wheel  612 Oct 13 01:14 com.teamviewer.teamviewer_service.plist

-rw-r--r--  1 root  wheel  592 Nov 29  2014 net.sourceforge.MonolingualHelper.plist

 

Third-party kernel extensions

---------------

com.squirrels.driver.AirParrotSpeakers (1.8) <87 5 4 3>

com.squirrels.airparrot.framebuffer (5) <76 5 4 3>

com.sophos.nke.swi (9.4.50) <4 1>

com.sophos.kext.sav (9.4.50) <5 4 1>

 

launchd.conf contents

---------------

None

 

DNS settings

---------------

Server: 209.244.0.3

 

Hosts file

---------------

##

# Host Database

#

# localhost is used to configure the loopback interface

# when the system is booting.  Do not change this entry.

##

127.0.0.1 localhost

255.255.255.255 broadcasthost

::1             localhost 

fe80::1%lo0 localhost

# Adobe Blocker

 

127.0.0.1 lmlicenses.wip4.adobe.com

127.0.0.1 lm.licenses.adobe.com

 

Scan log

---------------

2015-09-30 01:27:24: ----- Scan Started -----

2015-09-30 01:27:24: Scanning with signatures version 19

2015-09-30 01:27:27: Adware.Spigot : /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hbcennhacfaagdopikcegfcobcadeocj.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hjalolmjgklbjgaomjjofphdjnajmnim.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/icdlfehblmklkikfigmjhbmmpmkmpooj.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/mhkaekfpcppmmioggniknbnbdbcigpkk.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/pfndaklgolladniicklehhancnlgocpp.json

2015-09-30 01:27:27: Adware.Spigot : /Users/haldunakoglu/Library/Application Support/Spigot

2015-09-30 01:28:19: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:28:24: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:28:24: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:28:24: Adware.Awesome Screenshot : /Users/haldunakoglu/Library/Safari/Extensions/Awesome Screenshot-2.safariextz

2015-09-30 01:28:52: ----- Scan Ended -----

 

2015-09-30 01:32:44: ----- Scan Started -----

2015-09-30 01:32:44: Scanning with signatures version 19

2015-09-30 01:32:46: Adware.Spigot : /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hbcennhacfaagdopikcegfcobcadeocj.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hjalolmjgklbjgaomjjofphdjnajmnim.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/icdlfehblmklkikfigmjhbmmpmkmpooj.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/mhkaekfpcppmmioggniknbnbdbcigpkk.json , /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/pfndaklgolladniicklehhancnlgocpp.json

2015-09-30 01:32:46: Adware.Spigot : /Users/haldunakoglu/Library/Application Support/Spigot

2015-09-30 01:33:28: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:33:31: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:33:31: Adware.Vidx/MacVX : /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:33:31: Adware.Awesome Screenshot : /Users/haldunakoglu/Library/Safari/Extensions/Awesome Screenshot-2.safariextz

2015-09-30 01:33:54: ----- Scan Ended -----

 

2015-09-30 01:34:18: +++++ Attempting to remove adware +++++

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot/saebay_1.0.crx

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hbcennhacfaagdopikcegfcobcadeocj.json

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot/Searchme.chromeextension.crx

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/hjalolmjgklbjgaomjjofphdjnajmnim.json

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot/ErrorAssistant_1.1.crx

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/icdlfehblmklkikfigmjhbmmpmkmpooj.json

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot/coupons_2.4.crx

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/mhkaekfpcppmmioggniknbnbdbcigpkk.json

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot/saamazon_1.0.crx

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/External Extensions/pfndaklgolladniicklehhancnlgocpp.json

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Spigot

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Safari/Extensions/extension.safariextz

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Preferences

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Safari/Extensions/Awesome Screenshot-2.safariextz

2015-09-30 01:34:18: /Users/haldunakoglu/Library/Application Support/Google/Chrome/Default/Preferences

2015-09-30 01:34:18: +++++ File removal complete +++++

 

2015-09-30 01:34:32: ----- Scan Started -----

2015-09-30 01:34:32: Scanning with signatures version 19

2015-09-30 01:35:20: No malware found

2015-09-30 01:35:20: ----- Scan Ended -----

 

2015-09-30 01:42:06: ----- Scan Started -----

2015-09-30 01:42:06: Scanning with signatures version 19

2015-09-30 01:45:15: No malware found

2015-09-30 01:45:15: ----- Scan Ended -----

 

2015-10-15 21:58:42: ----- Scan Started -----

2015-10-15 21:58:42: Scanning with signatures version 22

2015-10-15 21:59:57: No malware found

2015-10-15 21:59:57: ----- Scan Ended -----

 

2015-10-15 22:16:46: ----- Scan Started -----

2015-10-15 22:16:46: Scanning with signatures version 22

2015-10-15 22:33:58: No malware found

2015-10-15 22:33:58: ----- Scan Ended -----

 

 




#2
aido


    Member

  • Member
  • 49 posts

As I see, you have a cracked Adobe version. You only get support from here if you completely remove it.

 

The same here: http://www.geekstogo...gleadsg-disqus/


Edited by aido, 15 October 2015 - 03:27 PM.


#3
phillpower2


    Mechanised Mod

  • Global Moderator
  • 24,749 posts

Redundant thread closed to prevent any further spam posts.

