#38797 - 02/11/16 11:40 AM EtreCheck 2.9.3: Suspected Adware or Malware
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
EtreCheck 2.9.3 just noted these 2 unknown files that may be Adware or Malware (or merely whitelisted):
1. ~/Library/LaunchAgents/com.macupdate.desktop5.scanner.plist
2. ~/Library/LaunchAgents/.dat.nosync022a.rOuyuR (hidden)

But before deleting these 2 files, I would like the advice of the experts here ‘bouts.

FWIW: Malwarebytes does not note this issue.

Waddya think, should I consign these two files to the trash or should they be retained?

P.S. While doing a bit of sleuthing/exploring on this issue, I discovered that Little Snitch reports EtreCheck tried to make an outgoing connection with Adobe.com. Maybe that's a clue that I need to dump EtreCheck.


Edited by Pendragon (02/11/16 12:19 PM)
_________________________
Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#38801 - 02/11/16 02:33 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
artie505 Online


Registered: 08/04/09
com.macupdate.desktop5.scanner.plist apparently has something to do with their app...maybe their "enhanced" downloader.

If you use neither, you can trash it, but I'd search to see if whatever it is has placed other unwanted components on your Mac.

A Google search for your second item found nothing but your post.
_________________________
The new Great Equalizer is the SEND button.

In Memory Of Harv: Those who can make you believe absurdities can make you commit atrocities. ~Voltaire

#38804 - 02/11/16 03:57 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
joemikeb Offline
Moderator

Registered: 08/04/09
Loc: Fort Worth, Texas
Hidden LaunchAgents or Daemons make me itchy. Why would someone go to the trouble of hiding legitimate files? Rather than deleting the files, try moving them to a LaunchAgents (Disabled) folder, then reboot and see what happens. That way you can always restore them if necessary.
_________________________
joemikeb • moderator
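
The move-aside approach joemikeb describes above, as an added shell example that is not part of the original thread: it lists hidden entries in a LaunchAgents folder and moves a chosen one into a sibling "LaunchAgents (Disabled)" folder so it can be restored after the reboot test. The function names and the location of the disabled folder (next to LaunchAgents) are assumptions.

```shell
#!/bin/sh
# Added example: find hidden entries in a LaunchAgents folder and park them
# in a sibling "LaunchAgents (Disabled)" folder instead of deleting them.

# Print every hidden entry (name starts with a dot) directly inside DIR.
list_hidden_agents() {
    dir=$1
    [ -d "$dir" ] || return 0
    # The two globs together match all dot-names except "." and "..".
    for f in "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        case ${f##*/} in
            .DS_Store) continue ;;               # Finder housekeeping file
        esac
        printf '%s\n' "$f"
    done
}

# Move FILE into "<folder name> (Disabled)" beside its folder; print new path.
# Assumption: the disabled folder sits next to LaunchAgents (e.g. in ~/Library).
quarantine_agent() {
    src=$1
    [ -e "$src" ] || [ -L "$src" ] || { echo "not found: $src" >&2; return 1; }
    agents_dir=$(dirname "$src")
    disabled_dir="$(dirname "$agents_dir")/$(basename "$agents_dir") (Disabled)"
    dest="$disabled_dir/$(basename "$src")"
    # Refuse to overwrite an earlier quarantined copy.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "already present: $dest" >&2
        return 1
    fi
    mkdir -p "$disabled_dir" && mv "$src" "$dest" && printf '%s\n' "$dest"
}

# Put a quarantined FILE back into AGENTS_DIR if the reboot shows it was needed.
restore_agent() {
    src=$1
    agents_dir=$2
    dest="$agents_dir/$(basename "$src")"
    [ -e "$src" ] || [ -L "$src" ] || { echo "not found: $src" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "already present: $dest" >&2; return 1; }
    mv "$src" "$dest" && printf '%s\n' "$dest"
}

# List only; quarantine is a deliberate second step on the paths you choose.
list_hidden_agents "${1:-$HOME/Library/LaunchAgents}"
```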

#38805 - 02/11/16 04:09 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: joemikeb]
artie505 Online


Registered: 08/04/09
Only the 2nd one is hidden; the MacUpdate item is visible and possibly deliberate on Harv's part...possibly a MU gotcha. (We've discussed MU's spurious d/l wrapper before.)
#38811 - 02/12/16 03:59 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: artie505]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
I deleted the two "suspect" files with the following result:

1. Upon relaunching MacUpdate Desktop, I had to (re)install my SN & PW. Also, I had to reset a few options/selections. AFAIK, all is (again) normal in that regard.

FWIW, MacUpdate "claims" the nefarious wrapper is not in play for registered MU Desktop users (though I'm not convinced, so I go directly to the developer's site).

Since MU checks for outdated apps upon launch, maybe that's related...

2. As yet, I see no consequence from deleting the ".dat.nosync022a.rOuyuR (hidden)" file. Perhaps I just haven't done anything to prompt it.

As a side note, EtreCheck did not highlight that file on my other machine that has identical applications. Perhaps I installed something on one machine and then deleted it prior to installing it on the other. Curious and curiouser...

#38812 - 02/12/16 04:25 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Originally Posted By: Pendragon
1. Upon relaunching MacUpdate Desktop, I had to (re)install my SN & PW. Also, I had to reset a few options/selections. AFAIK, all is (again) normal in that regard.

FWIW, MacUpdate "claims" the nefarious wrapper is not in play for registered MU Desktop users (though I'm not convinced, so I go directly to the developer's site).

Since MU checks for outdated apps upon launch, maybe that's related... (Emphasis added)

~/Library/LaunchAgents/com.macupdate.desktop5.scanner.plist certainly seems to fill that bill...deliberate on your part as I guessed it might be.

Your other item may remain a mystery forever.

Edit: Out of curiosity, did you ever install anything that enabled you to view attachments sent by an Outlook user?


Edited by artie505 (02/12/16 04:38 AM)
Edit Reason: Expand +
#38814 - 02/12/16 05:24 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
Re EtreCheck contacting Adobe - this, just in, from the developer:

"EtreCheck connects to Adobe to check the most recent version of Flash and compare it to what the user has installed. If it is out of date, EtreCheck will print a red warning because Flash is one of the top methods of malware distribution. EtreCheck used to have a similar check for Java but Oracle had a much looser definition of “latest version” and the warning wasn’t useful."

I guess that answers that...
#38817 - 02/12/16 06:48 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
I just ran EtreCheck V 2.9.3 on my mid 2013 13" MacBook Air, and neither of those items showed up. I do have a non-applicable issue with a sudoers file which it flags, and also tells me that "Auto backup: NO - Auto backup turned off". But that one I am well aware of, as I do not use Time Machine, but prefer the excellent backup/cloning program SuperDuper! for making bootable backups for both of my Macs to two external hard drives.

Also, I do not have the latest version of Adobe Flash on my machine.


Edited by honestone (02/12/16 06:50 AM)
_________________________
Using Macs since 1984
Current Systems:
Mid 2013 13" MacBook Air with 251 gig Samsung SSD
Late 2012 Mac Mini with 256 gig Samsung 840 Pro SSD
Using OS 10.11.5 on both
Make SuperDuper! backups for both machines
Canon Multifunction Inkjet Printer

#38818 - 02/12/16 06:53 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
alternaut Offline

Moderator

Registered: 08/04/09
Originally Posted By: Pendragon
FWIW, MacUpdate "claims" the nefarious wrapper is not in play for registered MU Desktop users (though I'm not convinced, so I go directly to the developer's site).

If you're not convinced, there is no need to wonder, as you can easily make sure. Currently, MacUpdate’s Installers are recognizable by their name (‘Item X’ Installer), and their file size (1.6MB)*. It’s of course possible that a download from a developer also contains the word ‘Installer’ in its name and that the file size is 1.6MB, but that particular combination is considerably less likely.

But suppose it does happen. In that case a file named ‘MacUpdate Installer’ will be present in the downloaded .dmg from MacUpdate, something that's quite unlikely in a download from a developer. So far, double-clicking those MacUpdate .dmg files is still safe: nothing untoward will happen beyond mounting and opening the disk image. In addition to the install (including that of any additional and potentially unwanted items), the MacUpdate Installers perform the actual download of the software they install, hence their standard and rather small size.

*) You can simply monitor this with your Downloads pulldown (Safari), and stop a download in progress, assuming your internet service isn’t so fast that the download completes before you can react. But even if you let the download complete, you can just delete the disk image.

PS. As of today, the number of MacUpdate Installers is still relatively small. Most downloads are ‘normal’, which makes it still worthwhile to use the MU download button before having to resort to the developer.
_________________________
alternaut moderator

#38819 - 02/12/16 09:33 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: alternaut]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
I used to rely on www.macupdate.com for obtaining updates, but once I had some issues with the MacUpdate Installer, I stopped getting updates that way. I instead go to the site for the product, and download updates from there. (Some software, of course, has the "Check for Updates" feature, and that can be used to get updates directly from the company's site.)

Also, MacUpdate is not always up to date with information. For example, the new version of EtreCheck, which came out last week, was finally listed yesterday on MacUpdate. Also, they are definitely behind with updates for Office 2011. Right now, MacUpdate shows version 14.5.8 being available, but version 14.6.0 has been out for at least 2 weeks!

Another example is 1Password. The update for it came out on Monday, but it did not show up on MacUpdate until Tuesday. True, only a 1 day delay, but as I stated, it is worse for a number of other products.
#38820 - 02/12/16 10:57 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: honestone]
Pendragon Offline


Registered: 08/04/09
Loc: Georgetown, Texas, USA
On a few occasions, I mis-clicked and got an updater with the MU installer. Of course, I merely deleted that and then fetched the update directly from the developer's site.

Re the MU site not being up to date, yeah, I too regularly notice that. If I may give MU a wee bit of credit, they have always put things to right within a day or two of my alerting them of their omission.
#38824 - 02/12/16 12:50 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
artie505 Online


Registered: 08/04/09
Unless I'm mistaken, MacUpdate has nothing to do with updates being posted in a timely or untimely manner, rather it's the developers who lag and leave MU to take the hit.
#38825 - 02/12/16 01:13 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
They used to be more timely about the posting of updates. But the recent "glaring" ones I pointed out about EtreCheck and Office 2011 are just plain unacceptable (along with using the MacUpdate "installer"). And, this "late" posting of updates has actually been happening for a while.

No, I'll stick with getting the updates on my own (and also using the "Check For Updates" feature which some apps have).
#38826 - 02/12/16 01:16 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: artie505]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
Originally Posted By: artie505
Unless I'm mistaken, MacUpdate has nothing to do with updates being posted in a timely or untimely manner, rather it's the developers who lag and leave MU to take the hit.


That makes no difference, as far as I am concerned. MacUpdate should be looking on their own for updates being available. If I can do it (as I have recently done), they can do it.

Again, though, I am going to stick with getting them on my own. I can get them sooner (WAY sooner, in some cases), and without dealing with the problematic MacUpdate Installer.
#38827 - 02/12/16 01:37 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: honestone]
artie505 Online


Registered: 08/04/09
Originally Posted By: honestone
Originally Posted By: artie505
Unless I'm mistaken, MacUpdate has nothing to do with updates being posted in a timely or untimely manner, rather it's the developers who lag and leave MU to take the hit.

That makes no difference, as far as I am concerned. MacUpdate should be looking on their own for updates being available. If I can do it (as I have recently done), they can do it.

That's freakin' bizarre!

The cost of the resources that would be required for them to keep track of the thousands of apps they host would put them out of business, and for all their shortcomings, they're too useful to lose.

Searching for updates is not, nor should it be, part of their business; their business is providing a platform for developers who either make good or poor use of it.


Edited by artie505 (02/12/16 03:44 PM)
#38857 - 02/13/16 09:20 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: artie505]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
Originally Posted By: artie505
Originally Posted By: honestone
Originally Posted By: artie505
Unless I'm mistaken, MacUpdate has nothing to do with updates being posted in a timely or untimely manner, rather it's the developers who lag and leave MU to take the hit.

That makes no difference, as far as I am concerned. MacUpdate should be looking on their own for updates being available. If I can do it (as I have recently done), they can do it.

That's freakin' bizarre!

The cost of the resources that would be required for them to keep track of the thousands of apps they host would put them out of business, and for all their shortcomings, they're too useful to lose.

Searching for updates is not, nor should it be, part of their business; their business is providing a platform for developers who either make good or poor use of it.


No, it's not freaking bizarre! MacUpdate needs to provide up to date information, plain and simple. And, their platform must be reliable enough for users to get the most up to date information. I already provided two glaring examples where that is not the case.
#38863 - 02/14/16 02:11 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: honestone]
artie505 Online


Registered: 08/04/09
Originally Posted By: honestone
Originally Posted By: artie505
Originally Posted By: honestone
MacUpdate should be looking on their own for updates being available. If I can do it (as I have recently done), they can do it.

That's freakin' bizarre!

Searching for updates is not, nor should it be, part of their business; their business is providing a platform for developers who either make good or poor use of it.

No, it's not freaking bizarre! MacUpdate needs to provide up to date information, plain and simple. And, their platform must be reliable enough for users to get the most up to date information. I already provided two glaring examples where that is not the case.

Originally Posted By: MacUpdate
All 40,000 apps on MacUpdate have been hand curated. (Emphasis added)

OK, then, how much do you figure it would cost MU to check all 40,000 apps on a regular enough basis to satisfy you and to update their descriptions, etc. as required, and how much of a paid annual membership would you be willing to spring for to defray the cost of new infrastructure and people and the ongoing new costs?

Edit: And how many of MU's current members, paid members included, do you figure would join you, particularly considering that although they may be the best game in town they're not the only one and that the day they went bust there'd be somebody new dancing on their platform?


Edited by artie505 (02/14/16 02:59 AM)
Edit Reason: Clarify +
#38865 - 02/14/16 04:41 AM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: artie505]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
Originally Posted By: artie505

OK, then, how much do you figure it would cost MU to check all 40,000 apps on a regular enough basis to satisfy you and to update their descriptions, etc. as required, and how much of a paid annual membership would you be willing to spring for to defray the cost of new infrastructure and people and the ongoing new costs?

Edit: And how many of MU's current members, paid members included, do you figure would join you, particularly considering that although they may be the best game in town they're not the only one and that the day they went bust there'd be somebody new dancing on their platform?


Blah, blah, blah. The site still must have current information. Also, they should not be including their downloader software when one downloads something from their site. That is just plain sleazy.

Nope, I am going to get my updates on my own. It does not take much time and effort to do that. But, there will always be some folks who are too lazy to do that, and also who do not believe in the KISS philosophy. To those I say "Stupid is as stupid does" (another one of my favorite lines).
#38871 - 02/14/16 01:20 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: Pendragon]
grelber Offline


Registered: 08/05/09
Loc: North of 49th ||
EtreCheck version 2.9.4 (254) is now available. See if that makes a difference.

#38873 - 02/14/16 01:53 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: grelber]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
Originally Posted By: grelber
EtreCheck version 2.9.4 (254) is now available. See if that makes a difference.


Thanks for that info. I just downloaded and installed it, and it did not make any difference, in my case, at least on my Mac Mini. I'll do it on my MacBook Air soon, but I suspect the same results.

Thanks again!
#38885 - 02/14/16 07:31 PM Re: EtreCheck 2.9.3: Suspected Adware or Malware [Re: honestone]
honestone Offline
Banned

Registered: 11/13/15
Loc: Seattle, WA (up in God's Count...
As I expected, got the same result on my MacBook Air with the new version of EtreCheck. Everything is good!