
Eggtastic

Original poster
So I have been trying to diagnose my battery issue because I am not getting much on just safari with 50-70% battery life (2015 rMB m5). I opened activity monitor and discovered this unknown process name that when I google it there is NOTHING on it. It takes up on average 30 gb of processor memory and around 50% total of cpu usage.

The only questionable thing I may have downloaded was a rom for the openemu emulator which I thought I deleted (it was sonic the hedgehog 1). Other than that, anyone have any advice?
 

[Attachment: Screen Shot 2017-06-13 at 9.26.41 PM.png]

I haven't heard of it either. You might be able to find out more about it with some Terminal commands:

top -u

will display in a manner similar to Activity Monitor. Find that process and look at the PPID (Parent Process ID) column and note if it's any process other than 1. If so, you can search for that parent process using (replace x with the number):

ps axu | grep x

Ignore the extra "grep" process it finds.

In any case, you can try killing the process with:

sudo kill -9 17360
 
  • Like
Reactions: Eggtastic
Forgot to add: you exit 'top' with a Control-C. That will make the results disappear, so write down the PPID first (or open a second window with Command-N).

Before you kill it, another command that's useful is 'lsof'. It shows which files the process currently has open:

lsof -p 17360
 
  • Like
Reactions: Eggtastic
Just an update, I ran malware bytes as a first line of defense and nothing killed that weird activity. Second I took your advice MC6800 and nothing happened either.

I included some screen shots as to what is happening as it runs and once I close it the significant dip in memory pressure. Of course once I force kill this it pops right back up. Should I take this to an apple store or can anyone else recommend software or other ways to figure out what this is?

[Attachment: Screen Shot 2017-06-20 at 1.45.04 PM.png]
 
> Should I take this to an apple store or can anyone else recommend software or other ways to figure out what this is?

Select the item like you have there in Activity Monitor then hit command-i (both keys at once) and you will get a window like this where you can click on Open Files and Ports to see what files are making that process appear.

[Attachment: Screen_Shot_2017-06-20_at_11_08_09_AM.png]
 
  • Like
Reactions: CoastalOR
> Select the item like you have there in Activity Monitor then hit command-i (both keys at once) and you will get a window like this where you can click on Open Files and Ports to see what files are making that process appear.
>
> View attachment 704925

Alright here is what I found, what do you think?
 

[Attachment: Screen Shot 2017-06-20 at 2.31.42 PM.png]

> Alright here is what I found, what do you think?
Your screen shot shows the location of that app. Drag it to the trash, then restart.

If it immediately re-appears in that same location, despite being in the trash - download and run EtreCheck.
Post the results here, and someone may help you determine if that is something that is reported there.
You may even find that EtreCheck helps you remove it, or may even give you some information that it may not be safe.

Or - restart in Safe Boot mode, then remove that file, and restart once more.
 
> Alright here is what I found, what do you think?
I think you have installed the malware called Pirrit or VSearch.

The big clue is searching Google for an app called "wursistf.app" finds nothing. That is because the malware makes up a random name for that app when it is installed.

See this thread and this thread for more info.

Look in the folder /Library/LaunchDaemons/ and I bet you see a plist there called wursistf that is launching this.

Do a safe mode boot by restarting while holding the shift key, then run MalwareBytes to get rid of the Malware.
 
> I think you have installed the malware called Pirrit or VSearch.
>
> The big clue is searching Google for an app called "wursistf.app" finds nothing. That is because the malware makes up a random name for that app when it is installed.
>
> See this thread and this thread for more info.
>
> Look in the folder /Library/LaunchDaemons/ and I bet you see a plist there called wursistf that is launching this.
>
> Do a safe mode boot by restarting while holding the shift key, then run MalwareBytes to get rid of the Malware.

OP stated in post #4 that he already tried malwarebytes
 
Alright, first and foremost thank you MC6800, Weaselboy, and DeltaMac. With your help I was able to locate and delete the mysterious file. Once I deleted it (moved to trash and emptied trash) it was still running. However, once I killed the activity for that particular process, it never came back and the memory pressure is back down to normal levels!

Again, thank you all for the help. Now one more question: should I still run etrecheck? I already ran malwarebytes and got rid of a few files from that.
 
> should I still run etrecheck?

Given what happened here, I think it would be worth running Etrecheck and posting the report here for us to have a look. The report is anonymized, so you can just post the whole thing.

Did you find anything in /Library/LaunchDaemons/ folder? Or maybe MWB already removed it?
 
Here's what I got: I already deleted the "clean up" files. Now the "possible adware" tab shows one file I didn't delete yet.

Code:
EtreCheck version: 3.4 (420)

Report generated 2017-06-21 10:33:57

Download EtreCheck from https://etrecheck.com

Runtime: 2:05

Performance: Excellent



Click the [Lookup] links for more information from Apple Support Communities.

Click the [Details] links for more information about that line.

Click the [Remove/Report] links to remove adware or update the whitelist of legitimate software.

Click the [Clean up] link to delete unused files.



Problem: No problem - just checking



Hardware Information: ⓘ

    MacBook (Retina, 12-inch, Early 2016)

    [Technical Specifications] - [User Guide] - [Warranty & Service]

    MacBook - model: MacBook9,1

    1 1.2 GHz Intel Core m5 (m5-6Y54) CPU: 2-core

    8 GB RAM Not upgradeable

        BANK 0/DIMM0

            4 GB LPDDR3 1867 MHz ok

        BANK 1/DIMM0

            4 GB LPDDR3 1867 MHz ok

    Bluetooth: Good - Handoff/Airdrop2 supported

    Wireless:  en0: 802.11 a/b/g/n/ac

    Battery: Health = Normal - Cycle count = 76

    iCloud Quota: 4.62 GB available


Video Information: ⓘ

    Intel HD Graphics 515 - VRAM: 1536 MB

        Color LCD 2560 x 1600


Disk Information: ⓘ

    APPLE SSD AP0512J disk0: (500.28 GB) (Solid State - TRIM: Yes)

        (disk0s1) <not mounted>  [EFI]: 315 MB

        (disk0s2) <not mounted>  [CoreStorage Container]: 499.31 GB

        Recovery HD (disk0s3 - Journaled HFS+) <not mounted>  [Recovery]: 650 MB


USB Information: ⓘ

    USB30Bus


Virtual disks: ⓘ

    Macintosh HD (disk1 - Journaled HFS+) /  [Startup]: 498.94 GB (376.22 GB free)

        Physical disk: disk0s2 499.31 GB Online



System Software: ⓘ

    macOS Sierra  10.12.5 (16F73) - Time since boot: about one day


Gatekeeper: ⓘ

    Mac App Store and identified developers


Possible adware: ⓘ

    Unknown file: /Users/[redacted]/Library/LaunchAgents/com.yuynswvadjci.plist

        /Users/[redacted]/Library/yuynswvadjci/yuynswvadjci

    One possible adware file found. [Remove/Report]


Clean up: ⓘ

    /Library/LaunchAgents/com.splashtop.streamer.SRServiceAgent.plist

        /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent

        Executable not found!

    /Library/LaunchDaemons/com.splashtop.streamer.SRServiceDaemon.plist

        /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon

        Executable not found!

    /Users/[redacted]/Library/LaunchAgents/com.WUrSIsTF.plist

        /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF

        Executable not found!

    /Users/[redacted]/Library/LaunchAgents/com.apple.CSConfigDotMacCert-[redacted]@me.com-SharedServices.Agent.plist

        /System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert -l /Users/[redacted]/Library/Logs/CSConfigDotMacCert.log -u [redacted]@me.com -t SharedServices -s

        Executable not found!

    /Users/[redacted]/Library/LaunchAgents/com.google.GoogleContactSyncAgent.plist

        /System/Library/PrivateFrameworks/GoogleContactSync.framework/Versions/A/Resources/gconsync --sync com.google.ContactSync --periodic

        Executable not found!

    /Users/[redacted]/Library/LaunchAgents/com.leapfrog.connect.monitor.plist

        /Users/[redacted]/Library/Application Support/LeapFrogConnect/LeapFrogMonitor.app/Contents/MacOS/LeapFrogMonitor

        Executable not found!

    6 orphan files found. [Clean up]


Kernel Extensions: ⓘ

        /Library/Extensions

    [not loaded]    com.vestigl.driver.Xone-Driver (1.0 - SDK 10.10) [Lookup]



        /System/Library/Extensions

    [not loaded]    com.Cycling74.driver.Soundflower (1.5.2) [Lookup]

    [not loaded]    com.devguru.driver.SamsungComposite (1.4.18 - SDK 10.6) [Lookup]

    [not loaded]    com.leapfrog.codeless.kext (2.0) [Lookup]

    [not loaded]    com.leapfrog.driver.LfConnectDriver (1.10.5 - SDK 10.8) [Lookup]

    [loaded]    com.rim.driver.BlackBerryUSBDriverInt (0.0.74) [Lookup]

    [not loaded]    com.rim.driver.BlackBerryUSBDriverVSP (0.0.74) [Lookup]

    [not loaded]    net.pocketmac.driver.BlackberryUSB (3.1.7) [Lookup]

    [not loaded]    net.pocketmac.driver.BlackberryUSBDev (3.1.7) [Lookup]



        /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns

    [not loaded]    com.devguru.driver.SamsungACMControl (1.4.18 - SDK 10.6) [Lookup]

    [not loaded]    com.devguru.driver.SamsungACMData (1.4.18 - SDK 10.6) [Lookup]

    [not loaded]    com.devguru.driver.SamsungMTP (1.4.18 - SDK 10.5) [Lookup]

    [not loaded]    com.devguru.driver.SamsungSerial (1.4.18 - SDK 10.6) [Lookup]



System Launch Agents: ⓘ

    [not loaded]    6 Apple tasks

    [loaded]    169 Apple tasks

    [running]    94 Apple tasks

    [killed]    13 Apple tasks

    13 processes killed due to insufficient RAM


System Launch Daemons: ⓘ

    [not loaded]    41 Apple tasks

    [loaded]    172 Apple tasks

    [running]    93 Apple tasks

    [killed]    10 Apple tasks

    10 processes killed due to insufficient RAM


Launch Agents: ⓘ

    [running]    com.rim.BBAlbumArtCacher.plist (? e61f56c4 1a15c7cd - installed 2012-04-19) [Lookup]

    [running]    com.rim.BBLaunchAgent.plist (? dcf2726d 325bafa3 - installed 2012-07-07) [Lookup]

    [failed]    com.splashtop.streamer.SRServiceAgent.plist (? 86b529f9 0 - installed 2012-12-13) [Lookup] - /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent: Executable not found!


Launch Daemons: ⓘ

    [loaded]    com.adobe.fpsaud.plist (? 2afb3af7 a0305b84 - installed 2017-06-14) [Lookup]

    [loaded]    com.leapfrog.connect.authdaemon.plist (? 115eb318 be5a5f52 - installed 2014-07-17) [Lookup]

    [loaded]    com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-06-20) [Lookup]

    [loaded]    com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2016-12-08) [Lookup]

    [loaded]    com.microsoft.office.licensing.helper.plist (? 6d8cb30e 442fdde9 - installed 2011-03-10) [Lookup]

    [loaded]    com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-11-15) [Lookup]

    [running]    com.rim.BBDaemon.plist (? 9f895e8a b21e1422 - installed 2012-04-19) [Lookup]

    [failed]    com.splashtop.streamer.SRServiceDaemon.plist (? a86addce 0 - installed 2012-12-13) [Lookup] - /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon: Executable not found!


User Launch Agents: ⓘ

    [failed]    com.WUrSIsTF.plist (? e79a0ca1 0 - installed 2017-05-27) [Lookup] - /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF: Executable not found!

    [failed]    com.apple.CSConfigDotMacCert-[redacted]@me.com-SharedServices.Agent.plist (? ? ? - installed 2011-07-27) - /System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert: Executable not found!

    [loaded]    com.divx.agent.postinstall.plist (? e4878fa f8208157 - installed 2012-08-18) [Lookup]

    [failed]    com.google.GoogleContactSyncAgent.plist (? d5fb572a 0 - installed 2012-07-19) [Lookup] - /System/Library/PrivateFrameworks/GoogleContactSync.framework/Versions/A/Resources/gconsync: Executable not found!

    [loaded]    com.google.keystone.agent.plist (Google, Inc. - installed 2017-03-28) [Lookup]

    [failed]    com.leapfrog.connect.monitor.plist (? e7cfd17d 0 - installed 2014-07-17) [Lookup] - /Users/[redacted]/Library/Application Support/LeapFrogConnect/LeapFrogMonitor.app/Contents/MacOS/LeapFrogMonitor: Executable not found!

    [running]    com.spotify.webhelper.plist (Spotify - installed 2017-06-20) [Lookup]

    [running]    com.yuynswvadjci.plist (? c9ec6e71 2375f353 - installed 2017-05-27) [Lookup]


User Login Items: ⓘ

    ToneSync    Application

        (/Applications/ToneSync.app)

    Google Drive    Application

        (/Applications/Google Drive.app)

    fuspredownloader    Application - Hidden

        (/Users/[redacted]/Library/Application Support/.FUS/fuspredownloader.app)


Internet Plug-ins: ⓘ

    FlashPlayer-10.6: 26.0.0.131 (installed 2017-06-17) [Lookup]

    QuickTime Plugin: 7.7.3 (installed 2017-06-01)

    Flash Player: 26.0.0.131 (installed 2017-06-17) [Lookup]

    AdobePDFViewer: 10.1.1 (installed 2011-12-11) [Lookup]

    DivXBrowserPlugin: 2.2 (installed 2012-07-26) [Lookup]

    OVSHelper: 1.1 (installed 2012-01-17) [Lookup]

    SharePointBrowserPlugin: 14.1.4 (installed 2012-02-20) [Lookup]

    JavaAppletPlugin: 15.0.1 (installed 2011-11-23) Check version



User internet Plug-ins: ⓘ

    Google Earth Web Plug-in: 7.1 (installed 2013-10-07) [Lookup]



Safari Extensions: ⓘ

    [disabled]    AdBlock - BetaFish, Inc. - https://getadblock.com (installed 2017-06-20)

    [enabled]    DivX Plus Web Player HTML5 <video> - © 2000-2011 DivX, LLC. - http://divx.com (installed 2012-08-18)

    [disabled]    ClickToFlash - Marc Hoyois - http://hoyois.github.com/safariextensions/clicktoplugin/ (installed 2016-12-18)


3rd Party Preference Panes: ⓘ

    Flash Player (installed 2017-06-14) [Lookup]


Time Machine: ⓘ

    Mobile backups: OFF

    Auto backup: YES

    Volumes being backed up:

    Destinations:

        Time Machine Backups [Local]

        Total size: 499.36 GB

        Total number of backups: 26

        Oldest backup: 8/1/11, 9:40 PM

        Last backup: 12/7/16, 4:07 PM

        Size of backup disk: Excellent

            Backup size 499.36 GB > (Disk size 0 B X 3)


Top Processes by CPU: ⓘ

        5%       WindowServer

        4%       mds

        2%       kernel_task

        2%       mdworker

        1%       mdworker


Top Processes by Memory: ⓘ

    832 MB        kernel_task

    732 MB        com.apple.WebKit.WebContent

    170 MB        com.apple.WebKit.WebContent

    163 MB        WindowServer

    147 MB        Safari


Top Processes by Network Use: ⓘ

    Input         Output        Process name

    598 KB        15 KB         com.apple.WebKit.Networking

    412 KB        126 KB        mDNSResponder

    43 KB         22 KB         netbiosd

    10 KB         11 KB         apsd

    5 KB          5 KB          ntpd


Top Processes by Energy Use: ⓘ

    18.72    WindowServer

      8.02    Activity Monitor

      2.44    hidd

      1.52    Dock


Virtual Memory Information: ⓘ

    4.07 GB       Available RAM

    2.55 GB       Free RAM

    3.93 GB       Used RAM

    1.52 GB       Cached files

    73 MB         Swap Used


Software installs: ⓘ

    Evernote: 6.11.1 (installed 2017-06-01)

    Battery Health: 5.4 (installed 2017-06-10)

    Adobe Flash Player:  (installed 2017-06-13)

    Adobe Flash Player:  (installed 2017-06-17)

    PassMaker: 2.0.1 (installed 2017-06-20)



    Install information may not be complete.


Diagnostics Information: ⓘ

    2017-06-20 22:26:58    WUrSIsTF.app High CPU use [Open] [Details]

    2017-06-20 13:46:12    Spotlight.app Crash [Open]

    2017-06-18 23:53:46    WUrSIsTF High CPU use [Open] [Details]

> Given what happened here, I think it would be worth running Etrecheck and posting the report here for us to have a look. The report is anonymized, so you can just post the whole thing.
>
> Did you find anything in /Library/LaunchDaemons/ folder? Or maybe MWB already removed it?

I found the files via etrecheck but they didn't appear to be anything suspicious, just past applications I downloaded and some I deleted in the past. I removed them via etrecheck. I have one adware file that I haven't removed yet because I was unsure if it was truly adware or something that was needed to run the macOS properly.
 
> Possible adware:
> Unknown file: /Users/[redacted]/Library/LaunchAgents/com.yuynswvadjci.plist
> /Users/[redacted]/Library/yuynswvadjci/yuynswvadjci
> One possible adware file found. [Remove/Report]

Yeah... I'm still pretty sure you got that Pirrit malware, and this is more evidence of it. If you Google "yuynswvadjci", you won't find anything because this was randomly generated by the malware. This plist is what would launch the malware yuynswvadjci.app

> Executable not found!
> /Users/[redacted]/Library/LaunchAgents/com.WUrSIsTF.plist
> /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF

This is the plist I was talking about that was launching that app. You need to delete the plist.

> User Launch Agents:
> [failed] com.WUrSIsTF.plist (? e79a0ca1 0 - installed 2017-05-27) [Lookup] - /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF: Executable not found!

This error is here because the plist is trying to launch the app you already deleted.

> [running] com.yuynswvadjci.plist (? c9ec6e71 2375f353 - installed 2017-05-27) [Lookup]

This is showing the malware app is likely still there and running and you need to find and delete it.

Other than that, I don't see any other malware, but you sure have a ton of third party items running.
 
> Yeah... I'm still pretty sure you got that Pirrit malware, and this is more evidence of it. If you Google "yuynswvadjci", you won't find anything because this was randomly generated by the malware. This plist is what would launch the malware yuynswvadjci.app
>
> This is the plist I was talking about that was launching that app. You need to delete the plist.
>
> This error is here because the plist is trying to launch the app you already deleted.
>
> This is showing the malware app is likely still there and running and you need to find and delete it.
>
> Other than that, I don't see any other malware, but you sure have a ton of third party items running.

Alright, was removing these items via the etrecheck app enough to get rid of everything you mentioned? When I search for these things on spotlight (searching for library/launchdaemons) nothing comes up now and everything looks normal on activity monitor.

So do you think my mac is in better shape? Also you said a lot of 3rd party things... what types of apps do you mean? I have a battery monitor, google drive, etc but unless I am not seeing something extra that I don't need.
 
Restart your Mac, then...
Run EtreCheck again --- check that those few items that you need to remove, are actually gone (and not reported by EtreCheck now)
Last check, run MalwareBytes again, make sure that runs clear.
 
  • Like
Reactions: Eggtastic
> When I search for these things on spotlight (searching for library/launchdaemons) nothing comes up now and everything looks normal on activity monitor.

If you don't see those items in Activity Monitor after a restart, you are probably okay. But it would still be good to get rid of all traces of this junk. It won't show in Spotlight, you need to go to the folders in Finder.

Code:
~/Library/LaunchAgents (~ is your users folder)
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
/System/Library/Extensions/

Everything will be in one of these folders. Just triple click to select, then right click then in Services pick Reveal in Finder.

I don't see anything particularly wrong with any of those third party items, I was just commenting that you have a lot of them. Sometimes some of these items will cause conflicts with the OS. But not an issue if you are having no problems.
 
  • Like
Reactions: Eggtastic
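
The folder check described in the post above can be scripted; this is an added example, not part of any post in the thread, and it goes slightly further by parsing each launchd plist to report what it starts. The flag names, the `com.<name>.plist` to `Library/<name>/` heuristic (taken from the two entries in the EtreCheck report) and the sample plists, including the `KeepAlive` value, are constructed assumptions.

```python
import plistlib
import tempfile
from pathlib import Path

# Folders listed in the post above ("~" is the current user's home folder).
LAUNCHD_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents", "/Library/LaunchDaemons")


def audit_plist(path):
    """Return (plist file name, target executable, flags) for one launchd job."""
    path = Path(path)
    try:
        with path.open("rb") as fh:
            job = plistlib.load(fh)  # reads XML and binary plists
        target = job.get("Program") or (job.get("ProgramArguments") or [None])[0]
    except Exception:  # malformed file, or a root object that is not a dict
        return path.name, None, ["unreadable"]
    flags = []
    if not target or not Path(target).exists():
        flags.append("executable-missing")  # what EtreCheck calls an orphan
    if job.get("KeepAlive") or job.get("StartInterval"):
        flags.append("respawns")  # launchd starts it again after a kill
    # Naming pattern seen in this thread: com.<name>.plist -> .../Library/<name>/...
    name = path.stem.split(".")[-1]
    parts = Path(target).parts if target else ()
    if any(a == "Library" and b == name for a, b in zip(parts, parts[1:])):
        flags.append("private-library-folder")
    return path.name, target, flags


def scan(dirs=LAUNCHD_DIRS):
    """Audit every *.plist in the given folders; folders that are absent are skipped."""
    results = []
    for d in dirs:
        folder = Path(d).expanduser()
        if folder.is_dir():
            results += [audit_plist(p) for p in sorted(folder.glob("*.plist"))]
    return results


def build_sample(root):
    """Constructed data: three agents modelled on the EtreCheck report in the thread."""
    lib = Path(root) / "Library"
    (lib / "LaunchAgents").mkdir(parents=True)
    live = lib / "yuynswvadjci" / "yuynswvadjci"
    live.parent.mkdir()
    live.write_text("#!/bin/sh\n")  # harmless stand-in for the running item
    ok = lib.parent / "updater"
    ok.write_text("#!/bin/sh\n")  # stand-in for an ordinary helper
    jobs = {
        "com.yuynswvadjci": {"ProgramArguments": [str(live)], "KeepAlive": True},
        "com.WUrSIsTF": {"ProgramArguments": [str(lib / "WUrSIsTF" / "WUrSIsTF")]},
        "com.example.updater": {"Program": str(ok), "RunAtLoad": True},
    }
    for label, body in jobs.items():
        with (lib / "LaunchAgents" / f"{label}.plist").open("wb") as fh:
            plistlib.dump({"Label": label, **body}, fh)
    return lib / "LaunchAgents"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, _target, flags in scan([build_sample(tmp)]):
            print(f"{name:28} {', '.join(flags) or 'ok'}")
```

Calling `scan()` with no arguments reads the three real folders; a flag is a reason to look at the entry, not proof that it is malicious.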
Alright everything looks good and running fine. Restarted my mac, ran both etrecheck and malwarebytes and nothing suspicious came up. I appreciate the help!
 
Can anyone tell me how to get rid of this process that keeps taking all my CPU? If I quit it, it comes back about three-five minutes later.
 

[Attachment: Screen Shot 2018-10-28 at 7.53.53 PM.png]