Weird process names in activity monitor (maybe)?

Discussion in 'macOS' started by Eggtastic, Jun 13, 2017.

  1. Eggtastic macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #1
    So I have been trying to diagnose my battery issue because I am not getting much on just Safari with 50-70% battery life (2015 rMB m5). I opened Activity Monitor and discovered this unknown process name; when I Google it there is NOTHING on it. It takes up on average 30 GB of processor memory and around 50% total of CPU usage.

    The only questionable thing I may have downloaded was a ROM for the OpenEmu emulator, which I thought I deleted (it was Sonic the Hedgehog 1). Other than that, anyone have any advice?
     

  2. MC6800 macrumors 6502

    Joined:
    Jun 29, 2016
    #2
    I haven't heard of it either. You might be able to find out more about it with some Terminal commands:

    top -u

    will display in a manner similar to Activity Monitor. Find that process and look at the PPID (Parent Process ID) column and note if it's any process other than 1. If so, you can search for that parent process using (replace x with the number):

    ps axu | grep x

    Ignore the extra "grep" process it finds.

    In any case, you can try killing the process with:

    sudo kill -9 17360
     
  3. MC6800 macrumors 6502

    Joined:
    Jun 29, 2016
    #3
    Forgot to add: you exit 'top' with a Control-C. That will make the results disappear, so write down the PPID first (or open a second window with Command-N).

    Before you kill it, another command that's useful is 'lsof'. It shows which files the process currently has open:

    lsof -p 17360
     
  4. Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #4
    Just an update: I ran Malwarebytes as a first line of defense and nothing killed that weird activity. Second, I took your advice, MC6800, and nothing happened either.

    I included some screenshots of what is happening as it runs and, once I close it, the significant dip in memory pressure. Of course, once I force kill this it pops right back up. Should I take this to an Apple Store, or can anyone else recommend software or other ways to figure out what this is?

     
  5. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #5
    Select the item like you have there in Activity Monitor then hit command-i (both keys at once) and you will get a window like this where you can click on Open Files and Ports to see what files are making that process appear.

     
  6. Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #6
    Alright, here is what I found. What do you think?
     

  7. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #7
    Your screen shot shows the location of that app. Drag it to the trash, then restart.

    If it immediately re-appears in that same location, despite being in the trash - download and run EtreCheck.
    Post the results here, and someone may help you determine if that is something that is reported there.
    You may even find that EtreCheck helps you remove it, or may even give you some information that it may not be safe.

    Or - restart in Safe Boot mode, then remove that file, and restart once more.
     
  8. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #8
    I think you have installed the malware called Pirrit or VSearch.

    The big clue is searching Google for an app called "wursistf.app" finds nothing. That is because the malware makes up a random name for that app when it is installed.

    See this thread and this thread for more info.

    Look in the folder /Library/LaunchDaemons/ and I bet you see a plist there called wursistf that is launching this.

    Do a safe mode boot by restarting while holding the shift key, then run MalwareBytes to get rid of the Malware.
     
  9. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #9
    OP stated in post #4 that he already tried Malwarebytes.
     
  10. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #10
    Thanks, I missed that. But it sure does look like the same thing. I wonder if MWB has not been updated to catch this variant.
     
  11. Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #11
    Alright, first and foremost thank you MC6800, Weaselboy, and DeltaMac. With your help I was able to locate and delete the mysterious file. Once I deleted it (moved to trash and emptied trash) it was still running. However, once I killed the activity for that particular process, it never came back and the memory pressure is back down to normal levels!

    Again, thank you all for the help. Now one more question: should I still run EtreCheck? I already ran Malwarebytes and got rid of a few files from that.
     
  12. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #12
    Given what happened here, I think it would be worth running Etrecheck and posting the report here for us to have a look. The report is anonymized, so you can just post the whole thing.

    Did you find anything in /Library/LaunchDaemons/ folder? Or maybe MWB already removed it?
     
  13. Eggtastic, Jun 21, 2017
    Last edited by a moderator: Jun 21, 2017

    Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #13
    Here's what I got: I already deleted the "clean up" files. Now the "possible adware" tab shows one file I didn't delete yet.

    Code:
    EtreCheck version: 3.4 (420)
    
    Report generated 2017-06-21 10:33:57
    
    Download EtreCheck from https://etrecheck.com
    
    Runtime: 2:05
    
    Performance: Excellent
    
    
    
    Click the [Lookup] links for more information from Apple Support Communities.
    
    Click the [Details] links for more information about that line.
    
    Click the [Remove/Report] links to remove adware or update the whitelist of legitimate software.
    
    Click the [Clean up] link to delete unused files.
    
    
    
    Problem: No problem - just checking
    
    
    
    Hardware Information: ⓘ
    
        MacBook (Retina, 12-inch, Early 2016)
    
        [Technical Specifications] - [User Guide] - [Warranty & Service]
    
        MacBook - model: MacBook9,1
    
        1 1.2 GHz Intel Core m5 (m5-6Y54) CPU: 2-core
    
        8 GB RAM Not upgradeable
    
            BANK 0/DIMM0
    
                4 GB LPDDR3 1867 MHz ok
    
            BANK 1/DIMM0
    
                4 GB LPDDR3 1867 MHz ok
    
        Bluetooth: Good - Handoff/Airdrop2 supported
    
        Wireless:  en0: 802.11 a/b/g/n/ac
    
        Battery: Health = Normal - Cycle count = 76
    
        iCloud Quota: 4.62 GB available
    
    
    Video Information: ⓘ
    
        Intel HD Graphics 515 - VRAM: 1536 MB
    
            Color LCD 2560 x 1600
    
    
    Disk Information: ⓘ
    
        APPLE SSD AP0512J disk0: (500.28 GB) (Solid State - TRIM: Yes)
    
            (disk0s1) <not mounted>  [EFI]: 315 MB
    
            (disk0s2) <not mounted>  [CoreStorage Container]: 499.31 GB
    
            Recovery HD (disk0s3 - Journaled HFS+) <not mounted>  [Recovery]: 650 MB
    
    
    USB Information: ⓘ
    
        USB30Bus
    
    
    Virtual disks: ⓘ
    
        Macintosh HD (disk1 - Journaled HFS+) /  [Startup]: 498.94 GB (376.22 GB free)
    
            Physical disk: disk0s2 499.31 GB Online
    
    
    
    System Software: ⓘ
    
        macOS Sierra  10.12.5 (16F73) - Time since boot: about one day
    
    
    Gatekeeper: ⓘ
    
        Mac App Store and identified developers
    
    
    Possible adware: ⓘ
    
        Unknown file: /Users/[redacted]/Library/LaunchAgents/com.yuynswvadjci.plist
    
            /Users/[redacted]/Library/yuynswvadjci/yuynswvadjci
    
        One possible adware file found. [Remove/Report]
    
    
    Clean up: ⓘ
    
        /Library/LaunchAgents/com.splashtop.streamer.SRServiceAgent.plist
    
            /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
    
            Executable not found!
    
        /Library/LaunchDaemons/com.splashtop.streamer.SRServiceDaemon.plist
    
            /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
    
            Executable not found!
    
        /Users/[redacted]/Library/LaunchAgents/com.WUrSIsTF.plist
    
            /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF
    
            Executable not found!
    
        /Users/[redacted]/Library/LaunchAgents/com.apple.CSConfigDotMacCert-[redacted]@me.com-SharedServices.Agent.plist
    
            /System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert -l /Users/[redacted]/Library/Logs/CSConfigDotMacCert.log -u [redacted]@me.com -t SharedServices -s
    
            Executable not found!
    
        /Users/[redacted]/Library/LaunchAgents/com.google.GoogleContactSyncAgent.plist
    
            /System/Library/PrivateFrameworks/GoogleContactSync.framework/Versions/A/Resources/gconsync --sync com.google.ContactSync --periodic
    
            Executable not found!
    
        /Users/[redacted]/Library/LaunchAgents/com.leapfrog.connect.monitor.plist
    
            /Users/[redacted]/Library/Application Support/LeapFrogConnect/LeapFrogMonitor.app/Contents/MacOS/LeapFrogMonitor
    
            Executable not found!
    
        6 orphan files found. [Clean up]
    
    
    Kernel Extensions: ⓘ
    
            /Library/Extensions
    
        [not loaded]    com.vestigl.driver.Xone-Driver (1.0 - SDK 10.10) [Lookup]
    
    
    
            /System/Library/Extensions
    
        [not loaded]    com.Cycling74.driver.Soundflower (1.5.2) [Lookup]
    
        [not loaded]    com.devguru.driver.SamsungComposite (1.4.18 - SDK 10.6) [Lookup]
    
        [not loaded]    com.leapfrog.codeless.kext (2.0) [Lookup]
    
        [not loaded]    com.leapfrog.driver.LfConnectDriver (1.10.5 - SDK 10.8) [Lookup]
    
        [loaded]    com.rim.driver.BlackBerryUSBDriverInt (0.0.74) [Lookup]
    
        [not loaded]    com.rim.driver.BlackBerryUSBDriverVSP (0.0.74) [Lookup]
    
        [not loaded]    net.pocketmac.driver.BlackberryUSB (3.1.7) [Lookup]
    
        [not loaded]    net.pocketmac.driver.BlackberryUSBDev (3.1.7) [Lookup]
    
    
    
            /System/Library/Extensions/ssuddrv.kext/Contents/PlugIns
    
        [not loaded]    com.devguru.driver.SamsungACMControl (1.4.18 - SDK 10.6) [Lookup]
    
        [not loaded]    com.devguru.driver.SamsungACMData (1.4.18 - SDK 10.6) [Lookup]
    
        [not loaded]    com.devguru.driver.SamsungMTP (1.4.18 - SDK 10.5) [Lookup]
    
        [not loaded]    com.devguru.driver.SamsungSerial (1.4.18 - SDK 10.6) [Lookup]
    
    
    
    System Launch Agents: ⓘ
    
        [not loaded]    6 Apple tasks
    
        [loaded]    169 Apple tasks
    
        [running]    94 Apple tasks
    
        [killed]    13 Apple tasks
    
        13 processes killed due to insufficient RAM
    
    
    System Launch Daemons: ⓘ
    
        [not loaded]    41 Apple tasks
    
        [loaded]    172 Apple tasks
    
        [running]    93 Apple tasks
    
        [killed]    10 Apple tasks
    
        10 processes killed due to insufficient RAM
    
    
    Launch Agents: ⓘ
    
        [running]    com.rim.BBAlbumArtCacher.plist (? e61f56c4 1a15c7cd - installed 2012-04-19) [Lookup]
    
        [running]    com.rim.BBLaunchAgent.plist (? dcf2726d 325bafa3 - installed 2012-07-07) [Lookup]
    
        [failed]    com.splashtop.streamer.SRServiceAgent.plist (? 86b529f9 0 - installed 2012-12-13) [Lookup] - /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent: Executable not found!
    
    
    Launch Daemons: ⓘ
    
        [loaded]    com.adobe.fpsaud.plist (? 2afb3af7 a0305b84 - installed 2017-06-14) [Lookup]
    
        [loaded]    com.leapfrog.connect.authdaemon.plist (? 115eb318 be5a5f52 - installed 2014-07-17) [Lookup]
    
        [loaded]    com.malwarebytes.HelperTool.plist (Malwarebytes Corporation - installed 2017-06-20) [Lookup]
    
        [loaded]    com.microsoft.autoupdate.helper.plist (Microsoft Corporation - installed 2016-12-08) [Lookup]
    
        [loaded]    com.microsoft.office.licensing.helper.plist (? 6d8cb30e 442fdde9 - installed 2011-03-10) [Lookup]
    
        [loaded]    com.microsoft.office.licensingV2.helper.plist (Microsoft Corporation - installed 2016-11-15) [Lookup]
    
        [running]    com.rim.BBDaemon.plist (? 9f895e8a b21e1422 - installed 2012-04-19) [Lookup]
    
        [failed]    com.splashtop.streamer.SRServiceDaemon.plist (? a86addce 0 - installed 2012-12-13) [Lookup] - /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon: Executable not found!
    
    
    User Launch Agents: ⓘ
    
        [failed]    com.WUrSIsTF.plist (? e79a0ca1 0 - installed 2017-05-27) [Lookup] - /Users/[redacted]/Library/WUrSIsTF/WUrSIsTF.app/Contents/MacOS/WUrSIsTF: Executable not found!
    
        [failed]    com.apple.CSConfigDotMacCert-[redacted]@me.com-SharedServices.Agent.plist (? ? ? - installed 2011-07-27) - /System/Library/Frameworks/CoreServices.framework/Frameworks/OSServices.framework/Versions/A/Support/CSConfigDotMacCert: Executable not found!
    
        [loaded]    com.divx.agent.postinstall.plist (? e4878fa f8208157 - installed 2012-08-18) [Lookup]
    
        [failed]    com.google.GoogleContactSyncAgent.plist (? d5fb572a 0 - installed 2012-07-19) [Lookup] - /System/Library/PrivateFrameworks/GoogleContactSync.framework/Versions/A/Resources/gconsync: Executable not found!
    
        [loaded]    com.google.keystone.agent.plist (Google, Inc. - installed 2017-03-28) [Lookup]
    
        [failed]    com.leapfrog.connect.monitor.plist (? e7cfd17d 0 - installed 2014-07-17) [Lookup] - /Users/[redacted]/Library/Application Support/LeapFrogConnect/LeapFrogMonitor.app/Contents/MacOS/LeapFrogMonitor: Executable not found!
    
        [running]    com.spotify.webhelper.plist (Spotify - installed 2017-06-20) [Lookup]
    
        [running]    com.yuynswvadjci.plist (? c9ec6e71 2375f353 - installed 2017-05-27) [Lookup]
    
    
    User Login Items: ⓘ
    
        ToneSync    Application
    
            (/Applications/ToneSync.app)
    
        Google Drive    Application
    
            (/Applications/Google Drive.app)
    
        fuspredownloader    Application - Hidden
    
            (/Users/[redacted]/Library/Application Support/.FUS/fuspredownloader.app)
    
    
    Internet Plug-ins: ⓘ
    
        FlashPlayer-10.6: 26.0.0.131 (installed 2017-06-17) [Lookup]
    
        QuickTime Plugin: 7.7.3 (installed 2017-06-01)
    
        Flash Player: 26.0.0.131 (installed 2017-06-17) [Lookup]
    
        AdobePDFViewer: 10.1.1 (installed 2011-12-11) [Lookup]
    
        DivXBrowserPlugin: 2.2 (installed 2012-07-26) [Lookup]
    
        OVSHelper: 1.1 (installed 2012-01-17) [Lookup]
    
        SharePointBrowserPlugin: 14.1.4 (installed 2012-02-20) [Lookup]
    
        JavaAppletPlugin: 15.0.1 (installed 2011-11-23) Check version
    
    
    
    User internet Plug-ins: ⓘ
    
        Google Earth Web Plug-in: 7.1 (installed 2013-10-07) [Lookup]
    
    
    
    Safari Extensions: ⓘ
    
        [disabled]    AdBlock - BetaFish, Inc. - https://getadblock.com (installed 2017-06-20)
    
        [enabled]    DivX Plus Web Player HTML5 <video> - © 2000-2011 DivX, LLC. - http://divx.com (installed 2012-08-18)
    
        [disabled]    ClickToFlash - Marc Hoyois - http://hoyois.github.com/safariextensions/clicktoplugin/ (installed 2016-12-18)
    
    
    3rd Party Preference Panes: ⓘ
    
        Flash Player (installed 2017-06-14) [Lookup]
    
    
    Time Machine: ⓘ
    
        Mobile backups: OFF
    
        Auto backup: YES
    
        Volumes being backed up:
    
        Destinations:
    
            Time Machine Backups [Local]
    
            Total size: 499.36 GB
    
            Total number of backups: 26
    
            Oldest backup: 8/1/11, 9:40 PM
    
            Last backup: 12/7/16, 4:07 PM
    
            Size of backup disk: Excellent
    
                Backup size 499.36 GB > (Disk size 0 B X 3)
    
    
    Top Processes by CPU: ⓘ
    
            5%       WindowServer
    
            4%       mds
    
            2%       kernel_task
    
            2%       mdworker
    
            1%       mdworker
    
    
    Top Processes by Memory: ⓘ
    
        832 MB        kernel_task
    
        732 MB        com.apple.WebKit.WebContent
    
        170 MB        com.apple.WebKit.WebContent
    
        163 MB        WindowServer
    
        147 MB        Safari
    
    
    Top Processes by Network Use: ⓘ
    
        Input         Output        Process name
    
        598 KB        15 KB         com.apple.WebKit.Networking
    
        412 KB        126 KB        mDNSResponder
    
        43 KB         22 KB         netbiosd
    
        10 KB         11 KB         apsd
    
        5 KB          5 KB          ntpd
    
    
    Top Processes by Energy Use: ⓘ
    
        18.72    WindowServer
    
          8.02    Activity Monitor
    
          2.44    hidd
    
          1.52    Dock
    
    
    Virtual Memory Information: ⓘ
    
        4.07 GB       Available RAM
    
        2.55 GB       Free RAM
    
        3.93 GB       Used RAM
    
        1.52 GB       Cached files
    
        73 MB         Swap Used
    
    
    Software installs: ⓘ
    
        Evernote: 6.11.1 (installed 2017-06-01)
    
        Battery Health: 5.4 (installed 2017-06-10)
    
        Adobe Flash Player:  (installed 2017-06-13)
    
        Adobe Flash Player:  (installed 2017-06-17)
    
        PassMaker: 2.0.1 (installed 2017-06-20)
    
    
    
        Install information may not be complete.
    
    
    Diagnostics Information: ⓘ
    
        2017-06-20 22:26:58    WUrSIsTF.app High CPU use [Open] [Details]
    
        2017-06-20 13:46:12    Spotlight.app Crash [Open]
    
        2017-06-18 23:53:46    WUrSIsTF High CPU use [Open] [Details]
    --- Post Merged, Jun 21, 2017 ---
    I found the files via EtreCheck but they didn't appear to be anything suspicious, just past applications I downloaded and some I deleted in the past. I removed them via EtreCheck. I have one adware file that I haven't removed yet because I was unsure if it was truly adware or something that was needed to run the macOS properly.
     
  14. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #14
    Yeah... I'm still pretty sure you got that Pirrit malware, and this is more evidence of it. If you Google "yuynswvadjci", you won't find anything because this was randomly generated by the malware. This plist is what would launch the malware yuynswvadjci.app.


    This is the plist I was talking about that was launching that app. You need to delete the plist.

    This error is here because the plist is trying to launch the app you already deleted.

    This is showing the malware app is likely still there and running and you need to find and delete it.

    Other than that, I don't see any other malware, but you sure have a ton of third party items running.
     
  15. Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #15
    Alright, was removing these items via the EtreCheck app enough to get rid of everything you mentioned? When I search for these things on Spotlight (searching for library/launchdaemons) nothing comes up now and everything looks normal on Activity Monitor.

    So do you think my Mac is in better shape? Also you said a lot of 3rd party things... what types of apps do you mean? I have a battery monitor, Google Drive, etc but unless I am not seeing something extra that I don't need.
     
  16. DeltaMac macrumors 604

    Joined:
    Jul 30, 2003
    Location:
    Delaware
    #16
    Restart your Mac, then...
    Run EtreCheck again --- check that those few items that you need to remove, are actually gone (and not reported by EtreCheck now)
    Last check, run MalwareBytes again, make sure that runs clear.
     
  17. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #17
    If you don't see those items in Activity Monitor after a restart, you are probably okay. But it would still be good to get rid of all traces of this junk. It won't show in Spotlight; you need to go to the folders in Finder.

    Code:
    ~/Library/LaunchAgents (~ is your users folder)
    /Library/LaunchAgents
    /Library/LaunchDaemons
    /Library/StartupItems
    /System/Library/Extensions/
    Everything will be in one of these folders. Just triple click to select, then right click then in Services pick Reveal in Finder.

    I don't see anything particularly wrong with any of those third party items, I was just commenting that you have a lot of them. Sometimes some of these items will cause conflicts with the OS. But not an issue if you are having no problems.
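
The folder check from post #17, as an added example that is not part of the original thread: this Python script reads every launchd plist in those folders, reports what each one launches, and flags a missing executable (EtreCheck's "Executable not found!") or a `com.<name>` job that runs from `Library/<name>/`, which is the layout of the two entries in the report above. The flag names, the second check and the sample tree it builds are assumptions made for illustration, not a Pirrit signature.

```python
import plistlib
import tempfile
from pathlib import Path

# Folders listed in the thread ("~" is the current user's home folder).
LAUNCHD_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
                "/Library/LaunchDaemons"]


def runs_from_own_library_folder(label, program):
    """com.<name> starting .../Library/<name>/.../<name> (assumed heuristic)."""
    name = label.split(".")[-1]
    parts = Path(program).parts
    in_named_dir = any(a == "Library" and b == name
                       for a, b in zip(parts, parts[1:]))
    return in_named_dir and parts[-1] == name


def audit_launchd(dirs=LAUNCHD_DIRS):
    """Return one finding per plist: path, label, program and review flags."""
    findings = []
    for d in dirs:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            flags, label, program = [], None, None
            try:
                with plist.open("rb") as fh:
                    job = plistlib.load(fh)  # reads XML and binary plists
                label = str(job.get("Label", plist.stem))
                # launchd runs Program, else the first ProgramArguments item
                args = job.get("ProgramArguments") or [None]
                program = job.get("Program") or args[0]
            except Exception as exc:  # malformed or non-dictionary plist
                flags.append(f"unreadable ({type(exc).__name__})")
            if program:
                program = str(program)
                if not Path(program).exists():
                    flags.append("executable-missing")
                if runs_from_own_library_folder(label, program):
                    flags.append("runs-from-own-library-folder")
            findings.append({"plist": str(plist), "label": label,
                             "program": program, "flags": flags})
    return findings


def build_sample(root):
    """Create a constructed test tree under root; return its LaunchAgents dir."""
    lib = Path(root) / "Library"
    agents = lib / "LaunchAgents"
    agents.mkdir(parents=True)
    odd = lib / "qzxvexample" / "qzxvexample"  # constructed random-style name
    odd.parent.mkdir()
    odd.write_text("")
    jobs = {"com.qzxvexample": {"ProgramArguments": [str(odd)]},
            "com.example.orphan": {"Program": str(lib / "gone" / "tool")}}
    for label, body in jobs.items():
        with (agents / f"{label}.plist").open("wb") as fh:
            plistlib.dump({"Label": label, **body}, fh)
    return agents


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_launchd([build_sample(tmp)]):
            print(f["label"], f["program"], f["flags"] or "ok")
```

On a Mac, calling `audit_launchd()` with no arguments scans the real folders; a flagged entry is a prompt for manual review, not proof of malware.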
     
  18. Eggtastic thread starter macrumors 6502a

    Joined:
    Jun 9, 2009
    Location:
    NJ
    #18
    Alright, everything looks good and running fine. Restarted my Mac, ran both EtreCheck and Malwarebytes and nothing suspicious came up. I appreciate the help!
     
