MacOS – Safari 8 on Yosemite Spawning distnoted process and spiking CPU load


My Safari 8 was hijacked by Open-Search.com after updating the OS to Yosemite (10.10). The effect was twofold: my home page was hijacked by Open-Search/MacKeeper, and the CPU started to spike under load at regular intervals.

After a lot of digging I've removed the resources for Open-Search/MacKeeper, ending the hijack. However, distnoted, PubSubAgent and nsurlstoraged are showing up in Activity Monitor and dumping the following log entries in the Messages log file.

11/3/14 12:58:35.657 PM nsurlstoraged[233]: DiskCookieStorage changing policy from 2 to 0, cookie file: ///Users/<username>/Library/Cookies/Cookies.binarycookies

11/3/14 12:58:35.658 PM nsurlstoraged[233]: DiskCookieStorage changing policy from 0 to 2, cookie file: ///Users/<username>/Library/Cookies/Cookies.binarycookies

This entry repeats about 4000 times (seriously), spiking the CPU over 300% and actuating the fan. Once I quit Safari, the process ends and everything runs as expected.

I followed this answer posted last November, but it's specific to Emacs: http://apple.stackexchange.com/questions/111197/runaway-distnoted-process.

Adding the file /var/log/do_dnserver_log seems to have MINIMIZED the problem but hasn't fixed it. The CPU is still spiking under load and the above processes are being spawned intermittently.

Any thoughts would be much appreciated.

I thought it might be helpful to post the full log entry after launching Safari.

  11/3/14 3:28:46.598 PM nsurlstoraged[232]: DiskCookieStorage changing policy from 0 to 2, cookie file: file:///Users/username/Library/Cookies/Cookies.binarycookies

  11/3/14 3:28:46.613 PM storeaccountd[285]: AccountServiceDelegate: Accepting new connection <NSXPCConnection: 0x7fb9bd818dd0> connection from pid 538 with interface <AccountServiceInterface: 0x7fb9bd81fbe0> (PID 538)

  11/3/14 3:28:46.728 PM com.apple.xpc.launchd[1]: (com.apple.imfoundation.IMRemoteURLConnectionAgent) The _DirtyJetsamMemoryLimit key is not available on this platform.

  11/3/14 3:28:46.765 PM com.apple.xpc.launchd[1]: (com.apple.imfoundation.IMRemoteURLConnectionAgent) The _DirtyJetsamMemoryLimit key is not available on this platform.

  11/3/14 3:28:46.927 PM locationd[55]: Couldn't find a requirement string for masquerading client /System/Library/PrivateFrameworks/Parsec.framework

  11/3/14 3:28:46.928 PM locationd[55]: could not get apple languages array, assuming english

  11/3/14 3:28:46.930 PM com.apple.xpc.launchd[1]: (com.apple.imfoundation.IMRemoteURLConnectionAgent) The _DirtyJetsamMemoryLimit key is not available on this platform.

  11/3/14 3:21:19.295 PM com.apple.xpc.launchd[1]: (com.apple.PubSub.Agent[503]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.pubsub.ipc

  11/3/14 3:21:19.295 PM com.apple.xpc.launchd[1]: (com.apple.PubSub.Agent[503]) Endpoint has been activated through legacy launch(3) APIs. Please switch to XPC or bootstrap_check_in(): com.apple.pubsub.notification

  11/3/14 3:21:56.010 PM CoreServicesUIAgent[240]: unexpected message <OS_xpc_error: <error: 0x7fff7bd13c60> { count = 1, contents = "XPCErrorDescription" => <string: 0x7fff7bd13f70> { length = 18, contents = "Connection invalid" }}>

  11/3/14 3:22:29.019 PM nsurlstoraged[232]: DiskCookieStorage changing policy from 0 to 2, cookie file: file:///Users/username/Library/Cookies/Cookies.binarycookies

  11/3/14 3:22:29.020 PM nsurlstoraged[232]: DiskCookieStorage changing policy from 2 to 0, cookie file: file:///Users/username/Library/Cookies/Cookies.binarycookies

The last entry repeats 4000 times.

Hope that helps.

I ran ps auxw > pbefore.txt, then again at the spike ps auxw > pspike.txt, then ran diff pbefore.txt pspike.txt. The following were the differences:

 > root   31   0.0  0.0  2518116   7808   ??  SNs   2:01PM   0:00.16 /usr/libexec/warmd
 > username   721   0.0  0.4  3797960  60316   ??  Ss    5:06PM   0:02.11 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
 > username  720   0.0  0.2  3613208  26316   ??  Ss    5:06PM   0:00.10 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent
 > username   717   0.0  0.1  3590548  15744   ??  Ss    5:06PM   0:00.20 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking
 > username   710   0.0  0.0  2514028   6748   ??  S     5:05PM   0:00.09 /usr/libexec/webinspectord
 > username   709   0.0  0.0  2521108   7636   ??  S     5:05PM   0:00.05 /System/Library/PrivateFrameworks/AOSKit.framework/Versions/A/XPCServices/com.apple.iCloudHelper.xpc/Contents/MacOS/com.apple.iCloudHelper
 > username   708   0.0  0.1  2537796  15316   ??  S     5:05PM   0:00.22 /System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
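A plain diff of two ps snapshots, as done above, is noisy: the %CPU, %MEM, RSS and TIME columns change for almost every process, so lines that are not new processes at all show up in the output. The script below is an added example (not part of the original question) that keys each ps line on PID plus COMMAND so only processes that appeared or vanished between the two snapshots are listed. It assumes the ps auxw column layout (COMMAND is field 11 onward on both OS X and Linux); the built-in sample snapshots are constructed from a few lines modelled on the question's output and are not real captures.

```shell
#!/bin/sh
# Added example (not from the original question). Lists processes that
# appeared or vanished between two "ps auxw" snapshots, ignoring the
# per-process counters that make a raw diff noisy.
# Assumes the "ps auxw" layout: COMMAND starts at field 11.
LC_ALL=C; export LC_ALL   # sort(1) and comm(1) must agree on collation

# Reduce a "ps auxw" snapshot file to sorted "PID<TAB>COMMAND" lines.
ps_keys() {
  awk 'NR > 1 {
    cmd = $11
    for (i = 12; i <= NF; i++) cmd = cmd " " $i
    print $2 "\t" cmd
  }' "$1" | sort
}

# Processes in snapshot $2 that were not in snapshot $1 (newly spawned).
new_processes() {
  a=$(mktemp); b=$(mktemp)
  ps_keys "$1" > "$a"; ps_keys "$2" > "$b"
  comm -13 "$a" "$b"
  rm -f "$a" "$b"
}

# Processes in snapshot $1 that are gone in snapshot $2.
gone_processes() {
  a=$(mktemp); b=$(mktemp)
  ps_keys "$1" > "$a"; ps_keys "$2" > "$b"
  comm -23 "$a" "$b"
  rm -f "$a" "$b"
}

# Constructed sample snapshots (modelled on the question's ps output, NOT
# real captures) so the script can be tried without a Mac. Note that
# nsurlstoraged only changes its %CPU/RSS between the two and must not be
# reported as new. Writes $1/pbefore.txt and $1/pspike.txt.
write_demo_snapshots() {
  cat > "$1/pbefore.txt" <<'EOF'
USER       PID  %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
root         1   0.0  0.1  2534200   9820   ??  Ss    1:58PM   0:04.10 /sbin/launchd
username   233   0.3  0.2  2540000  12000   ??  S     2:00PM   0:00.20 /usr/libexec/nsurlstoraged
EOF
  cat > "$1/pspike.txt" <<'EOF'
USER       PID  %CPU %MEM      VSZ    RSS   TT  STAT STARTED      TIME COMMAND
root         1   0.0  0.1  2534200   9820   ??  Ss    1:58PM   0:04.10 /sbin/launchd
username   233 310.2  0.5  2560000  40000   ??  R     2:00PM   0:09.80 /usr/libexec/nsurlstoraged
username   717   0.0  0.1  3590548  15744   ??  Ss    5:06PM   0:00.20 /System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.Networking.xpc/Contents/MacOS/com.apple.WebKit.Networking
username   710   0.0  0.0  2514028   6748   ??  S     5:05PM   0:00.09 /usr/libexec/webinspectord
EOF
}

# Usage: sh ps_newprocs.sh pbefore.txt pspike.txt   (your own snapshots)
#        sh ps_newprocs.sh                          (built-in demo data)
if [ $# -eq 2 ]; then
  echo "== new =="; new_processes "$1" "$2"
  echo "== gone =="; gone_processes "$1" "$2"
elif [ $# -eq 0 ]; then
  d=$(mktemp -d); write_demo_snapshots "$d"
  echo "== new =="; new_processes "$d/pbefore.txt" "$d/pspike.txt"
  echo "== gone =="; gone_processes "$d/pbefore.txt" "$d/pspike.txt"
  rm -rf "$d"
fi
```

On the demo data only webinspectord and the WebKit.Networking helper are reported as new; nsurlstoraged, whose CPU jumped from 0.3% to 310%, is correctly left out because it was already running. Take the "before" snapshot with Safari closed and the "after" snapshot during the fan spike to see exactly which helpers Safari spawns.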

Best Answer

I was able to clean the malware after following a couple of posts. Before you start, download Find Any File from the App Store. This is a free utility that lets you search the system files (among others) through a GUI, and it also lets you delete the files easily.

Note: your malware may have different file names, however, the resource locations should be the same.

Then try the following (credit to Linc Davis):

Step 1: From the Safari menu bar, select Safari ▹ Preferences... ▹ Extensions. Uninstall any extensions you don't know you need, including any that have the word "Spigot," "Trovi," or "Conduit" in the description. If in doubt, uninstall all extensions. Do the equivalent for the Firefox and Chrome browsers, if you use either of those.

Reset the home page and default search engine in all the browsers, if it was changed.

Step 2 (or use the Find Any File search bar): Triple-click anywhere in the line below on this page to select it: /Library/LaunchAgents/com.vsearch.agent.plist

Right-click or Control-click the line and select Services ▹ Reveal in Finder (or just Reveal) from the contextual menu. A folder should open with an item named "com.vsearch.agent.plist" selected.

Drag the selected item to the Trash. You may be prompted for your administrator login password. Repeat with each of these lines:

/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist

Step 3: Restart the computer and empty the Trash. Then delete the following items in the same way:

/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework
~/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin

Some of these items may be absent, in which case you'll get a message that the file can't be found. Skip that item and go on to the next one.

I had to do the following in addition to Linc D.'s steps above. Your situation may involve different names, but the process and where the malware files are located will likely be the same.

Step 1: Run sudo rm -f ~/Library/Cookies/Cookies.binarycookies and enter your password when prompted.

Step 2: Select Clear History and Website Data from the Safari menu, then click the Clear History button in the dialog box. This resets Safari.

Step 3: Then force quit Safari from the contextual menu by Control-clicking its icon in the Dock.

Step 4: Finally, fully power down (Shut Down, not Restart) the machine and then start it up again.
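Before dragging anything to the Trash, and again after the restart, it helps to have a list of exactly which of the items above are present. The script below is an added example (not from the answer or from Linc Davis) that audits the VSearch/Conduit paths named in the answer without deleting anything, and on a Mac also lists any loaded launchd job whose label contains "vsearch". It assumes the path list is exactly the one in the answer; the PREFIX and HOME_DIR arguments exist only so the check can be rehearsed against a staging directory on any system, and the launchd check is skipped where launchctl is not available.

```shell
#!/bin/sh
# Added example (not from the original answer). Reports, without deleting,
# which of the VSearch/Conduit items named in the answer exist, so the
# cleanup can be checked before and after. Assumes the answer's path list.

# System-wide items (paths as given in the answer).
vsearch_system_paths() {
  cat <<'EOF'
/Library/LaunchAgents/com.vsearch.agent.plist
/Library/LaunchDaemons/com.vsearch.daemon.plist
/Library/LaunchDaemons/com.vsearch.helper.plist
/Library/Application Support/VSearch
/System/Library/Frameworks/VSearch.framework
EOF
}

# Per-user item, relative to the home directory.
vsearch_user_paths() {
  cat <<'EOF'
/Library/Internet Plug-Ins/ConduitNPAPIPlugin.plugin
EOF
}

# audit_vsearch [PREFIX] [HOME_DIR]: prints "FOUND <path>" for each listed
# item that exists. PREFIX (default empty = the live system) is prepended
# to the system paths; HOME_DIR (default $HOME) to the user paths.
# The loops read from here-documents rather than a pipe: a piped while-loop
# runs in a subshell in POSIX sh, so anything counted inside it is lost.
audit_vsearch() {
  prefix="${1:-}"; home="${2:-$HOME}"
  while IFS= read -r p; do
    [ -n "$p" ] && [ -e "$prefix$p" ] && printf 'FOUND %s\n' "$prefix$p"
  done <<EOF
$(vsearch_system_paths)
EOF
  while IFS= read -r p; do
    [ -n "$p" ] && [ -e "$home$p" ] && printf 'FOUND %s\n' "$home$p"
  done <<EOF
$(vsearch_user_paths)
EOF
  return 0
}

# Number of listed items present (0 = nothing from the list is on disk).
vsearch_hit_count() {
  echo $(( $(audit_vsearch "$@" | wc -l) ))
}

# Loaded launchd jobs whose label mentions vsearch (Mac only; skipped
# elsewhere). A job that is still loaded keeps its process alive, and
# launchd may respawn it, until it is unloaded or the machine restarts,
# which is why the answer restarts before deleting the remaining files.
vsearch_launchd_jobs() {
  command -v launchctl >/dev/null 2>&1 || return 0
  launchctl list 2>/dev/null | grep -i vsearch || true
}

# Usage: sh vsearch_audit.sh   (audit the running system as the current user)
audit_vsearch
vsearch_launchd_jobs
if [ "$(vsearch_hit_count)" -eq 0 ]; then
  echo "none of the listed VSearch/Conduit items found on disk"
fi
```

Run it once before Step 2 to see what is there, then after the final restart; a count of 0 and no launchd job listed means the items from the answer are gone. The system-wide plists are outside your home directory, so the Finder deletion in the answer will ask for an administrator password, but reading them for this audit needs no privileges.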