Strange files recreated automatically (malware?)
Laurence
Mac Enthusiast
Join Date: Mar 1999
Location: Portland, Oregon, United States
Apr 8, 2011, 08:18 PM
 
A few weeks ago I received a warning in the Drive Pulse Event Viewer about three possible corrupt preferences. I deleted them but they keep coming back. Normally, I'd just assume that some program that I use is creating them; however, when searching for them I find absolutely no references in Google or Bing, which seems odd to me.

The files are as follows:

com.Seard.DataStandard.plist
com.incincgroup.linkspectrum.plist
com.bigdiamonds.compress.plist

Does anyone have any idea what application(s) is creating these files?

If I open them in a text editor they don't contain any readable text. The strange thing is that all three files look identical when viewing from the command line…

mac-pro:~ laurence$ cd Library/Preferences
mac-pro:Preferences laurence$ more com.incincgroup.linkspectrum.plist
"com.incincgroup.linkspectrum.plist" may be a binary file. See it anyway?
^@^@^A^@^@^@^A^@^@^@^@^@^@^@^@^^^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^@^@^@
^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@^@ ^@^@^@^@^@^@^@^@^@^A^@^@^@^A^@^@^@^@^@^@^@^@^^^@^@ ^@^@^@^@^@^@^@^\^@^^<FF><FF>
mac-pro:Preferences laurence$

Should I be worried about this? Is there any easy way to find out when the files are created? The filesystem is journaled so could I somehow review the journal to see when they were created?

Thanks!
--Laurence
     
larkost
Mac Elite
Join Date: Oct 1999
Location: San Jose, Ca
Apr 8, 2011, 10:25 PM
 
First, the Journal on HFS+ is not going to contain the information you are looking for. You can look at the file creation and modification times to get you that, but it is not necessarily going to get you much.

The files claim to be plists, and there is a binary form of plist that is not going to show up nicely with 'more' or TextEdit. Rather, if you use the 'defaults' command you can get the information (or Property List Editor from the Xcode 3 tools, or Xcode 4, since it is built in there). The 'defaults' command is a little odd, so you will want to use absolute paths, and not include the '.plist' at the end of the path. For example:
Code:
defaults read /Users/USERNAME/Library/Preferences/com.apple.finder
     
Art Vandelay
Professional Poster
Join Date: Sep 2002
Location: New York, NY
Apr 9, 2011, 01:42 AM
 
Or you can simply use QuickLook to view plist files.
Vandelay Industries
     
AKcrab
Moderator Emeritus
Join Date: Apr 2001
Location: Wasilla, Alaska
Apr 9, 2011, 02:03 AM
 
Awesome. People totally overlook the things that QuickLook can do.

Don't have Office or iWork but want to look at a boring PowerPoint presentation? QuickLook.
     
Laurence  (op)
Mac Enthusiast
Join Date: Mar 1999
Location: Portland, Oregon, United States
Apr 9, 2011, 04:36 AM
 
QuickLook just shows a generic icon and nothing more. The defaults read command is also giving useless info about the files in question…


mac-pro:~ laurence$ defaults read /Users/laurence/Library/Preferences/com.incincgroup.linkspectrum
2011-04-09 01:32:58.859 defaults[94943:903]
Domain com.incincgroup.linkspectrum does not exist
mac-pro:~ laurence$ defaults read /Users/laurence/Library/Preferences/com.bigdiamonds.compress
2011-04-09 01:33:05.694 defaults[94946:903]
Domain com.bigdiamonds.compress does not exist
mac-pro:~ laurence$ defaults read /Users/laurence/Library/Preferences/com.Seard.DataStandard
2011-04-09 01:33:14.309 defaults[94950:903]
Domain com.Seard.DataStandard does not exist
mac-pro:~ laurence$ ls /Users/laurence/Library/Preferences/com.Sea*
/Users/laurence/Library/Preferences/com.Seard.DataStandard.plist
mac-pro:~ laurence$ ls /Users/laurence/Library/Preferences/com.big*
/Users/laurence/Library/Preferences/com.bigdiamonds.compress.plist
mac-pro:~ laurence$ ls /Users/laurence/Library/Preferences/com.inc*
/Users/laurence/Library/Preferences/com.incincgroup.linkspectrum.plist
mac-pro:~ laurence$

As you can see, the files exist, but don't contain the normal plist data.

Is there any way to determine which program created the files? Could I install something that would watch for their creation once I delete them again?

Thanks!
--Laurence
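
A triage sketch for the checks raised in the thread so far (whether a file named .plist carries a plist header at all, when it was modified and created, and whether several files are byte-identical), as an added example that is not part of any post. The sample contents are constructed here; only two file names come from the thread, and com.example.genuine.plist is a hypothetical control file.

```python
import hashlib
import os
import plistlib
import tempfile
import time

def triage(path):
    """Classify a *.plist file by its leading bytes; add hash and timestamps."""
    with open(path, "rb") as fh:
        data = fh.read()
    if data.startswith(b"bplist00"):  # binary plist magic
        kind = "binary plist"
    elif data.lstrip().startswith((b"<?xml", b"<plist")):
        kind = "XML plist"
    else:
        kind = "not a plist"
    try:
        plistlib.loads(data)
        parses = True
    except Exception:  # unrecognised header or malformed content
        parses = False
    st = os.stat(path)
    return {"kind": kind, "parses": parses,
            "sha256": hashlib.sha256(data).hexdigest(), "modified": st.st_mtime,
            "created": getattr(st, "st_birthtime", None)}  # birth time: macOS/BSD

def identical_groups(results):
    """Return sorted groups of file names whose contents hash the same."""
    groups = {}
    for path, info in results.items():
        groups.setdefault(info["sha256"], []).append(os.path.basename(path))
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def build_samples(folder):
    """Write constructed sample files; only two names come from the thread."""
    junk = b"\x00\x00\x01\x00" + b"\x00" * 252  # constructed, not the real bytes
    samples = {"com.incincgroup.linkspectrum.plist": junk,
               "com.bigdiamonds.compress.plist": junk,
               "com.example.genuine.plist": plistlib.dumps({"k": 1}, fmt=plistlib.FMT_BINARY)}
    for name, content in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(content)
    return [os.path.join(folder, name) for name in samples]

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as folder:
        results = {p: triage(p) for p in build_samples(folder)}
        for p, info in results.items():
            print(os.path.basename(p), info["kind"], info["parses"], time.ctime(info["modified"]))
        print("identical files:", identical_groups(results))
```

On a Mac, pointing triage() at the real files under ~/Library/Preferences gives the same fields for them.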
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Apr 9, 2011, 05:08 AM
 
Look through the Login items, and in the system and top-level library folders, check launch daemons, StartupItems, etc.
     
   
 