Xjyuk

Where can I find vomiting people?

Can the UK veto its own extension request?

Is there a reliable way to hide/convey a message in vocal expressions (speech, song,...)

Sol Ⅲ = Earth: What is the origin of this planetary naming scheme?

Random point on a sphere

Linear Programming with additional "if-then"/"Default to zero" constraints?

Why did they ever make smaller than full-frame sensors?

Why does F + F' = 1?

Is it possible to PIVOT on a LIKE statement

How can I fix a framing mistake so I can drywall?

Are there any space probes or landers which regained communication after being lost?

Where can I get an anonymous Rav Kav card issued?

Is there a star over my head?

How to read torque specs off this Nissan service diagram?

Action queue manager to perform action in a FIFO fashion

Do Milankovitch Cycles fully explain climate change?

Why do sellers care about down payments?

Exact Brexit date and consequences

Can I cast Sunbeam if both my hands are busy?

Seized engine due to being run without oil

Is there a standard terminology for female equivalents of terms such as 'Kingdom' and if so, what are the most common terms?

What is a realistic time needed to get a properly trained army?

Does a gnoll speak both Gnoll and Abyssal, or is Gnoll a dialect of Abyssal?

Which ping implementation is Cygwin using?

What's is this random file in Macintosh HD? Malicious?

Tilde (~) File in Macintosh DirectoryIs this a virus?Selecting Random File in AppleScriptWhat's this process 'collision'?Database.db file in Macintosh HDCould ._ files contain malicious software?What's the `._xxx` file in macOS?Why doesn't spotlight return this file?

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;

3

So I noticed I had this file in the Macintosh HD folder...

And then when I click on it, it shows this

Apparently this file was created in 2017, but I don't remember it...

Any idea what it could be?

#!/bin/bash
func_4() [ "$COUNTRY" == "IN" ]
 
func_4 &

macos finder file malware

share|improve this question

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  Double clicking (aka running the file) is not advisable since you have no idea what it does. This appears to be a shell script of some type so you should edit it and post the contents to your original question so we can see what it contains.
  
  – Allan
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  open it in a text editor, that is what I do. Often these are spurious files created by an app or the OS that can be deleted with no consequence. But if you are curious, peek inside and see what it says...
  
  – Steve Chambers
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  If you want to do this via the terminal, just issue the command cat file | pbcopy and then paste it to the question. Do this from the Macintosh HD folder.
  
  – Allan
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @SteveChambers I tried opening it in Notes but it said it couldn't be opened because it's from an unidentified developer.
  
  – Friendly Siren
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  So, what I was able to uncover is that the script downloads and extracts a file from premiummac.com which is hosted on an AWS server. Issue the command dig premiummac.com in Terminal for the details. searchitdown seems to redirect to a google page. What you’re looking at here is some very questionable script that looks, walks, and quacks like a malware infected duck.
  
  – Allan
  8 hours ago
  

  
  
  
  

 | 
show 2 more comments

3

So I noticed I had this file in the Macintosh HD folder...

And then when I click on it, it shows this

Apparently this file was created in 2017, but I don't remember it...

Any idea what it could be?

#!/bin/bash
func_4() [ "$COUNTRY" == "IN" ]
 
func_4 &

macos finder file malware

share|improve this question

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

• 
  
  
  

  
  4
  

  
  
  
  
  
  

  
  
  Double clicking (aka running the file) is not advisable since you have no idea what it does. This appears to be a shell script of some type so you should edit it and post the contents to your original question so we can see what it contains.
  
  – Allan
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  open it in a text editor, that is what I do. Often these are spurious files created by an app or the OS that can be deleted with no consequence. But if you are curious, peek inside and see what it says...
  
  – Steve Chambers
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  If you want to do this via the terminal, just issue the command cat file | pbcopy and then paste it to the question. Do this from the Macintosh HD folder.
  
  – Allan
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @SteveChambers I tried opening it in Notes but it said it couldn't be opened because it's from an unidentified developer.
  
  – Friendly Siren
  9 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  So, what I was able to uncover is that the script downloads and extracts a file from premiummac.com which is hosted on an AWS server. Issue the command dig premiummac.com in Terminal for the details. searchitdown seems to redirect to a google page. What you’re looking at here is some very questionable script that looks, walks, and quacks like a malware infected duck.
  
  – Allan
  8 hours ago
  

  
  
  
  

 | 
show 2 more comments

So I noticed I had this file in the Macintosh HD folder...

And then when I click on it, it shows this

Apparently this file was created in 2017, but I don't remember it...

Any idea what it could be?

#!/bin/bash
func_4() [ "$COUNTRY" == "IN" ]
 
func_4 &

macos finder file malware

share|improve this question

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

#!/bin/bash
func_4() [ "$COUNTRY" == "IN" ]
 
func_4 &

share|improve this question

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

share|improve this question

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

edited 7 hours ago

Monomeeth♦

51.2k88 gold badges107107 silver badges156156 bronze badges

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

New contributor

Friendly Siren is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.

asked 9 hours ago

Friendly SirenFriendly Siren

2122 bronze badges

2 Answers
2

active

oldest

votes

5

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, A Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

• https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/


• https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code

#!/bin/bash

This code is script to be interpreted by bash, noted by this shebang.

func_4()
func_4 &

Function all ready to go, time to call it.

share|improve this answer

edited 8 hours ago

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This answers these two questions too :)stackoverflow.com/search?q=www.searchitdown.com
  
  – ankiiiiiii
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii thank you very much for the link! I will check it out
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @grg thank you so much for taking the time to both identify this and break down the code for me to understand it. Any idea what I should do to get rid of it? I already ran malware bytes on my mac
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @FriendlySiren well the link I posted has 2 questions with no answers, so don't check it out. For getting rid of it, the Intego links in this answer have some directions too.
  
  – ankiiiiiii
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii Okay I'll check out Integro then
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

2

That script does everything I would expect malware to do and has been around for a while so the domains it connects could be blocked or shut down now.

• Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run, (and even if you did once) downloading and running the MalwareBytes cleaner would be my next step

• https://www.malwarebytes.com/

share|improve this answer

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  The output including and following 'logout' is part of Terminal's session management (/etc/bashrc_Apple_Terminal) and unrelated to the file.
  
  – grg♦
  9 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @bmike I've ran malware bytes on my mac many times, it never got rid of this file for some reason. But I'll run it again just to make sure. Thanks :)
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

5

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, A Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

• https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/


• https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code

#!/bin/bash

This code is script to be interpreted by bash, noted by this shebang.

func_4()
func_4 &

Function all ready to go, time to call it.

share|improve this answer

edited 8 hours ago

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This answers these two questions too :)stackoverflow.com/search?q=www.searchitdown.com
  
  – ankiiiiiii
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii thank you very much for the link! I will check it out
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @grg thank you so much for taking the time to both identify this and break down the code for me to understand it. Any idea what I should do to get rid of it? I already ran malware bytes on my mac
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @FriendlySiren well the link I posted has 2 questions with no answers, so don't check it out. For getting rid of it, the Intego links in this answer have some directions too.
  
  – ankiiiiiii
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii Okay I'll check out Integro then
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

5

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, A Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

• https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/


• https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code

#!/bin/bash

This code is script to be interpreted by bash, noted by this shebang.

func_4()
func_4 &

Function all ready to go, time to call it.

share|improve this answer

edited 8 hours ago

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  This answers these two questions too :)stackoverflow.com/search?q=www.searchitdown.com
  
  – ankiiiiiii
  8 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii thank you very much for the link! I will check it out
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  1
  

  
  
  
  
  
  

  
  
  @grg thank you so much for taking the time to both identify this and break down the code for me to understand it. Any idea what I should do to get rid of it? I already ran malware bytes on my mac
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @FriendlySiren well the link I posted has 2 questions with no answers, so don't check it out. For getting rid of it, the Intego links in this answer have some directions too.
  
  – ankiiiiiii
  7 hours ago
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @ankiiiiiii Okay I'll check out Integro then
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

This is SilverInstaller, adware to download more adware and ‘potentially unwanted programs’. This was likely distributed through fake Flash popups, which someone on the system clicked on, downloaded, opened, installed and provided administrator credentials to.

Installed software in this package likely includes

MacKeeper, VSearch, A Pirrit injector, BrowserEnhancer, MPlayer

all of which you most certainly don't want.

• https://www.intego.com/mac-security-blog/silverinstaller-uses-new-techniques-to-install-puapup/


• https://www.intego.com/mac-security-blog/silverinstaller-sneakier-than-previously-thought/

I'll break down the code

#!/bin/bash

This code is script to be interpreted by bash, noted by this shebang.

func_4()
func_4 &

Function all ready to go, time to call it.

share|improve this answer

edited 8 hours ago

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

share|improve this answer

edited 8 hours ago

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

answered 8 hours ago

grg♦grg

145k2525 gold badges229229 silver badges340340 bronze badges

2

That script does everything I would expect malware to do and has been around for a while so the domains it connects could be blocked or shut down now.

• Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run, (and even if you did once) downloading and running the MalwareBytes cleaner would be my next step

• https://www.malwarebytes.com/

share|improve this answer

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  The output including and following 'logout' is part of Terminal's session management (/etc/bashrc_Apple_Terminal) and unrelated to the file.
  
  – grg♦
  9 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @bmike I've ran malware bytes on my mac many times, it never got rid of this file for some reason. But I'll run it again just to make sure. Thanks :)
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

2

That script does everything I would expect malware to do and has been around for a while so the domains it connects could be blocked or shut down now.

• Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run, (and even if you did once) downloading and running the MalwareBytes cleaner would be my next step

• https://www.malwarebytes.com/

share|improve this answer

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

• 
  
  
  

  
  2
  

  
  
  
  
  
  

  
  
  The output including and following 'logout' is part of Terminal's session management (/etc/bashrc_Apple_Terminal) and unrelated to the file.
  
  – grg♦
  9 hours ago
  
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  @bmike I've ran malware bytes on my mac many times, it never got rid of this file for some reason. But I'll run it again just to make sure. Thanks :)
  
  – Friendly Siren
  7 hours ago
  

  
  
  
  

add a comment | 

That script does everything I would expect malware to do and has been around for a while so the domains it connects could be blocked or shut down now.

• Downloads some files, runs those files and cleans up after itself.

It could be ad(vertising)ware instead of malware, but it’s clearly fingerprinting your mac, reporting a unique identifier for your Mac and intending to change the state of the Mac. Unless you opted in to the tool and wanted it to run, (and even if you did once) downloading and running the MalwareBytes cleaner would be my next step

• https://www.malwarebytes.com/

share|improve this answer

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

share|improve this answer

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges

answered 8 hours ago

bmike♦bmike

168k4646 gold badges306306 silver badges663663 bronze badges