Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

eddi80

macrumors newbie
Original poster
Mar 20, 2016
3
0
Hi all,

i found a very strange message in the console - which makes me very nervous.

to the background: yesterday i got a javascript "popup" over an ad-network (don't know on which side, i had several browser-windows open in background): "pay xxx your pc is blocked...." in safari
I am using a MBP Retina 15"; End-2013; All Sec-Updates by apple installed;


i closed Safari via CMD-Q.

I downloaded Malewarebytes for Mac but didn't found anything.

then I tried to research what happened.
i am not sure if this is related to this popup - i found this message in the console
(?????.png is set by me because i don't have the original message anymore. was something like "mini_map" or so...):

SpotlightNetHelper[328]: [SLSUGGESTIONS] could not load URL https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/?????????.png: Error Domain=NSURLErrorDomain Code=-1009 "Es besteht anscheinend keine Verbindung zum Internet." UserInfo={NSUnderlyingError=0x7fb14ab75fd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_kCFStreamErrorCodeKey=8, _kCFStreamErrorDomainKey=12}}, NSErrorFailingURLStringKey=https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/?????.png, NSErrorFailingURLKey=https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/?????.png, _kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, NSLocalizedDescription=Es besteht anscheinend keine Verbindung zum Internet.}


so - because behavior of mac was strange I formatted the disc and reinstalled El-Captain again.
nothing new installed (beside garageband and numbers over app store), i found again these messages in the console (many of them around 10:52am):
MESSAGE 1:
20.03.16 10:52:07,188 SpotlightNetHelper[328]: [SLSUGGESTIONS] could not load URL https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/dust.png: Error Domain=NSURLErrorDomain Code=-1009 "Es besteht anscheinend keine Verbindung zum Internet." UserInfo={NSUnderlyingError=0x7fb14ab75fd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 "(null)" UserInfo={_kCFStreamErrorCodeKey=8, _kCFStreamErrorDomainKey=12}}, NSErrorFailingURLStringKey=https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/dust.png, NSErrorFailingURLKey=https://dalk4zrp4jp3q.cloudfront.net/images/mac_YFVkNF/dust.png, _kCFStreamErrorDomainKey=12, _kCFStreamErrorCodeKey=8, NSLocalizedDescription=Es besteht anscheinend keine Verbindung zum Internet.}

also i am getting this message:
MESSAGE 2 in rotation with Message1:

20.03.16 10:52:07,184 SpotlightNetHelper[328]: tcp_connection_get_statistics called with null connection, dumping backtrace:
[x86_64] libnetcore-583.20.10
0 libsystem_network.dylib 0x00007fff94be2ba5 __nw_create_backtrace_string + 123
1 libsystem_network.dylib 0x00007fff94bc9158 tcp_connection_get_statistics + 175
2 CFNetwork 0x00007fff8d710ee5 _ZN15TCPIOConnection28_signalConnectionEstablishedEv + 111
3 libdispatch.dylib 0x00007fff92599871 _dispatch_call_block_and_release + 12
4 libdispatch.dylib 0x00007fff9258e33f _dispatch_client_callout + 8
5 libdispatch.dylib 0x00007fff92592f6f _dispatch_queue_drain + 754
6 libdispatch.dylib 0x00007fff9259963b _dispatch_queue_invoke + 549
7 libdispatch.dylib 0x00007fff92591c87 _dispatch_root_queue_drain + 538
8 libdispatch.dylib 0x00007fff92591a34 _dispatch_worker_thread3 + 91
9 libsystem_pthread.dylib 0x00007fff8b62e68f _pthread_wqthread + 1129
10 libsystem_pthread.dylib 0x00007fff8b62c365 start_wqthread + 13




Can anybody please help me what this means?
I was not surfing around a lot with the laptop, so i am confused why this message comes again.
i formatted the OS Partition - so everything should be new now ????

Why is using spotlight "cloud font.net" (service by amazon, right)?
Spotlight is not allowed to search via internet. Only "pictures, movies, documents, music, pdfs, directories, presentations, programs, calculate, system-settings, charts/tables). In Safari all Search-Options in "Settings" are disabled. So i am confused why this message comes.

Is it a virus or is it a bug?


Thanks a lot for your help
Best regards
Eddi
 
Last edited:

eddi80

macrumors newbie
Original poster
Mar 20, 2016
3
0
Additional Info:
As you can see, around an hour after reinstall of OS X there is a storm of these messages for around half minute.
After this "storm" i could not find such messages again with cloudfront.net

Any ideas??

Messages.png


I found this JASON - which includes such files/pics.
But i have no idea how it is related to eat other:
https://gist.github.com/landonf/51daa1f70cf9962fa141

Need Help :(
 
Last edited:

NoBoMac

Moderator
Staff member
Jul 1, 2014
6,289
4,985
Don't know where it's coming from, but, sounds like you did not do a clean install. Meaning, you've restored items from backup/TimeMachine. Guessing you installed something that's accessing those items. (eg. have you changed the default icons for things on your Mac via a skinning program?).

Reformat the OS X partition, re-install OS, DO NOT install/copy anything else, including your documents, pictures, etc. Do the messages come back? If not, copy over your Documents, Pictures, Music folders from backup. Copy over all BUT Library. If there is something virii-like going on, most likely buried in the home Library folder (where all the user settings/configurations are).

From the github item you provided, appears that MAYBE, that file is being installed by some app at
/System/Library/CoreServices/Spotlight.app/Contents/XPCServices
I do not have that folder or the JSON provided, so, not seeing the messages you are getting.
 

eddi80

macrumors newbie
Original poster
Mar 20, 2016
3
0
hi,

yes, the thread at apple.com helped to find out what the root cause could be.
The Spotlight-Suggestions have to be deactivated in system-settings AND in Safari.
I am not sure, if i did this in safari before i went online first time.

i also saw yesterday (I enabled Spotlight suggestions for a few minutes), if the Spotlight-suggestions is enabled, Safari is loading resources from the internet (e.g. icons of sites and articles,...) when i am entering text in the URL-field to search for something. So i think it is coming from such use-case.

i did not see this messages, which I attached in the post before, since saturday again (or similar ones).

So I assume it was "just" misconfiguration of spotlight.

BTW: Timecapsule is not configured.
I formated "Macintosh HD" and made a fresh install - and only "GarageBand and Numbers" was installed. Skinning tools are not used.
But after the clarification in the apple-board, it was spotlight (suggestions) which was trying to load something. So i don't think it was a virus anymore.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.