glennhaste

Q: I believe that my Mac Pro is infected with mal ware. How to request help?

Hello

    I believe that my Mac Pro (Early 2008) is infected with mal ware. (I’ve deliberately used the 2 word spelling to try to distinguish between the unknown entity I believe I have, and the free software one can - maybe - download).  I am not conversant with the various ‘bad actors’, so I’ll just refer to it as “my entity”.  I believe that it is a sophisticated malware, because, among other things, I think it modifies the Malwarebytes application/utility.  A brief description of why I say that.

    I had, earlier, downloaded and run Malwarebytes.  My recollection is that Malwarebytes did not find any serious problems.  I also ran Sophos, and that it had found two threats, which Sophos dealt with.  Sorry, I don’t recall their names.  But, as I’m sure that you’re aware that Sophos takes something like 8 - 12 hours to run, so I haven’t used it again, recently.  But, I do have something called Malwarebytes in my Utilities folder.  When I clicked on it, I got a window labeled Users. and which had folders Apple, Guest, and Shared.  I decided to download Malwarebytes again (but without deleting the Malwarebytes I just described), thinking that the new, good Malwarebytes would replace the phony one.  Well, it didn’t.  So I can’t say whether the download didn’t happen, or that it did happen, but was immediately converted into Users.  So, I have ‘something’ with the title ‘Malwarebytes Anti-Malware’ that is in fact, User.

   Other indication: when I want to search, I can use either Safari or Chrome.  But after I enter the item I’m looking for, I see (something like) kuklorist searching for ………..    if I ask spotlight where is kuklorist?, there is no answer.  So, whatever kuklorist is, it  can hide very well. 

   I notice that Farbar Recovery Scan Tool and Malwarebytes Chameleon are available for PC’s.  Is there something like them for Macs?

   I suspect that screen shots would help in my descriptions, but I don’t know how to make them. I also suspect that I’m not following the correct procedures in initiating the case.   Could you tell me how to do these?


Mac Pro, Mac OS X (10.6.8), Early '06, Also use OS 10.5 & 10.7

Posted on Dec 15, 2015 12:40 PM

  • by lllaass,

    lllaass Dec 15, 2015 10:59 AM in response to glennhaste
    Level 10 (189,790 points)
    Desktops
  • by John Galt,

    John Galt Dec 15, 2015 12:15 PM in response to glennhaste
    Level 8 (49,777 points)
    Mac OS X

    The very first thing you must do is to stop downloading and installing magical cure-all solutions. There are now a plethora of one-click "anti-malware" solutions to be found for the Mac, and they are all likely to exacerbate whatever undesirable conditions exist or to create new problems of their own. Uninstall whatever it was you installed according to the developer's instructions. For "Sophos" use the Remove Sophos Anti-Virus program. It will be installed in your Mac's Applications folder, unless you moved or deleted it. In that case, follow their uninstallation instructions here: https://www.sophos.com/support/knowledgebase/122710.aspx

     

    You inadvertently installed adware. "Kuklorest" is an "InstallMac" variant. You do not need to download or install anything to fix it.

     

    Navigate to the following folder, and post its contents in a screenshot.

     

    ~/Library/LaunchAgents

     

    To open that folder, copy the entire line above and paste it in the Finder's Go menu > Go to Folder... field. It should look like this:

     

    gt.png

     

     

    Take a screenshot showing all that folder's contents, and post it in a reply. To take a screenshot read the Appendix in the following User Tip: Writing an effective Apple Support Communities question. There will be additional instructions to follow.

     

    For a description of how this may have occurred, how to avoid it in the future, and for Apple's recommended actions read How to install adware. Apple's instructions are linked in the Recovery Procedure near the end of that document. Read and follow them carefully. Pay particular attention to the easily overlooked passages directing you to restart your Mac when required.

     

    Review your Gatekeeper settings: OS X : About Gatekeeper - Apple Support. Gatekeeper is designed to help prevent you from inadvertently installing garbage software.

  • by Linc Davis,

    Linc Davis Dec 15, 2015 12:40 PM in response to glennhaste
    Level 10 (208,000 points)
    Applications

    Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

    You installed one or more variants of the "InstallMac" trojan. Please take the steps below to disable it.

    The criminal behind this attack tries to make the malware hard to remove by varying the names of the files it installs. This procedure works as of now, as far as I know. It may not work in the future. Anyone finding this comment a few days or more after it was posted should look for a more recent discussion, or start a new one.

    Back up all data before continuing.

    1. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

    ~/Library/LaunchAgents

    In the Finder, select

              Go ▹ Go to Folder...

    from the menu bar and paste into the box that opens by pressing command-V. You may not see what you pasted because a line break is included. Press return. A folder named "LaunchAgents" will open.

    2. Inside the folder you just opened, there may be files with a name of any of these forms:

              gUpdater.plist

              something.AppRemoval.plist

              something.download.plist

              something.ltvbit.plist

              something.update.plist

    Here something is usually a meaningless string, such as any of the following:

              Epolife

              InstallMac

              Javeview

              Kuklorest

              Manroling

              Otwexplain

    These are examples, not a complete list. The string could be anything. The point is that the same string will usually appear in the name of three or four files.

    You could have more than one copy of the malware, with different values of something.

    Move all such items to the Trash. If there are any other files with a name that begins with something, move those to the Trash also. After you've done that, there may not be anything left in the LaunchAgents folder; in that case, you can delete the folder, but otherwise don't delete it. Other files in the folder are not necessarily malicious (though they could be, if you also installed some other kind of malware.)

    Log out or restart the computer. The trojan should now be inactive.

    3. This step is optional. Open the following folder as in Step 1:

    ~/Library/Application Support

    and move to the Trash any subfolders with the name something that you found in Step 2.

    Don't move the Application Support folder or anything else inside it.

    4. Open the Applications folder. If there is an item named something, or "Zip Devil," or with any of the other names listed in Step 2, drag it to the Trash.

    If in doubt, press the key combination option-command-4 to arrange the apps by date added. Look at the apps that have been added since you first noticed the problem. If there is one you don't recognize, drag it to the Trash.

    Empty the Trash.

    If you get an alert that the application is in use, force it to quit.

    5. From the Safari menu bar, select

              Safari ▹ Preferences... ▹ Extensions

    Uninstall all extensions you don't know you need. If in doubt, remove all of them. None is required for normal operation. Do the equivalent in the Chrome and Firefox browsers, if you use either of those.

    6. Reset the home page in each of your browsers, if it was changed. In Safari, first load the home page you want, then select

              Safari ▹ Preferences... ▹ General

    and click

              Set to Current Page
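
Steps 2 and 3 of the procedure above, written as a read-only check that lists candidates and deletes nothing. This is an added example, not part of Linc Davis's post; the function names, the `min_matches` threshold and the sample file names in `demo()` are assumptions of the example.

```python
import os
import re
import tempfile
from collections import defaultdict

# Name forms listed in Step 2 of the post ("something" is the variable part).
SUFFIXES = ("AppRemoval", "download", "ltvbit", "update")
PATTERN = re.compile(r"^(?P<stem>.+)\.(?P<suffix>%s)\.plist$" % "|".join(SUFFIXES))


def scan_launch_agents(agents_dir, min_matches=2):
    """Return {stem: file names} for stems that repeat across the Step 2 forms.

    min_matches is an assumption of this example: the post says the same
    string usually appears in three or four files, so a single match such
    as a legitimate "vendor.update.plist" is not reported.
    """
    try:
        names = sorted(os.listdir(agents_dir))
    except FileNotFoundError:
        return {}  # no LaunchAgents folder at all
    suffix_hits = defaultdict(set)
    for name in names:
        m = PATTERN.match(name)
        if m:
            suffix_hits[m.group("stem")].add(m.group("suffix"))
    report = {}
    for stem, hits in suffix_hits.items():
        if len(hits) >= min_matches:
            # Step 2 also covers any other file whose name begins with the stem.
            report[stem] = [n for n in names if n.startswith(stem)]
    if "gUpdater.plist" in names:
        report["gUpdater"] = ["gUpdater.plist"]
    return report


def leftover_support_folders(support_dir, stems):
    """Step 3: subfolders of Application Support named after a reported stem."""
    return sorted(s for s in stems if os.path.isdir(os.path.join(support_dir, s)))


def demo():
    """Scan a constructed folder tree (sample names, not a real infection)."""
    with tempfile.TemporaryDirectory() as root:
        agents = os.path.join(root, "LaunchAgents")
        support = os.path.join(root, "Application Support")
        os.makedirs(agents)
        os.makedirs(os.path.join(support, "Kuklorest"))
        for name in ("Kuklorest.AppRemoval.plist", "Kuklorest.download.plist",
                     "Kuklorest.ltvbit.plist", "Kuklorest.update.plist",
                     "Kuklorest.helper.plist",            # constructed extra file
                     "com.example.vendor.update.plist"):  # constructed lone match
            open(os.path.join(agents, name), "w").close()
        report = scan_launch_agents(agents)
        return report, leftover_support_folders(support, report)


if __name__ == "__main__":
    print(demo())
```

On a real account the two directories would be `os.path.expanduser("~/Library/LaunchAgents")` and `os.path.expanduser("~/Library/Application Support")`.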

  • by thomas_r.,

    thomas_r. Dec 15, 2015 2:01 PM in response to glennhaste
    Level 7 (30,929 points)
    Mac OS X

    glennhaste wrote:

     

    I do have something called Malwarebytes in my Utilities folder.  When I clicked on it, I got a window labeled Users. and which had folders Apple, Guest, and Shared.  I decided to download Malwarebytes again (but without deleting the Malwarebytes I just described), thinking that the new, good Malwarebytes would replace the phony one.  Well, it didn’t.  So I can’t say whether the download didn’t happen, or that it did happen, but was immediately converted into Users.  So, I have ‘something’ with the title ‘Malwarebytes Anti-Malware’ that is in fact, User.

     

    What you're describing is not at all normal, and not anything that Malwarebytes Anti-Malware for Mac will do. When you downloaded Malwarebytes Anti-Malware for Mac again and copied it into the Applications folder, are you saying that the result was that a folder called "Malwarebytes Anti-Malware" was created in the Applications folder, with a Users folder inside it? If so, can you provide a screenshot showing this?

     

    Make a screenshot by following the directions here:

     

    http://support.apple.com/kb/HT5775

     

    Be sure no sensitive personal information is displayed. To add that image to a post here, click the camera icon in the post editor toolbar.

     

    In addition, it would be very helpful if you could start up your computer in safe mode:

     

    Try safe mode if your Mac doesn't finish starting up - Apple Support

     

    Once in safe mode, download a fresh copy of Malwarebytes Anti-Malware for Mac from here:

     

    https://malwarebytes.org/antimalware/mac

     

    (This link goes to my employer's site. I am not paid for posting this link, and the product is free, but you should be aware of the association.)

     

    Before downloading, be sure that your Downloads folder is cleaned out so you can identify the fresh copy.

     

    Next, open the Malwarebytes Anti-Malware.dmg file. In the window that opens, rather than copying the app to Applications, just open it from there. Then, choose Take System Snapshot from the Scanner menu. In the window that opens, select all the text (Edit Select All), copy it and paste into a reply to this message. Alternately, if you'd prefer not to post that information here, you can use the Contact Support item in the Help menu to get one-on-one help from Malwarebytes techs. If you mention my name in your request, I'll see it as well.

     

    Thomas Reed

    Director of Mac Offerings, Malwarebytes

  • by glennhaste,

    glennhaste Dec 16, 2015 9:29 AM in response to thomas_r.
    Level 1 (12 points)
    Accessibility

    Thanks for the response!   I’ll try to provide what I think is relevant.  First guess at what may be relevant:  Yesterday, when I was composing my appeal, I was using OS 10.11.1.  An update was available so I’m now using OS 10.11.2 (15C50).  I don’t yet know whether this will affect things, so will type as I learn.

        1st Screenshot - Part of Applications folder, showing Malwarebytes entry.

        

       2nd Screenshot - result of clicking on the Malwarebytes entry

       Today, I trashed the Malwarebytes you see up above, and downloaded the Mac version.  The Screenshot below shows where I’m stymied, dragging the download into the Applications folder doesn’t work.  Am I doing something silly?  I don’t see any other Malwarebytes other than this ‘blue’ window. Searching doesn’t reveal anything.  Help

  • by thomas_r.,

    thomas_r. Dec 16, 2015 11:25 AM in response to glennhaste
    Level 7 (30,929 points)
    Mac OS X

    I don't see that your screenshots got included in your post. Can you try again? You need to drag the images into the text editing area, or click the camera icon in the text editor toolbar.

     

    Screen Shot 2015-12-16 at 2.24.37 PM.png

  • by glennhaste,

    glennhaste Dec 16, 2015 11:51 AM in response to thomas_r.
    Level 1 (12 points)
    Accessibility

      Thanks for the response!   I’ll try to provide what I think is relevant.  First guess at what may be relevant:  Yesterday, when I was composing my appeal, I was using OS 10.11.1.  An update was available so I’m now using OS 10.11.2 (15C50).  I don’t yet know whether this will affect things, so will type as I learn.

        1st Screenshot - Part of Applications folder, showing Malwarebytes entry.

       Pasted Graphic.tiff

       2nd Screenshot - result of clicking on the Malwarebytes entry

       Pasted Graphic 1.tiff

       Today, I trashed the Malwarebytes you see up above, and downloaded the Mac version.  The Screenshot below shows where I’m stymied, dragging the download into the Applications folder doesn’t work.  Am I doing something silly?  I don’t see any other Malwarebytes other than this ‘blue’ window. Searching doesn’t reveal anything.  Help

       Screen Shot 2015-12-16 at 12.05.31 PM.png

  • by glennhaste,

    glennhaste Dec 16, 2015 11:59 AM in response to glennhaste
    Level 1 (12 points)
    Accessibility

    It looks like I can't include Screen shots, so I'll tell in words.   I have a window that says, among other things, "To install, drag Malwarebytes to your application folder".  When I do so the window sits in the Applications folder, but it just sits there, and does not get included in that folder.  So, I'm stuck at that point.

  • by Mac_Cat,

    Mac_Cat Dec 16, 2015 2:37 PM in response to glennhaste
    Level 1 (54 points)
    Mac OS X

    No. No. No!

     

    Please read the 3rd post here by John Galt !!!  PLEASE !


    Do not install Malwarebytes, either!

    Reboot, if you have to!

     

    You have to go find this adware manually and delete or hire someone else to do it for you.

     

    Trust me - I've got the same computer and I've made the same mistakes.

     

    The way they snagged me was when I went to download a perfectly good, well known and trusted app, only to have the second splash screen popup and prompt me to Click again.  The second screen looked exactly like the original, although the product had changed.

     

    You DO NOT NEED Anti-Malware or Anti-Adware software !

    You need to read splash screens presented to you and avoid the ones that don't look right or offer unfamiliar software.

    Otherwise, you are making your problems worse !


    Adware is presented in a deceitful manner.

    It anticipated people will not read the details and then agree and habitually click to download things they don't need or want.

     

    Just stop downloading this stuff, even though you may have found it on a perfectly legitimate web site.

  • by Mac_Cat,

    Mac_Cat Dec 16, 2015 2:42 PM in response to Mac_Cat
    Level 1 (54 points)
    Mac OS X

    Screenshots:

     

    There is a tool called Grab  (~Applications/Utilities/Grab) which you should have on your Dock.

     

    Grab allows you to use SELECT to highlight a part of the desktop screen to save as a picture file or you can choose a specific WINDOW.

    That's how you get a screen shot.  Don't choose the entire desktop, just that popup window or the LaunchAgents directory listing.


    Then copy it to your forum post and paste it into the new post.

  • by lllaass,

    lllaass Dec 16, 2015 2:45 PM in response to Mac_Cat
    Level 10 (189,790 points)
    Desktops

    As already stated there is nothing wrong with Malwarebytes. You run it, not install it. It does not provide any protection, it just identifies possible Malware at the time you run it and gives you the option to delete individually malware that it finds. It does nothing automatically.

    If one wants to poke around your library files and delete files you can do that but if you delete necessary files that can cause problems.

  • by Linc Davis,

    Linc Davis Dec 16, 2015 3:14 PM in response to glennhaste
    Level 10 (208,000 points)
    Applications

    The comment of Mac_Cat is correct. You do not need, and should not use, the "malwarebytes" product or anything else like it. No matter what it does, relying on it for protection will give you a false sense of security that leaves you more vulnerable to malware attack. It has already cost you more in wasted time than a malware attack would.

  • by thomas_r.,

    thomas_r. Dec 16, 2015 6:47 PM in response to glennhaste
    Level 7 (30,929 points)
    Mac OS X

    I'm not sure what's going wrong without being able to see what you're doing. Are you trying to drag the icon circled in red here into the Applications folder?

     

    Screen Shot 2015-12-16 at 9.39.56 PM.png

     

    If that doesn't work, try dragging it to the desktop instead. Does that work? If not, you can even just double-click the Malwarebytes Anti-Malware icon within that window to run it from there, without copying it into another location.

     

    Once you've opened it, choose Take System Snapshot from the Scanner menu. In the window that opens, select all the text (Edit Select All), copy it and paste into a reply to this message. Alternately, if you'd prefer not to post that information here, you can use the Contact Support item in the Help menu to get one-on-one help from Malwarebytes techs. If you mention my name in your request, I'll see it as well.

     

    Thomas Reed

    Director of Mac Offerings, Malwarebytes

  • by glennhaste,

    glennhaste Dec 19, 2015 6:18 PM in response to Linc Davis
    Level 1 (12 points)
    Accessibility

      Boy, I don't know what's going on with the replies that I see on my Mac.  Yesterday I replied to Linc Davis, showing that I couldn't complete the eradication of Kuklorist - I even included a screenshot showing why not - the window that showed Kuklorist also included the phrase "File could not be found"

      Then today, I found, again, the prescription by Linc Davis, which I followed, and saw that Kuklorist showed up, but this time without that phrase.  That let me trash Kuklorist (twice).  Afterwards, I used Safari to browse, and it did just that - i.e. with no Kuklorist ever appearing.  So, I'm claiming success.  But, I'm concerned about the replies I see.  After using Linc's prescription I can no longer find the reply that contained it!
