Removing hidden folder 'eeraoe' and suspected malware; SoftUtil & Main Service.app, Processor.app, SystemInjector_64Bit.app, Updater.app etc

Hey fam,


I've found some super dodgy-looking software and files on a work computer:


I found 'SoftUtil.app' in the applications folder. Googling it revealed only this one post about it which was alarming enough, but then I ran EtreCheck as well which revealed a bunch of related files and other .exe and .app files in hidden folders of the operating system, listed here:

  • .zip
  • 9CAC23D8-3CE0-4E2B-9103-D8A61C9A6113
  • com.ati.websecurity.json
  • DmgCleaner
  • FileFeatures.app
  • Launcher.exe
  • Main Service.app
  • NativeWebSecurity
  • onbpjbgmafgedakpmkmgcbogfomcpjjd.json
  • Processor.app
  • settings-2023709.dat
  • settings.dat
  • SystemInjector_32Bit.app
  • SystemInjector_64Bit.app
  • Updater.app
  • WebSecurity.safariextz
  • WebSecurity_Chrome.crx
  • websecurity.json
  • WebSecurity.plugin
  • websecuritymac@ati.org.xpi
  • ziUu4psm


I've been able to put the above lot in the Bin but there is at least one other collection of the same files, located in a 'previous system' folder: Macintosh HD/System/Volumes/Macintosh HD/Previous System/

Previous System/Previous System/cores/eeraoe… and if you pay attention to the screenshots you'll see that this older set has files that were modified in January when the parent 'previous system' folder was created.


Certain files in the 'SoftUtil.app' package contents and the eeraoe folder mention a username, 'SameerKadam', and include the same version number, so they are clearly related.


I'm still not absolutely certain they are malicious but I can't identify the developer or any other info online.


I need help with two things:

  1. Determining what I'm removing and whether it's legitimate.
  2. I'm having trouble removing the older set of these files from the 'previous system' folder, despite being logged in as the primary admin user. The file called ".zip" is locked and I cannot unlock / adjust its permissions.


Are there any pros available who can help out with the above? If you want copies of the file sets I'll need to review the website agreement before uploading them here, but I'm open to doing that.


iMac Line (2012 and Later)

Posted on Sep 26, 2021 12:10 AM

6 replies

Sep 27, 2021 10:23 PM in response to MrHuman

I've since confirmed none of the software components can be removed using Terminal. The permissions of these files can't be modified. Seemingly, the only remaining options are to either:

  • Use the Installer app offered by the vendor. But something, maybe macOS, Safari or our ISP refuses to download more than 3KB of it.
  • Do a clean installation of macOS.


I'm not confident the vendor is trustworthy, so I won't be using their Installer tool, even if I could download it.


Not a happy ending, but I'm glad this record is online for the benefit of others.

Sep 27, 2021 12:39 PM in response to Luis Sequeira1

Thanks Luis,


I've since confirmed unequivocally that both the buried/hidden folder 'eeraoe' and the 'SoftUtil' app in the Applications folder combined are software called WebWatcher, made by Awareness Technologies. After ascertaining its marketed name, I've been able to confirm with my employer it was knowingly and intentionally installed. Given its purpose, being hidden is understandable, but having files that I'm unable to access/delete with an admin account via Terminal is deplorable.


What I need help with now is:


  1. Accessing the buried/hidden folder in Terminal, but it keeps telling me there is no such location. I've tried using 'cd' and pasting in:
    1. the entire path starting from the first 'Macintosh HD'. No dice.
    2. the entire path starting from the first 'Previous System'. No dice.
    3. the entire path starting from the second 'Macintosh HD'. No dice.
    4. the entire path starting from the second 'Previous System'. No dice.
  2. Unlocking and deleting the ".zip" file (at the top of the list in my initial post).
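Added example, not from the thread or from any Apple or Awareness Technologies tooling: a small bash triage helper for the two problems above. Every path component with a space (such as "Previous System") must be quoted, which is the usual reason cd reports "no such file or directory" when a pasted path is used unquoted; the inventory then shows owner and, on macOS, the BSD file flags (uchg/schg) that explain why an admin account cannot delete or chmod an entry. The SUSPECT_DIR value is my reconstruction of the path described in the post, and make_sample_tree builds a constructed directory so the helpers can be exercised offline.

```shell
#!/bin/bash
set -u

# Assumed reconstruction of the path from the post (Finder's first "Macintosh HD"
# is "/"); adjust to match the real machine.
SUSPECT_DIR="/System/Volumes/Macintosh HD/Previous System/Previous System/cores/eeraoe"

# Returns 0 when the path resolves. The double quotes are what keep the
# spaces in "Previous System" and "Macintosh HD" from splitting the argument.
path_exists() {
    [ -e "$1" ]
}

# Long listing of a directory. On macOS, -O adds BSD file flags to the output:
# "uchg" is the Finder "Locked" flag and "schg" is system-immutable; either
# one blocks rm and chmod even for an admin until the flag is cleared.
inventory() {
    local dir="$1"
    if [ "$(uname)" = "Darwin" ]; then
        ls -laO "$dir"
    else
        ls -la "$dir"
    fi
}

# Counts entries under a tree whose names match artefact names listed in the
# first post, as a quick "is this the same bundle?" check. Prints the count.
count_known_artifacts() {
    local dir="$1"
    find "$dir" \( -name 'SystemInjector_*Bit.app' -o -name 'websecurity*.json' \
        -o -name 'com.ati.websecurity.json' -o -name 'WebSecurity*' \) -print \
        | wc -l | tr -d ' '
}

# Constructed sample tree (not the real system) for offline exercise of the
# helpers above. Prints the temporary root directory.
make_sample_tree() {
    local root
    root="$(mktemp -d)"
    mkdir -p "$root/Previous System/cores/eeraoe"
    touch "$root/Previous System/cores/eeraoe/SystemInjector_64Bit.app" \
          "$root/Previous System/cores/eeraoe/websecurity.json" \
          "$root/Previous System/cores/eeraoe/settings.dat"
    printf '%s\n' "$root"
}

if [ "${1:-}" = "--demo" ]; then
    root="$(make_sample_tree)"
    inventory "$root/Previous System/cores/eeraoe"
    printf 'known artefacts: %s\n' "$(count_known_artifacts "$root")"
    rm -rf "$root"
fi
```

Run it with `--demo` to see the listing on the constructed tree, or call `inventory "$SUSPECT_DIR"` directly on the affected Mac.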
