

How do I remove Backdoor.wirenet.2 from my Mac. DrWeb has detected it but can not remove.

DrWeb has detected Backdoor.wirenet.2 on my Mac.

The Location is /Users/grazia/.Install?Host.app/Contents/MacOs

but when I go there I can not find it.

Any help??

Posted on Mar 25, 2014 4:31 AM

38 replies

Mar 26, 2014 8:00 PM in response to Linc Davis

Thomas is apparently more current on the subject of this trojan than I am. On the subject of removing "DrWeb," I would only add that it did not save you from being infected, and neither it nor any other "anti-virus" software will save you from being infected again in the future. The only thing that will save you is a drastic change in the way you use the computer, as outlined in my earlier comment. If you wallow in the open sewers of the Internet, you are going to get filthy. Thinking that a deus ex machina like "DrWeb" is going to protect you only puts you at greater risk.


It's likely that you have been infected for more than a year. Whatever damage was going to be done, has been done.


The one thing you can be sure "DrWeb" will do is continue to waste CPU cycles, as it was doing when you ran the test script. At that time, it was using more of the CPU than any other process. I stand by my recommendation that you remove it.

Mar 27, 2014 2:02 AM in response to grazgar

grazgar wrote:


My computer started to behave in a strange way just after I installed a program.

And what Thomas and I are trying to get our hands on is that program. Don't post a link, but can you describe in some way where we can find it? That way we might be able to figure out what besides that host.app has been installed.

Mar 27, 2014 3:28 AM in response to Linc Davis

On the subject of removing "DrWeb," I would only add that it did not save you from being infected, and neither it nor any other "anti-virus" software will save you from being infected again in the future.


Do you know when Dr. Web was installed and when the infection happened? I don't.


What I can say is that the built-in XProtect system should protect against this at this point. After my findings back on March 5 (Time to re-evaluate safety of Mac OS X), showing that Mac OS X did not actually protect against NetWeird (among other things), and after I submitted two samples of this malware to Apple, it now protects against this. On the 13th, Apple added a definition for OSX.NetWeird.A.


Prior to that point, ONLY anti-virus software would have protected grazgar against this threat. Dr. Web has recognized it for quite some time. My guess is that either Dr. Web wasn't installed when the infection happened, or Dr. Web Light was installed and not used to scan the downloaded file. (Dr. Web Light is only capable of manual scans, and as such, it is not going to "continue to waste CPU cycles.")

Mar 27, 2014 4:12 AM in response to thomas_r.

My other MacBook Pro has started to give me problems as well 😟.

I can not use the cursor of the mouse.

The touch pad seems to be broken.

I ran the steps recommended by Linc Davis and this is the result:

ANY IDEA?





No root access

System Version: Mac OS X 10.6.8 (10K549)
Kernel Version: Darwin 10.8.0
Boot Mode: Normal
Model: MacBookPro7,1

Kernel messages
Tue Mar 25 kernel[0]: Previous Shutdown Cause: -60
Tue Mar 25 kernel[0]: AppleBCM5701Ethernet: 0 0 setFixedSpeed - logic error, speed any?
Wed Mar 26 kernel[0]: AppleBCM5701Ethernet: 0 0 setFixedSpeed - logic error, speed any?
Wed Mar 26 kernel[0]: AppleBCM5701Ethernet: 0 0 setFixedSpeed - logic error, speed any?
Wed Mar 26 kernel[0]: AppleBCM5701Ethernet: 0 0 setFixedSpeed - logic error, speed any?
Thu Mar 27 kernel[0]: PM notification timeout (pid 118, Seagate Storage )
Thu Mar 27 kernel[0]: AppleBCM5701Ethernet: 0 0 setFixedSpeed - logic error, speed any?

Extrinsic agents
edu.mit.Kerberos.KerberosAgent
com.paragon.ntfs.vendor
com.paragon.ntfs.trial
com.seagate.SeagateStorageGauge.plist
com.epson.epw.agent
com.adobe.CS5ServiceManager
edu.mit.Kerberos.CCacheServer

launchd items
/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist (com.adobe.AAM.Startup-1.0)
/Library/LaunchAgents/com.adobe.CS5ServiceManager.plist (com.adobe.CS5ServiceManager)
/Library/LaunchAgents/com.epson.epw.agent.plist (com.epson.epw.agent)
/Library/LaunchAgents/com.seagate.SeagateStorageGauge.plist (com.seagate.SeagateStorageGauge.plist)
/Library/LaunchDaemons/com.adobe.fpsaud.plist (com.adobe.fpsaud)
/Library/LaunchDaemons/com.adobe.SwitchBoard.plist (com.adobe.SwitchBoard)
/Library/LaunchDaemons/com.apple.third_party_32b_kext_logger.plist (com.apple.third_party_32b_kext_logger)
/Library/LaunchDaemons/com.sierrawireless.SWoCTool.plist (com.sierrawireless.SWoCTool)

Extrinsic loadable bundles
/System/Library/CoreServices/SecurityAgentPlugins/HomeDirMechanism.bundle (com.apple.SecurityAgentPlugin.HomeDirMechanism)
/System/Library/CoreServices/SecurityAgentPlugins/loginKC.bundle (com.apple.loginKC)
/System/Library/CoreServices/SecurityAgentPlugins/loginwindow.bundle (com.apple.securityAgentPlugin.loginwindowUI2)
/System/Library/CoreServices/SecurityAgentPlugins/MCXMechanism.bundle (com.apple.securityAgentPlugin.MCXMechanism)
/System/Library/CoreServices/SecurityAgentPlugins/PKINITMechanism.bundle (com.apple.PKINITMechanism)
/System/Library/CoreServices/SecurityAgentPlugins/RestartAuthorization.bundle (com.apple.securityAgentPlugin.RestartAuthorization)
/System/Library/Extensions/AppleIntelSNBGraphicsFB.kext (com.apple.driver.AppleIntelSNBGraphicsFB)
/System/Library/Extensions/AppleIntelSNBVA.bundle (com.apple.AppleIntelSNBFBVA)
/System/Library/Extensions/AppleMCP89RootPortPM.kext (com.apple.driver.AppleMCP89RootPortPM)
/System/Library/Extensions/AppleThunderboltDPAdapters.kext (com.apple.driver.AppleThunderboltDPAdapters)
/System/Library/Extensions/AppleThunderboltEDMService.kext (com.apple.driver.AppleThunderboltEDMService)
/System/Library/Extensions/AppleThunderboltNHI.kext (com.apple.driver.AppleThunderboltNHI)
/System/Library/Extensions/AppleThunderboltPCIAdapters.kext (com.apple.driver.AppleThunderboltPCIAdapters)
/System/Library/Extensions/AppleThunderboltUTDM.kext (com.apple.iokit.AppleThunderboltUTDM)
/System/Library/Extensions/ATI6000Controller.kext (com.apple.kext.ATI6000Controller)
/System/Library/Extensions/EPSONUSBPrintClass.kext (com.epson.print.kext.USBPrintClass)
/System/Library/Extensions/hp_designjet_series.kext (com.hp.print.hpio.Designjet.kext)
/System/Library/Extensions/hp_Deskjet_io_enabler.kext (com.hp.print.hpio.Deskjet.kext)
/System/Library/Extensions/hp_Inkjet1_io_enabler.kext (com.hp.print.hpio.Inkjet1.kext)
/System/Library/Extensions/hp_Inkjet2_io_enabler.kext (com.hp.print.hpio.Inkjet2.kext)
/System/Library/Extensions/hp_Inkjet3_io_enabler.kext (com.hp.print.hpio.Inkjet3.kext)
/System/Library/Extensions/hp_Inkjet4_io_enabler.kext (com.hp.print.hpio.Inkjet4.kext)
/System/Library/Extensions/hp_Inkjet5_io_enabler.kext (com.hp.print.hpio.Inkjet5.kext)
/System/Library/Extensions/hp_Inkjet7_io_enabler.kext (com.hp.print.hpio.inkjet7.kext)
/System/Library/Extensions/hp_Inkjet8_io_enabler.kext (com.hp.print.hpio.inkjet8.kext)
/System/Library/Extensions/hp_Inkjet_io_enabler.kext (com.hp.print.hpio.Inkjet.kext)
/System/Library/Extensions/hp_io_printerclassdriver_enabler.kext (com.hp.hpio.hp_io_printerclassdriver_enabler)
/System/Library/Extensions/hp_Laserjet_io_enabler.kext (com.hp.print.hpio.Laserjet.kext)
/System/Library/Extensions/hp_Officejet_io_enabler.kext (com.hp.print.hpio.Officejet.kext)
/System/Library/Extensions/hp_Photosmart_io_enabler.kext (com.hp.print.hpio.Photosmart.kext)
/System/Library/Extensions/hp_PhotosmartPro_io_enabler.kext (com.hp.print.hpio.PhotosmartPro.kext)
/System/Library/Extensions/hp_psa640_io_enabler.kext (com.hp.hpio.hp_psa640_io_enabler)
/System/Library/Extensions/hp_qc_io_enabler.kext (com.hp.hpio.hp_psa530_630_io_enabler)
/System/Library/Extensions/IOThunderboltFamily.kext (com.apple.iokit.IOThunderboltFamily)
/System/Library/Extensions/LexmarkUSBMerge.kext (com.lexmark.print.usbmerge)
/System/Library/Extensions/Maxon.kext (au.com.maxon.driver.MaxonFamily)
/System/Library/Extensions/Option72.kext (com.option.driver.Option72)
/System/Library/Extensions/OptionMSD.kext (com.option.driver.OptionMSD)
/System/Library/Extensions/PromiseSTEX.kext (com.promise.driver.stex)
/System/Library/Extensions/Seagate Storage Driver.kext (com.seagate.driver.PowSecDriverCore)
/System/Library/Extensions/SierraDevSupport.kext (com.sierrawireless.driver.SierraDevSupport)
/System/Library/Extensions/SierraDIPSupport.kext (com.sierrawireless.driver.SierraDIPSupport)
/System/Library/Extensions/SierraFSRSupport.kext (com.sierrawireless.driver.SierraFSRSupport)
/System/Library/Extensions/SierraHSRSupport.kext (com.sierrawireless.driver.SierraHSRSupport)
/System/Library/Extensions/SierraIPDirect.kext (com.sierrawireless.driver.SierraIPDirect)
/System/Library/Extensions/UsbEthernetGadget.kext (com.tomtom.driver.UsbEthernetGadget)
/System/Library/Extensions/ZTEUSBCDCACMData.kext (com.ZTE.driver.ZTEUSBCDCACMData)
/System/Library/Extensions/ZTEUSBMassStorageFilter.kext (com.ZTE.driver.ZTEUSBMassStorageFilter)
/Library/Audio/Plug-Ins/HAL/iSightAudio.plugin (com.apple.iSightAudio)
/Library/Internet Plug-Ins/DivXBrowserPlugin.plugin (com.divx.DivXBrowserPlugin)
/Library/Internet Plug-Ins/Flash Player.plugin (com.macromedia.Flash Player.plugin)
/Library/Internet Plug-Ins/iPhotoPhotocast.plugin (com.apple.plugin.iPhotoPhotocast)
/Library/Internet Plug-Ins/JavaAppletPlugin.plugin (com.apple.java.JavaAppletPlugin)
/Library/Internet Plug-Ins/OfficeLiveBrowserPlugin.plugin (com.microsoft.officelive.browserplugin)
/Library/Internet Plug-Ins/OVSHelper.plugin (com.divx.OVSHelper)
/Library/Internet Plug-Ins/Quartz Composer.webplugin (com.apple.QuartzComposer.webplugin)
/Library/Internet Plug-Ins/QuickTime Plugin.plugin (com.apple.QuickTime Plugin.plugin)
/Library/Internet Plug-Ins/Yahoo! Installer 3.plugin (com.yahoo.installer.3)
/Library/iTunes/iTunes Plug-ins/Quartz Composer Visualizer.bundle (com.apple.QuartzComposer.iTunesPlugIn)
/Library/PreferencePanes/DivX.prefPane (com.divx.divxprefs)
/Library/PreferencePanes/Flash Player.prefPane (com.adobe.flashplayerpreferences)
/Library/PreferencePanes/Growl.prefPane (com.growl.prefpanel)
/Library/PreferencePanes/NTFSforMacOSX.prefPane (com.paragon-software.filesystems.ntfs.prefpanel)
/Library/QuickTime/AppleIntermediateCodec.component (com.apple.AppleIntermediateCodec)
/Library/QuickTime/AppleMPEG2Codec.component (com.apple.AppleMPEG2Codec)
/Library/QuickTime/DivX Decoder.component (com.DivXInc.DivXDecoder)
/Library/QuickTime/DivX Encoder.component (com.DivXInc.DivXCodec)
/Library/ScriptingAdditions/Adobe Unit Types.osax (No bundle ID)
/Library/Spotlight/AppleWorks.mdimporter (com.apple.MDImporter.appleworks)
/Library/Spotlight/GBSpotlightImporter.mdimporter (com.apple.garageband.spotlightimporter)
/Library/Spotlight/iWork.mdimporter (com.apple.MDImporter.iWork)
/Library/Spotlight/Microsoft Office.mdimporter (com.microsoft.MDImporter.Office)

Extrinsic shared libraries
/usr/lib/dtrace/libdtrace_dyld.dylib
/usr/lib/gcc/i686-apple-darwin10/4.0.1/libstdc++.dylib
/usr/lib/gcc/i686-apple-darwin10/4.2.1/libstdc++.dylib
/usr/lib/gcc/powerpc-apple-darwin10/4.0.1/libstdc++.dylib
/usr/lib/gcc/powerpc-apple-darwin10/4.2.1/libstdc++.dylib
/usr/lib/libLTO.dylib
/usr/lib/libneon.27.dylib
/usr/lib/libUFSDNTFS.dylib
/usr/lib/libXplugin.1.dylib
/usr/lib/samba/auth/domain.dylib
/usr/lib/samba/auth/odsam.dylib
/usr/lib/samba/auth/script.dylib
/usr/lib/samba/auth/smbserver.dylib
/usr/lib/samba/auth/unix.dylib
/usr/lib/samba/auth/winbind.dylib
/usr/lib/samba/charset/CP437.dylib
/usr/lib/samba/charset/CP850.dylib
/usr/lib/samba/charset/macosxfs.dylib
/usr/lib/samba/idmap/ad.dylib
/usr/lib/samba/idmap/ldap.dylib
/usr/lib/samba/idmap/odsam.dylib
/usr/lib/samba/idmap/rid.dylib
/usr/lib/samba/libmsrpc.dylib
/usr/lib/samba/libsmbclient.dylib
/usr/lib/samba/libsmbsharemodes.dylib
/usr/lib/samba/pdb/ldapsam.dylib
/usr/lib/samba/pdb/odsam.dylib
/usr/lib/samba/vfs/audit.dylib
/usr/lib/samba/vfs/cacheprime.dylib
/usr/lib/samba/vfs/cap.dylib
/usr/lib/samba/vfs/catia.dylib
/usr/lib/samba/vfs/commit.dylib
/usr/lib/samba/vfs/darwin_streams.dylib
/usr/lib/samba/vfs/darwinacl.dylib
/usr/lib/samba/vfs/default_quota.dylib
/usr/lib/samba/vfs/expand_msdfs.dylib
/usr/lib/samba/vfs/extd_audit.dylib
/usr/lib/samba/vfs/fake_perms.dylib
/usr/lib/samba/vfs/full_audit.dylib
/usr/lib/samba/vfs/netatalk.dylib
/usr/lib/samba/vfs/notify_kqueue.dylib
/usr/lib/samba/vfs/prealloc.dylib
/usr/lib/samba/vfs/readahead.dylib
/usr/lib/samba/vfs/readonly.dylib
/usr/lib/samba/vfs/recycle.dylib
/usr/lib/samba/vfs/shadow_copy.dylib

Restricted user files: 5
Font problems: 34
Elapsed time (s): 119

Mar 27, 2014 6:10 AM in response to thomas_r.

thomas_r. wrote:


Actually, I spoke too soon... I've just found three samples of Wirenet.2 that are not currently detected by XProtect. I'll be submitting these to Apple ASAP.

Just moved over more or less completely to ML from Snow (but with dual booting), where I had been running Sophos for a few weeks, as a bit of limited insurance against exploits against the probably more vulnerable OS that Snow, now unsupported, has become. After hearing this from you (and your earlier conclusions about Apple not getting these things into XProtect sooner or even ever), looks like I'll probably be putting Sophos on the ML too, even though I would have preferred not to. I haven't had any issues with Sophos, and not a big deal at all, but it does tend to make things hesitate a tiny bit as it runs its checks, along with a brief spike in CPU usage.

Mar 27, 2014 6:23 AM in response to WZZZ

Yup, increasingly, it's looking like anti-virus software may be necessary. It doesn't look like Apple is putting enough resources towards updating XProtect... one of these samples I found was submitted to the security community via VirusTotal back in July of 2013. Apple should have been able to spot that already, but it isn't blocked by XProtect.

Mar 27, 2014 7:09 AM in response to grazgar

First, the problem with the other computer is not related, and if you can't find a solution by searching the site, please start another thread to address it.


You have two different kinds of malware. One, DownLite, is causing the visible manifestations: popup ads. I posted instructions for removing it.


The other, NetWeird or whatever it's called, probably causes no visible manifestations and was designed to be stealthy, so you would not know it was there. It may have been there much longer than DownLite and may have done serious harm by stealing your Internet passwords, or potentially any other kind of data. I don't have a sample of this malware, but based on your information and what I've been able to gather, I believe you can inactivate it as follows.


1. Delete "Hosts" from the list of login items in Users & Groups.


2. Triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/.install

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens (command-V). You won't see what you pasted because a line break is included. Press return. A folder named ".install" should open. If it does, move that folder to the Trash. Log out or restart the computer. Empty the Trash.

The comments that are being made in this thread about the need for "anti-virus" software could not be further from the truth. That kind of software has never protected you and will never protect you from the consequences of downloading illegal material from illegal websites, and then blithely clicking through prompts to install unknown software. If you do things like that, you will continue to be what you are now: meat on the table for Internet criminals. If "DrWeb" makes you feel free to behave that way, then it's making you less safe, not more so.

I've been an active Internet user since long before "XProtect", and I've never used any kind of anti-virus software. Yet somehow I've managed to avoid being infected. Anyone of normal intelligence can, and must, avoid that danger the same way I do.
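A read-only check for the two indicators the removal steps above target, added here as an example and not part of Linc Davis's post or any product; it assumes the home directory is passed as an argument and only reports what it finds, so the user can review before trashing anything:

```shell
#!/bin/sh
# Added example, not from the thread. Reports the indicators that the
# removal steps above target, without deleting anything:
#   1. a hidden "~/.install" folder in the home directory
#   2. a per-user LaunchAgent whose plist points into that folder or at
#      a "Host.app" bundle (the location DrWeb reported in the thread)
# Login items added in Users & Groups live in a separate preference file
# and are not covered here. The home directory is passed as an argument
# so the check can be pointed at a copy or a test fixture.

# wirenet_indicators HOME_DIR
#   Prints one line per indicator found. Returns 0 when nothing was
#   found and 1 when at least one indicator is present.
wirenet_indicators() {
    home=$1
    found=0

    if [ -d "$home/.install" ]; then
        echo "indicator: hidden folder $home/.install exists"
        found=1
    fi

    for plist in "$home"/Library/LaunchAgents/*.plist; do
        # An unmatched glob leaves the pattern itself; skip it.
        [ -f "$plist" ] || continue
        if grep -q -e '/\.install' -e 'Host\.app' "$plist"; then
            echo "indicator: $plist references .install or Host.app"
            found=1
        fi
    done

    return $found
}

# Stand-alone use: inspect the current user's home directory.
if [ -n "$HOME" ]; then
    wirenet_indicators "$HOME" && echo "no wirenet indicators found under $HOME"
fi
```

A non-zero exit status means something was found and should be looked at by hand; the script never moves or removes files.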

Mar 27, 2014 7:18 AM in response to grazgar

You have gotten a knee-jerk anti-A-V purist response aimed at what Thomas and I wrote.


Of course, no A-V will protect you against writing blank checks to any site you choose to visit and download from, as you appear to have done, but it may be a useful tool, limited as it is, nevertheless.


You can be the most conscientious and alert practitioner of safe practices on the Internet, but increasingly, even so called "safe" sites, not just the usual obvious places to pick up malware, are being compromised and hacked in various ways, either directly or through the advertising they run.

Mar 27, 2014 8:00 AM in response to Linc Davis

I believe you can inactivate it as follows.


Yes, that will remove the malware itself. However, as I have already pointed out, this malware provides backdoor functionality, so removing the malware does not ensure a clean system.


As for your disparaging remarks about anti-virus software, and about the intelligence of anyone who gets infected with malware -- people having problems like these need education, not condescension.
