How do I remove Backdoor.wirenet.2 from my Mac? DrWeb has detected it but cannot remove it.

DrWeb has detected Backdoor.wirenet.2 on my Mac.

The Location is /Users/grazia/.Install?Host.app/Contents/MacOs

but when I go there I cannot find it.

Any help??

Posted on Mar 25, 2014 4:31 AM


Mar 27, 2014 8:29 AM in response to thomas_r.

removing the malware does not ensure a clean system


All indications, including those given by the OP, are that it's not a rootkit. It runs with user privileges. It is not, therefore, going to do anything too clever such as replacing system binaries. Besides the login item, there's no sign of any hooks that would start a background process or inject code into an existing one.


As for your disparaging remarks about anti-virus software, and about the intelligence of anyone who gets infected with malware


I made no disparaging remarks about the intelligence of anyone who gets infected with malware. I could have made some disparaging remarks about the intelligence of others, but I've resisted the temptation to do so.


people having problems like these need education, not condescension


Which is precisely my point. You're the one who thinks decent people are outclassed intellectually by the scumbags who infest the Pirate Bay. That's condescension.

Mar 27, 2014 9:01 AM in response to thomas_r.

Round 200+ of a continuing pointless, usually unproductive, running sore of a discussion. All about superior attitude, not intelligence (which would appear to be a completely misunderstood concept.) And there is a distinct difference between intelligence and wisdom, which someone in this thread appears not to have learned.

Mar 29, 2014 4:14 PM in response to Linc Davis

Hi Linc Davis,

I followed your advice and I removed (hopefully) all the threats from my Mac.

Could you please check if I really succeeded?

Thanks a lot for your help.







System Version: OS X 10.9.2 (13C64)

Kernel Version: Darwin 13.1.0

Boot Mode: Normal



Model: MacBookPro9,2



System diagnostics



2014-03-29 CVMServer,gamed,launchd shutdownStall



User diagnostics



2014-03-24 Skype crash

2014-03-24 Skype crash



Kernel messages



Mar 24 07:03:55 Sound assertion in AppleHDAFunctionGroup at line 1042

--- last message repeated 1 time ---

Mar 24 22:43:49 wl0: Roamed or switched channel, reason #8, bssid 9c:97:26:9f:cd:ef

Mar 29 08:42:19 MacAuthEvent en1 Auth result for: 9c:97:26:9f:cd:ef Auth timed out

Mar 29 09:27:36 wl0: Roamed or switched channel, reason #8, bssid 9c:97:26:9f:cd:ef

Mar 29 09:44:35 process AAM Updates Noti[312] caught causing excessive wakeups. Observed wakeups rate (per sec): 10316; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45641

Mar 29 11:58:06 [IOBluetoothHCIController][EnqueueRequestForController] -- SendHCIRequestToTransport failed, error (0xE00002D8) -- kIOReturnNotReady

Mar 29 11:58:06 [SendHCIRequestFormatted] ### ERROR: EnqueueRequestForController failed (err=0xe00002d8 (kIOReturnNotReady)) for opCode 0x0c3f (Set AFH Host Channel Classification)

Mar 30 08:04:14 MacAuthEvent en1 Auth result for: 9c:97:26:9f:cd:ef Auth timed out



Extrinsic daemons



com.microsoft.office.licensing.helper

com.adobe.SwitchBoard

com.adobe.fpsaud



Extrinsic agents



com.adobe.PDApp.AAMUpdatesNotifier.35056.UUID

com.adobe.CS5ServiceManager

com.zeobit.MacKeeper.Helper



launchd items



/Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Startup-1.0)

/Library/LaunchAgents/com.adobe.CS5ServiceManager.plist

(com.adobe.CS5ServiceManager)

/Library/LaunchDaemons/com.adobe.fpsaud.plist

(com.adobe.fpsaud)

/Library/LaunchDaemons/com.adobe.SwitchBoard.plist

(com.adobe.SwitchBoard)

/Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist

(com.microsoft.office.licensing.helper)

Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist

(com.adobe.AAM.Scheduler-1.0)

Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist

(com.zeobit.MacKeeper.Helper)



Extrinsic loadable bundles



/Library/Internet Plug-Ins/Flash Player.plugin

(com.macromedia.Flash Player.plugin)

/Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin

(com.microsoft.sharepoint.browserplugin)

/Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin

(com.microsoft.sharepoint.webkitplugin)

/Library/PreferencePanes/Flash Player.prefPane

(com.adobe.flashplayerpreferences)

/Library/PreferencePanes/Growl.prefPane

(com.growl.prefpanel)

/Library/ScriptingAdditions/Adobe Unit Types.osax

(No bundle ID)

Library/Address Book Plug-Ins/SkypeABDialer.bundle

(com.skype.skypeabdialer)

Library/Address Book Plug-Ins/SkypeABSMS.bundle

(com.skype.skypeabsms)



User login items



iTunesHelper



Restricted user files: 101



Font problems: 37



Desktop file count: 31



Elapsed time (s): 141

Mar 29, 2014 5:24 PM in response to grazgar

You removed "DownLite," and you also removed the login item part of "NetWeird." If you also removed the .Install folder, then you should be OK as far as malware goes. You still have "MacKeeper," which is not malware but is useless junk, and you should remove that too. I posted instructions on the first page of this thread.


The script ran about three times as fast without "DrWeb" also running.


Please take to heart what I wrote about changing the way you use the computer.

Mar 29, 2014 5:48 PM in response to grazgar

I guess I'd have to say that I'm not as confident as Linc that you've removed all of the threat (which is quite unusual). We know that NetWeird / WireNet is capable of downloading and installing additional malware, but have not yet seen any evidence of any nor what it might be capable of. Just watch for any strange things that occur going forward.


Also, you should recall that we have seen evidence that it is capable of harvesting userid/password credentials that you have entered into a browser, so be sure to change any passwords that you may have used in that manner.
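
An added example, not part of the thread and not the diagnostic script used above: Finder does not show folders whose names begin with a dot by default, which is consistent with the OP not finding the reported location, so this read-only check lists application bundles stored inside hidden top-level folders of a home directory. The function names, the sample layout (modelled on the `.Install` folder and `Host.app` named in the thread) and the placeholder file are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Names and sample layout are assumptions.

# find_hidden_apps HOME_DIR
# Print every *.app bundle found up to 3 levels inside a hidden (dot-prefixed)
# folder at the top of HOME_DIR, one path per line, sorted. Read-only.
find_hidden_apps() {
    home_dir=$1
    [ -d "$home_dir" ] || return 1
    # First pass: hidden folders directly under the home directory.
    find "$home_dir" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null |
    while IFS= read -r hidden; do
        # Second pass: application bundles inside each hidden folder.
        find "$hidden" -maxdepth 3 -type d -name '*.app' 2>/dev/null
    done | sort
}

# make_sample_home
# Build a constructed home directory for testing and print its path.
make_sample_home() {
    sample=$(mktemp -d "${TMPDIR:-/tmp}/hidden-apps.XXXXXX") || return 1
    # Constructed stand-in for the hidden folder described in the thread.
    mkdir -p "$sample/.Install/Host.app/Contents/MacOS"
    : > "$sample/.Install/Host.app/Contents/MacOS/placeholder"
    # A visible bundle and an ordinary hidden folder; neither should be listed.
    mkdir -p "$sample/Applications/Visible.app/Contents/MacOS"
    mkdir -p "$sample/.config"
    : > "$sample/.config/settings.txt"
    printf '%s\n' "$sample"
}

# Usage: sh find_hidden_apps.sh "$HOME"
if [ -d "${1:-}" ]; then
    find_hidden_apps "$1"
fi
```

A listed bundle is a prompt for review, not proof of malware, and an empty result only covers this one hiding place.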
