grazgar

Q: How do I remove Backdoor.wirenet.2 from my Mac. DrWeb has detected it but can not remove.

DrWeb has detected Backdoor.wirenet.2 on my Mac.

The Location is /Users/grazia/.Install?Host.app/Contents/MacOs

but when I go there I can not find it.

Any help??

Posted on Mar 25, 2014 4:31 AM

Page 3 of 3
  • by thomas_r.,

    thomas_r. Mar 27, 2014 8:00 AM in response to Linc Davis
    Level 7 (30,944 points)
    Mac OS X

    > I believe you can inactivate it as follows.

    Yes, that will remove the malware itself. However, as I have already pointed out, this malware provides backdoor functionality, so removing the malware does not ensure a clean system.

    As for your disparaging remarks about anti-virus software, and about the intelligence of anyone who gets infected with malware -- people having problems like these need education, not condescension.

  • by Linc Davis,

    Linc Davis Mar 27, 2014 8:29 AM in response to thomas_r.
    Level 10 (208,037 points)
    Applications

    > removing the malware does not ensure a clean system

    All indications, including those given by the OP, are that it's not a rootkit. It runs with user privileges. It is not, therefore, going to do anything too clever such as replacing system binaries. Besides the login item, there's no sign of any hooks that would start a background process or inject code into an existing one.

    > As for your disparaging remarks about anti-virus software, and about the intelligence of anyone who gets infected with malware

    I made no disparaging remarks about the intelligence of anyone who gets infected with malware. I could have made some disparaging remarks about the intelligence of others, but I've resisted the temptation to do so.

    > people having problems like these need education, not condescension

    Which is precisely my point. You're the one who thinks decent people are outclassed intellectually by the scumbags who infest the Pirate Bay. That's condescension.

  • by thomas_r.,

    thomas_r. Mar 27, 2014 8:46 AM in response to Linc Davis
    Level 7 (30,944 points)
    Mac OS X

    > I could have made some disparaging remarks about the intelligence of others, but I've resisted the temptation to do so.

    I don't think there's anything productive to be gained by continuing this discussion when you're going to resort to such insults. I prefer to discuss the facts.

  • by Linc Davis,

    Linc Davis Mar 27, 2014 8:54 AM in response to thomas_r.
    Level 10 (208,037 points)
    Applications

    I wasn't referring to you, if that's what you're thinking. I don't agree with a lot of your positions, but I don't think you're stupid. If I did think that, I'd just ignore you.

  • by WZZZ,

    WZZZ Mar 27, 2014 9:01 AM in response to thomas_r.
    Level 6 (13,112 points)
    Mac OS X

    Round 200+ of a continuing pointless, usually unproductive, running sore of a discussion. All about superior attitude, not intelligence (which would appear to be a completely misunderstood concept.) And there is a distinct difference between intelligence and wisdom, which someone in this thread appears not to have learned.

  • by thomas_r.,

    thomas_r. Mar 29, 2014 6:51 AM in response to grazgar
    Level 7 (30,944 points)
    Mac OS X

    This doesn't help you at this point, but I just thought you deserved to know that you should be protected from this malware in the future. Apple updated XProtect yesterday, and now it blocks the samples of Wirenet.2 that I submitted to them on Thursday.

    New NetWeird variants added to XProtect

  • by grazgar,

    grazgar Mar 29, 2014 4:14 PM in response to Linc Davis
    Level 1 (0 points)

    Hi Linc Davis,

    I followed your advice and I removed (hopefully) all the threats from my Mac.

    Could you please check if I really succeeded?

    Thanks a lot for your help.

    System Version: OS X 10.9.2 (13C64)
    Kernel Version: Darwin 13.1.0
    Boot Mode: Normal

    Model: MacBookPro9,2

    System diagnostics

       2014-03-29 CVMServer,gamed,launchd shutdownStall

    User diagnostics

       2014-03-24 Skype crash
       2014-03-24 Skype crash

    Kernel messages

       Mar 24 07:03:55   Sound assertion in AppleHDAFunctionGroup at line 1042
       --- last message repeated 1 time ---
       Mar 24 22:43:49   wl0: Roamed or switched channel, reason #8, bssid 9c:97:26:9f:cd:ef
       Mar 29 08:42:19   MacAuthEvent en1 Auth result for: 9c:97:26:9f:cd:ef Auth timed out
       Mar 29 09:27:36   wl0: Roamed or switched channel, reason #8, bssid 9c:97:26:9f:cd:ef
       Mar 29 09:44:35   process AAM Updates Noti[312] caught causing excessive wakeups. Observed wakeups rate (per sec): 10316; Maximum permitted wakeups rate (per sec): 150; Observation period: 300 seconds; Task lifetime number of wakeups: 45641
       Mar 29 11:58:06   [IOBluetoothHCIController][EnqueueRequestForController] -- SendHCIRequestToTransport failed, error (0xE00002D8) -- kIOReturnNotReady
       Mar 29 11:58:06   [SendHCIRequestFormatted] ### ERROR: EnqueueRequestForController failed (err=0xe00002d8 (kIOReturnNotReady)) for opCode 0x0c3f (Set AFH Host Channel Classification)
       Mar 30 08:04:14   MacAuthEvent en1 Auth result for: 9c:97:26:9f:cd:ef Auth timed out

    Extrinsic daemons

       com.microsoft.office.licensing.helper
       com.adobe.SwitchBoard
       com.adobe.fpsaud

    Extrinsic agents

       com.adobe.PDApp.AAMUpdatesNotifier.35056.UUID
       com.adobe.CS5ServiceManager
       com.zeobit.MacKeeper.Helper

    launchd items

       /Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist
                 (com.adobe.AAM.Startup-1.0)
       /Library/LaunchAgents/com.adobe.CS5ServiceManager.plist
                 (com.adobe.CS5ServiceManager)
       /Library/LaunchDaemons/com.adobe.fpsaud.plist
                 (com.adobe.fpsaud)
       /Library/LaunchDaemons/com.adobe.SwitchBoard.plist
                 (com.adobe.SwitchBoard)
       /Library/LaunchDaemons/com.microsoft.office.licensing.helper.plist
                 (com.microsoft.office.licensing.helper)
       Library/LaunchAgents/com.adobe.AAM.Updater-1.0.plist
                 (com.adobe.AAM.Scheduler-1.0)
       Library/LaunchAgents/com.zeobit.MacKeeper.Helper.plist
                 (com.zeobit.MacKeeper.Helper)

    Extrinsic loadable bundles

       /Library/Internet Plug-Ins/Flash Player.plugin
                 (com.macromedia.Flash Player.plugin)
       /Library/Internet Plug-Ins/SharePointBrowserPlugin.plugin
                 (com.microsoft.sharepoint.browserplugin)
       /Library/Internet Plug-Ins/SharePointWebKitPlugin.webplugin
                 (com.microsoft.sharepoint.webkitplugin)
       /Library/PreferencePanes/Flash Player.prefPane
                 (com.adobe.flashplayerpreferences)
       /Library/PreferencePanes/Growl.prefPane
                 (com.growl.prefpanel)
       /Library/ScriptingAdditions/Adobe Unit Types.osax
                 (No bundle ID)
       Library/Address Book Plug-Ins/SkypeABDialer.bundle
                 (com.skype.skypeabdialer)
       Library/Address Book Plug-Ins/SkypeABSMS.bundle
                 (com.skype.skypeabsms)

    User login items

       iTunesHelper

    Restricted user files: 101

    Font problems: 37

    Desktop file count: 31

    Elapsed time (s): 141

  • by Linc Davis, Solved answer

    Linc Davis Mar 29, 2014 5:24 PM in response to grazgar
    Level 10 (208,037 points)
    Applications

    You removed "DownLite," and you also removed the login item part of "NetWeird." If you also removed the .Install folder, then you should be OK as far as malware goes. You still have "MacKeeper," which is not malware but is useless junk, and you should remove that too. I posted instructions on the first page of this thread.

    The script ran about three times as fast without "DrWeb" also running.

    Please take to heart what I wrote about changing the way you use the computer.

  • by MadMacs0,

    MadMacs0 Mar 29, 2014 5:48 PM in response to grazgar
    Level 5 (4,801 points)

    I guess I'd have to say that I'm not as confident as Linc that you've removed all of the threat (which is quite unusual). We know that NetWeird / WireNet is capable of downloading and installing additional malware, but have not yet seen any evidence of any nor what it might be capable of. Just watch for any strange things that occur going forward.

    Also, you should recall that we have seen evidence that it is capable of harvesting userid/password credentials that you have entered into a browser, so be sure to change any passwords that you may have used in that manner.
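
Added example (not part of any post in this thread): the location DrWeb reported and the ".Install folder" named in the solved answer are dot-prefixed entries in the home folder, which Finder hides by default. The shell functions below list such hidden app bundles and the executables inside them; the function names and the rule "a dot-folder containing Contents/MacOS is a bundle" are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: triage a home folder for app bundles that
# Finder hides because their folder name starts with a dot.
# Assumption: a "bundle" is any top-level dot-folder containing Contents/MacOS.
# Function names are hypothetical.

# Print each dot-prefixed top-level folder of HOME_DIR that holds a Contents/MacOS
# directory. The match ignores case because the path quoted in the thread is
# spelled "Contents/MacOs". Symlinks are skipped.
find_hidden_bundles() {
    home=${1:-$HOME}
    for entry in "$home"/.[!.]*; do
        [ -d "$entry" ] && [ ! -L "$entry" ] || continue
        if [ -n "$(find "$entry" -mindepth 2 -maxdepth 2 -type d \
                   -ipath '*/contents/macos' 2>/dev/null)" ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Print the regular files in BUNDLE/Contents/MacOS that have the owner-execute bit.
bundle_executables() {
    find "$1" -mindepth 3 -maxdepth 3 -type f -perm -100 \
         -ipath '*/contents/macos/*' 2>/dev/null
}

# Print a report; cat -v makes any non-printing bytes in a name visible.
report_hidden_bundles() {
    find_hidden_bundles "$1" | while IFS= read -r bundle; do
        printf 'hidden bundle: %s\n' "$bundle"
        bundle_executables "$bundle" | sed 's/^/  executable: /'
    done | cat -v
}

# Scan the current user's home folder only when invoked as: sh script.sh scan
if [ "${1:-}" = "scan" ]; then
    report_hidden_bundles "$HOME"
fi
```

An empty report only means no dot-prefixed bundle sits at the top level of the home folder; login items and launchd entries still need to be reviewed separately, as in the diagnostic output above.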
