Pirrit - how to custom restore your data without infecting an erased MacBookPro?

On 31 May 2016 I started to get pop-up ads. The next day as the problem got worse I bought Bitdefender and downloaded MalwareBytes both of which found and deleted adware/malware. However, as CJ706 says, Bitdefender has continued to find Pirrit malware despite detecting and clearing it and despite restarts. I keep getting pop-up ads and discrete words in articles that I am reading are highlighted green and link to ad sites. My MacBookPro is working much more slowly and the webpages regularly freeze. Re-launching Safari with the shift button held down has at least stopped the new advertising webpages opening up.


I am now backing up my data onto a newly purchased external hard disk drive so as not to risk corrupting my standard backup drives and will do an erase and reinstall. Can anyone advise me how to migrate my data and applications and apps on Time Machine without doing an automatic reinstall that would bring the malware across?


Also, I have been advised (from someone not familiar with Macs) to install Bitdefender and MalwareBytes before migrating any data. How can I bring these across from my Time Machine backup before migrating any other data?


Finally, I think that I downloaded Pirrit when trying to play a video within a news story from the BBC or the Daily Mail. I had repeated pop-up windows saying that my version of Flash was not up to date and I had to repeatedly download Flash from what I thought was the Adobe website. The video still didn't play after I had downloaded Flash. From what I have read Pirrit comes via a false Flash pop-up ad. Is it possible that I could have downloaded Pirrit from malign pop-up ads on these sites which I thought that I could trust?


Thanks

Posted on Jun 4, 2016 1:33 PM

26 replies
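The question above, how to bring data across from a Time Machine backup without also bringing across whatever re-launches the adware, comes down to knowing where launch-on-login entries live and reviewing them before anything is copied. A Time Machine backup keeps the /Library and ~/Library folder trees of the backed-up volume, so the same review can be done against the backup before restoring. The Python script below is an added example, not code from this thread, from EtreCheck or from any of the tools mentioned: pointed at a volume root (the live / or a mounted backup snapshot's volume folder), it parses every launchd job plist in the system and per-user LaunchAgents/LaunchDaemons folders with the standard library and flags jobs that deserve a second look, such as ones that run a .sh script or a program from the Trash or a temp folder. It deletes nothing. The flag heuristics, the sample volume, and the labels com.example.helper and com.sample.updater are constructed for the demonstration.

```python
"""Enumerate launchd jobs on a macOS volume (live or a mounted backup) for review.

Added example, not code from the thread or from EtreCheck.  Point it at a volume
root (e.g. / on a live system, or a Time Machine snapshot's volume folder) and it
lists every launchd job it finds together with review flags.  Nothing is deleted.
"""
import sys
import tempfile
import plistlib
from pathlib import Path

# launchd job folders relative to the volume root and to each user's home.
SYSTEM_DIRS = ("Library/LaunchAgents", "Library/LaunchDaemons")
USER_DIRS = ("Library/LaunchAgents",)

# Locations a properly installed program seldom runs from (assumed heuristics).
UNUSUAL_FRAGMENTS = ("/.Trash/", "/tmp/", "/var/tmp/", "/Users/Shared/")


def command_of(plist):
    """Return the argv launchd would run: ProgramArguments, else Program."""
    args = plist.get("ProgramArguments")
    if args:
        return [str(a) for a in args]
    if "Program" in plist:
        return [str(plist["Program"])]
    return []


def flags_for(command):
    """Review flags for a job's command line; an empty list means nothing odd."""
    if not command:
        return ["no-program"]
    flags = []
    if any(arg.endswith(".sh") for arg in command):
        flags.append("shell-script")
    if any(frag in arg for arg in command for frag in UNUSUAL_FRAGMENTS):
        flags.append("unusual-location")
    return flags


def parse_job(path):
    """Parse one job plist (XML or binary) into a small review record."""
    try:
        with open(path, "rb") as fh:
            plist = plistlib.load(fh)
    except Exception as exc:  # an unreadable plist is itself worth a look
        return {"file": str(path), "label": "", "command": [],
                "run_at_load": False, "flags": ["unparseable: %s" % exc]}
    command = command_of(plist)
    return {
        "file": str(path),
        "label": str(plist.get("Label", "")),
        "command": command,
        "run_at_load": bool(plist.get("RunAtLoad", False)),
        "flags": flags_for(command),
    }


def enumerate_jobs(volume_root):
    """Collect job records from the system folders and every user's LaunchAgents."""
    root = Path(volume_root)
    folders = [root / d for d in SYSTEM_DIRS]
    users = root / "Users"
    if users.is_dir():
        for home in sorted(users.iterdir()):
            folders.extend(home / d for d in USER_DIRS)
    jobs = []
    for folder in folders:
        if folder.is_dir():
            for plist_path in sorted(folder.glob("*.plist")):
                jobs.append(parse_job(plist_path))
    return jobs


def build_sample_volume(base):
    """Write a constructed sample volume: one ordinary job and one suspicious one."""
    base = Path(base)
    daemons = base / "Library" / "LaunchDaemons"
    agents = base / "Users" / "alice" / "Library" / "LaunchAgents"
    daemons.mkdir(parents=True, exist_ok=True)
    agents.mkdir(parents=True, exist_ok=True)
    with open(daemons / "com.example.helper.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.helper",
                       "ProgramArguments": ["/Library/PrivilegedHelperTools/com.example.helper"],
                       "RunAtLoad": True}, fh)
    with open(agents / "com.sample.updater.plist", "wb") as fh:
        plistlib.dump({"Label": "com.sample.updater",
                       "ProgramArguments": ["/bin/sh", "/Users/alice/.Trash/update.sh"],
                       "RunAtLoad": True}, fh)
    return base


def demo():
    """Run the enumeration over the constructed sample and return the records."""
    return enumerate_jobs(build_sample_volume(tempfile.mkdtemp()))


def report(jobs):
    """Print one line per job; REVIEW marks jobs that raised a flag."""
    for job in jobs:
        mark = "REVIEW" if job["flags"] else "ok    "
        print("%s %-28s %s %s" % (mark, job["label"], " ".join(job["command"]), job["flags"]))


if __name__ == "__main__":
    report(enumerate_jobs(sys.argv[1]) if len(sys.argv) > 1 else demo())
```

Run it with no arguments to see the constructed sample, or with the path of a volume root to list the real jobs there. The output is a review list, not a verdict: a flagged job still needs a human to decide whether it belongs, and an unflagged one is not proven clean. Restoring only user data files (documents, photos) and reinstalling applications from their original sources, rather than copying Library folders wholesale, keeps these entries from coming back with the data.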

Jun 7, 2016 12:46 PM in response to Belfast MacUser

Hello again Belfast MacUser,

Perhaps I should change that animation now that EtreCheck is slowly turning into an anti-malware tool. The animations don't have anything to do with adware or malware. The devil is actually a "daemon" and the other image is an "agent". It is more a play on words than anything else.


I didn't expect the malware removal to be successful the first time. It is never a good idea to try to do this kind of work manually. With the new malware that is circulating, it is virtually impossible for most people to manually remove. You need software that knows how to do the steps properly. In theory, a program like MalwareBytes has the ability to easily remove malware. Most Mac anti-malware tools fail completely. MalwareBytes was the only effective tool. But recently, people have reported that it no longer works on modern Mac malware. I know EtreCheck doesn't work on the malware from the past couple of weeks. But I work on it part-time and I won't have time for a new release for at least 3 weeks.


My biggest complaint with MalwareBytes is that we have no idea if it worked or not. While EtreCheck might not be able to remove recent malware, it will still identify it as either adware or unknown files. So I suggest you post another EtreCheck report and then we can tell you if all the malware is truly gone.

Jun 7, 2016 1:08 PM in response to etresoft

Thank you Etrecheck.


I have just completed another Etrecheck and the report is below. If I am allowed to, I will also include a screenshot showing that the daemon icon appeared which suggested that it found malware or adware (and the agent icon appeared just after that - both of these appeared just after the printers had been checked). Yet you will see that unlike on previous occasions when suspect files were identified, the Etrecheck report does not highlight any suspect files (in red). It may be that we will all just have to wait for your update when you have the time to do it. Malwarebytes identifies files but doesn't tell you where they are coming from - today (and I think previously) those files ended in .sh - so I am not sure that it is clearing the root of the problem.



EtreCheck version: 2.9.12 (265)
Report generated 2016-06-07 21:02:32
Download EtreCheck from https://etrecheck.com
Runtime 1:27
Performance: Excellent

Click the [Support] links for help with non-Apple products. Click the [Details] links for more information about that line.

Problem: No problem - just checking
Description: malware

Hardware Information: MacBook Pro (Retina, 15-inch, Mid 2015) [Technical Specifications] - [User Guide] - [Warranty & Service]
MacBook Pro - model: MacBookPro11,5
1 2.8 GHz Intel Core i7 CPU: 4-core
16 GB RAM Not upgradeable

BANK 0/DIMM0
8 GB DDR3 1600 MHz ok

BANK 1/DIMM0
8 GB DDR3 1600 MHz ok

Bluetooth: Good - Handoff/Airdrop2 supported
Wireless: en0: 802.11 a/b/g/n/ac
Battery: Health = Normal - Cycle count = 46

Video Information: AMD Radeon R9 M370X - VRAM: 2048 MB

Color LCD 2880 x 1800 Intel Iris Pro

System Software: OS X El Capitan 10.11.5 (15F34) - Time since boot: about 5 hours

Disk Information: APPLE SSD SM1024G disk0 : (1 TB) (Solid State - TRIM: Yes)

EFI (disk0s1) <not mounted> : 210 MB

Recovery HD (disk0s3) <not mounted> [Recovery]: 650 MB

Macintosh HD (disk1) / : 999.32 GB (331.74 GB free) Core Storage: disk0s2 999.70 GB Online

USB Information: Apple Inc. Apple Internal Keyboard / Trackpad



Broadcom Corp. Bluetooth USB Host Controller

Thunderbolt Information: Apple Inc. thunderbolt_bus

Gatekeeper: Mac App Store and identified developers

Kernel Extensions:
/Applications/Elgato Video Capture.app
[not loaded] com.elgato.driver.Pluto2 (1.1 - 2015-12-03) [Support]
/Applications/security software/DiskWarrior.app
[not loaded] com.alsoft.Preview (4.1 - 2012-11-18) [Support]

System Launch Agents: [not loaded] 7 Apple tasks [loaded] 159 Apple tasks [running] 72 Apple tasks

System Launch Daemons: [not loaded] 45 Apple tasks [loaded] 152 Apple tasks [running] 93 Apple tasks

Launch Daemons: [loaded] com.malwarebytes.MBAMHelperTool.plist (2016-06-02) [Support]

User Login Items:
CleanMyMac 3 Menu Application (~/.Trash/CleanMyMac 3.app/Contents/MacOS/CleanMyMac 3 Menu.app)
Launch Nikon Message Center 2 Application (/Applications/Nikon Software/Nikon Message Nikon Message Center 2.app/Contents/SharedSupport/Launch Nikon Message Center 2.app)

Other Apps: [running] com.etresoft.EtreCheck.378592 [loaded] 398 Apple tasks [running] 192 Apple tasks

Internet Plug-ins:
AmazonMP3DownloaderPlugin1017287: AmazonMP3DownloaderPlugin 1.0.17 (2012-11-18) [Support]
FlashPlayer-10.6: 21.0.0.242 - SDK 10.6 (2016-05-22) [Support]
Default Browser: 601 - SDK 10.11 (2016-06-06)
AdobePDFViewerNPAPI: 15.010.20060 - SDK 10.8 (2016-05-08) [Support]
AdobePDFViewer: 15.010.20060 - SDK 10.8 (2016-05-08) [Support]
QuickTime Plugin: 7.7.3 (2016-06-06)
Flash Player: 21.0.0.242 - SDK 10.6 (2016-05-22) [Support]
EPPEX Plugin: 10.0 (2013-09-13) [Support]
Flip4Mac WMV Plugin: 3.3.1.3 - SDK 10.8 (2014-09-12) [Support]
SharePointBrowserPlugin: 14.6.3 - SDK 10.6 (2016-04-26) [Support]
Silverlight: 5.1.41212.0 - SDK 10.6 (2016-05-08) [Support]

User internet Plug-ins: Google Earth Web Plug-in: 7.1 (2015-12-03) [Support]

Safari Extensions:
AdBlock - BetaFish, Inc. - https://getadblock.com (2016-06-02)
Ghostery - GHOSTERY, Inc. - https://www.ghostery.com/ (2016-06-02)

3rd Party Preference Panes:
Flash Player (2016-05-09) [Support]
Flip4Mac WMV (2014-05-12) [Support]
Growl (2015-12-03) [Support]

Time Machine:
Skip System Files: NO
Auto backup: YES
Volumes being backed up:
Macintosh HD: Disk size: 999.32 GB Disk used: 667.59 GB
Destinations:

G-DRIVE ev [Local]
Total size: 999.86 GB
Total number of backups: 13
Oldest backup: 09/05/2016, 18:41
Last backup: 27/05/2016, 16:21
Size of backup disk: Too small
Backup size 999.86 GB < (Disk used 667.59 GB X 3)

My Passport for Mac [Local]
Total size: 2.00 TB
Total number of backups: 5
Oldest backup: 04/06/2016, 21:58
Last backup: 05/06/2016, 09:54
Size of backup disk: Too small
Backup size 2.00 TB < (Disk used 667.59 GB X 3)

Back up 2 [Local]
Total size: 999.86 GB
Total number of backups: 2
Oldest backup: 24/02/2014, 20:21
Last backup: 24/02/2014, 20:21
Size of backup disk: Too small
Backup size 999.86 GB < (Disk used 667.59 GB X 3)

Back up 1 [Local]
Total size: 999.86 GB
Total number of backups: 2
Oldest backup: 04/06/2014, 10:23
Last backup: 20/08/2014, 08:14
Size of backup disk: Too small
Backup size 999.86 GB < (Disk used 667.59 GB X 3)

Top Processes by CPU:
5% WindowServer
2% fontd
1% kernel_task
0% Dock
0% cloudpaird

Top Processes by Memory:
1.89 GB com.apple.WebKit.WebContent(13)
1.31 GB kernel_task
557 MB mds_stores
524 MB Finder
360 MB Preview



Virtual Memory Information:
6.39 GB Free RAM
9.60 GB Used RAM (2.66 GB Cached)
0 B Swap Used

Diagnostics Information:
Jun 7, 2016, 03:35:18 PM Self test - passed
Jun 6, 2016, 08:48:44 PM ~/Library/Logs/DiagnosticReports/com.apple.preferences.icloud.remoteservice_2016-06-06-204844_[redacted].crash
/System/Library/PreferencePanes/iCloudPref.prefPane/Contents/XPCServices/com.apple.preferences.icloud.remoteservice.xpc/Contents/MacOS/com.apple.preferences.icloud.remoteservice
Jun 6, 2016, 07:38:31 PM ~/Library/Logs/DiagnosticReports/Canon MFScanner_2016-06-06-193831_[redacted].crash
jp.co.canon.ScanGear MF.appl.Canon MFScanner - /Library/Image Capture/Devices/Canon MFScanner.app/Contents/MacOS/Canon MFScanner
Jun 6, 2016, 09:23:38 AM /Library/Logs/DiagnosticReports/BDLDaemon_2016-06-06-092338_[redacted].cpu_resource.diag [Details]
/Library/Bitdefender/*/antivirus.bundle/BDLDaemon
Jun 6, 2016, 09:15:08 AM ~/Library/Logs/DiagnosticReports/App Store_2016-06-06-091508_[redacted].crash
com.apple.appstore - /Applications/App Store.app/Contents/MacOS/App Store
Jun 6, 2016, 08:58:56 AM ~/Library/Logs/DiagnosticReports/Canon MFScanner_2016-06-06-085856_[redacted].crash



Jun 7, 2016 7:40 PM in response to Belfast MacUser

Belfast MacUser wrote:


Thank you Etrecheck.


I have just completed another Etrecheck and the report is below. If I am allowed to, I will also include a screenshot showing that the daemon icon appeared which suggested that it found malware or adware (and the agent icon appeared just after that - both of these appeared just after the printers had been checked). Yet you will see that unlike on previous occasions when suspect files were identified, the Etrecheck report does not highlight any suspect files (in red). It may be that we will all just have to wait for your update when you have the time to do it. Malwarebytes identifies files but doesn't tell you where they are coming from - today (and I think previously) those files ended in .sh - so I am not sure that it is clearing the root of the problem.


Hello again Belfast MacUser,

Those icons are only meant to be cute. They don't mean anything except that EtreCheck has about another 45 seconds to run and needs to do something to entertain the user.


Even though your last EtreCheck report is corrupted, it doesn't show any active malware. I think you're cured. You have already followed Linc's wise advice. You got rid of the antivirus and "clean up" tools that served no useful purpose. But you found that using EtreCheck and MalwareBytes proved very useful to detect, remove, and verify your malware infection.

Jun 7, 2016 8:38 PM in response to Linc Davis

I guess I should clarify what I mean by software that serves a useful purpose.


Only use software that does something for you—not (as you imagine) for the computer. A word processor, a photo editor, and a game are all examples of software that does something for you. A "cache cleaner" or a "malware scanner" does nothing for you. You didn't buy a computer so you could clean caches or scan for malware. You've already seen that automated scanning for malware doesn't work.


Never install any software, no matter what it purportedly does or where it comes from, unless you—not someone else—decided that you need it, and then only if you—not someone else—have done due diligence to determine whether it's safe. You can reasonably assume that software that you get directly from the Mac App Store or the website of a well-known, long-established developer is safe (though not necessarily that it's of good quality.)


Follow those guidelines and you'll be as safe as you can be from malware attacks.

Jun 8, 2016 2:17 AM in response to Linc Davis

Thank you Linc.


Just to let you know though, I did download Bitdefender from the Apple Store and having seen it there I did read reviews recommending it as the best programme for removing malware/adware for the Mac. I also purchased CleanmyMac after reading an online review in MacWorld that gave it 4/5 stars. I had thought that that was due diligence.


In relation to your earlier question about functionality the computer is now functioning as before, thank goodness. I was just concerned at the appearance of adware after removing active malware and am a little concerned at Etrecheck saying that my report last night was corrupted. Both of these could suggest that something may still be at play and raise its head at a later date. I'll wait and see.

Jun 8, 2016 7:35 AM in response to Belfast MacUser

I did download Bitdefender from the Apple Store and having seen it there I did read reviews recommending it as the best programme for removing malware/adware for the Mac.

As I mentioned, a product in the App Store is safe, in the sense that you can assume it's not malware. You can't assume that it does anything useful. That particular product is essentially useless, like all "anti-virus" software. It's worse than useless if you rely on it to protect you or rescue you from a malware attack, and therefore feel free to take risks that you wouldn't take otherwise. As for the reviews, if you search for apps that cast horoscopes or read Tarot cards, you may find one that gets better reviews than the others. That doesn't mean it can predict the future better than the others.

I also purchased CleanmyMac after reading an online review in MacWorld that gave it 4/5 stars. I had thought that that was due diligence.

It's understandable that you would think so, but the truth is that "macworld" is a trash site, and software reviews are bought and paid for all the time. Due diligence in this case would have consisted of seeking out end-user opinions and evaluating them critically. You also have to reach a certain level of sophistication as a user to know that any software that purports to automatically "clean up" or "speed up" a Mac is a scam, and that no software should ever be trusted to delete files that it didn't install.


Don't make blithe assumptions. Always think about the trust that you're reposing in the developers of any software. You don't know them personally. You're giving them at least partial control of your computer. Do you need to give them that control? Do you have a good reason to trust them?


In an ideal world, computer programmers would be licensed, like civil engineers, and there would be means of holding them accountable for their actions. In the real world, anyone can call himself a programmer and there is almost no accountability.

Jun 8, 2016 12:28 PM in response to Belfast MacUser

Hello again Belfast MacUser,

One of the things that you have learned is something that you should have already known - that people on the internet have different opinions and are more than happy to share them. Opinions, just like software, need careful evaluation. For example, when someone speaks in terms of absolutes, their opinions then have less value. The world is subtle and full of details and complications. Why should the Internet be any different?
