pgonzalez

Q: system breached?

I have a friend using OS X 10.10.5 that is infected with numerous malware, i.e. Genieo, VSearch and Trovi. I thoroughly followed procedures to remove all the mentioned malware, both manually and with the app Malwarebytes for Mac, although the system is still not normal after removing the malware. The items below are very odd to me; can someone tell me if what I'm reporting could be signs that the system has been compromised? Please see below, and thanks!

 

1) The Trovi search page still returns in Safari, and hyperlinks are redirected to adware sites when clicked.

2) A rogue AppleScript applet called "InstallExtension_8" tries to launch in the Finder while Safari is running or when I quit Safari (in any user account), but fails and shows this error:

Screen Shot 2016-06-05 at 9.23.18 PM.png

While it was still open I inspected this script's process in Activity Monitor > Info > Open Files and Ports; the items below are shown:

/
/Library/Trovi/BrowserEnhancer.app/Contents/MacOS/InstallExtension_8.app/Contents/MacOS/applet
/usr/share/icu/icudt53l.dat

*** Note: I cannot locate the /Library/Trovi directory; it does not exist:

$ cd /Library/Trovi
-bash: cd: /Library/Trovi: No such file or directory


/System/Library/Components/AppleScript.component/Contents/MacOS/AppleScript
/System/Library/PrivateFrameworks/AppleScript.framework/Versions/A/AppleScript
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/SystemAppearance.car
/System/Library/ColorSync/Profiles/Generic RGB Profile.icc
/System/Library/ColorSync/Profiles/sRGB Profile.icc
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/GraphiteDarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityDarkGraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityVibrantLightAppearance.car
/System/Library/ColorSync/Profiles/Generic Gray Gamma 2.2 Profile.icc
/private/var/folders/_4/_gs3tgj15g97k31wg49nlf200000gp/0/com.apple.LaunchServices-107502.csstore
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/GraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityGraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/DarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityDarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/VibrantLightAppearance.car
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc
/System/Library/PrivateFrameworks/CoreUI.framework/Versions/A/Resources/SArtFile.bin
/System/Library/Fonts/HelveticaNeueDeskInterface.ttc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc
/System/Library/Frameworks/OpenCL.framework/Versions/A/Libraries/ImageFormats/unorm8_bgra.dylib
/System/Library/ColorSync/Profiles/Generic Gray Profile.icc
/System/Library/Keyboard Layouts/AppleKeyboardLayouts.bundle/Contents/Resources/AppleKeyboardLayouts-L.dat
/System/Library/Fonts/Helvetica.dfont
/private/var/folders/_4/_gs3tgj15g97k31wg49nlf200000gp/C/com.apple.iconservices/store.index
/Library/Caches/com.apple.iconservices.store/FCBC3F77-4294-4419-BEF4-81170C782B60.isdata
/usr/lib/dyld
/private/var/db/dyld/dyld_shared_cache_x86_64
/dev/null
/dev/null
/dev/null
count=2, state=0x2
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/SystemAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/GraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityGraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/DarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/GraphiteDarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityDarkAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityDarkGraphiteAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/VibrantLightAppearance.car
/System/Library/CoreServices/SystemAppearance.bundle/Contents/Resources/AccessibilityVibrantLightAppearance.car
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/Extras2.rsrc
/Library/Trovi/BrowserEnhancer.app/Contents/MacOS/InstallExtension_8.app/Contents/Resources/applet.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/HIToolbox.rsrc
/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/Resources/English.lproj/Localized.rsrc

 

3) As soon as the system is started up, there are a bunch of processes running as very unusually named users, e.g. below shows the user "unrelatedness":

$ id unrelatedness
uid=401(unrelatedness) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),403(com.apple.sharepoint.group.2),100(_lpoperator),402(com.apple.sharepoint.group.1)

Screen Shot 2016-06-05 at 9.31.44 PM.png

 

 

4) There are very mysterious folders in /Library (most are shown below in red bold text); they contain .conf and .sh files and are run by those mysterious users:

 

$ ls -la /Library
total 12216
drwxr-xr-x+  98 root  wheel     3332 Jun  5 20:54 .
drwxr-xr-x   36 root  wheel     1292 Jun  5 17:01 ..
-rw-r--r--    1 root  wheel        0 Sep  9  2014 .localized
drwxr-xr-x   20 root  admin      680 Jun  5 16:54 Application Support
drwxr-xr-x   10 root  wheel      340 Sep 17  2015 Audio
drwxrwxr-x   96 root  admin     3264 Sep 17  2015 Automator
drwxr-xr-x@   3 root  wheel      102 Jun  5 20:54 Babel
drwxrwxrwt    9 root  admin      306 Jun  5 20:52 Caches
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 ColorPickers
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 ColorSync
drwxr-xr-x    2 root  wheel       68 Mar  6  2015 Components
drwxr-xr-x    3 root  wheel      102 Sep  9  2014 Compositions
drwxr-xr-x    2 root  wheel       68 Mar  6  2015 Contextual Menu Items
drwxr-xr-x    3 root  wheel      102 Jul 29  2015 CoreMediaIO
drwxr-xr-x   84 root  wheel     2856 Sep 17  2015 Desktop Pictures
drwxr-xr-x   23 root  wheel      782 Sep 17  2015 Dictionaries
drwxr-xr-x    3 root  wheel      102 Mar  6  2015 DirectoryServices
drwxr-xr-x    9 root  wheel      306 Sep 17  2015 Documentation
drwxr-xr-x    5 root  wheel      170 Jun  5 17:01 DropboxHelperTools
drwxr-xr-x   13 root  wheel      442 Jun  3 10:11 Extensions
drwxr-xr-x    5 root  wheel      170 Sep 17  2015 Filesystems
drwxrwxr-t  242 root  admin     8228 Sep 17  2015 Fonts
drwxr-xr-x   18 root  admin      612 Sep 17  2015 Fonts Disabled
drwxr-xr-x   15 root  wheel      510 Sep 17  2015 Frameworks
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Graphics
drwxr-xr-x    7 root  wheel      238 Sep 17  2015 Image Capture
drwxr-xr-x    2 root  wheel       68 Feb 20  2015 Input Methods
drwxr-xr-x   12 root  wheel      408 Jun  2 08:01 Internet Plug-Ins
drwxr-xr-x@   3 root  wheel      102 Jun  5 17:02 Isurus
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Java
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 Keyboard Layouts
drwxr-xr-x    9 root  wheel      306 Jun  5 20:51 Keychains
drwxr-xr-x    6 root  wheel      204 Jun  5 16:54 LaunchAgents
drwxr-xr-x   29 root  wheel      986 Jun  5 20:54 LaunchDaemons
drwxr-xr-x    5 root  wheel      170 Jun  5 11:30 Logs
drwxr-xr-x    3 root  wheel      102 Jun  5 16:58 Managed Preferences
drwxr-xr-x    3 root  wheel      102 Jul 22  2015 Messages
drwxr-xr-x   37 root  wheel     1258 Sep 17  2015 Modem Scripts
drwxr-xr-x    5 root  wheel      170 May 12  2015 OpenDirectory
drwxr-xr-x    6 root  wheel      204 Sep 17  2015 PDF Services
drwxrwxr-x    7 root  admin      238 Sep 17  2015 Parallels
drwxr-xr-x    4 root  wheel      136 Sep  9  2014 Perl
drwxr-xr-x    4 root  wheel      136 Jun  2 08:01 PreferencePanes
drwxr-xr-x  108 root  wheel     3672 Jun  5 20:54 Preferences
drwxr-xr-x@   3 root  wheel      102 Oct 15  2015 PrenanthesUpd
drwxr-xr-x   10 root  admin      340 Jun  5 06:49 Printers
drwxr-xr-t    4 root  wheel      136 Jun  5 16:49 PrivilegedHelperTools
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Python
drwxr-xr-x    5 root  wheel      170 Sep 17  2015 QuickLook
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 QuickTime
drwxrwxr-x   12 root  admin      408 Sep 17  2015 Receipts
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Ruby
drwxr-xr-x    3 root  wheel      102 Sep  9  2014 Sandbox
drwxr-xr-x    3 root  wheel      102 Sep 17  2015 Screen Savers
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 ScriptingAdditions
drwxr-xr-x   10 root  wheel      340 Sep 17  2015 Scripts
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Security
drwxr-xr-x    3 root  wheel      102 Sep 17  2015 Server
drwxr-xr-x    3 root  wheel      102 Sep 17  2015 Speech
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 Spelling
drwxr-xr-x    7 root  wheel      238 Sep 17  2015 Spotlight
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 StartupItems
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 SystemMigration
drwxr-xr-x    2 root  wheel       68 Sep  9  2014 SystemProfiler
drwxr-xr-x    5 root  wheel      170 Jun  5 06:51 Updates
drwxr-xr-x    8 root  wheel      272 Sep  9  2014 User Pictures
drwxr-xr-x    4 root  wheel      136 Sep 17  2015 Video
drwxr-xr-x    5 root  wheel      170 Jul 23  2015 WebServer
drwxr-xr-x   18 root  wheel      612 Sep 17  2015 Widgets
drwxr-xr-x@   3 root  wheel      102 Jun  3 10:22 anonyma
drwxr-xr-x@   3 root  wheel      102 Jun  2 11:04 arthroncus
-rw-r--r--    1 root  wheel  6118473 May 27 07:56 backup.zip
drwxr-xr-x@   3 root  wheel      102 Sep 21  2015 carobUpd
drwxr-xr-x@   3 root  wheel      102 Jun  2 11:09 carpetweb
drwxr-xr-x@   3 root  wheel      102 Jun  5 09:50 chidden
drwxr-xr-x@   3 root  wheel      102 Jun  3 08:11 chun
drwxr-xr-x@   3 root  wheel      102 Jun  5 11:33 cystosarcoma
drwxr-xr-x@   3 root  wheel      102 Oct 15  2015 discoverableUpd
drwxr-xr-x@   3 root  wheel      102 Jun  3 08:49 dooley
drwxr-xr-x@   3 root  wheel      102 Jun  5 16:06 endocyclic
drwxr-xr-x@   3 root  wheel      102 Jun  5 20:54 exosporal
drwxr-xr-x    3 root  wheel      102 Feb 12  2015 iTunes
drwxr-xr-x@   3 root  wheel      102 Jun  3 11:49 madhouse
drwxr-xr-x@   3 root  wheel      102 Jun  3 10:22 misdeed
-rwxrwxrwx@   1 root  wheel   126680 May 27 07:56 morkim
drwxr-xr-x@   3 root  wheel      102 Jun  3 08:11 nonidealist
drwxr-xr-x@   3 root  wheel      102 Jun  3 11:49 noropianic
drwxr-xr-x@   3 root  wheel      102 Oct 15  2015 physiologizeUpd
drwxr-xr-x@   3 root  wheel      102 Jun  5 06:46 replenishment
-rw-------    1 root  wheel      258 May 27 07:56 settings.dat
drwxr-x---    3 root  wheel      102 Jun  2 11:05 stimulancyUpd
drwxr-xr-x@   3 root  wheel      102 Jun  3 10:22 superintellectual
drwxr-xr-x@   3 root  wheel      102 Jun  5 09:48 symphyostemonous
drwxr-xr-x@   3 root  wheel      102 Jun  5 16:10 tambac
drwxr-xr-x@   3 root  wheel      102 Jun  2 11:06 tricosylic
drwxr-x---    3 root  wheel      102 May 12 13:40 uelmeld
drwxr-xr-x@   3 root  wheel      102 Jun  2 12:09 unprecocious
-rw-r--r--    1 root  wheel      156 Jun  5 21:15 watch.log

Posted on Jun 5, 2016 6:51 PM


  • by Esquared, Jun 6, 2016 12:10 AM in response to pgonzalez
    Level 6 (8,518 points)
    Mac OS X

    Malware is getting more ingenious these days, and malware removal tools are having trouble keeping up. For now you'll have to rely on manual removal strategies: see this topic, especially the contributions by Linc Davis: How do I remove the TopDeal / Deal Top virus?

  • by greg sahli, Jun 6, 2016 4:56 AM in response to Esquared
    Level 7 (25,400 points)

    Try:

    cd ~/Library

    (the ~ means: within my home directory)

  • by pgonzalez, Jun 6, 2016 6:03 AM in response to greg sahli
    Level 1 (8 points)
    Mac OS X

    greg sahli wrote:

    Try:

    cd ~/Library

    (the ~ means: within my home directory)

    Hi Greg, I'm aware the tilde refers to one's home directory, but what are you suggesting I look for there?

     

    Activity Monitor > Info > Open Files and Ports points to this path:

    /Library/Trovi/BrowserEnhancer.app/Contents/MacOS/InstallExtension_8.app/Contents/MacOS/applet
    /usr/share/icu/icudt53l.dat

    (also there is no ~/Library/Trovi folder either)


    Esquared, thanks for the post containing Linc Davis's sage advice. I've already performed most of those steps but I'll give it another go as this system is riddled with adware/malware.


    Thanks all.

  • by Eric Root, Jun 6, 2016 9:51 AM in response to pgonzalez
    Level 9 (74,064 points)
    iTunes

    Try running this program and then copy and paste the output in a reply. The program was created by Etresoft, a frequent contributor.  Please use copy and paste as screen shots can be hard to read. This will show what is running on your computer. No personal information is shown. If it does show adware, click the Remove link.
     

    Etrecheck – System Information

  • by AstroMelly, Jun 9, 2016 11:58 AM in response to pgonzalez
    Level 1 (4 points)

    Hi there

     

    Sounds like my MacBook Pro just got hit with the same thing. I noticed many shell processes running (process name 'sh') as spurious users. After much digging around, I found that there were scripts being created on the fly in the /etc/ directory with randomized names 'statesmanese', 'ratcatcherUpd' etc.

     

    I followed some instructions for removing the VSearch malware, also Genieo - which you say you have done. I thought the problem was cleared up but after my final reboot, I saw the processes reappearing.

     

    I used a free app called LaunchControl to inspect the processes that were being started after a reboot.  Most I could identify but there were a few that sounded a bit odd.  In particular there was a binary 'etaio' (I think it was) in the /Library/ folder and another in the same folder (maybe named elmia - it was uelmeld - it's listed in your directory listing of /Library) that were both being started as daemon processes.  I removed these as well and after a final reboot the processes were no longer starting.

     

    I also removed all the scripts from the /etc/ folder - they were just clones of each other with different names.  If you find yourself with this problem you can go into terminal:

     

    sudo -s
    <password>
    cd /etc/
    ls -latr

     

    This will list all files in chronological order of the date/time they were created - you should see a pattern with strange scripts being created after a certain date or time.  My first spurious script was June 3rd so I am thinking that this might be a mutation of the VSearch/Genieo or other malware.

     

    If you are unsure about whether a script is intrusive or not - each of the scripts should also have a .conf file.  I deleted all the scripts and conf files and once confirmed that no more were being produced, I deleted the users that had been created to run them.

     

    I used dscl to delete the users that had obviously been created by the malware.  To find out which users may have been created you can (in terminal):

     

    sudo -s
    cd /var/db/dslocal/nodes/Default/users
    ls -latr

     

    This should tell you which users were created and when.  There is probably a 'better' way but this is what I did.  Then you can use dscl to delete them one by one.  You could probably just delete the plist files but I used dscl.

     

    Here's a page I found useful about dscl.

     

    http://superuser.com/questions/202814/what-is-an-equivalent-of-the-adduser-command-on-mac-os-x

     

    No idea what this malware was doing - the one thing that was happening (apart from ludicrously slow performance and slow startup) was I was getting extra tabs opened in Firefox nearly every time I clicked a link. Putting this out there in the hope it helps someone else - don't shoot me down if you know of a better method - just post it. I'm running Yosemite 10.10.5 on a late 2008 MacBook Pro 15".

     

    Cheers

    Iain
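
    The triage steps in this post, and the /Library folders and spurious user from the original question, as an added example that is not part of the thread and not code from any tool named in it. The script builds a constructed sample tree standing in for /etc, /Library/LaunchDaemons and /var/db/dslocal/nodes/Default/users so it runs offline; on an infected Mac you would point the three functions at the real directories. It assumes, because the thread does not say, that each dropped script is <stem>.sh with a companion <stem>.conf, and that a launchd plist names the script path as plain text; the file names are taken from the thread, and the plist label com.statesmanese is invented. Note that `find -newer`, like `ls -t`, compares modification time, not creation time.

```shell
#!/bin/sh
# Added example, not code from the thread. Automates the manual triage
# described above: script/.conf pairs that appeared after a cutoff date,
# the launchd plists that start them, and local user records created after
# the same date. find recurses, so the same check covers the /Library
# folders in the original question.

# paired_scripts DIR REF: print "<dir>/<stem>" for every <stem>.sh under DIR
# that is newer than the reference file REF and has a sibling <stem>.conf.
paired_scripts() {
    dir=$1; ref=$2
    find "$dir" -type f -name '*.sh' -newer "$ref" | while IFS= read -r f; do
        stem=${f%.sh}
        if [ -f "$stem.conf" ]; then printf '%s\n' "$stem"; fi
    done | sort
}

# plists_referencing DIR: read program paths on stdin (one per line) and
# print each launchd plist under DIR that mentions one of them. A literal
# grep is enough for triage; on macOS confirm with `plutil -p <plist>`.
plists_referencing() {
    dir=$1
    while IFS= read -r p; do
        grep -l -F -- "$p" "$dir"/*.plist 2>/dev/null || true
    done | sort -u
}

# new_user_records DIR REF: print names of local user records under DIR
# (on the Mac: /var/db/dslocal/nodes/Default/users) newer than REF.
new_user_records() {
    dir=$1; ref=$2
    find "$dir" -type f -name '*.plist' -newer "$ref" | sed 's#.*/##; s#\.plist$##' | sort
}

# ---- Constructed sample tree (assumption: stands in for /etc,
# ---- /Library/LaunchDaemons and the dslocal users node).
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
mkdir -p "$SAMPLE/etc" "$SAMPLE/Library/LaunchDaemons" "$SAMPLE/users"

# Cutoff: AstroMelly's first spurious script showed up on June 3rd 2016.
touch -t 201606030000 "$SAMPLE/cutoff"

# Pre-existing, legitimate files, back-dated to before the cutoff.
printf '127.0.0.1 localhost\n' > "$SAMPLE/etc/hosts"
printf '<plist/>\n' > "$SAMPLE/users/iain.plist"
printf '<plist/>\n' > "$SAMPLE/Library/LaunchDaemons/com.example.legit.plist"
touch -t 201509170000 "$SAMPLE/etc/hosts" "$SAMPLE/users/iain.plist" \
    "$SAMPLE/Library/LaunchDaemons/com.example.legit.plist"

# Adware-style drops (names from the thread; the plist label is invented):
# script + conf pairs, a launchd plist starting one of them, and a user
# record created after the cutoff.
for stem in statesmanese ratcatcherUpd; do
    printf '#!/bin/sh\n' > "$SAMPLE/etc/$stem.sh"
    printf 'key=value\n' > "$SAMPLE/etc/$stem.conf"
done
printf '<plist><dict><key>ProgramArguments</key><array><string>/etc/statesmanese.sh</string></array></dict></plist>\n' \
    > "$SAMPLE/Library/LaunchDaemons/com.statesmanese.plist"
printf '<plist/>\n' > "$SAMPLE/users/unrelatedness.plist"
# A recent but unpaired admin script: the .conf pairing rule filters it out.
printf '#!/bin/sh\n' > "$SAMPLE/etc/periodic-cleanup.sh"

echo "== script/.conf pairs newer than the cutoff =="
paired_scripts "$SAMPLE/etc" "$SAMPLE/cutoff"
echo "== launchd plists that reference them =="
# Strip the sample prefix so the paths match what a plist would contain.
paired_scripts "$SAMPLE/etc" "$SAMPLE/cutoff" \
    | sed -e "s#^$SAMPLE##" -e 's#$#.sh#' \
    | plists_referencing "$SAMPLE/Library/LaunchDaemons"
echo "== user records newer than the cutoff =="
new_user_records "$SAMPLE/users" "$SAMPLE/cutoff"
```

    On the real machine, run it as root with a cutoff file made by `touch -t YYYYMMDDhhmm /tmp/cutoff` against /etc, /Library, /Library/LaunchDaemons and /Library/LaunchAgents, and read the output by hand before deleting anything: a paired .sh/.conf under a random-word directory is the pattern from the thread, not proof by itself. The script only reports; the removal steps the post describes are unloading the plist with `sudo launchctl unload <plist>`, deleting the files, and removing the account with `sudo dscl . -delete /Users/<name>`.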

  • by AstroMelly, Jun 9, 2016 12:11 PM in response to AstroMelly
    Level 1 (4 points)

    Incidentally, that file 'watch.log' seems to belong to the malware.

     

    Here's the head of my copy of that file:

     

    1.3.3: Initializing... etiao
    1.3.3: Initializing... rek
    Not yet logged in
    Not yet logged in
    Ping-“****p://t.trkitok.com/track/surl?mid=DBAD193A-54B2-5211-9E35-7E79F32B9434&ht=******p://www.trovi.com/?n=DP2040&searchsource=55&UM=8&gd=SY1000250&nt=****://www.trovi.com/?n=DP2040&searchsource=69&UM=8&gd=SY1000250&su=****://www.trovi.com/Results.aspx?n=DP2040&searchsource=58&UM=8&gd=SY1000250"
    Ping-“****://t.trkitok.com/track/surl?mid=DBAD193A-54B2-5211-9E35-7E79F32B9434&ht=****p://www.trovi.com/?n=DP2040&searchsource=55&UM=8&gd=SY1000250&nt=****p://www.trovi.com/?n=DP2040&searchsource=69&UM=8&gd=SY1000250&su=****p://www.trovi.com/Results.aspx?n=DP2040&searchsource=58&UM=8&gd=SY1000250"
    rek Iain *****ww.trovi.com/?n=DP2040&searchsource=55&UM=8&gd=SY1000250****tp://www.trovi.com/?n=DP2040&searchsource=69&UM=8&gd=SY1000250 ****w.trovi.com/Results.aspx?n=DP2040&searchsource=58&UM=8&gd=SY1000250 Trovi DP2040--DBAD193A-54B2-5211-9E35-7E79F32B9434 omnikey.safariextension
    Chrome Browser Installed...
    Firefox Browser Installed...
    Safari Browser Installed...

     

     

    etiao and rek were two other offenders that were removed from either the LaunchAgents and/or LaunchDaemons folders.

     

    HTH

     

    Iain

     

    <Links Edited by Host>