
frenchfri (original poster; macrumors newbie, joined Mar 19, 2018, United States)
I own a mid-2014 MacBook Pro running macOS Mojave 10.14.3.

Over the past few months, suspicious things have been happening that I can no longer brush off. I'm starting to become worried about everything I do on my laptop, even logging into my account on this website...

First things first (this has been happening for a few months now): many times when I open my laptop to the lock screen, there is a little binoculars icon at the top right of the screen, next to the time and battery. It looks like this:

[image: binoculars-icon-on-mac.png]

(this is just a screenshot of it I found online, not my actual computer)

This icon disappears when I reach the desktop screen.

I know that this icon is supposed to indicate activity with Remote Access / screen sharing, but everything involving those things is disabled on the Sharing settings in system preferences.

[image: Screen-Shot-2019-06-14-at-12-20-45-PM.png]

Gee, wouldn't this really make someone think their computer screen is being watched? I eventually brushed this off as some kind of bug, but as of late, I'm thinking it might be related to this next thing I've discovered:

[image: Screen-Shot-2019-06-05-at-12-05-02-AM.png]

What in the name of Macintosh are these "Macrourus" and "Aguacateca" processes I keep seeing in my Activity Monitor?

I thought they could just be system processes (considering they come from the "root" user), but Google doesn't seem to know anything about them.

I originally discovered them as I was working on a project in Premiere Pro, and noticed that my laptop was really struggling to keep up, more so than usual. I checked Activity Monitor, and caught them taking up more than 100% of the CPU. (???)

They always arrive together (never one by itself), and every time I see them, they're there for a few seconds then disappear. Luckily, I managed to catch a screenshot of it and post it here.

Don't a lot of Mac viruses take hold of the "root" user? I'm really not sure how a lot of it works, but I'm very skeptical and I'm not sure what to think anymore.

Is this just a paranoia fest, or should I be seriously concerned? I don't want to have to wipe my hard drive again, I'm so sick of doing that LOL. But even if I decide to do a fresh install, and then restore from a backup, couldn't the virus still be kept in the backup?
 
Wild guess, but it looks a lot like cryptocurrency mining software running on the machine. And one way for that to happen is downloading suspect software or supposedly cracked software from nefarious sites.

And if you have mining software on the machine, you could very well have other malware from possibly the same downloads/installs.

And it might be something as simple as a sketchy browser extension.

What @jbarley said: get and run MalWareBytes. Here's the link to their website (not a fan of MacUpdate: seen too many iffy things floating on there, imo).

https://www.malwarebytes.com/mac-download/
 
Thanks for the replies! I just ran the malwarebytes scanner and these are my results:

[image: Screen-Shot-2019-06-14-at-2-09-10-PM.png]

I don't know what to believe anymore, lol. I just wish there was information about what those processes are supposed to be... and why that binoculars icon shows up on my lockscreen unwarranted
 
> What in the name of Macintosh are these "Macrourus" and "Aguacateca" processes I keep seeing in my Activity Monitor?
The fact your Google-Fu finds nothing on these is a big clue it is crypto currency mining software that came along for the ride with some app you installed as @NoBoMac mentioned. These apps randomly make up these process names as you discovered.

In Activity Monitor select the process then select Info then Open files and ports and it will show the app that is launching that process.
 
> The fact your Google-Fu finds nothing on these is a big clue it is crypto currency mining software that came along for the ride with some app you installed as @NoBoMac mentioned. These apps randomly make up these process names as you discovered.
>
> In Activity Monitor select the process then select Info then Open files and ports and it will show the app that is launching that process.

Wow, I hadn't considered this. I'll have to keep an eye on Activity Monitor and wait for those processes to come back up. They're only there around 10-20% of the time I check Activity Monitor. And they usually leave pretty quickly. This will be tricky.

Thank you for the help!
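Catching processes that come and go within seconds, as the poster describes, is easier with a script than by staring at Activity Monitor. The following is an added example for this thread, not something anyone posted in it: it samples `ps` once a second and logs any process that is burning more than a set share of a core while running from a path outside the places macOS and ordinary apps live. The CPU threshold and the trusted-path list are assumptions to tune; the embedded `ps` sample is constructed, though the unusual paths in it are the ones EtreCheck names in the report posted later in the thread.

```shell
#!/bin/bash
# Log short-lived, CPU-hungry processes that run from unusual paths.
# Added example for this thread, not code posted in it. Assumptions: the
# CPU threshold and the trusted-path list below are starting points to tune.

CPU_THRESHOLD=50          # percent of one core, the unit `ps %cpu` reports

# Binaries under these prefixes are not reported. Anything else, such as
# /Library/Application Support/<Name>/<Name> or /usr/local/bin/<Name>, is.
TRUSTED_PATHS='^/(System|usr/(bin|sbin|libexec)|bin|sbin|Applications)/'

# flag_suspicious: read the output of `ps -axo pid,user,%cpu,ppid,comm`
# (header included) on stdin; print "pid user %cpu ppid path" for each hit.
# On macOS `comm` is the full executable path, which is what the filter needs.
flag_suspicious() {
  awk -v thr="$CPU_THRESHOLD" -v trusted="$TRUSTED_PATHS" '
    NR == 1 { next }                                  # skip the ps header
    {
      path = $5
      for (i = 6; i <= NF; i++) path = path " " $i     # paths may contain spaces
      if ($3 + 0 >= thr && path !~ trusted) print $1, $2, $3, $4, path
    }'
}

# watch_procs [logfile]: sample once a second and append every hit, with a
# timestamp and the parent process, to the log. Run under sudo so that
# root-owned processes show their full path.
watch_procs() {
  log=${1:-/tmp/proc-watch.log}
  while :; do
    ps -axo pid,user,%cpu,ppid,comm | flag_suspicious |
      while read -r pid user cpu ppid path; do
        parent=$(ps -o comm= -p "$ppid" 2>/dev/null)
        printf '%s pid=%s user=%s cpu=%s path="%s" parent="%s"\n' \
          "$(date '+%F %T')" "$pid" "$user" "$cpu" "$path" "${parent:-?}" >> "$log"
      done
    sleep 1
  done
}

# Constructed sample of ps output (not a real capture). The three unusual
# paths are the ones EtreCheck names in the report posted later in the thread.
SAMPLE_PS='  PID USER  %CPU  PPID COMM
  101 root   0.3     1 /usr/libexec/trustd
  202 root  98.7     1 /Library/Application Support/Macrourus/Tardenoisian
  203 root  95.1     1 /Library/Application Support/Aguacateca/Dinocerata
  310 fren  72.0   300 /Applications/Adobe Premiere Pro CC 2019/Adobe Premiere Pro CC 2019.app/Contents/MacOS/Adobe Premiere Pro CC 2019
  404 root  60.0     1 /usr/local/bin/Clypeastroida'

# Dry run on the sample: prints the three non-Apple, high-CPU entries.
printf '%s\n' "$SAMPLE_PS" | flag_suspicious

# Live use: sudo bash proc-watch.sh --watch [logfile]   (Ctrl-C to stop)
if [ "${1:-}" = "--watch" ]; then watch_procs "${2:-}"; fi
```

Expect some noise from legitimate third-party software that also lives under /Library/Application Support; the value of the log is the full path and the parent. A parent of launchd (pid 1) means the process was started by a LaunchDaemon or LaunchAgent plist, so the plist folders are the next place to look, and `sudo lsof -p <pid>` on a hit while it is still alive gives the same view as Activity Monitor's "Open Files and Ports" tab.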
 
> Wow, I hadn't considered this. I'll have to keep an eye on Activity Monitor and wait for those processes to come back up. They're only there around 10-20% of the time I check Activity Monitor. And they usually leave pretty quickly. This will be tricky.
>
> Thank you for the help!
Did this seem to coincide with some new app you recently installed? That would be your first suspect.
 
> Did this seem to coincide with some new app you recently installed? That would be your first suspect.

I don't think so. I don't think I've recently installed any new apps. But... at some point in the past few months, I did try installing a cracked version of an autotune plugin. It didn't even seem to install anything anywhere, so I deleted it, but I bet it did install this lovely virus :)

Also, here's another suspicious thing that I forgot about. On the same day I was working on my Premiere project, this prompt came up on my screen:

[image: Screen-Shot-2019-06-09-at-9-48-13-PM.png]

I have no idea what iLok is, and it's not in my Applications folder. Nor does anything about it show up in Finder when I search for it in "This Mac".

Why do I have bad luck?
 
Quick Google search: the cracked auto-tune plug-in you tried to install (Antares?) uses iLok for license management, so it appears you still have some pieces in there that are causing issues.

Hopefully lesson learned: that "free" software is not free.
 
> Quick Google search: the cracked auto-tune plug-in you tried to install (Antares?) uses iLok for license management, so it appears you still have some pieces in there that are causing issues.
>
> Hopefully lesson learned: that "free" software is not free.

Haha, point taken. Up until this point, I've been successful with pirating software for the most part. I guess I made a dumb decision in this instance. But it still could be something else that's causing the sketchy processes and the binoculars icon. I'm pretty sure these things and the autotune installation happened on separate occasions.
 
> I checked Activity Monitor, and caught them taking up more than 100% of the CPU. (???)

In Activity Monitor, 100% CPU is equal to 100% of one core of your CPU. If you have a 4 core CPU, for example, you have 400% total resource pool.

This just looks like mining software. You can also make yourself more secure by applying the latest security updates for 10.14, updating to 10.14.5.
 
> Haha, point taken. Up until this point, I've been successful with pirating software for the most part. I guess I made a dumb decision in this instance. But it still could be something else that's causing the sketchy processes and the binoculars icon. I'm pretty sure these things and the autotune installation happened on separate occasions.

The crux of the problem right here :)
 
Is it possible that you accidentally started recording? Simply click the “Stop” icon in the menu bar and recording will end and the binoculars icon will disappear from the lock screen.

[image: stop-recording.png]

This’ll also happen if you lock your screen while running Duet Display on a connected iPad.
 
> The crux of the problem right here :)

LOL I totally agree and understand, it's really not as bad as I've probably made it seem. I pay for the Adobe creative cloud suite as well as Ableton Live (every program I ever use). In terms of piracy, I've really only ever cracked a few games and small plugins. I know, I'm naughty for that...

> Run the app Etrecheck to create a report that shows all launch items. Post the report here for us to take a look and we may be able to see what process is launching to cause this.

Will do!

> Is it possible that you accidentally started recording? Simply click the “Stop” icon in the menu bar and recording will end and the binoculars icon will disappear from the lock screen.
>
> [image: stop-recording.png]
>
> This’ll also happen if you lock your screen while running Duet Display on a connected iPad.

Neither of these are the case... I wish it was something that simple, though

Funny story, actually... Ever since I've posted this thread, I've encountered neither of the things I originally described. It's almost like posting about it fixed everything, lol
Here's my Etrecheck report (just copied and pasted, I wasn't sure how to post it in a less clunky way)

EtreCheck version: 5.2 (5029)

Report generated: 2019-06-15 15:11:14

Download EtreCheck from https://etrecheck.com

Runtime: 2:07

Performance: Excellent

Sandbox: Enabled

Full drive access: Disabled


Problem: Other problem


Major Issues:

Anything that appears on this list needs immediate attention.


System Integrity Protection disabled - System Integrity Protection is disabled. This computer is at risk of malware infection.


Minor Issues:

These issues do not need immediate attention but they may indicate future problems or opportunities for improvement.


High battery cycle count - Your battery may be losing capacity.

Clean up - There are orphan files that could be removed.

Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.

32-bit Apps - This machine has 32-bit apps that will not work after macOS 10.14 “Mojave”.

Limited drive access - More information may be available with Full Drive Access.


Hardware Information:

MacBook Pro (Retina, 13-inch, Mid 2014)

MacBook Pro Model: MacBookPro11,1

1 2.6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

8 GB RAM - Not upgradeable

BANK 0/DIMM0 - 4 GB DDR3 1600 ok

BANK 1/DIMM0 - 4 GB DDR3 1600 ok

Battery: Health = Normal - Cycle count = 894


Video Information:

Intel Iris - VRAM: 1536 MB

Color LCD 2560 x 1600


Drives:

disk0 - APPLE SSD SM0256F 251.00 GB (Solid State - TRIM: Yes)

Internal PCI 5.0 GT/s x2 Serial ATA

disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

disk0s2 [APFS Container] 181.79 GB

disk1 [APFS Virtual drive] 181.79 GB (Shared by 4 volumes)

disk1s1 - m********i (APFS) (Shared - 150.73 GB used)

disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

disk1s3 - Recovery (APFS) [Recovery] (Shared)

disk1s4 - VM (APFS) [APFS VM] (Shared - 1.07 GB used)

disk0s3 - B******P (MS-DOS FAT12) 69.00 GB (67.88 GB used)


Mounted Volumes:

disk0s3 - B******P 69.00 GB (1.12 GB free)

MS-DOS FAT12

Mount point: /Volumes/B******P


disk1s1 - m********i 181.79 GB (29.30 GB free)

APFS

Mount point: /

Encrypted


disk1s4 - VM [APFS VM] (Shared - 1.07 GB used)

APFS

Mount point: /private/var/vm


Network:

Interface en5: iPad

Interface en4: iPhone

Interface en0: Wi-Fi

802.11 a/b/g/n/ac

Interface en3: Bluetooth PAN

Interface bridge0: Thunderbolt Bridge


System Software:

macOS Mojave 10.14.3 (18D109)

Time since boot: Less than an hour


Notifications:

Notifications not available without Full Drive Access.


Security:

Gatekeeper: Enabled

System Integrity Protection: Disabled


Unsigned Files:

Launchd: ~/Library/LaunchAgents/com.valvesoftware.steamclean.plist

Executable: ~/Library/Application Support/Steam/SteamApps/steamclean Public

Details: Exact match found in the whitelist - probably OK


Launchd: /Library/LaunchDaemons/com.Disa.plist

Executable: /usr/local/bin/Clypeastroida

Details: Executable file is not accessible without Full Disk Access


Launchd: ~/Library/Application Support/Steam/com.valvesoftware.steam.ipctool.plist

Executable: ~/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver

Details: Exact match found in the whitelist - probably OK


32-bit Applications:

11 32-bit apps


Kernel Extensions:

/Library/Extensions

Soundflower.kext (MATT INGALLS, 2.0b2 - SDK 10.10)


System Launch Agents:

[Not Loaded] 17 Apple tasks

[Loaded] 166 Apple tasks

[Running] 116 Apple tasks


System Launch Daemons:

[Not Loaded] 37 Apple tasks

[Loaded] 189 Apple tasks

[Running] 108 Apple tasks

[Other] One Apple task


Launch Agents:

[Running] com.adobe.AdobeCreativeCloud.plist (Adobe Systems, Inc. - installed 2019-05-27)

[Running] com.adobe.GC.AGM.plist (Adobe Systems, Inc. - installed 2019-05-16)

[Not Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2019-05-16)


Launch Daemons:

[Running] com.Disa.plist (? ac4858da - installed 2019-04-27)

[Not Loaded] com.Epicaridea.plist (? edb2a65b - installed 2019-04-27)

[Not Loaded] com.Pelobates.plist (? e72d60e6 - installed 2019-04-27)

[Running] com.adobe.acc.installer.v2.plist (Adobe Systems, Inc. - installed 2019-05-27)

[Running] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2019-05-16)

[Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2019-02-05)


User Launch Agents:

[Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-12-10)

[Running] com.amazon.music.plist (AMZN Mobile LLC - installed 2019-06-15)

[Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2019-05-09)

[Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2019-05-09)

[Loaded] com.valvesoftware.steamclean.plist (? 0 - installed 2019-06-15)


Internet Plug-ins:

AdobeAAMDetect: 3.0.0.0 (Adobe Systems, Inc. - installed 2019-05-27)


Audio Plug-ins:

AppleTimeSyncAudioClock: 1.0 (Apple - installed 2018-11-30)

BluetoothAudioPlugIn: 6.0.10 (Apple - installed 2019-02-13)

AirPlay: 2.0 (Apple - installed 2019-02-13)

AppleAVBAudio: 710.1 (Apple - installed 2018-11-30)

BridgeAudioSP: 5.2 (Apple - installed 2019-02-13)

iSightAudio: 7.7.3 (Apple - installed 2018-11-30)


Time Machine:

Time Machine information not available without Full Drive Access.


Performance:

System Load: 4.23 (1 min ago) 3.20 (5 min ago) 3.47 (15 min ago)

Nominal I/O speed: 4.35 MB/s

File system: 29.18 seconds

Write speed: 548 MB/s

Read speed: 756 MB/s


CPU Usage Snapshot:

Type Overall

System 3 %

User 3 %

Idle 94 %


Top Processes Snapshot by CPU:

Process (count) CPU (Source - Location)

Other processes 14.77 % (?)

EtreCheck 6.48 % (App Store)

Adobe Desktop Service 0.64 % (Adobe Systems, Inc.)

Creative Cloud 0.60 % (Adobe Systems, Inc.)

Adobe CEF Helper 0.40 % (Adobe Systems, Inc.)


Top Processes Snapshot by Memory:

Process (count) RAM usage (Source - Location)

EtreCheck 533 MB (App Store)

Adobe Desktop Service 268 MB (Adobe Systems, Inc.)

Brave Browser 216 MB (Brave Software, Inc.)

Brave Browser Helper 109 MB (Brave Software, Inc.)

NotificationCenter 99 MB (Apple)


Top Processes Snapshot by Network Use:

Process Input / Output (Source - Location)

mDNSResponder 260 KB / 17 KB (Apple)

apsd 108 KB / 35 KB (Apple)

netbiosd 103 KB / 1 KB (Apple)

rapportd 367 B / 437 B (Apple)

SystemUIServer 0 B / 64 B (Apple)


Virtual Memory Information:

Physical RAM: 8 GB


Free RAM: 672 MB

Used RAM: 4.35 GB

Cached files: 3.00 GB


Available RAM: 3.65 GB

Swap Used: 0 B


Software Installs (past 30 days):

Install Date Name (Version)

2019-05-17 SketchUp 8.0

2019-06-03 Gatekeeper Configuration Data (167)

2019-06-14 Malwarebytes for Mac

2019-06-14 "Malwarebytes for Mac Uninstaller"

2019-06-15 EtreCheck (5.2)


Clean up:

/Library/LaunchDaemons/com.Pelobates.plist

/Library/Application Support/Aguacateca/Dinocerata

Executable not found

/Library/LaunchDaemons/com.Epicaridea.plist

/Library/Application Support/Macrourus/Tardenoisian

Executable not found



Diagnostics Information (past 7 days):

Directory /Library/Logs/DiagnosticReports is not accessible.

Enable Full Drive Access to see more information.


End of report
 
You should get rid of some of that malware.

Examples:
/Library/Application Support/Macrourus/Tardenoisian

/Library/LaunchDaemons/com.Epicaridea.plist


/Library/Application Support/Aguacateca/Dinocerata

[Not Loaded] com.Epicaridea.plist (? edb2a65b - installed 2019-04-27)

[Not Loaded] com.Pelobates.plist (? e72d60e6 - installed 2019-04-27)

Executable: /usr/local/bin/Clypeastroida


I'm certain that there is something you should look into.

Look for these. Description of "Clypeastroida" https://www.hybrid-analysis.com/sam...99db6f1dcc576fe8a8e952b13af?environmentId=100

Google wants to spell it differently.
 
> You should get rid of some of that malware.
>
> Examples:
>
> I'm certain that there is something you should look into.
>
> Look for these. Description of "Clypeastroida" https://www.hybrid-analysis.com/sam...99db6f1dcc576fe8a8e952b13af?environmentId=100
>
> Google wants to spell it differently.

I already went into the library directories and deleted Macrourus and Aguacateca (I tried opening the folders, but it didn't allow me the permissions). But I wasn't sure if those other listings should be of concern. Should I just delete everything under "Clean up" ?
 
@frenchfri
I believe you should and I would suggest using Terminal and type
Code:
sudo rm -rf /Library/Application\ Support/'name of the folder to be deleted'
on those directories which can't be deleted the usual way.

The binary file in /usr/local/bin/ is to be deleted the same way.
You can use Terminal auto-complete and type the first letter or two then press the Tab-key on the keyboard.

Delete everything in the Clean Up part, yes. Also, remember the Launch Daemons too. Delete those in relevance to what you've already deleted.

You also might have to look into https://objective-see.com/index.html and check out the tools available - such as a dylib hijack scanner and Knock Knock plus the TaskExplorer tool just to get an idea of what is lurking on your Mac.

Personally I would have wiped the Mac completely, reinstalling macOS Mojave or the macOS of your choice for your current Mac computer. I do hope that you get rid of everything in relation to the malware.

Btw. don't download any malware from the website linked :p The author of these apps is well known for helping out with creating wonderful applications for the Mac that stops malware and such in its tracks. You can however also lock down your macOS to a point where a dialogue window pops up constantly asking if this is allowed to do that. I tried that myself and dialed back on using everything available to me
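The removal the reply above describes is safer when each launchd item is unloaded before its files go (otherwise launchd can respawn the binary, and a plist with KeepAlive set will keep trying), and when the plist is read first to learn which binary it starts. Below is an added example written for this thread, not the poster's or anyone else's commands. It assumes the layout the EtreCheck report shows: a plist in /Library/LaunchDaemons whose ProgramArguments points at a binary under /Library/Application Support/<Name>/ or /usr/local/bin. The plist inside it is constructed for the demonstration, using the label and path EtreCheck's Clean up section lists together.

```shell
#!/bin/bash
# Triage and removal of third-party launchd items. Added example, not the
# thread's own commands. Assumes the layout EtreCheck reported: a plist in
# /Library/LaunchDaemons pointing at a binary in /Library/Application
# Support/<Name>/<Name> or /usr/local/bin. Everything but the parsing needs
# root, so run the list/remove modes with sudo.

# plist_program_path: read an XML launchd plist on stdin and print the
# executable it starts (ProgramArguments[0], or Program when there is no
# ProgramArguments). Pure awk so it can be exercised off the Mac; on macOS
# program_of below prefers PlistBuddy, which also reads binary plists.
plist_program_path() {
  awk '
    /<key>ProgramArguments<\/key>/ { want = "args"; next }
    /<key>Program<\/key>/          { want = "prog"; next }
    want != "" && /<string>/ {
      s = $0
      sub(/^[ \t]*<string>/, "", s); sub(/<\/string>.*$/, "", s)
      if (want == "args" && args == "") args = s
      if (want == "prog") prog = s
      want = ""
    }
    END { print (args != "" ? args : prog) }'
}

# program_of <plist>: the same lookup for a file on disk.
program_of() {
  if [ -x /usr/libexec/PlistBuddy ]; then
    /usr/libexec/PlistBuddy -c 'Print :ProgramArguments:0' "$1" 2>/dev/null ||
      /usr/libexec/PlistBuddy -c 'Print :Program' "$1" 2>/dev/null
  else
    plist_program_path < "$1"
  fi
}

# list_launch_items: print "plist -> program" for every non-Apple item in the
# system-wide launchd folders and flag the ones whose binary is already gone,
# roughly what EtreCheck's Launch Daemons and Clean up sections show.
list_launch_items() {
  for plist in /Library/LaunchDaemons/*.plist /Library/LaunchAgents/*.plist; do
    [ -f "$plist" ] || continue
    case "$(basename "$plist")" in com.apple.*) continue ;; esac
    exe=$(program_of "$plist")
    status=""
    if [ -n "$exe" ] && [ ! -e "$exe" ]; then status=" [executable missing]"; fi
    printf '%s -> %s%s\n' "$plist" "${exe:-?}" "$status"
  done
}

# remove_launch_item <plist>: stop the job first (a plist with KeepAlive set
# would otherwise have launchd respawn the binary), then delete the plist,
# its executable and, when the executable sat in its own folder under
# /Library/Application Support, that folder.
remove_launch_item() {
  plist=$1
  [ -f "$plist" ] || { echo "no such plist: $plist" >&2; return 1; }
  exe=$(program_of "$plist")
  launchctl bootout system "$plist" 2>/dev/null || launchctl unload "$plist" 2>/dev/null || true
  rm -f "$plist"
  if [ -n "$exe" ] && [ -f "$exe" ]; then
    rm -f "$exe"
    dir=$(dirname "$exe")
    case "$dir" in "/Library/Application Support/"*) rmdir "$dir" 2>/dev/null || true ;; esac
  fi
  echo "removed $plist (program: ${exe:-none})"
}

# Constructed sample plist (not copied from the machine); the label and path
# are the pair EtreCheck's Clean up section lists together.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.Epicaridea</string>
    <key>ProgramArguments</key>
    <array>
        <string>/Library/Application Support/Macrourus/Tardenoisian</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>'

# Dry run on the sample: prints the path the plist would launch.
printf '%s\n' "$SAMPLE_PLIST" | plist_program_path

# On the Mac:  sudo bash launchd-cleanup.sh list
#              sudo bash launchd-cleanup.sh remove /Library/LaunchDaemons/com.Epicaridea.plist
case "${1:-}" in
  list)   list_launch_items ;;
  remove) remove_launch_item "$2" ;;
esac
```

Two caveats worth keeping in mind. First, the "Executable not found" entries in EtreCheck's Clean up section mean only the orphaned plist is left (the poster had already deleted the folders), while com.Disa.plist was still Running with its binary in /usr/local/bin, so that one has to be unloaded, not just deleted. Second, the report's major finding that System Integrity Protection is disabled does not by itself explain these daemons: /Library/LaunchDaemons and /usr/local/bin are writable by root whether SIP is on or off. It does leave /System, /usr and the kernel open to whatever else came with the same download, so re-enable it from Recovery with `csrutil enable` once the clean-up is done.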
 