I think I may have an undiscovered Mac virus...

Discussion in 'macOS Mojave (10.14)' started by frenchfri, Jun 14, 2019.

    I own a mid-2014 MacBook Pro running macOS Mojave 10.14.3.

    Over the past few months, suspicious things have been happening that I can no longer brush off. I'm starting to become worried about everything I do on my laptop, even logging into my account on this website...

    First things first (this has been happening for a few months now): many times when I open my laptop to the lock screen, there is a little binoculars icon at the top right of the screen, next to the time and battery. It looks like this:


    (this is just a screenshot of it I found online, not my actual computer)

    This icon disappears when I reach the desktop screen.

    I know that this icon is supposed to indicate activity with Remote Access / screen sharing, but everything involving those things is disabled on the Sharing settings in system preferences.


    Gee, wouldn't this really make someone think their computer screen is being watched? I eventually brushed this off as some kind of bug, but as of late, I'm thinking it might be related to this next thing I've discovered:


    What in the name of Macintosh are these "Macrourus" and "Aguacateca" processes I keep seeing in my Activity Monitor?

    I thought they could just be system processes (considering they come from the "root" user), but Google doesn't seem to know anything about them.

    I originally discovered them as I was working on a project in Premiere Pro, and noticed that my laptop was really struggling to keep up, more so than usual. I checked Activity Monitor, and caught them taking up more than 100% of the CPU. (???)

    They always arrive together (never one by itself), and every time I see them, they're there for a few seconds then disappear. Luckily, I managed to catch a screenshot of it and post it here.

    Don't a lot of mac viruses take hold of the "root" user? I'm really not sure how a lot of it works, but I'm very skeptical and I'm not sure what to think anymore.

    Is this just a paranoia fest, or should I be seriously concerned? I don't want to have to wipe my hard drive again, I'm so sick of doing that LOL. But even if I decide to do a fresh install, and then restore from a backup, couldn't the virus still be kept in the backup?
    Wild guess, but looks a lot like crypto currency mining software running on the machine. And one way for that to happen is downloading suspect software or supposedly cracked software from nefarious sites.

    And if you have mining software on the machine, you could very well have other malware from possibly the same downloads/installs.

    And it might be something as simple as a sketchy browser extension.

    What @jbarley said: get and run Malwarebytes. Here's the link to their website (not a fan of MacUpdate: seen too many iffy things floating on there, imo).

    Thanks for the replies! I just ran the malwarebytes scanner and these are my results:


    I don't know what to believe anymore, lol. I just wish there was information about what those processes are supposed to be... and why that binoculars icon shows up on my lock screen unwarranted
    The fact your Google-Fu finds nothing on these is a big clue it is crypto currency mining software that came along for the ride with some app you installed as @NoBoMac mentioned. These apps randomly make up these process names as you discovered.

    In Activity Monitor select the process then select Info then Open files and ports and it will show the app that is launching that process.
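The advice above can be automated, since the processes in question live only a few seconds and a single glance at Activity Monitor misses them most of the time. The following is an added example for this thread, not code from the thread, from Apple or from EtreCheck: it parses the output of `ps -axo pid,ppid,user,comm` and walks the parent chain up to launchd (PID 1). The direct child of launchd is the launchd job; if it runs as root it was started from a LaunchDaemon plist, which is where the persistence lives. The `SAMPLE_PS` text is constructed to mirror the thread's situation (names from the EtreCheck report; the PIDs, the parent relationships and the `Clypeastroida` path are assumptions, not captured output).

```python
"""Walk a short-lived root process back to the launchd job that spawned it.

Added example for this thread, not code from the thread or from Apple.  It
parses `ps -axo pid,ppid,user,comm` output and follows PPIDs up to launchd
(PID 1).  SAMPLE_PS is constructed; its PIDs and parent links are assumptions.
"""
import subprocess
import time
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (assumption: mirrors the thread, not real captured output).
SAMPLE_PS = """\
  PID  PPID USER      COMM
    1     0 root      /sbin/launchd
   87     1 root      /usr/libexec/opendirectoryd
  412     1 root      /usr/local/bin/Clypeastroida
  903   412 root      /Library/Application Support/Macrourus/Tardenoisian
  904   412 root      /Library/Application Support/Aguacateca/Dinocerata
  355     1 frenchfri /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  977   355 frenchfri /Applications/Adobe Premiere Pro CC 2019/Adobe Premiere Pro CC 2019.app/Contents/MacOS/Adobe Premiere Pro CC 2019
"""


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    comm: str


def parse_ps(text: str) -> Dict[int, Proc]:
    """Parse `ps -axo pid,ppid,user,comm` output; comm may contain spaces."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        fields = line.split(None, 3)          # at most 4 fields, comm keeps its spaces
        if len(fields) < 4 or not fields[0].isdigit():   # header or junk line
            continue
        pid, ppid, user, comm = fields
        procs[int(pid)] = Proc(int(pid), int(ppid), user, comm)
    return procs


def find_pids(procs: Dict[int, Proc], name: str) -> List[int]:
    """PIDs whose executable basename matches the name shown in Activity Monitor."""
    return sorted(p.pid for p in procs.values() if p.comm.rsplit("/", 1)[-1] == name)


def ancestry(procs: Dict[int, Proc], pid: int) -> List[Proc]:
    """The process, its parent, ... up to launchd.  Stops on orphans or cycles."""
    chain: List[Proc] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid])
        pid = procs[pid].ppid
    return chain


def launch_origin(procs: Dict[int, Proc], pid: int) -> Dict[str, object]:
    """Identify the launchd job (direct child of PID 1) above `pid`.

    A root job under launchd comes from a LaunchDaemon plist; a job running as a
    user is a LaunchAgent, a login item, or an app the user opened.  Persistence
    lives in that job's plist, not in the transient children Activity Monitor shows.
    """
    chain = ancestry(procs, pid)
    job: Optional[Proc] = next((p for p in chain if p.ppid == 1 and p.pid != 1), None)
    where = ""
    if job is None:
        kind = "unknown (parent chain does not reach launchd)"
    elif job.user == "root":
        kind = "LaunchDaemon"
        where = "/Library/LaunchDaemons or /System/Library/LaunchDaemons"
    else:
        kind = "LaunchAgent, login item, or user-opened app"
        where = "~/Library/LaunchAgents, /Library/LaunchAgents, or Login Items"
    return {"chain": chain, "job": job, "kind": kind, "look_in": where}


def live_snapshot() -> Dict[int, Proc]:
    """One real snapshot; needs `ps` on the host (macOS prints full paths in comm)."""
    out = subprocess.run(["ps", "-axo", "pid,ppid,user,comm"],
                         capture_output=True, text=True, check=True).stdout
    return parse_ps(out)


def watch(names: List[str], seconds: int = 60, interval: float = 0.5) -> None:
    """Poll repeatedly so a process that lives only a few seconds is still caught."""
    deadline = time.time() + seconds
    while time.time() < deadline:
        procs = live_snapshot()
        for name in names:
            for pid in find_pids(procs, name):
                o = launch_origin(procs, pid)
                print(name, pid, o["kind"], "<-".join(p.comm for p in o["chain"]))
        time.sleep(interval)


if __name__ == "__main__":
    procs = parse_ps(SAMPLE_PS)            # offline demo on the constructed sample
    for name in ("Tardenoisian", "Dinocerata"):
        for pid in find_pids(procs, name):
            o = launch_origin(procs, pid)
            print(name, pid, o["kind"], "->", o["job"].comm, "| look in", o["look_in"])
    # watch(["Tardenoisian", "Dinocerata"])   # run this on the affected Mac instead
```

On the sample, both worker processes trace to `/usr/local/bin/Clypeastroida` running as root directly under launchd, so the thing to look for is a plist under `/Library/LaunchDaemons` that names that binary; in the report that is `com.Disa.plist`. Activity Monitor's "Open Files and Ports" pane answers the same question for a process that is still alive; the polling loop is for the ones that are not.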
    wow, I hadn't considered this. I'll have to keep an eye on activity monitor and wait for those processes to come back up. They're only there around 10-20% of the time I check activity monitor. And they usually leave pretty quickly. This will be tricky..

    Thank you for the help!
    Did this seem to coincide with some new app you recently installed? That would be your first suspect.
    I don't think so. I don't think I've recently installed any new apps. But... at some point in the past few months, I did try installing a cracked version of an autotune plugin. It didn't even seem to install anything anywhere, so I deleted it, but I bet it did install this lovely virus :)

    Also, here's another suspicious thing that I forgot about. On the same day I was working on my Premiere project, this prompt came up on my screen:


    I have no idea what iLok is, and it's not in my applications folder. Nor does anything about it show up in finder when I search for it in "this mac".

    Why do I have bad luck?
    Quick Google search: the cracked auto-tune plug-in you tried to install (Antares?) uses iLok for license management, so you appear to still have some pieces in there that are causing issues.

    Hopefully lesson learned: that "free" software is not free.
    FWIW, installing sketchy software has nothing to do with bad luck

    A lot of truth there for software and in life
    Haha, point taken. Up until this point, I've been successful with pirating software for the most part. I guess I made a dumb decision in this instance. But it still could be something else that's causing the sketchy processes and the binoculars icon. I'm pretty sure these things and the autotune installation happened on separate occasions
    That is the kind of thing that can happen when you knowingly install stolen software from website X. If you like the app, pay for it.

    If you keep engaging in this kind of activity, you will put yourself at risk for some real trouble.
    In Activity Monitor, 100% CPU is equal to 100% of one core of your CPU. If you have a 4 core CPU, for example, you have 400% total resource pool.

    This just looks like mining software. You can also make yourself more secure by applying the latest security updates for 10.14, updating to 10.14.5.
    The crux of the problem right here :)
    Run the app Etrecheck to create a report that shows all launch items. Post the report here for us to take a look and we may be able to see what process is launching to cause this.
    Is it possible that you accidentally started recording? Simply click the “Stop” icon in the menu bar and recording will end and the binoculars icon will disappear from the lock screen.


    This’ll also happen if you lock your screen while running Duet Display on a connected iPad.
    LOL I totally agree and understand, it's really not as bad as I've probably made it seem. I pay for the Adobe creative cloud suite as well as Ableton Live (every program I ever use). In terms of piracy, I've really only ever cracked a few games and small plugins. I know, I'm naughty for that...

    Will do!

    Neither of these are the case... I wish it was something that simple, though

    Funny story, actually... Ever since I've posted this thread, I've encountered neither of the things I originally described. It's almost like posting about it fixed everything, lol
    Here's my Etrecheck report (just copied and pasted, I wasn't sure how to post it in a less clunky way)

    EtreCheck version: 5.2 (5029)

    Report generated: 2019-06-15 15:11:14

    Download EtreCheck from https://etrecheck.com

    Runtime: 2:07

    Performance: Excellent

    Sandbox: Enabled

    Full drive access: Disabled

    Problem: Other problem

    Major Issues:

    Anything that appears on this list needs immediate attention.

    System Integrity Protection disabled - System Integrity Protection is disabled. This computer is at risk of malware infection.

    Minor Issues:

    These issues do not need immediate attention but they may indicate future problems or opportunities for improvement.

    High battery cycle count - Your battery may be losing capacity.

    Clean up - There are orphan files that could be removed.

    Unsigned files - There are unsigned software files installed. They appear to be legitimate but should be reviewed.

    32-bit Apps - This machine has 32-bit apps that will not work after macOS 10.14 “Mojave”.

    Limited drive access - More information may be available with Full Drive Access.

    Hardware Information:

    MacBook Pro (Retina, 13-inch, Mid 2014)

    MacBook Pro Model: MacBookPro11,1

    1 2.6 GHz Intel Core i5 (i5-4278U) CPU: 2-core

    8 GB RAM - Not upgradeable

    BANK 0/DIMM0 - 4 GB DDR3 1600 ok

    BANK 1/DIMM0 - 4 GB DDR3 1600 ok

    Battery: Health = Normal - Cycle count = 894

    Video Information:

    Intel Iris - VRAM: 1536 MB

    Color LCD 2560 x 1600


    disk0 - APPLE SSD SM0256F 251.00 GB (Solid State - TRIM: Yes)

    Internal PCI 5.0 GT/s x2 Serial ATA

    disk0s1 - EFI (MS-DOS FAT32) [EFI] 210 MB

    disk0s2 [APFS Container] 181.79 GB

    disk1 [APFS Virtual drive] 181.79 GB (Shared by 4 volumes)

    disk1s1 - m********i (APFS) (Shared - 150.73 GB used)

    disk1s2 - Preboot (APFS) [APFS Preboot] (Shared)

    disk1s3 - Recovery (APFS) [Recovery] (Shared)

    disk1s4 - VM (APFS) [APFS VM] (Shared - 1.07 GB used)

    disk0s3 - B******P (MS-DOS FAT12) 69.00 GB (67.88 GB used)

    Mounted Volumes:

    disk0s3 - B******P 69.00 GB (1.12 GB free)

    MS-DOS FAT12

    Mount point: /Volumes/B******P

    disk1s1 - m********i 181.79 GB (29.30 GB free)


    Mount point: /


    disk1s4 - VM [APFS VM] (Shared - 1.07 GB used)


    Mount point: /private/var/vm


    Interface en5: iPad

    Interface en4: iPhone

    Interface en0: Wi-Fi

    802.11 a/b/g/n/ac

    Interface en3: Bluetooth PAN

    Interface bridge0: Thunderbolt Bridge

    System Software:

    macOS Mojave 10.14.3 (18D109)

    Time since boot: Less than an hour


    Notifications not available without Full Drive Access.


    Gatekeeper: Enabled

    System Integrity Protection: Disabled

    Unsigned Files:

    Launchd: ~/Library/LaunchAgents/com.valvesoftware.steamclean.plist

    Executable: ~/Library/Application Support/Steam/SteamApps/steamclean Public

    Details: Exact match found in the whitelist - probably OK

    Launchd: /Library/LaunchDaemons/com.Disa.plist

    Executable: /usr/local/bin/Clypeastroida

    Details: Executable file is not accessible without Full Disk Access

    Launchd: ~/Library/Application Support/Steam/com.valvesoftware.steam.ipctool.plist

    Executable: ~/Library/Application Support/Steam/Steam.AppBundle/Steam/Contents/MacOS/ipcserver

    Details: Exact match found in the whitelist - probably OK

    32-bit Applications:

    11 32-bit apps

    Kernel Extensions:


    Soundflower.kext (MATT INGALLS, 2.0b2 - SDK 10.10)

    System Launch Agents:

    [Not Loaded] 17 Apple tasks

    [Loaded] 166 Apple tasks

    [Running] 116 Apple tasks

    System Launch Daemons:

    [Not Loaded] 37 Apple tasks

    [Loaded] 189 Apple tasks

    [Running] 108 Apple tasks

    [Other] One Apple task

    Launch Agents:

    [Running] com.adobe.AdobeCreativeCloud.plist (Adobe Systems, Inc. - installed 2019-05-27)

    [Running] com.adobe.GC.AGM.plist (Adobe Systems, Inc. - installed 2019-05-16)

    [Not Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2019-05-16)

    Launch Daemons:

    [Running] com.Disa.plist (? ac4858da - installed 2019-04-27)

    [Not Loaded] com.Epicaridea.plist (? edb2a65b - installed 2019-04-27)

    [Not Loaded] com.Pelobates.plist (? e72d60e6 - installed 2019-04-27)

    [Running] com.adobe.acc.installer.v2.plist (Adobe Systems, Inc. - installed 2019-05-27)

    [Running] com.adobe.agsservice.plist (Adobe Systems, Inc. - installed 2019-05-16)

    [Loaded] com.apple.installer.osmessagetracing.plist (Apple - installed 2019-02-05)

    User Launch Agents:

    [Loaded] com.adobe.GC.Invoker-1.0.plist (Adobe Systems, Inc. - installed 2018-12-10)

    [Running] com.amazon.music.plist (AMZN Mobile LLC - installed 2019-06-15)

    [Loaded] com.google.keystone.agent.plist (Google, Inc. - installed 2019-05-09)

    [Loaded] com.google.keystone.xpcservice.plist (Google, Inc. - installed 2019-05-09)

    [Loaded] com.valvesoftware.steamclean.plist (? 0 - installed 2019-06-15)

    Internet Plug-ins:

    AdobeAAMDetect: (Adobe Systems, Inc. - installed 2019-05-27)

    Audio Plug-ins:

    AppleTimeSyncAudioClock: 1.0 (Apple - installed 2018-11-30)

    BluetoothAudioPlugIn: 6.0.10 (Apple - installed 2019-02-13)

    AirPlay: 2.0 (Apple - installed 2019-02-13)

    AppleAVBAudio: 710.1 (Apple - installed 2018-11-30)

    BridgeAudioSP: 5.2 (Apple - installed 2019-02-13)

    iSightAudio: 7.7.3 (Apple - installed 2018-11-30)

    Time Machine:

    Time Machine information not available without Full Drive Access.


    System Load: 4.23 (1 min ago) 3.20 (5 min ago) 3.47 (15 min ago)

    Nominal I/O speed: 4.35 MB/s

    File system: 29.18 seconds

    Write speed: 548 MB/s

    Read speed: 756 MB/s

    CPU Usage Snapshot:

    Type Overall

    System 3 %

    User 3 %

    Idle 94 %

    Top Processes Snapshot by CPU:

    Process (count) CPU (Source - Location)

    Other processes 14.77 % (?)

    EtreCheck 6.48 % (App Store)

    Adobe Desktop Service 0.64 % (Adobe Systems, Inc.)

    Creative Cloud 0.60 % (Adobe Systems, Inc.)

    Adobe CEF Helper 0.40 % (Adobe Systems, Inc.)

    Top Processes Snapshot by Memory:

    Process (count) RAM usage (Source - Location)

    EtreCheck 533 MB (App Store)

    Adobe Desktop Service 268 MB (Adobe Systems, Inc.)

    Brave Browser 216 MB (Brave Software, Inc.)

    Brave Browser Helper 109 MB (Brave Software, Inc.)

    NotificationCenter 99 MB (Apple)

    Top Processes Snapshot by Network Use:

    Process Input / Output (Source - Location)

    mDNSResponder 260 KB / 17 KB (Apple)

    apsd 108 KB / 35 KB (Apple)

    netbiosd 103 KB / 1 KB (Apple)

    rapportd 367 B / 437 B (Apple)

    SystemUIServer 0 B / 64 B (Apple)

    Virtual Memory Information:

    Physical RAM: 8 GB

    Free RAM: 672 MB

    Used RAM: 4.35 GB

    Cached files: 3.00 GB

    Available RAM: 3.65 GB

    Swap Used: 0 B

    Software Installs (past 30 days):

    Install Date Name (Version)

    2019-05-17 SketchUp 8.0

    2019-06-03 Gatekeeper Configuration Data (167)

    2019-06-14 Malwarebytes for Mac

    2019-06-14 "Malwarebytes for Mac Uninstaller"

    2019-06-15 EtreCheck (5.2)

    Clean up:


    /Library/Application Support/Aguacateca/Dinocerata

    Executable not found


    /Library/Application Support/Macrourus/Tardenoisian

    Executable not found

    Diagnostics Information (past 7 days):

    Directory /Library/Logs/DiagnosticReports is not accessible.

    Enable Full Drive Access to see more information.

    End of report
    You should get rid of some of that malware.


    I'm certain that there is something you should look into.

    Look for these. Description of "Clypeastroida" https://www.hybrid-analysis.com/sam...99db6f1dcc576fe8a8e952b13af?environmentId=100

    Google wants to spell it differently.
    I already went into the library directories and deleted Macrourus and Aguacateca (I tried opening the folders, but it didn't allow me the permissions). But I wasn't sure if those other listings should be of concern. Should I just delete everything under "Clean up"?
    I believe you should, and I would suggest using Terminal and typing
    sudo rm -rf /Library/Application\ Support/'name of the folder to be deleted'
    on those directories which can't be deleted the usual way.

    The binary file in /usr/local/bin/ is to be deleted the same way.
    You can use Terminal auto-complete and type the first letter or two then press the Tab-key on the keyboard.

    Delete everything in the Clean Up part, yes. Also, remember the Launch Daemons too. Delete those relevant to what you've already deleted.

    You also might have to look into https://objective-see.com/index.html and check out the tools available - such as a dylib hijack scanner and Knock Knock plus the TaskExplorer tool just to get an idea of what is lurking on your Mac.

    Personally I would have wiped the Mac completely, reinstalling macOS Mojave or the macOS of your choice for your current Mac computer. I do hope that you get rid of everything in relation to the malware.

    Btw, don't download any malware from the website linked :p The author of these apps is well known for helping out with creating wonderful applications for the Mac that stop malware and such in its tracks. You can however also lock down your macOS to a point where a dialogue window pops up constantly asking if this is allowed to do that. I tried that myself and dialed back on using everything available to me
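The last few replies ask for two things: reading the third-party launch daemons out of the EtreCheck report and deleting the related plists, binaries and leftover folders with `sudo rm -rf`. The block below is an added example for this thread, not code from the thread, from EtreCheck or from Apple, and it uses only the Python standard library. It parses launchd plists with `plistlib`, flags the traits the report's `com.Disa` job shows (a two-part label with no vendor, an executable in `/usr/local/bin`, `RunAtLoad` plus `KeepAlive`), and then builds the removal commands in the right order and with the path quoted, refusing any path outside the trees the thread is talking about so a typo in a hand-typed `rm -rf` cannot wipe `/Library`. The two plists in `SAMPLE_PLISTS` are constructed: the `com.Disa` one mirrors the report's entry with an assumed body, and the Adobe one, including its executable path, is an assumption chosen to stand in for a benign vendor daemon.

```python
"""Triage launchd jobs from their plists and build a safe removal plan.

Added example for this thread; not code from EtreCheck, Apple or any poster.
Standard library only.  SAMPLE_PLISTS is constructed: the com.Disa body and the
Adobe executable path are assumptions made to mirror the posted report.
"""
import os
import plistlib
import shlex
from typing import Dict, List, Sequence

SAMPLE_PLISTS: Dict[str, bytes] = {
    "/Library/LaunchDaemons/com.Disa.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.Disa</string>
  <key>ProgramArguments</key>
  <array><string>/usr/local/bin/Clypeastroida</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>""",
    "/Library/LaunchDaemons/com.adobe.agsservice.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.agsservice</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Application Support/Adobe/AdobeGCClient/AGSService</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>""",
}

# Directories a legitimate vendor daemon almost never lives in.
SUSPICIOUS_EXEC_DIRS = ("/usr/local/bin/", "/tmp/", "/private/tmp/", "/var/tmp/", "/Users/Shared/")
# The only trees the removal plan will ever emit an rm for.
DELETABLE_PREFIXES = ("/Library/LaunchDaemons/", "/Library/LaunchAgents/",
                      "/Library/Application Support/", "/usr/local/bin/")


def load_job(plist_bytes: bytes) -> Dict[str, object]:
    """Pull the fields that matter for triage out of a launchd plist."""
    d = plistlib.loads(plist_bytes)
    args = d.get("ProgramArguments") or []
    exe = d.get("Program") or (args[0] if args else "")
    return {"label": d.get("Label", ""), "exe": exe,
            "run_at_load": bool(d.get("RunAtLoad")), "keep_alive": bool(d.get("KeepAlive"))}


def triage(job: Dict[str, object]) -> List[str]:
    """Reasons a job looks like the thread's miner; an empty list means nothing stood out.

    Structural checks only.  On the Mac itself also run
    `codesign -dv --verbose=4 <exe>` and compare the signer with the label's vendor.
    """
    label, exe = str(job["label"]), str(job["exe"])
    parts = label.split(".")
    reasons: List[str] = []
    if len(parts) < 3:
        reasons.append(f"label {label!r} is not vendor.product reverse-DNS")
    if len(parts) >= 2 and parts[1].lower() not in exe.lower():
        reasons.append(f"vendor {parts[1]!r} never appears in executable path {exe!r}")
    if exe.startswith(SUSPICIOUS_EXEC_DIRS):
        reasons.append(f"executable lives in {os.path.dirname(exe)}, unusual for a vendor daemon")
    if job["run_at_load"] and job["keep_alive"]:
        reasons.append("RunAtLoad + KeepAlive: launchd restarts it whenever it is killed")
    return reasons


def _safe(path: str) -> str:
    """Shell-quote a path; refuse non-canonical paths and anything outside the allowed trees."""
    if not path.startswith("/") or os.path.normpath(path) != path:
        raise ValueError(f"refusing non-canonical path {path!r}")
    if not path.startswith(DELETABLE_PREFIXES):
        raise ValueError(f"refusing path outside allowed trees {path!r}")
    return shlex.quote(path)


def removal_plan(plist_path: str, job: Dict[str, object],
                 extra_dirs: Sequence[str] = ()) -> List[str]:
    """Unload the job first, then delete plist, executable and leftover folders.

    Deleting the binary while the job is still registered leaves launchd retrying
    it (KeepAlive) and the plist pointing at nothing, which is what EtreCheck's
    'Executable not found' entries look like."""
    label = shlex.quote(str(job["label"]))
    if plist_path.startswith("/Library/LaunchDaemons/"):
        cmds = [f"sudo launchctl bootout system/{label}"]
    else:                                   # per-user agent: the user's GUI domain, no sudo
        cmds = [f"launchctl bootout gui/$(id -u)/{label}"]
    cmds.append(f"sudo rm -f -- {_safe(plist_path)}")
    if job["exe"]:
        cmds.append(f"sudo rm -f -- {_safe(str(job['exe']))}")
    for d in extra_dirs:
        cmds.append(f"sudo rm -rf -- {_safe(d)}")
    return cmds


def triage_all(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    return {path: triage(load_job(raw)) for path, raw in plists.items()}


if __name__ == "__main__":
    # Offline demo on the constructed plists.  On the affected Mac, build the dict
    # from open(p, "rb").read() for each p in glob("/Library/LaunchDaemons/*.plist").
    leftovers = ["/Library/Application Support/Macrourus", "/Library/Application Support/Aguacateca"]
    for path, reasons in triage_all(SAMPLE_PLISTS).items():
        print(path, "->", "SUSPICIOUS" if reasons else "ok")
        for r in reasons:
            print("   ", r)
        if reasons:
            print("\n".join("    " + c for c in removal_plan(path, load_job(SAMPLE_PLISTS[path]), leftovers)))
```

Two caveats the thread glosses over. `launchctl bootout` (or the older `launchctl unload`) comes before any `rm`, otherwise the job stays registered and launchd keeps trying to respawn it; and with System Integrity Protection disabled, as the report shows, nothing stops a root job from writing outside `/Library`, so a clean result from this triage on the posted locations is not proof the machine is clean, which is why the wipe-and-reinstall advice above still stands.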

