
Freida

Original poster
Hello guys, can you please help me out?

I have run different antimalware/antivirus scanners on my computer and all of them found this same infection:
OSX/RSplug.gen10 (some have different labels for it, but it's still in the same path etc.)
None of the antiviruses are able to cure or delete it, so every time I run the scan it shows up again.
It's in /private/var/root/1

I have unhidden hidden files but I'm still unable to access the root folder to find this strange "1" file.

Is there a way to remove it, please? Can you advise me and also tell me what it could be, please?
Other names were Spigot trojan or something like that.
 
What version of macOS are you running and what scanners have you used? What behaviour made you look for malware?
/private/var/root should not only be hidden but also permission locked.

If you're certain it's malware and not a false positive you can try and see if you can remove it with sudo rm <path>. It should be possible with sudo privilege escalation.
 
I'm running the latest version of the previous system. I'm not on Catalina.
I got some weird emails a few weeks ago so decided to test my system, so I downloaded ClamXAV first. Did the trial and it always found this thing. Yes, those folders are hidden, which is why I unhid them. Root is locked and I don't know how to unlock it to access it.
I have tried Avira and now Intego. All these 3 show the same thing, although Intego labels it differently.
How does one know if it's a false positive?
I just wonder how to get rid of it OR how to know if it's actually a false read as you've mentioned.
Above all, thank you for helping me out :)
Really nice of you :)

 
You can run sudo ls -a /private/var/root/1 in Terminal to see what's inside and sudo rm -r /private/var/root/1 to delete it.
A folder named 1 should not be there in Mojave or Catalina.
 
It may not be a folder, it may be a file. Is that still the case, please?
 

It certainly isn't there on my machine either, but I'm always wary about suggesting people delete such things in case they have some valid program that's put it there; though it would be a rather odd place to put something like that.


If the ls command is run on a file it will just print the name of the file. If -l is passed it will print extra information about it.
rm will delete a file; -r just means to also delete sub-elements if it's a folder.
 
I did sudo ls -a /private/var/root/1 and I got /private/var/root/1 as an answer after I put in my password.

Now, what do you mean by -l? Should I change the command to sudo ls -a -l /private/var/root/1 instead? Please.

ls is just the list command. Adding the -l flag, exactly like you wrote it, will just print more information. If you want to delete it, just run the rm command on it.
 
Thank you. I got this, so I would assume it's safe to delete? Maybe a leftover from my Mac Pro 2008? As I always restored a new computer from old computer backups and never set a new computer up as new. And in the past 12 years I had 6 computers, so maybe :)

-rw-r--r-- 1 root wheel 509 27 Sep 2008 /private/var/root/1

 
Legitimate apps do not create files or folders named 1 in /private/var/root/. I would just delete it.
If you are unsure, try with
Kaspersky Internet Security for Mac https://support.kaspersky.com/kis20mac or
Bitdefender Antivirus for Mac https://www.bitdefender.com/solutions/antivirus-for-mac.html

I would just delete it as well, yeah.
Though I have seen in the past that Microsoft are awfully happy naming their files ***** like 1. Though never in /private/var/root.
 
Thank you guys, I've tried but I get this :-(

rm -r /private/var/root/1
rm: /private/var/root/1: Permission denied

now what?
 
I would reinstall the OS. Simply deleting that file is not enough. Any malware that was able to write to that directory could do almost anything else to your system. Any time an attacker gets root privileges it is best to consider the install hosed.
 
Cheers, deleted now ;)


You forgot sudo in front of all that
You are right most likely, but I'm just about to buy a new iMac (when they update it) so will just wait. Deleted the file and tried different antiviruses and it seems ok. The new iMac will not get a transfer, but I think I'll start fresh with manual transfers :)

 
Thank you, I've checked the internet settings on Wi-Fi and on Ethernet.
Wi-Fi has 2 addresses, both greyed out, so I can't remove either of them,
and Ethernet has one greyed out too.

Wifi has 192.168.x.x
207.164.xxx.xxx
search domain: 'home' - is that valid or is that a problem?

Ethernet has:
172.18.x.xx
172.18.x.xx
search domain : (work address) so probably ok

Thank you guys for helping, appreciate that a lot


Maybe you should have sent it to the Internet Archive's Software category, it's really a historic trojan :) https://en.wikipedia.org/wiki/RSPlug
This is just another example of why restoring from backups is a bad idea.
Just to be sure it wasn't active on your current system, check your DNS settings https://support.apple.com/guide/mac-help/mchlp2720/mac
 
If your Internet provider is Bell Canada, then 192.168.x.x 207.164.xxx.xxx with search domain home seems like a valid configuration.
Some public DNS providers now offer protection against malware
Quad9 DNS https://www.quad9.net
Cloudflare No Malware https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
About the Ethernet settings, you should contact your IT department to confirm the configuration.
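The DNS check recommended above can be scripted. The following is an added example written for this thread, not a tool from Apple, Quad9 or Cloudflare. RSPlug worked by changing the Mac's DNS servers, so the thing to verify is that every resolver the system uses is one you can account for: a private-network address (the home router or a local forwarder) or a public resolver you chose yourself. The functions read the output of `scutil --dns` or `networksetup -getdnsservers <service>` on stdin and flag anything else. The allow-list of public resolvers is my assumption and should be edited to match what you actually use; an ISP-assigned resolver such as the 207.164.x.x address mentioned earlier will be flagged, which is deliberate: confirm it against what the ISP publishes rather than trusting it because it is there. The sample input is constructed, not captured from the poster's Mac, and only IPv4 resolvers are examined.

```shell
#!/bin/sh
# Added example: flag DNS resolvers that are neither on the local network nor
# a public resolver you picked yourself.  On a Mac:
#   scutil --dns | sh check_dns.sh --check
#   networksetup -getdnsservers Wi-Fi | sh check_dns.sh --check
#   sh check_dns.sh --demo          (runs the constructed sample below)

# Public resolvers you trust (assumption: edit to taste).  Quad9, Cloudflare
# 1.1.1.1 and its malware-blocking 1.1.1.2/1.0.0.2 variant, Google.
KNOWN_PUBLIC="9.9.9.9 149.112.112.112 1.1.1.1 1.0.0.1 1.1.1.2 1.0.0.2 8.8.8.8 8.8.4.4"

# RFC 1918 private ranges plus loopback: a resolver here is the home router
# or a local forwarder, which is what a normal consumer setup looks like.
is_private() {
    case "$1" in
        10.*|192.168.*|127.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

is_known_public() {
    for k in $KNOWN_PUBLIC; do [ "$k" = "$1" ] && return 0; done
    return 1
}

# Pull IPv4 resolver addresses out of either scutil --dns output
# ("  nameserver[0] : 9.9.9.9") or networksetup output (one bare IP per
# line).  IPv6 resolvers are ignored by this example.
extract_resolvers() {
    sed -n -E 's/^[[:space:]]*nameserver\[[0-9]+\][[:space:]]*:[[:space:]]*//; /^[0-9]+(\.[0-9]+){3}$/p' | sort -u
}

# Print one line per resolver, "ok" or "UNEXPECTED"; return 1 if any resolver
# is unexpected so the function can gate a larger script.
check_resolvers() {
    bad=0
    for ip in $(extract_resolvers); do
        if is_private "$ip" || is_known_public "$ip"; then
            echo "ok         $ip"
        else
            echo "UNEXPECTED $ip"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample in scutil --dns format (not captured from any real Mac):
# a home router, Quad9, and a stray resolver of the kind a DNS changer adds.
# 198.51.100.0/24 is a documentation range.
SAMPLE='resolver #1
  nameserver[0] : 192.168.2.1
  nameserver[1] : 9.9.9.9
resolver #2
  nameserver[0] : 198.51.100.53'

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE" | check_resolvers ;;
    --check) check_resolvers ;;
esac
```

A resolver on the "UNEXPECTED" list is not proof of infection, but it is the one thing worth explaining before concluding the machine is clean: either it is your ISP's or VPN provider's published resolver, or someone put it there.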
 
Thank you, I'm using NordVPN so I think I am connected through Bell Canada, so I guess all is good then. Will make sure the new computer is set up correctly this time and no leftover garbage will be transferred :)
Thank you so much guys for all the help, very educational and helpful :)

 
I have the same problem with a file in the Mac2 which I am denied access to. It keeps being quarantined by every anti-virus I have tried. I delete it and it just keeps reappearing. I have read all the answers here, and tried the solutions mentioned, but every time I just get the word "password" and a locked key, which will not let me type in my computer's password or anything else. Anyone got any other suggestions please? This is the annoying file/programme that keeps getting quarantined.
 

Attachment: Screenshot 2022-06-29 at 11.36.05.jpg