
Continuous quarantined threats that won't delete



Hello,

I just removed what was apparently 22 items of malware with the Malwarebytes trial, but I keep getting live-protection updates about new quarantined threats every five minutes or so. I am currently up to six detected threats, see screenshot. I tried clearing the quarantine twice, but they just keep coming back and multiplying. The scan comes back as clean. What does this mean? How do I make sure that all malware is promptly detected and deleted?

I was using Bitdefender in parallel, which detects 3 threats that it cannot disinfect, quarantine or delete, which also keep coming back when I try to manually delete them. They show up as in the screenshot, and I'm not sure if they're even the same items?

Please help, I'm completely inexperienced with these kinds of things and have no idea what to do.

Screen Shot 2018-04-07 at 20.42.14.png

Screen Shot 2018-04-07 at 20.39.56.png


I can't figure out how to get the scan logs, but here is the one from Bitdefender, if that helps in any way:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>logVersion</key>
    <string>1.1</string>
    <key>scanDetails</key>
    <array>
        <string>1</string>
        <string>/.cleverfiles/hlink.ref/crutter_aquose.cd8f3402-59e3-4178-b640-177248f186f9.8f9f73be-2a94-4170-933c-4ff83867d1c0.c2413d3c-39c6-4aaf-bfdd-d8ab73654162</string>
        <string>Gen:Variant.Adware.MAC.Pirrit.1</string>
        <string>20</string>
        <string>149</string>
        <string>1</string>
        <string>/.cleverfiles/hlink.ref/mk.pkg.f28fe604-bd8e-4cb8-a8b8-1655297a46d0.c5c1e948-e567-4159-83f0-a2547c206c72.39d7fc48-ec5f-4bc5-8f0d-3ae0f474e5e8=&gt;SignUpInstallerPane=&gt;(Mach-O I386 ALL)</string>
        <string>Gen:Variant.Application.MAC.PazaCA.1</string>
        <string>20</string>
        <string>141</string>
        <string>1</string>
        <string>/.cleverfiles/hlink.ref/mk.pkg.f28fe604-bd8e-4cb8-a8b8-1655297a46d0.c5c1e948-e567-4159-83f0-a2547c206c72.39d7fc48-ec5f-4bc5-8f0d-3ae0f474e5e8=&gt;SignUpInstallerPane=&gt;(Mach-O x86-64 ALL)</string>
        <string>Gen:Variant.Application.MAC.PazaCA.1</string>
        <string>20</string>
        <string>141</string>
    </array>
</dict>
</plist>

Here's something that worked for another user who had similar issues:

- Go to the Go menu at the top of your screen, and select "Library" - you may have to hold down the option key (sometimes labelled 'alt' on your keyboard) to make the "Library" item appear.
- When the library window opens, drag the folder "hlpramc" to the trash.

It's probably hiding someplace else then. Check the Library directory at the root level of your drive, rather than the one in your user folder to see if it might be there.

What seems to be happening is that Malwarebytes is attempting to move it to your Quarantine folder by copying it there and then deleting the original, but for whatever reason may not be able to perform the last step to delete it from its original location. So it repeats this with every scan.

Or maybe it was moved to your Quarantine folder, but isn't removed by Empty Trash, so the next scan moves it back to Quarantine. 

Try holding the <Option>-key down when selecting "Empty Trash". Doesn't always work for stubborn files, but worth a try.


I managed to delete the three files Bitdefender found with that strategy, so those scans are showing up clear now.

However, I found the 'hlpramc' files at the root level and emptied the trash using alt, but they keep coming back and Malwarebytes keeps quarantining... sigh. These seem indeed to be some particularly stubborn files (some of which I suspect are spyware, so I'm anxious to get rid of them), so what more can I do? Burn it all down?


About all I can tell you is that this folder has never been associated with Spyware of any kind. It's associated with a recent variety of Pirrit Adware.


That makes sense - to clarify, spyware was positively one form of malware I had before, to the point where there were several login attempts to various accounts of mine, but I'm glad to be assured they were deleted in the first round.

Yep, Pirrit Adware showed up before I managed to delete it. Screenshot below.

So my computer is now supposedly clean, according to scans in both applications and when looking for the folder on my hard drive, except Malwarebytes doesn't seem to get it. Any ideas why, or where else I could get assistance with this?

Screen Shot 2018-04-09 at 19.50.17.png


7 hours ago, azs said:

Any ideas why, or where else I could get assistance with this?

I was hoping we would be joined by a staff member now that the weekend is over, but maybe that will happen tomorrow.

The only exercise I would recommend at this time is to try to get to the bottom of where the original hlpramc folder is located.

To do that you will need one of the following tools:

Find Any File https://itunes.apple.com/us/app/find-any-file-faf/id402569179?mt=12 (Faster, more thorough for this particular job, but $8 USD)

Easy Find https://www.devontechnologies.com/products/freeware/

For guidance on which is best read "Alternatives to Easy Find" at the bottom of http://apps.tempel.org/FindAnyFile/index.php.


  • Staff

Regarding those hlpramc folders, those are associated with Advanced Mac Cleaner. If you are using a recent version of Malwarebytes for Mac, it should have alerted you to restart your computer when those items were quarantined. If you don't restart, an Advanced Mac Cleaner process is probably still running, and keeps re-creating that folder. Restart your computer, then scan with Malwarebytes for Mac and remove anything remaining.

As for what Bitdefender is finding, it appears those files are in a folder created by Disk Drill. They may very well be components of Pirrit that were recovered by Disk Drill, but they're completely inactive in that location and cannot be run from there. They also may be false positives on the part of Bitdefender.

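The staff reply above says a still-running Advanced Mac Cleaner process keeps re-creating the hlpramc folder until the machine is restarted, and the earlier reply recommends tracking down where the original folder actually lives. The shell script below is an added example, not part of this thread and not Malwarebytes or Bitdefender tooling: it lists every directory named hlpramc under the user and system Library folders, lists launchd property lists in the LaunchAgents/LaunchDaemons folders whose contents mention that name (a leftover plist there is what would relaunch a helper at login; the thread does not name the actual plist files, and none are assumed here), and lists running processes whose command line mentions the name. The search roots, the function names and the NO_REPORT variable are my assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Locate a stubborn folder by name,
# find launchd plists that reference it, and check for a live process.
# The name "hlpramc" comes from the thread; the search roots below and the
# LaunchAgents/LaunchDaemons check are assumptions for illustration.

# Print every directory named "$1" under the remaining arguments, one per
# line. Roots that do not exist (e.g. /Library on a non-Mac) are skipped.
find_named_dirs() {
    name="$1"; shift
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -name "$name" 2>/dev/null
    done
    return 0
}

# Print every *.plist file under the given directories whose contents mention
# "$1". A surviving plist here is what relaunches a helper at login, which is
# one reason a deleted folder can reappear after the next scan.
find_referencing_plists() {
    name="$1"; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.plist; do
            [ -f "$f" ] || continue
            grep -q -- "$name" "$f" 2>/dev/null && printf '%s\n' "$f"
        done
    done
    return 0
}

# Print the PIDs of running processes whose command line mentions "$1".
# If this prints anything, the process the staff reply describes is still
# alive and will keep re-creating the folder until you restart.
running_pids() {
    ps -eo pid=,args= 2>/dev/null | grep -- "$1" | grep -v 'grep' | awk '{print $1}'
    return 0
}

# Run all three checks for one name against the usual macOS locations.
report() {
    name="$1"
    echo "== directories named $name =="
    find_named_dirs "$name" "$HOME/Library" /Library
    echo "== launchd plists referencing $name =="
    find_referencing_plists "$name" \
        "$HOME/Library/LaunchAgents" /Library/LaunchAgents /Library/LaunchDaemons
    echo "== running processes mentioning $name =="
    running_pids "$name"
}

# Run the report when executed directly; set NO_REPORT=1 to only load the functions.
[ -n "${NO_REPORT:-}" ] || report hlpramc
```

Run it as `sh check_hlpramc.sh` on the affected Mac and read the output before deleting anything: a plist hit tells you what to remove alongside the folder, and a PID hit means a restart (as the staff reply says) is needed before the folder will stay gone. Deleting a plist from /Library requires administrator rights.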
