Malwarebytes not finding Miner Trojan on scan.


Hey, 

I recently let a friend of mine borrow my computer for a couple of weeks to produce some music and have noticed that some malware has potentially been installed. Initially Malwarebytes cleared up a cryptojacking miner and quarantined it. However, upon scanning with Avast and doing a deep scan, I appear to have another file, which Avast calls MacOS:Miner-AA (Trj), installed into /usr/local/bin/main.data. It cannot be removed using Avast and isn't recognised by Malwarebytes at all. I haven't noticed any particularly high CPU readings in Activity Monitor either, but seeing as permissions seem to have been set up to stop me accessing the file, I'm concerned it is blocking antivirus and causing issues. 

Any advice on how to remove this would be great, many thanks. 

 


Hi @robertwhite41,

It seems some audio software was installed while turning off the System Integrity Protection (SIP).

The file is just data belonging to the same app and is not executable, thus it won't harm the system.

Please turn off SIP with the help of the article below, compress the main.data file, and attach the zip file to this topic.

Then run a scan with Avast and the file should be quarantined. Once the file is successfully removed, enable the SIP again.

https://www.imore.com/how-turn-system-integrity-protection-macos

Let us know if this helps or not.

3 hours ago, adas said:

Hi @robertwhite41,

It seems some audio software was installed while turning off the System Integrity Protection (SIP).

The file is just data belonging to the same app and is not executable, thus it won't harm the system.

Please turn off SIP with the help of the article below, compress the main.data file, and attach the zip file to this topic.

Then run a scan with Avast and the file should be quarantined. Once the file is successfully removed, enable the SIP again.

https://www.imore.com/how-turn-system-integrity-protection-macos

Let us know if this helps or not.

Yeah, works great now, many thanks.

 

1 hour ago, robertwhite41 said:

compress the main.data file and attach the zip file to this topic.

You have not done this yet.


@adas, from the Malwarebytes staff, wants to analyze it, probably to see if it's something Malwarebytes needs to detect.


I found a copy of that file, and it definitely looks like a component of BirdMiner. It's just a data file, and not critical to remove if all the other BirdMiner-related items have been removed, but we'll still get that added to the database.

As for why it can't be removed, we're seeing an issue right now where bugs in macOS are causing some BirdMiner files to become protected by System Integrity Protection (SIP). This is not normal, but it means that there is no way to remove the file without disabling SIP. I'd follow the recommendation of adas above to turn off SIP, then delete the file. Make sure you turn SIP back on again when you're done.

One last point - these bugs only trigger if you install something with SIP turned off. This is something that you should NEVER do, for security reasons. After you've got this file removed, keep SIP turned on, and do not disable it again.

