Removing Malware - help please


#1

Ok, firstly a mea culpa. In a moment of weakness (post dinner + wine++), I down loaded and installed malware of some type.

It was the fake Adobe Flash update request that some website was asking for, and because I had recently upgraded to 10.14 I assumed it was needed following that.

The following morning I noticed safari was sluggish and then unresponsive. This is what I’ve done so far to try and remove it:

  • deleted the installation files and downloads.
  • Deleted the browser I downloaded it on (Opera).
  • Ran Bytedefender (from the App Store) and sure enough that found some malicious files, in various locations named ‘PegasusSearch’. Deleted those and restarted, problem NOT fixed.
  • ran Bytedefender again (on entire HD), no further problematic files found.
  • checked Safari extension, there are none.
  • deleted Safari website data and cookies and history.
  • restarted, no change.
  • opened Activity monitor and can see PegasusSearch running under network (see attachment).
  • With Safari running I Force Quit that process, and Safari recoveries, briefly, but I can see PegasusSearch returning and that coincides with Safari ceasing functioning (losing access to the net).
  • I note PegasusSearch is sitting in ‘root’.
  • I run reinstall of Mac OS Mojave, thinking that would fix it.
    It hasn’t!

Ok, so what next? There are two obvious options: I backedup to Timemachine prior to updating the OS (unfortunately though, not afterwards).

Do I Restore from that? Will that revert back to the previous OS? If it doesn’t will the problem still reside in OS 10.14?

Is there anything else I can do prior to a complete erase and doing a clean install?

Welcome any suggestions as I’m at head scratching point.


#2

Try running Malwarebytes, I usually have success with it.

https://www.malwarebytes.com


#3

Interesting that there’s not much out there related to PegasusSearch - generally you can get detailed manual removal instructions if you Google the name of the thing. Unfortunately, once something is installed it can have placed anything, anywhere on your Mac, which makes removal difficult if you don’t know where to look, and removing the files you use to download it doesn’t help much, nor will reinstalling over the top due to how user data isn’t touched during a regular reinstall.

If Malwarebytes doesn’t fix it, I found a German forum (translated) that suggests you’ll also need to remove the associated LaunchDaemons and LaunchAgents (and the executables they point to).

Check the following locations and remove anything related to PegasusSearch or anything that doesn’t look legit, i.e. from a company name you recognise:

~/Library/LaunchAgents/ (i.e. /Users/<yourusernamehere>/Library/LaunchAgents)
/Library/LaunchDaemons/

Then I also recommend clicking on the PegasusSearch process in Activity Monitor, hitting the Info button, then Sample, and seeing where the actual executable lives. It might be in ~/Library/Application Support, or in /Library/Application Support, or maybe even somewhere else even obscure like /var/root. If you need a hand with this, this site has decent enough steps with screenshots.

After that, give it a reboot and see if you’re in the clear.

But not to worry - in my experience, most common malware is just annoying and not truly malicious.

A clean install and restore from last known good backup is the only way to be sure you got removed everything, but sometimes you can get away with “good enough” removal if you don’t want to go through that.


#4

Ok, checked LaunchAgents and LaunchDaemons and found PegasusSearch in the later. Deleted it.

Downloaded and ran Malwarebytes and it found further Malware by the name of Macbooster and Macbooster 2. Deleted those and restarted.

Opened Safari and checked Activity Monitor for any sign of PegasusSearch, none.

Did some work using Safari and it all went smoothly, prior to logging off checked activity monitor again, still no sign of the bug.

So so far so good. Will report back if it returns, otherwise solved!

Thanks guys.