New Member

keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix this?

The following file is detected as a threat. I follow the instructions to quarantine and then delete it; however, it is almost immediately rediscovered. Below is the log file output showing multiple attempts to get rid of it. Any suggestions?

 

Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:05:48

Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]

Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:06:26

Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]

Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:07:09

Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]

 

17 REPLIES

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Hello and Welcome to the Webroot Community!

 

Well, this is from your Mobile Backups, and the MD5 hash is unknown, so please submit a Support Ticket and they will look into it for you.

 

MD5: 00000000000000000000000000000000

 

Thanks,

 

Daniel ;)

Gold VIP

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Hello @arayjames,

 

Welcome to the Webroot Community,

 

Thank you @RetiredTripleHelix, you got here before me.

 

These are in your Mobile Backup (Time Machine).

 

Webroot is unable to remove any files from backups due to the way that OS X is set up. I recommend that you allow the files in your backup, or, if you are not using Time Machine backup, turn it off in your settings; this will resolve your issues.

 

Please have a look HERE and HERE

 

These posts are from our Mac Threat Researcher @Wanderingbug explaining this issue.

 

More explanation here at this post.

 

You can also submit a Support Ticket and see if they can help you with your issues, free of charge with an active Webroot subscription.

 

Hope this helps?


Sherry




Microsoft® Windows Insider MVP - Windows Security



Helpful Webroot Links:

Download (PC) | Download (Best Buy Subscription) | Submit Trouble Ticket | Account Console | User_Guides | BrightCloud URL lookup

Register
and Introduce yourself to The Community!

ALIENWARE 17R4 Win 10 Pro x64 / Mac OS X El Capitan (10.11.6), IPad's, PCs,W 10 & (VM:14) & Webroot® SecureAnywhere™ Internet Security Complete (Android Samsung Galaxy Note 8) Beta Tester,Windows Insider Builds

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

@Ssherjj a Big Mac attack. LOL

 

Thanks,

 

Daniel ;)

Retired Webrooter

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Hello arayjames,

 

This file is in the Apple Kext Exclude List, which is a file that Apple uses to allow certain files to run on the machine without Gatekeeper's permission. The reason we are picking it up is that we are looking for a string of code which Apple is also looking for. There is an exclusion in place to allow the file on the actual machine, but we do not have an exclusion for backups like this, as this would cause an exploit in our detections.

 

We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.

 

Regards,

 

Devin T Byrd
Former Mac Threat Research Analyst
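The following is an added example, written for this thread and not code from Webroot or from Apple, that models the situation Devin describes: a content-based signature that hits an allow-list plist, an exclusion that covers the live on-disk path only, and the same file turning up again under a local Time Machine snapshot prefix such as the `/.MobileBackups/Computer/<timestamp>/Volume/` path in the log above. The signature string, the plist contents, the bundle identifiers and the function names are all constructed placeholders; the real detection string is not disclosed in the thread.

```python
"""Constructed model of a content signature hitting an allow-list plist,
and of how a path-only exclusion behaves for live vs. snapshot copies."""
import plistlib
import re

# Constructed stand-in for the real detection string (not disclosed in the thread).
# Any scanner that matches a literal substring in file content will also hit an
# allow/exclude list that merely names the same identifier.
SIGNATURE = b"com.example.placeholder-monitor"

# Constructed miniature of an AppleKextExcludeList-style Info.plist. The real
# file is far larger; only the shape matters here.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>OSKextExcludeList</key>
  <dict>
    <key>com.example.placeholder-monitor</key>
    <string>LE 1.0</string>
    <key>com.example.other-driver</key>
    <string>LT 2.3</string>
  </dict>
</dict>
</plist>
"""

# Live-volume location of the file (as in the thread's log, minus the snapshot prefix).
LIVE_PATH = "/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist"

# The exclusion the thread describes: it covers the live copy by exact path only.
ALLOW_EXACT_PATH = {LIVE_PATH}

# Prefix used by local Time Machine snapshots, as seen in the log entries above.
SNAPSHOT_RE = re.compile(r"^/\.MobileBackups/[^/]+/\d{4}-\d{2}-\d{2}-\d{6}/Volume(/.*)$")


def content_matches(data: bytes) -> bool:
    """Naive substring signature check, the behaviour the thread attributes to the scanner."""
    return SIGNATURE in data


def exclude_list_entries(data: bytes) -> list:
    """Parse the plist and return the bundle identifiers it lists (sorted)."""
    plist = plistlib.loads(data)
    return sorted(plist.get("OSKextExcludeList", {}).keys())


def normalise_snapshot_path(path: str) -> str:
    """Map a path inside a local snapshot back to the live-volume path it mirrors.

    Paths that are not under a snapshot prefix are returned unchanged.
    """
    m = SNAPSHOT_RE.match(path)
    return m.group(1) if m else path


def verdict(path: str, data: bytes, normalise_backups: bool = False) -> str:
    """Return 'clean', 'allowed' or 'detected' for one file.

    With normalise_backups=False the exclusion applies to the live path only,
    so a snapshot copy of an allowed file is still reported (the thread's case).
    With normalise_backups=True the snapshot copy inherits the live exclusion.
    """
    if not content_matches(data):
        return "clean"
    effective = normalise_snapshot_path(path) if normalise_backups else path
    return "allowed" if effective in ALLOW_EXACT_PATH else "detected"


if __name__ == "__main__":
    snapshot = "/.MobileBackups/Computer/2015-10-27-161640/Volume" + LIVE_PATH
    print("identifiers listed:", exclude_list_entries(SAMPLE_PLIST))
    print("live copy        :", verdict(LIVE_PATH, SAMPLE_PLIST))
    print("snapshot, strict :", verdict(snapshot, SAMPLE_PLIST))
    print("snapshot, mapped :", verdict(snapshot, SAMPLE_PLIST, normalise_backups=True))
```

The `normalise_backups=True` branch shows what a broadened exclusion would look like; it silences the repeat detections in the log, but it is also exactly the kind of wider exclusion Devin's post says the vendor avoids, because anything placed under the snapshot prefix would then inherit the live file's allowance. The safer defender-side options remain the ones in the post: leave the specific backup copies allowed in the removal page, or keep the file out of future backups (on the command line, `tmutil addexclusion -p <path>` is the equivalent of adding it to Time Machine's exclusion list).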

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Thanks Devin for the info it's much appreciated!

 

Daniel ;)

Gold VIP

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Thank you Devin! Very clearly stated..appreciated the help!


Sherry




Silver VIP

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

So, if I understand it right @Wanderingbug, it is essentially a "Non-False-Positive" False Positive? Really an FP, but one that is there for a reason and not able to be fixed, as it would open an exploit.


David

         

New to the Community? Register now and start posting!



Helpful Webroot Links:


Download (PC) | Download (Best Buy Subscription) | Submit Trouble Ticket | Account Console | User Guides



"If you don't learn something new every day, you need to pay more attention. I often get my daily learning here so grab a chair and stay a while!"

WSA-Complete (Beta PC), WSA Mobile (Android), WSA Business Mobile (Android) WSA-Endpoint (PC- Some of the time.....)
Retired Webrooter

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

Sort of... So the actual file is an FP, but it is an FP only because Apple decided that it was a good idea to create a file that has a giant list of file names/paths/drivers/etc., so I don't know whose bright idea that was, but that is why we detect them, lol. The file is 23554 lines of software that they are allowing. It looks like this...

[Screenshot: Screen Shot 2015-11-02 at 10.02.07 AM.png]

Devin T Byrd
Former Mac Threat Research Analyst
Gold VIP

Re: keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix th

All I can say is WOW... unreal!!


Sherry



