keylogger.spectorpro.r is detected as a threat. However, unable to remove it. How can I fix this?

  • 1 November 2015
  • 17 replies
  • 189 views

The following file is detected as a threat. I follow instructions to quarantine, then delete it, however, it is almost immediately rediscovered again. Below is the log file output showing multiple times to get rid of it. Any suggestions?
 
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:05:48
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:06:26
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:07:09
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
 


Userlevel 7
Badge +56
Hello and Welcome to the Webroot Community!
 
Well this is from your Mobile Back Ups and the MD5 hash is unknown so please Submit a Support Ticket and they will look into it for you.
 
MD5: 00000000000000000000000000000000
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
Hello ?,
 
Welcome to the Webroot Community,
 
Thank you ? you got here before me..
 
These are in your Mobile Backup. The Time Machine
 
Webroot is unable to remove any files from backups due to the way that OSX is set up. I recommend that you allow the files in your backup or, if you are not using Time Machine backup, to turn it off in your settings and this will resolve your issues.
 
Please have a look HERE and HERE
 
These posts are from our Mac Threat Researcher ? explaining this issue.
 
More explanation here at this post.
 
You can also submit a Support Ticket and see if they can help you with your issues free of charge with an active Webroot subscription.
 
Hope this helps?
Userlevel 7
Badge +56
? a Big Mac attack. LOL
 
Thanks,
 
Daniel 😉
Userlevel 7
Hello arayjames,
 
This file is in the Apple Kext Exclude List, which is a file that Apple uses to allow certain files to run on the machine without Gatekeeper's permission. The reason we are picking it up is because we are looking for a string of code which Apple is also looking for. There is an exclusion in place to allow the file on the actual machine but we do not have an exclusion for backups like this as this would cause an exploit in our detections.
 
We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.
 
Regards,
 
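To make the explanation above concrete, here is an added triage helper (not Webroot's code, written for this thread) that parses the Automated Cleanup Engine log lines from the first post, maps a local Time Machine snapshot path under /.MobileBackups back to the live file it mirrors, counts how often the same live file is re-detected, and flags the all-zero MD5 as an unknown hash. The log format and the /.MobileBackups/Computer/<stamp>/Volume layout are assumed from the paths shown in the thread; the sample log is constructed from those lines.

```python
import re
from collections import Counter

# Constructed sample: the three detections quoted in the original post.
SAMPLE_LOG = """\
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:05:48
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:06:26
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
Automated Cleanup Engine
Starting Cleanup at 2015-Nov-01 13:07:09
Starting Routine> Detected /.MobileBackups/Computer/2015-10-27-161640/Volume/System/Library/Extensions/AppleKextExcludeList.kext/Contents/Info.plist [Name: "Keylogger.SpectorPro.r", MD5: 00000000000000000000000000000000]
"""

# Assumed log grammar, taken from the lines above: path, detection name, 32-hex MD5.
DETECT_RE = re.compile(
    r'Detected (?P<path>\S+) \[Name: "(?P<name>[^"]+)", MD5: (?P<md5>[0-9a-fA-F]{32})\]')
# Assumed local-snapshot layout: /.MobileBackups/Computer/<stamp>/Volume/<live path>
SNAPSHOT_RE = re.compile(
    r'^/\.MobileBackups/Computer/(?P<stamp>[0-9-]+)/Volume(?P<live>/.*)$')

def parse_detections(log_text):
    """Return one dict per 'Detected' line, resolving snapshot copies to live paths."""
    found = []
    for line in log_text.splitlines():
        m = DETECT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        snap = SNAPSHOT_RE.match(d["path"])
        d["snapshot"] = snap.group("stamp") if snap else None
        d["live_path"] = snap.group("live") if snap else d["path"]
        # An all-zero MD5 means the engine has no hash for this sample.
        d["hash_known"] = set(d["md5"]) != {"0"}
        found.append(d)
    return found

def triage(detections):
    """Group repeated hits by the live file they point at; one summary per file."""
    hits = Counter(d["live_path"] for d in detections)
    report = {}
    for d in detections:
        report.setdefault(d["live_path"], {
            "hits": hits[d["live_path"]],
            "in_backup": d["snapshot"] is not None,
            "hash_known": d["hash_known"],
            "name": d["name"],
        })
    return report

if __name__ == "__main__":
    for path, info in triage(parse_detections(SAMPLE_LOG)).items():
        where = "backup snapshot copy of" if info["in_backup"] else "live file"
        print(f'{info["name"]}: {info["hits"]} hit(s), {where} {path}, '
              f'hash {"known" if info["hash_known"] else "unknown"}')
```

A single live path with several hits, all from a snapshot and with an unknown hash, is the pattern this thread describes: the detection is re-fired on a read-only backup copy rather than on a file the scanner can act on.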
Userlevel 7
Badge +56
Thanks Devin for the info it's much appreciated!
 
Daniel 😉
Userlevel 7
Badge +62
Thank you Devin! Very clearly stated..appreciated the help!
Userlevel 7
So, if I understand it right ?, it is essentially a "Non-False-Positive" False Positive.  ?  Really an FP, but one that is there for a reason and not able to be fixed as it would open an exploit.
Userlevel 7
Sort of... So the actual file is an FP, but it is an FP only because Apple decided that it was a good idea to create a file that has a giant list of file names/paths/drivers/etc... so I don't know whose bright idea that is, but that is why we detect them lol. The file is 23554 lines of software that they are allowing. It looks like this...

Userlevel 7
Badge +62
All I can say is WOW...unreal!!:@
Userlevel 1
I find that after allowing these files, Webroot remains red as if it has detected a threat, although it no longer lists any. I have worked round this by uninstalling then reinstalling Webroot, but have had to do it several times now, and it is getting to the point where I skip the reinstallation as more bother than it's worth!
Userlevel 7
Badge +56
Hello ? and Welcome to the Webroot Community!
 
Can you please Submit a Support Ticket and they will help you with this issue. Also ? or ? will be by to help as well.
 
Thanks,
 
Daniel 😉
Userlevel 7
Badge +62
Hello Punter,
 
Welcome to the Webroot Community,
 
Here is Wanderingbug's advice:
 
No need to worry, there isn't a keylogger on your device. The file that we are finding is the AppleExcludeList.kext on your backup. We are finding it due to the fact that Apple has put the keylogger's information in the file and we are reading that. I suggest that you allow the file, as we cannot remove it and nor should we, as it is a legit file. After allowing it, please turn off scan mounted drives and this should correct the issue that you are having.
 
 
This file is in the Apple Kext Exclude List, which is a file that Apple uses to allow certain files to run on the machine without Gatekeeper's permission. The reason we are picking it up is because we are looking for a string of code which Apple is also looking for. There is an exclusion in place to allow the file on the actual machine but we do not have an exclusion for backups like this as this would cause an exploit in our detections.
 
We recommend if Webroot continues to detect these files that you uncheck the box next to them on the removal page. This will tell Webroot to ignore the files in their current location.

If you would like to remove these files manually from the backup in Time Machine, you can use the following steps:

Note: This action is permanent, and will impact all past backups on the given Time Machine drive, even backups from the distant archives on that drive. For this reason, be absolutely certain you want to remove an item before deleting it, otherwise you may end up missing data you would have wanted to keep.

1. Open the backup manager by pulling down Time Machine menu item and selecting, “Enter into Time Machine.”
2. Navigate to the directory location of the files/folders you want to remove.
3. Right-click on the folder or file you want to remove and select “Delete all backups of [File Name].”
4. Confirm the removal.

As the process is the same whether you are deleting the backup of a file or an entire folder, please be careful to only select the items you wish to delete. You cannot recover these files.

Another option available to Time Machine users is to exclude the files and folders from being backed up by the Time Machine. You can add them to the exclusion list which will permanently block the files/folders from being backed up in the future. By doing this, the infected file will eventually be deleted from the backup over time and prevent it from ever getting re-introduced to the drive should it be installed on the computer again.
 
Hope this helps?
 
Userlevel 1
Thanks Both,
 
Yes, I am reasonably confident that the computer is not infected, my issue is that even after allowing the files in the Time Machine backup, Webroot retains the red alert status, and the only way to cure this seems to be allow it to do a full rescan of the computer. Similarly, yesterday I installed a Java VM update, and Webroot caught all the crapware that Oracle now insist on bundling with it, which is good, but again it's on red alert, and no doubt it will remain that way until it's done another full scan. I have that scheduled, but don't want to do it right away because it can impact performance, and particularly Time Machine backups, when I'm trying to work.
 
I'm happy to submit a support ticket if you think this will do any good, but it looks to me more like an inherent flaw in the OS X version of Webroot, which is proving far more problematic than the Windows version has ever been!
Userlevel 7
@ wrote:
Thanks Both,
 
Yes, I am reasonably confident that the computer is not infected, my issue is that even after allowing the files in the Time Machine backup, Webroot retains the red alert status, and the only way to cure this seems to be allow it to do a full rescan of the computer. Similarly, yesterday I installed a Java VM update, and Webroot caught all the crapware that Oracle now insist on bundling with it, which is good, but again it's on red alert, and no doubt it will remain that way until it's done another full scan. I have that scheduled, but don't want to do it right away because it can impact performance, and particularly Time Machine backups, when I'm trying to work.
 
I'm happy to submit a support ticket if you think this will do any good, but it looks to me more like an inherent flaw in the OS X version of Webroot, which is proving far more problematic than the Windows version has ever been!
Hello Punter,
If WSA is stuck in the Red UI then we will need to gather logs and see where the disconnect is happening. Please submit a ticket to support and let them know that I informed you to gather logs for them to run.
Regards,
 
Userlevel 1
Okay, I'll do so, thanks.
Userlevel 1
So I have downloaded and run your utility which has generated a 30 MB log of my system, which skimming through, I see contains information such as hidden network names, which I would not want made public, and now you want me to upload it to a dubious looking file sharing site then send you the "Link To Share This File With Anyone", seriously?
 
The fact that you even suggest this makes me question your attitude to the security of my computer, and whether I want to be using your product at all.
Userlevel 7
OS X, like other Unix systems, has limitations on the use of uploads to an FTP server. Unlike our Windows client, we are unable to have the files delivered to the FTP without having the customer type in either a server password or a public key. I have been working on building out a new server for this process and should have it rolled out very soon; I am waiting on the S3 bucket gathering to take place from Amazon's servers. The maclogs program was essentially created for support to run on the machine and remove locally; however, we have the option to upload if the customer does not have the time for us to remote access their machine. I can understand not wanting to upload the files to the server. The security of your information is of the utmost importance to us, and we do not want you to do anything that you feel would compromise this. If you would prefer, you can send them directly to me and I will work on it personally for you.
Regards,
 