osx.pirrit_removal
osx.pirrit_removal copied to clipboard
aserper
Removed my settings
Hi, First of all I'm sorry for your inconvenience, as you obviously can imagine, I can't really take responsibility on that issue. But on the other hand I want to understand what happened in order to fix any issues with this removal script and I'd also appriciate the use of clean language.
A. Were you infected by pirrit or did you run this script straight away without knowing if you were indeed infected? B. I checked that code several times on different OS X versions infected by pirrit and did not see any irregular results. C. Could you please elaborate on which preferences were deleted and what kind of instabilities you are experiencing?
P.S. I just checked it AGAIN on a test systems and didn't see any problems. I'd really like to help you out, please respond.
I do not know whether infected.
Retired network settings and certain applications. Time machine settings. Stopped working right mouse button, although it right in the settings. Some applications, such as Bartender, can not perform the installation again.
This is what I found right now. Unfortunately, the output terminal has disappeared after a reboot and I can not attach it.
Will have to recover from a Time Machine.
Hi, Thanks for letting me know. Running this script unless you are infected can cause some unexpected behaviour. I ran this script now on an uninfected machine and the I do find that the 3 finger drag gesture on my trackpad isn't working. The rest of the things are working fine, I'll try to investigate further
The issue is that with a system that is not infected the values being read from com.common.plist are not present. There needs to be logic to ensure that values are indeed being read back and not blank. Because your system was not infected the rm commands are erase many things in /Library instead of /Library/
Just needs more checks and balances to ensure the defaults commands are not erring out and that the variables being used to store the values are not blank or at least not equal to /Library etc.
You are perfectly right. I intended to rewrite this script entirely and actually doing it with Python but then most of the AV/Antimalware products started picking pirrit up so it seemed redundant to me...
I have had the same problem, and after running the script I could not boot my mac. However, no damage done, because we all run backups. Right. :-) The point is that the virus/malware is mutating. The com.common.plist has very different keys, and the script starts executing semi-random deletes as a consequence. However, I still got rid of pirrit by following the script and using visual inspection before manually executing the commands. This is my com.common.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>lastc</key>
<string>Tue May 10 22:52:28 2016</string>
<key>laste</key>
<string>Host thecloudservices.net not found http://thecloudservices.net/pd/pi?id=1&d=1&cl=0 Tue May 10 22:43:58 2016</string>
<key>lastp</key>
<string>Tue May 10 22:43:28 2016</string>
<key>lastr</key>
<string>false</string>
</dict>
</plist>
BTW, my real comment is really "Thank you!" Sure, it took 2 hours instead of 2 mins, but I am still pirrit free. Which is actually less time then I have spent messing around with clamav (28 hour scan), Avira (found nothing) etc.
Hi, That's so strange that people got problema with this script, non the less when their computers stop booting! I'm sorry for the trouble you've had. I checked it several times and I did not have any problems with it on my test machines. I will have to eventually convert it to a python script with more checks to assure this kind of behavior won't happen, i just can't find the time