May 6, 2011 6:26 PM (in response to PlugInFiend)
The trojan can be removed by killing the process "MacDefender" in Activity Monitor, deleting the application and the preference file, and removing the login item. There would also be a receipt in /var/db/receipts if you ran the installer.
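The checks implied by the removal steps above, as an added example that is not part of the original post: a read-only report of whether the named process, login item, receipt, application or preference file is present. The function names are hypothetical, and `/Applications` and `~/Library/Preferences` are assumed default locations; only `/var/db/receipts` and the process name come from the post.

```shell
#!/bin/sh
# Added example: look for the MacDefender artifacts named in the post above.
# Function names are hypothetical. /var/db/receipts comes from the post;
# /Applications and ~/Library/Preferences are assumed default locations.

# find_matches DIR NAME: print entries directly inside DIR whose file name
# contains NAME (case-insensitive). A missing DIR yields no output.
find_matches() {
    [ -d "$1" ] || return 0
    find "$1" -mindepth 1 -maxdepth 1 -iname "*$2*" 2>/dev/null | sort
}

# process_running NAME: succeed if a process with exactly this name exists.
process_running() {
    pgrep -x "$1" >/dev/null 2>&1
}

# login_items NAME: print login items containing NAME (macOS only; needs
# osascript and permission to query System Events).
login_items() {
    command -v osascript >/dev/null 2>&1 || return 0
    osascript -e 'tell application "System Events" to get the name of every login item' 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//' | grep -i -- "$1" || true
}

# triage NAME RECEIPTS APPS PREFS: one "kind: value" line per finding.
triage() {
    if process_running "$1"; then echo "process: $1"; fi
    login_items "$1" | sed 's/^/login item: /'
    find_matches "$2" "$1" | sed 's/^/receipt: /'
    find_matches "$3" "$1" | sed 's/^/application: /'
    find_matches "$4" "$1" | sed 's/^/preference: /'
}

# Read-only report for the current user; nothing is deleted.
triage MacDefender /var/db/receipts /Applications "$HOME/Library/Preferences"
```

An empty report means only that nothing with that name was found in these locations; a renamed variant would not match.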
May 7, 2011 4:16 AM (in response to leroydouglas)
May 7, 2011 6:09 AM (in response to PlugInFiend)
After you erased your boot volume, what did you restore besides the OS? Did you install the MacKeeper application, which is not usually considered a trojan?
May 7, 2011 6:37 AM (in response to Linc Davis)
I haven't installed anything except Steam.
I think I'm slightly misunderstood when I said MacKeeper. It isn't the application that is popping up, it's a window that looks like an advertisement for MacKeeper, but it looks completely fake because of how the image in it is so low quality.
May 7, 2011 6:56 AM (in response to PlugInFiend)
Then perhaps a better question is - when does this window "keep popping up"? Randomly no matter if your computer is connected to a network or not; whenever a browser is opened; when you surf to certain sites (or types of sites)?...
The more detailed and precise the information you can provide, the better an answer you'll receive. Even if you don't think the details are relevant, we might.
May 7, 2011 9:26 AM (in response to g_wolfman)
Well, it seems completely random. I haven't had a chance to figure out the permutations of conditions, but every time I've seen it, it's been when Safari is opened, but it doesn't matter what site I'm on.
May 7, 2011 4:45 PM (in response to PlugInFiend)
Then you might first want to try changing your DNS servers to use Google DNS (126.96.36.199) or OpenDNS (188.8.131.52 or 184.108.40.206) and see if that solves the problem. It's possible your ISP has been subjected to DNS Cache poisoning. Or possible your own router has (if you have one, that is).
May 7, 2011 5:36 PM (in response to g_wolfman)
What does that mean for my ISP and my network? Will other devices on the network be prone to this trojan?
May 8, 2011 5:21 AM (in response to g_wolfman)
I managed to catch it at work. It seems to appear soon after login. It didn't happen at all yesterday; I was opening and closing my MacBook quite often.
I checked the Activity Monitor and it appears to be using Flash to run that window. I quit the process and the window went blank (with plug-in failure).
May 8, 2011 7:06 AM (in response to PlugInFiend)
If all you've said so far is accurate, then it must be something in your home folder that keeps getting restored after you erase the boot volume.
First, check the box labeled "Block pop-up windows" in Safari > Preferences > Security.
Open the Accounts preference pane and check your login items. Delete anything you don't recognize.
Comb through the Library subfolder of your home folder. Anything you don't recognize, move. Delete it later if it turns out you didn't need it. This will take a while.
May 8, 2011 7:37 AM (in response to Linc Davis)
The odd thing is that Safari is already blocking pop-ups, and the only login item I have is iTunes Helper. And it seems there's nothing out of the ordinary in my Library.
Would it be wise to head down to the Apple Store and see if I can get my hard drive replaced, if the problem is located in there?
May 8, 2011 8:15 AM (in response to PlugInFiend)
I do think you should make an appointment at the Apple Store, because this problem is getting too complicated to manage by question and answer. Without being able to see your files, I frankly can't take your word for it that there's nothing out of the ordinary. I very much doubt that replacing your hard drive is the solution.
May 20, 2011 10:03 AM (in response to PlugInFiend)
For Activity Monitor, you needed to show all processes which you did not — though I don't know for certain which user it runs under, you or root.
It would have been very interesting to see what happened if you disabled Flash. I would have recommended downloading the latest version, NOT installing it, then killing the plugin you have followed by a restart of Safari. Then see what happens.
Flash can pop up windows (or at least it has in the past; I doubt they fixed that as it probably would break programs).
Hope you post the solution from your visit.