bemkah

Q: Finder menu stuffed up

I just noticed that my Finder menu had some of the words replaced with numbers - for example, N169.3, N148, N35. The numbers seem to have replaced options like 'clean up' etc.

These weren't there yesterday, so I figured it was a virus.

I downloaded ClamXav and it said there was one infection: 6572.emlx Heuristics.Phishing

It won't delete, and I'm not sure what I'm supposed to do now.

It hasn't slowed my computer down any or caused any programs to malfunction, but I do a fair bit of internet banking from my computer so I'm worried.

Is there any danger of my information being sent anywhere? Is there anything I can do to get rid of this virus? Should I take my computer to be fixed? I'm not the most technically minded person obviously so any help you could give me would be awesome.

Thanks in advance.

MacBook Pro

Posted on Feb 20, 2012 11:57 PM

  • by MadMacs0 (Helpful)

    Level 5 (4,791 points), Feb 22, 2012 2:28 AM, in response to bemkah

    bemkah wrote:

    I just noticed that my Finder menu had some of the words replaced with numbers - for example, N169.3, N148, N35. The numbers seem to have replaced options like 'clean up' etc.

    These weren't there yesterday, so I figured it was a virus.

    Not a virus, but you have been infected by the latest Flashback Trojan, which ClamXav won't find yet.

    I downloaded ClamXav and it said there was one infection: 6572.emlx Heuristics.Phishing

    It won't delete, and I'm not sure what I'm supposed to do now.

    That infection, if it even is one, has nothing to do with your problem. At worst it's junk mail trying to get you to give up privacy information by clicking on a link. To get rid of it, you should right-click / control-click on the infection or file name in ClamXav and select "Reveal in Finder". When the window opens, double-click on the file "6572.emlx", which will open it in your e-mail client. If it is truly a phishing / junk / spam message, then use the delete button in the e-mail client to get rid of it. If this is from a Gmail account, let me know, as there is one additional step to ensure you permanently delete it from the server. I have several e-mails from my credit union that are identified as heuristics.phishing.... because they contain a link to the IRS, so are deemed "suspicious". I just make note of the file number and ignore it on subsequent scans.

    It hasn't slowed my computer down any or caused any programs to malfunction, but I do a fair bit of internet banking from my computer so I'm worried.

    Is there any danger of my information being sent anywhere? Is there anything I can do to get rid of this virus? Should I take my computer to be fixed? I'm not the most technically minded person obviously so any help you could give me would be awesome.

    The Trojan infection has already sent information out about your computer, but chances are good that none of your banking information has been compromised. It just announced that your computer had been successfully infected for future use, whatever that may be.

    Since you say you aren't technically skilled, I won't bother having you attempt to clean it up. We are only starting to understand how to do that now. It's quite complicated and still incomplete. Your best bet at this point is to erase your hard drive and reinstall the system, then restore all your data from backup.

    The other mystery we are struggling with is how this happened. Past versions of this Trojan were advertised as updates to the FlashPlayer and required you to download and install the update, but the folks who have been complaining about this for the past couple of days claim not to have done any of that. If you recall seeing anything like that or downloading anything in the past four to five days, let me know.

  • by MadMacs0

    Level 5 (4,791 points), Feb 22, 2012 3:01 AM, in response to bemkah

    I just ran across this article by a colleague of mine that emphasizes most of what I've already told you about your Trojan infection.

  • by fane_j

    Level 4 (3,672 points), Feb 22, 2012 4:23 AM, in response to bemkah

    bemkah wrote:

    I just noticed that my Finder menu had some of the words replaced with numbers - for example, N169.3, N148, N35. The numbers seem to have replaced options like 'clean up' etc.

    A very small point. Quite likely, it's been made already, but there are several threads on the topic (MadMacs0 and his colleagues have been very busy tracking it all) and I didn't get to read all the posts. So, just in case, note that there is nothing strange about the codes N148, etc. They are the actual, unlocalised names of Finder's commands and other features (a full listing can be found in the Localizable.strings files). Some bug in the malware must interfere with the localised string display mechanism; perhaps Finder itself is infected.

  • by MadMacs0

    Level 5 (4,791 points), Feb 22, 2012 6:36 PM, in response to fane_j

    fane_j wrote:

    bemkah wrote:

    I just noticed that my Finder menu had some of the words replaced with numbers - for example, N169.3, N148, N35. The numbers seem to have replaced options like 'clean up' etc.

    A very small point. Quite likely, it's been made already, but there are several threads on the topic (MadMacs0 and his colleagues have been very busy tracking it all) and I didn't get to read all the posts. So, just in case, note that there is nothing strange about the codes N148, etc. They are the actual, unlocalised names of Finder's commands and other features (a full listing can be found in the Localizable.strings files). Some bug in the malware must interfere with the localised string display mechanism; perhaps Finder itself is infected.

    Thanks, that's good to know and I, for one, had never thought to check on that. It has been an artifact since the early days of this Trojan and with all the talent the malware developer has shown on this, I'm surprised he hasn't fixed it. Any programmers out there with some ideas?

  • by bemkah

    Level 1 (0 points), Feb 23, 2012 12:22 AM, in response to MadMacs0

    Thank you heaps, MadMacs0. That is exactly what I needed - I'm currently in the process of backing up all of my files so I can reinstall the system.

    I did download an Apple update the morning I discovered the problem, as well as software from Digital Theatre - could one of those be the culprit?

  • by MadMacs0

    Level 5 (4,791 points), Feb 23, 2012 2:19 PM, in response to bemkah

    bemkah wrote:

    I did download an Apple update the morning I discovered the problem, as well as software from Digital Theatre - could one of those be the culprit?

    If there was something embedded in an Apple update, I'm sure we would have heard by now, so that wasn't it.

    It's conceivable that the Digital Theater site was hacked, but according to Google Safe Browsing http://www.google.com/safebrowsing/diagnostic?site=digitaltheater.com and WOT http://www.mywot.com/en/scorecard/digitaltheater.com it's OK.

    The only one that might know how this is happening seems to be Intego, so read Flashback Mac Trojan Horse Infections Increasing with New Variant.