40 Replies Latest reply: Mar 3, 2012 11:32 AM by MadMacs0
Jay-Lee Level 1 Level 1 (0 points)

I think I may have this Java Trojan virus that many have been talking about, whose most common symptom is that it makes my Finder display folder names as N80, N81, etc. in place of titles such as 'Open Finder' and 'Empty Trash'.

 

Here are some screen caps of the problem.

 

[Screenshots attached: Screen shot 2012-03-02 at 4.00.42 PM.jpg, Screen shot 2012-03-02 at 4.00.51 PM.jpg, Screen shot 2012-03-02 at 4.01.22 PM.jpg]

 

I have tried a few things, such as Repair Disk Permissions, restarting, and logging off, but to no success.

 

Any suggestions/ideas would be greatly appreciated, as I am concerned this might be the Java Trojan virus, and I wish to restore my Mac to what it was before.

 

I have Mac OS X 10.6.6.

 

Thanks!  Lucy


MacBook, Mac OS X (10.6.6)
  • 2. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    X423424X Level 6 Level 6 (14,190 points)

    Read these:

     

    Beware the Morphing Flashback Malware

     

    Intego finds new, insidious strain of Mac Flashback Trojan horse

     

    For the current strain of this trojan (Flashback.G) look for the following files, easiest done from the Terminal (use the following commands):

     

    ls -la /Users/Shared/*.so /Users/Shared/.*.so

    ls -la /Users/Shared/.svcdmp

    ls -la ~/.MacOSX/environment.plist

    ls -la ~/Library/Logs/vmLog

     

    The ls command will report an error if it cannot find the file(s).

     

    If you find any of these guys delete them (also easiest done from the terminal).

     

    Also, you will probably have to replace your Safari and/or Firefox browsers, since this trojan may inject code into them as well.

  • 3. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    fane_j Level 4 Level 4 (3,660 points)

    Jay-Lee wrote:

     

    I think I may have this Java Trojan virus

    I'm afraid it's very likely you do. I can't see your pics, but the subject is enough.

     

    If you want to be sure, open Terminal and paste this line in it

     

    defaults read ~/.MacOSX/environment

     

    then press Return. Copy the result and paste it here.

     

    Thomas A Reed, a frequent contributor to this forum, has info on it here

     

    <http://www.reedcorner.net/news.php/?p=355>

     

    There are other threads on the topic, eg

     

    <https://discussions.apple.com/message/17652575#17652575>

    <https://discussions.apple.com/message/17643296#17643296>

     

    Unfortunately, the only solution at this point is to erase your hard disk, re-install the OS and apps from the original discs, and restore your documents (but only your documents) from the backup. The reason is that, at this point, no-one knows for sure what code this malware has installed, where, and how to find it; so, removing the files listed here or there is no guarantee that all the malicious code has been removed.

  • 4. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    Jay-Lee Level 1 Level 1 (0 points)

    Thanks so much for the answers already, guys... unfortunately it's a tricky case because I'm not very familiar with Mac systems etc. What do you mean by the Terminal, and how do I get to it?

     

    Sorry for my lack of understanding of computers, aha.

     

    Thanks!

  • 5. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    X423424X Level 6 Level 6 (14,190 points)

    Hmm, not sure what to say here under these conditions.

     

    Tricky case is the appropriate term here.

     

    Terminal is an app in your Utilities folder.  But I am hesitant to go further on how to proceed with you due to your unfamiliarity with the system.  Fane_j, do you care to chime in here on how to proceed?

  • 6. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    MadMacs0 Level 4 Level 4 (3,725 points)

    Jay-Lee wrote:

     

    what do you mean by the terminal, and how do i get to it?

    Go to /Applications/Utilities/ and double-click on the Terminal application.

     

    When the window opens copy and paste "defaults read ~/.MacOSX/environment" without the quotes and press return.

     

    Copy the results and paste them here.

  • 7. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    Jay-Lee Level 1 Level 1 (0 points)

    Thanks! I'll see what I can get done later when I've finished work. I just need to know where a lot of the Mac files etc. are, as I'm more familiar with a PC.

     

    again, thanks

  • 8. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    Jay-Lee Level 1 Level 1 (0 points)

    hey, I did what you suggested, and it replied with:

     

    "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.GameHouseHolidayExpress.so";

  • 9. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    WZZZ Level 6 Level 6 (12,220 points)

    It should come up empty. You're infected.

    Is there more I should do to ensure the virus is gone?

    You need to follow the instructions above from fane_j to wipe and start clean.

     

    Message was edited by: WZZZ

  • 10. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    Jay-Lee Level 1 Level 1 (0 points)

    Update: I have done what you previously suggested in a similar post, in which you stated to:

    "In the Finder select "Go To Folder..." from the "Go" menu or type Command-Shift-G.

    In the "Go to the folder:" dialog type "~/.MacOSX/" without the quotes."

     

    I found the "environment.plist" file and trashed it, logged out, and restarted and everything appears as how it should!  Codes for Finder names are gone and have been replaced with their proper names.

     

    I also ran "defaults read ~/.MacOSX/environment" through Terminal again and this time it replied with ".MacOSX/environment does not exist"

     

    Is there more I should do to ensure the virus is gone?

  • 11. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    X423424X Level 6 Level 6 (14,190 points)

    The environment.plist is the key file on which the rest of the trojan hangs (at least in this strain).  But you posted that it references "/Users/Shared/.GameHouseHolidayExpress.so", so that file must be there too.  You should trash that as well.

     

    There may be some of the other files I mentioned earlier so look for them as well:

     

    /Users/Shared/.svcdmp

    ~/Library/Logs/vmLog  (in your home directory)

     

    And if the TidBITS article is correct (see the part that starts with "Infection Effects"), Safari, Firefox, and Skype should be replaced.

  • 12. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    MadMacs0 Level 4 Level 4 (3,725 points)

    X423424X wrote:

     

    The environment.plist is the key file on which the rest of the trojan hangs (at least in this strain).  But you posted that it references "/Users/Shared/.GameHouseHolidayExpress.so", so that file must be there too.  You should trash that as well.

     

    There may be some of the other files I mentioned earlier so look for them as well:

     

    /Users/Shared/.svcdmp

    ~/Library/Logs/vmLog  (in your home directory)

    @Jay-Lee, There may well be one more in "~/Library/Application Support/.GameHouseHolidayExpress.so" which may or may not be causing Google redirects.

     

    Since some of these are hidden, you will need to use some of the following in Terminal. Be sure to copy and paste them exactly as written as you could easily delete something else with a typo:

     

    rm -rf ~/.MacOSX/environment.plist

         (you already got this one)

     

    rm -rf ~/Library/Application\ Support/.GameHouseHolidayExpress.so

     

    rm -rf ~/Library/Logs/vmLog

         (you probably found this one already)

     

    rm -rf /Users/Shared/.GameHouseHolidayExpress.so

     

    rm -rf /Users/Shared/.svcdmp

    And if the TidBITS article is correct (see the part that starts with "Infection Effects"), Safari, Firefox, and Skype should be replaced.

    I currently agree with this as it's not that hard to do, but yesterday a user found evidence that the applications were not infected on the hard drive, only when they launched and loaded into RAM. Since we don't have confirmation from Iomega, TidBITS or anybody else yet, safest thing would be to replace them from source after removing the above.

     

    Several (including myself) have recommended making sure you have a backup of all your data, using your install disks to reformat and install a clean system, updating it with Software Update, restoring all your applications from source and then recovering your data files from backup. Or use a Time Machine backup to return your hard drive to pre-infection status, if you know exactly when it happened. That's extreme and a lot of work, I know, but with the lack of detail published concerning this infection, that's the only way to be certain you got everything. If after removing all traces of the Trojan and replacing the network apps you still have unexplained issues, it's probably your only choice at this time.
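The indicator list from reply 2 and the removal commands from reply 12, put together as one script. This is an added example written for this page, not code posted by anyone in the thread. It assumes the home directory and the /Users/Shared directory are passed in as arguments (so it can be exercised against a scratch copy before it is pointed at a real account), that environment.plist is in XML plist format (convert a binary one with `plutil -convert xml1` first, or simply use `defaults read` as the thread does), and it moves what it finds into a quarantine directory you name instead of running `rm -rf`, so a sample survives for analysis. The function names are this example's own. Every path is double-quoted so that "Application Support" reaches `mv` as a single argument, which is exactly what goes wrong with an unquoted `rm -rf ~/Library/Application Support/...`.

```sh
#!/bin/sh
# Added example for this thread, not code posted by any participant.
# Scans for the Flashback.G indicator files named in replies 2 and 12 and
# quarantines any that exist. Every path is double-quoted, so
# "Application Support" is passed as one argument rather than two.
#
# Assumptions: the home and /Users/Shared directories are given as arguments
# (real use: "$HOME" and /Users/Shared); environment.plist is an XML plist
# (run `plutil -convert xml1` on a binary one first). Function names are
# this example's own.

# Print every candidate indicator path, one per line (not yet checked for
# existence). Also lists any *.so in the shared directory, hidden or not,
# which is what reply 2's "ls -la /Users/Shared/*.so" is looking for.
flashback_indicators() {
    home="$1"; shared="$2"
    printf '%s\n' \
        "$home/.MacOSX/environment.plist" \
        "$home/Library/Logs/vmLog" \
        "$home/Library/Application Support/.GameHouseHolidayExpress.so" \
        "$shared/.GameHouseHolidayExpress.so" \
        "$shared/.svcdmp"
    for f in "$shared"/*.so "$shared"/.[!.]*.so; do
        if [ -e "$f" ]; then printf '%s\n' "$f"; fi
    done
}

# Print only the indicators that actually exist, one per line, deduplicated.
flashback_scan() {
    flashback_indicators "$1" "$2" | sort -u | while IFS= read -r p; do
        if [ -e "$p" ]; then printf '%s\n' "$p"; fi
    done
}

# Number of indicators present; 0 means none of the thread's markers remain.
flashback_count() {
    flashback_scan "$1" "$2" | wc -l | tr -d ' '
}

# Print the library that DYLD_INSERT_LIBRARIES points at in the XML
# environment.plist (the value reply 8 saw via `defaults read`); prints
# nothing when the file or the key is absent.
flashback_injected_lib() {
    plist="$1/.MacOSX/environment.plist"
    [ -f "$plist" ] || return 0
    grep -a -A1 '<key>DYLD_INSERT_LIBRARIES</key>' "$plist" \
        | sed -n 's/.*<string>\(.*\)<\/string>.*/\1/p'
}

# Move each found indicator into the quarantine directory $3 (created if
# needed), flattening its path into the file name, instead of deleting it.
flashback_quarantine() {
    qdir="$3"
    mkdir -p "$qdir"
    flashback_scan "$1" "$2" | while IFS= read -r p; do
        name=$(printf '%s' "$p" | tr '/' '_')
        mv -f "$p" "$qdir/$name"
        printf 'quarantined %s\n' "$p"
    done
}

# On the Mac itself the calls are, for example:
#   flashback_injected_lib "$HOME"
#   flashback_scan "$HOME" /Users/Shared
#   flashback_quarantine "$HOME" /Users/Shared "$HOME/flashback-quarantine"
```

After quarantining, log out and back in (or restart, as reply 10 did): the DYLD_INSERT_LIBRARIES value in environment.plist is applied to every process launched in the login session, so already-running applications keep the injected library until they are relaunched. A count of 0 only means the files this thread names are gone, which is why the replies above still recommend the erase-and-reinstall route when anything unexplained remains.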

  • 13. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    X423424X Level 6 Level 6 (14,190 points)

    There may well be one more in "~/Library/Application Support/.GameHouseHolidayExpress.so" which may or may not be causing Google redirects.

     

    ~/Library/Application Support/ ??  His DYLD_INSERT_LIBRARIES was pointing at /Users/Shared.  I've seen no mention of ~/Library/Application Support in any of the articles (or at least I don't recall at the moment).

  • 14. Re: Please Help! Finder is displaying strange codes such as N80 and N201
    WZZZ Level 6 Level 6 (12,220 points)

    In addition to what has been said, since this thing is rather pointless unless it can get back to the mothership -- they aren't just trying to prove that they can break into your computer; this is for profit -- I can't recommend Little Snitch highly enough. It will detect when an infected application or process is trying to make an outbound connection and "phone home." If you don't go the complete erase and install route from scratch, then, at least, you will know if something you haven't zapped is still hiding somewhere and trying to get out with your sensitive data or who knows what and be able to stop it.

     

    It runs as a free demo for three hours, but can be renewed.

     

    http://www.obdev.at/products/littlesnitch/releasenotes.html
