57 Replies Latest reply: Oct 30, 2012 4:29 PM by BDAqua
SnowLeo777 Level 1 (0 points)

For a couple of days my iMac (Snow Leopard 10.6.8) has not started up when it is connected to the Internet. A blue screen appears, and the desktop never appears. If I disconnect the Internet or turn off the modem, it loads correctly and works as usual. If I turn on the modem while the computer is already on, it freezes or gets extremely slow - impossible to open any application or turn it off in a normal way. I called my Internet provider, we reset the modem, and I connected my old PC to test the modem with another computer. It works without problem. After the reset I tried it with the Mac again. The computer was able to start up, very slowly, and I managed to set up the Internet connection again. But then a message appeared on the screen saying "Please type you computer password in order for Dropbox to function properly". I clicked "cancel". After that the computer became incredibly slow again, freezing each time I clicked the mouse.

I would like to run ClamXav or another antivirus software but cannot do it because I need to get definitions from the Internet, and the computer becomes unusable as soon as it's connected to the Internet.

Does it look like malware? The message that appears by itself proposing to enter the password for the computer does not seem normal.

I would really appreciate some advice!


iMac, Mac OS X (10.6.8)
  • 1. Re: New malware?
    BDAqua Level 10 (116,465 points)

    Doesn't sound like malware yet.

     

    One way to test is to Safe Boot from the HD, (holding Shift key down at bootup), run Disk Utility in Applications>Utilities, then highlight your drive, click on Repair Permissions, Test for problem in Safe Mode...

     

    PS. Safe boot may stay on the gray radian for a long time, let it go, it's trying to repair the Hard Drive

     

    Reboot, test again.

     

    If it only does it in Regular Boot, then it could be some hardware problem like Video card, (Quartz is turned off in Safe Mode), or Airport, or some USB or Firewire device, or 3rd party add-on, Check System Preferences>Accounts>Login Items window to see if it or something relevant is listed.

     

    Check the System Preferences>Other Row, for 3rd party Pref Panes.

     

    Also look in these if they exist, some are invisible...

     

    /private/var/run/StartupItems

    /Library/StartupItems

    /System/Library/StartupItems

    /System/Library/LaunchDaemons

    /Library/LaunchDaemons

  • 2. Re: New malware?
    MadMacs0 Level 4 (3,720 points)

    SnowLeo777 wrote:

     

    a message appeared on the screen saying "Please type you computer password in

    order for Dropbox to function properly". I clicked "cancel".

    You need to type in your admin password to clear this. Dropbox won't work properly without it and it could even be causing some of your issue.

     

    I agree with BDAqua that this is not malware.

     

    If a hardware problem is indicated, then you should run the Apple Hardware Test. Instructions for running it on your model iMac should be explained in your manual or read Intel-based Macs: Using Apple Hardware Test.

     

    How are you attached to the internet, via WiFi or directly connected to your Cable/DSL modem with an ethernet wire?

  • 3. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    Thank you for the answers, I will try your suggestions. I already ran Apple Hardware Test and it says everything is OK. I always used Airport for wireless Internet connection, but when the problem occurred, I tried it with an ethernet wire, and the result is the same: the computer stops working properly as soon as it attempts to connect to the Internet.

    Since Dropbox never asked for the admin password before, and it happened at the same time as the Internet problem, I thought it was suspicious. Maybe this message appeared because the modem was reset, and I had to configure the Internet connection as if it was the first time.

  • 4. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    I ran extended Apple Hardware Test that took an hour, and no problem is found.

     

    Then I did a Safe Boot and ran Disk Utility. I verified the disk, and it says "The volume Mac HD appears to be OK".

     

    But the "Verify Disk Permissions" test revealed plenty of errors. About 40 permission errors, for example:

    - Permissions differ on "System/Library/Frameworks/JavaVM.framework/Versions/A/Resources/Deploy.bundle/Contents/Home/lib/security/cacerts" should be -rw-r--r--, they are lrwxr-xr-x

    - Permissions differ on "System/Library/CoreServices/MenuExtras/RemoteDesktop.menu/Contents/Resources/ko.lproj/RemoteDesktopMenu.nib" should be drwxr-xr-x, they are -rw-r--r--

    5 user errors, for example:

    - User differs on "private/var/at" should be 0, user is 1

    - User differs on "System/Library/Frameworks/JavaVm.framework/Versions/1.6.0/libraries" should be 95, user is 0

    3 group errors, for example:

    - Group differs on "System/Library/CoreServices/Finder.app/Contents/Resources/English.lproj/InfoPlist.strings" should be 0, group is 20

    1 warning:

    SUID file "System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/MacOS/ARDAgent" has been modified and will not be repaired

     

     

    What does it all mean?..

    So now I should repair permissions and repeat the test?

     

    Thanks again for your help.

  • 5. Re: New malware?
    MadMacs0 Level 4 (3,720 points)

    SnowLeo777 wrote:

     

    ...should repair permissions and repeat the test?

    Repair permissions. No need to repeat the test as it will still say there are a few errors as explained in "Disk Utility's Repair Disk Permissions messages that you can safely ignore".

  • 6. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    Permissions repaired.

     

    The problem is still there, even after Safe boot. After regular boot, as soon as there is Internet connection, if I try to open Safari or any other application, it takes forever and finally nothing happens (or maybe it would take hours...). In Safe mode most applications open normally but for Safari it takes about 10 minutes to load. And all other applications freeze during this time. So it is better in Safe mode but still doesn't work properly.

     

    In safe mode, with Ethernet cable connected, I ran Network Diagnostics, all lights in Ethernet Network Status are

    green, and it says that no problem is detected.

     

    In Safe mode I was able to install and run ClamXaV. It is still running and found HTML.Spy.IMG in one Jpeg file. Is it a PC virus?

     

    What else could I do?..

  • 7. Re: New malware?
    MadMacs0 Level 4 (3,720 points)

    SnowLeo777 wrote:

     

    In Safe mode I was able to install and run ClamXaV. It is still running and found HTML.Spy.IMG in one Jpeg file. Is it a PC virus?

    All OS X malware should have "OSX" in the infection name. The signature contains a link to a JavaScript on a web site in Argentina, so I suspect it was found in one of your browser caches.

     

    Checking VirusTotal shows what the infection is called by 29 other vendors, and appears to be a Windows Trojan, possibly disguised as a clickable image. More details are probably available from one of the other vendors, like Sophos.

    To get detailed information on what ClamXav has found, click on the ClamXav window showing the results to make sure it's in front and type Command-A, Command-C (or choose "Select-All", "Copy" from the "Edit" menu) to copy the information to your clipboard, then come back here and type Command-V or choose "Paste" to show us what was found where.

  • 8. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    Scan is finished, and nothing else was found. HTML.Spy.IMG was found in a real Jpeg image that I saved to the Pictures folder about 2 years ago. I guess I should just delete it?

    Nothing else to show you...

    In the Scan summary window, before the scan results, it says "LibClamAV Error: fmap_readpage: pread error: Input/output error". And in scan results it also says "Total errors: 1101"

  • 9. Re: New malware?
    MadMacs0 Level 4 (3,720 points)

    SnowLeo777 wrote:

     

    In the Scan summary window, before the scan results, it says "LibClamAV Error: fmap_readpage: pread error: Input/output error".

    Might be more information in either the Scan Log or system.log, but there's not a lot of information on these errors in the ClamAV documentation. Possibly a problem trying to read a file. Not sure whether a corrupt file would cause this or a bad sector on your hard drive.

    And in scan results it also says "Total errors: 1101"

    Unfortunately, these errors are not logged by the current scan engine (supposed to be fixed in v0.98.x), so there is no way to be certain, but in previous tests these were either files that you do not have read access to (system or other users' files) or temporary files that disappear during the scan process. 1100 seems like a lot, to me, but without knowing your setup I can't really tell. Did this include any external drives? I don't think LibClamAV errors are included in that count.

  • 10. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    Can I do anything else to see where the problem comes from? Any other tests?

    Maybe to reset the modem again? (though it works fine with a PC)

     

    BDAqua suggested in the first post:

     

    Also look in these if they exist, some are invisible...

     

    /private/var/run/StartupItems

    /Library/StartupItems

    /System/Library/StartupItems

    /System/Library/LaunchDaemons

    /Library/LaunchDaemons

     

    What exactly should I look for? And how can I see invisible folders?

  • 11. Re: New malware?
    MadMacs0 Level 4 (3,720 points)

    SnowLeo777 wrote:

     

    BDAqua suggested in the first post:

     

    Also look in these if they exist, some are invisible...

     

    /private/var/run/StartupItems

    ...

     

    What exactly should I look for?

    Anything you don't expect to be launched at startup. If you don't know then post what you find and someone can tell you if any look to be abnormal.

    And how can I see invisible folders?

    In the Finder's "Go" menu, choose "Go to Folder..." or type Command-Shift-G

    Copy and paste "/private/var/run/StartupItems" without the quotes and click the "Go" button.
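
The folder check discussed in this thread, as an added example that is not part of any poster's reply: a shell function that inventories the five startup locations BDAqua listed, so the output can be pasted for review. The optional ROOT argument and the tag names (ABSENT, ITEM, INCOMPLETE, JOB, STRAY, WORLD-WRITABLE) are assumptions of this example.

```shell
#!/bin/sh
# Added example: inventory the five startup locations listed in the thread.
# The optional ROOT argument is an assumption (not from the thread); it lets
# the same check run against a mounted copy of a volume. Default is "/".
audit_startup() {
    root="${1:-}"
    for dir in /private/var/run/StartupItems /Library/StartupItems \
               /System/Library/StartupItems /System/Library/LaunchDaemons \
               /Library/LaunchDaemons; do
        if [ ! -d "$root$dir" ]; then
            echo "ABSENT $dir"
            continue
        fi
        # Include dot-entries, which the Finder hides.
        for entry in "$root$dir"/* "$root$dir"/.[!.]*; do
            [ -e "$entry" ] || continue      # glob matched nothing
            name=${entry##*/}
            case "$dir" in
            */StartupItems)
                # A startup item is a folder holding an executable named
                # after the folder plus StartupParameters.plist.
                if [ ! -d "$entry" ]; then
                    tag=STRAY
                elif [ -f "$entry/$name" ] && [ -x "$entry/$name" ] &&
                     [ -f "$entry/StartupParameters.plist" ]; then
                    tag=ITEM
                else
                    tag=INCOMPLETE
                fi ;;
            *)
                # launchd jobs are .plist files; anything else is unexpected.
                case "$name" in *.plist) tag=JOB ;; *) tag=STRAY ;; esac ;;
            esac
            # Flag entries that any local user could modify (symlinks skipped).
            if [ ! -L "$entry" ] &&
               [ -n "$(find "$entry" -prune -perm -002 2>/dev/null)" ]; then
                tag="$tag,WORLD-WRITABLE"
            fi
            echo "$tag $dir/$name"
        done
    done
}

# Run against the live system when executed directly: sh audit.sh
audit_startup "${1:-}"
```

ITEM and JOB only mean the entry is well-formed, not that it is wanted; anything you don't expect to be launched at startup still needs a look.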

  • 12. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    Ok.

     

    /private/var/run/StartupItems

    - folder doesn't exist.

     

    /Library/StartupItems

    - folder "EmagicA26A62mFirmwareLoader" containing items: StartupParameters.plist, Daemonizer,

    EmagicA26A62mFirmwareLoader, EmagicA26A62mFW

    - folder "Jaksta" containing items: StartupParameters.plist, Jaksta (application "Jaksta" is not installed on my computer)

    - folder "Qmaster" (see screenshot):

    Qmaster.png

     

     

    /System/Library/StartupItems

    - folder is empty

     

     

    /Library/LaunchDaemons

    - 5 items, see screenshot:

     

    Library-LaunchDaemons.png

     

    /System/Library/LaunchDaemons

    - 164 items, see screenshots:

     

     

     

    System-Library-LaunchDaemons1.png

    System-Library-LaunchDaemons2.png

     

    System-Library-LaunchDaemons3.png

     

    System-Library-LaunchDaemons4.png

     

    Is there anything that should not be there?

    Thank you!

  • 13. Re: New malware?
    BDAqua Level 10 (116,465 points)

    At least get rid of this one...

     

    folder "Jaksta" containing items: StartupParameters.plist

  • 14. Re: New malware?
    SnowLeo777 Level 1 (0 points)

    I deleted this folder.

     

    The problem stays, and also today I noticed that the computer is loading very slowly when the Wireless Magic Mouse is on. Blue screen stays for 5-10 minutes before the desktop appears. This happens even with Ethernet cable unplugged, and it didn't happen when I first started my post.

    So at the moment it boots very slowly showing gray screen for a long time, and the blue screen for a very long time when:

    - Ethernet cable is plugged in and the modem is on;
    - Ethernet cable is unplugged but Wireless Magic Mouse is on.

     

    And it works all right if I boot it while the modem is off and a USB mouse is connected (or no mouse is connected during startup, and I switch on the Wireless Magic Mouse after the boot is done).
