
Virus may have bricked my computer

2320 Views 31 Replies Latest reply: Mar 14, 2013 4:14 PM by shelbourn
shelbourn
Mar 9, 2013 9:57 AM

I've never had a virus on any of my Macs, so I need help dealing with this one....  Safari was closing sporadically after about 5 minutes of use. It would close with an error message referencing '.KlondikeMineD.tmp.' I knew immediately that this was no good, however, I didn't know how bad it would be. I ran Avast! (I know... I'm kicking myself for not running ClamAV). So Avast found KlondikeMineD.tmp to be a trojan and when I tried to 'chest' it I received an error message saying the program didn't have the ability to do it, or something like that. Now I knew I was in trouble. I attempted to boot in safe mode and was not able to log in to the administrator account. I am still able to log in as guest with full networking capability, but that does me no good since I can't run a scan or access anything on my administration account, which is where the virus is.

 

Any help on this would be fantastic. Is there a AV prog out there that has the ability to perform a scan at boot? I'm kind of freaking out because I have tons of pics on my HD that aren't backed up, including baby pics. Thanks for any ideas.

Mac Pro, Mac OS X (10.6.8), Trojan Virus
  • Grant Bennet-Alder, Level 8 (48,110 points)
    Mar 9, 2013 10:19 AM (in response to shelbourn)

    10.6.8 has the ability to boot from the Installer DVD and run Disk Utility (Repair Disk ).

     

    You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.

     

    If you are running Java games under 10.6.8 without installing the latest Software Updates, that can open you to Java-in-Safari exploits. Be sure to run the latest Java Software Update (which you can do in Safe Mode.)

    Mac Pro (Early 2009), Mac OS X (10.6.8), & Server, PPC, & AppleTalk Printers
  • MadMacs0, Level 4 (3,320 points)
    Mar 9, 2013 11:33 AM (in response to shelbourn)

    What message do you get when you attempt to log into your admin account, exactly? I do recall a similar situation to this over a year ago when FlashBack removal was causing users to be locked out of their accounts and there was a solution at the time, but I'd need to do a bit of research to recall exactly what needed to be done.

     

    Assuming you can get your account working again, we can probably help clear the infection if we know more about it. I can tell that it's an invisible file, but would need to know the exact "infection name" that Avast used and the path to where the file is located. It would also be helpful to the community if it could be uploaded to http://www.virustotal.com to get a better idea of what we're dealing with and to share it amongst other A-V vendors if it's something new. Knowing the creation date of the file might also give us some idea of how long you've been infected.

  • Linc Davis, Level 10 (107,760 points)
    Mar 9, 2013 8:56 PM (in response to shelbourn)

    You’ve been infected with the “Flashback” malware. See this Apple support document:

     

    About Flashback malware

     

    Back up all data, if you haven't already done so.

     

    From the menu bar, select Software Update to install the latest Java update, as well as any other available updates. That should clear the infection in most cases. You must update to the latest version of OS X 10.6 or 10.7 before you can install the Java update.

     

    The removal tool runs automatically in the background and is then deleted. Don’t look for something to click. If the malware is removed, you’ll be notified.

     

    After you’ve secured your system — not before — change every Internet password you have, starting with banking passwords, and check all financial accounts for unauthorized transactions.

  • MadMacs0, Level 4 (3,320 points)
    Mar 9, 2013 9:46 PM (in response to Linc Davis)

    Linc Davis wrote:

     

     

    You’ve been infected with the “Flashback” malware. See this Apple support document:

     

    I certainly agree that it's the most probable explanation, just that the file name isn't on my list of known Flashback related files. I don't know that anybody has a complete list, but is it one you can confirm?

     

    I also concur that the other steps are the most prudent way to get rid of it, but they all require access to an admin account, which the OP doesn't currently have.

  • MadMacs0, Level 4 (3,320 points)
    Mar 9, 2013 9:49 PM (in response to shelbourn)

    shelbourn wrote:

     

    I'm gonna try Grant's advice and if that doesn't work I suppose I'll have to lug it into the Apple Store.

    I can almost guarantee that all they will be willing to do is re-install a system and not guarantee that any of your data will be retained.

     

    As I said before, if this is a Flashback infection, I'm sure I have a recovery solution filed away in some of my notes from last year, so I would give that a try before making that trip.

  • MadMacs0, Level 4 (3,320 points)
    Mar 9, 2013 9:51 PM (in response to Grant Bennet-Alder)

    Grant Bennet-Alder wrote:

     

    You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.

    I'm almost certain that won't work as the admin account needs that file in order to log in. Resetting the password won't help. Is there a way to use it to reset the Guest account with admin privileges?

  • MadMacs0, Level 4 (3,320 points)
    Mar 9, 2013 11:23 PM (in response to shelbourn)

    Found my notes from when we first observed this happening:

    Boot in single user mode by holding down the 'Command-S' keys when you start your mac. (http://support.apple.com/kb/HT1492)

     

    After a while, you get a terminal prompt and type:

     

    mount -uw /

    rm /Users/*/.MacOSX/environment.plist

    reboot

    Note where the spaces are (after "mount", "-uw" & "rm") and where they are not, as they are very important.

     

    If you are then able to log back into your account, follow Linc's instructions.

  • BitterCreek, Level 1 (100 points)
    Mar 12, 2013 5:24 AM (in response to shelbourn)

    There are no damaging Mac Viruses. What you've got is a corrupted KlondikeMine3D screen saver download.

     

    Delete the temporary file.

  • thomas_r., Level 7 (26,945 points)
    Mar 12, 2013 11:31 AM (in response to shelbourn)

    What trojan did Avast say that it found? We need to know the exact name that it called it.

     

    I seriously doubt that this is a Flashback infection, unless it has been there for quite some time. There hasn't been a verified report of a Flashback infection for almost a year now. Besides which, unless you haven't updated your computer in 11 months, you will have had an update installed that would prevent Flashback infections and remove the malware, if present.

     

    Thus, knowing what Avast called it is extremely important. Though it's also important to note that Avast has a bit of a problem with false positives.

     

    If you can also find out from Avast where this file is, assuming you haven't deleted it, we could run some other tests on it to see what it might be.

  • andyBall_uk, Level 6 (17,515 points)
    Mar 12, 2013 5:59 PM (in response to MadMacs0)


    list of known Flashback related files. I don't know that anybody has a complete list...

    weren't many of them sort of random, albeit starting with a . & ending .tmp and with a vaguely plausible bit in the middle, like here?

    check on the name, and check that it crashes safari referencing the file too, as did many others...

     

    I think you're right that Linc's right - since some people don't update OS much & their infections likely don't get 'verified'.

  • MadMacs0, Level 4 (3,320 points)
    Mar 12, 2013 6:29 PM (in response to andyBall_uk)

    andyBall_uk wrote:

     

    weren't many of them sort of random, albeit starting with a . & ending .tmp and with a vaguely plausible bit in the middle, like here?

    Not exactly "random". The way it was explained, the communications module would contact the Flashback Command and Control Server at a certain point in the installation process and request file names. Those names were probably randomized by the C&C server, but from a fixed list of file names. For a while I was trying to keep a list of the names that were being found, but the sample size here on the list seemed to be smaller than the list of names, so at some point I gave up.

    I think you're right that Linc's right - since some people don't update OS much & their infections likely don't get 'verified'.

    Except that one other thing we've been running into lately, is finding these "plug-ins" within a Safari archive of a previous version. Apparently the Safari installation process retains a copy of the previous version in case there are issues with the new installation, so it can stop and recover the older version. If that older version contained a Flashback plug-in, it may eventually be identified there. Of course it's harmless and at some point should be replaced. I guess I don't quite understand why it isn't deleted as a final step in the installation process and can think of no reason not to delete it, if found.

     

    The difference with this one is that it seems to have locked the user out, which would indicate that the file may well have been in an active location.
