
Browser Hijack - malware (toseeka)

5893 Views 14 Replies Latest reply: Jun 21, 2009 3:05 PM by Barney-15E
Rawool Duke
Jun 19, 2009 2:56 PM
I seem to be having trouble with malware. I allow(ed) my roommate to use my machine, and seem to have come down with a bit of malware - specifically a browser hijack.

The hijack redirects to pages like www.toseeka.com and www.shopica.com, but what's worse, will not let me access certain parts of Google, i.e. Gchat and YouTube.

Can anyone help with this?
mac, it's fast
  • Klaus1 Level 8 (43,475 points)
    Jun 19, 2009 3:45 PM (in response to Rawool Duke)
    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.

    You can read more about how, for example, the OSX/DNSChanger Trojan works here:

    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

    http://macscan.securemac.com/

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:

    http://macscan.securemac.com/buy/

    and this can perform a complete scan of your entire hard disk. After 30 days the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
    20" 2.1GHz iSight iMac G5, 250GB HD, 1.5GB RAM, Mac OS X (10.5.7), iLife 9 and iMovie 6, Toast 7.1.3, iTunes 8.2, QTPro 7.6.2, Safari 4.0.1
  • Klaus1 Level 8 (43,475 points)
    Jun 19, 2009 4:13 PM (in response to Rawool Duke)
    Delete all cookies as well as URLs for the sites in question, i.e. the ones you are trying to get to and the ones you are redirected to.

    Restart Safari.
    20" 2.1GHz iSight iMac G5, 250GB HD, 1.5GB RAM, Mac OS X (10.5.7), iLife 9 and iMovie 6, Toast 7.1.3, iTunes 8.2, QTPro 7.6.2, Safari 4.0.1
  • nerowolfe Level 6 (13,070 points)
    Jun 19, 2009 4:16 PM (in response to Rawool Duke)
    What are your DNS?
    Check both your computer and your router.
    Find out what sites your "friend" visited and determine what malware they "offer".
    Your console logs may be useful here.

    Never never use your computer with an administrator account unless you are actually performing administration activity. Casual browsing does not fall into this category.
    Never never let anyone use your account. Always create a standard account for other users or let them use the guest account.
    MacBookPro3,1-17"Core2Duo/VistaUlt64SP1; MacBookPro1,1-15"/XPProSP3; Dual G5/XPP, Mac OS X (10.5.7), Homebrew 3GHz ASUS PC, Dell Inspiron8k, Abacus, Sliderule, HP-50G
  • nerowolfe Level 6 (13,070 points)
    Jun 19, 2009 6:26 PM (in response to Rawool Duke)
    Create a new user account and see if that one works properly.
    MacBookPro3,1-17"Core2Duo/VistaUlt64SP1; MacBookPro1,1-15"/XPProSP3; Dual G5/XPP, Mac OS X (10.5.7), Homebrew 3GHz ASUS PC, Dell Inspiron8k, Abacus, Sliderule, HP-50G
  • Michael Superczynski Level 5 (7,110 points)
    Jun 20, 2009 4:17 AM (in response to Rawool Duke)
    No idea what you might do now other than an Archive and Install.

    But in the future, use a non-admin account for guest access.
    MacBook Air SSD (all-time favorite Mac), Mac OS X (10.5.7)
  • Barney-15E Level 7 (33,550 points)
    Jun 20, 2009 5:42 AM (in response to Rawool Duke)
    Try flushing the DNS cache. In Terminal, type this command:
    dscacheutil -flushcache
    If that doesn't work, check the hosts file. In the Finder, type Cmd-Shift-G and enter /etc in the path.
    In that folder is a file called hosts. Open it with a text editor and make sure there is nothing else but:
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
    1.8 SP G5/iMac G4 FP/MBP 2.33/PB G3 Pismo, Mac OS X (10.5.7), XLR8 G4 Upgrade for Pismo
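
Added example (not part of the original thread and not posted by any participant): a shell function that automates the hosts-file check described in the post above by listing every mapping other than the four stock entries quoted there. The names `audit_hosts` and `sample_hosts` and the sample lines (documentation addresses and example.* hostnames) are constructed for illustration.

```shell
#!/bin/sh
# audit_hosts FILE
# Prints "LINE_NO: IP NAME" for every mapping in FILE that is not one of
# the four stock Mac OS X 10.5 entries quoted in the post above.
audit_hosts() {
    awk '
        BEGIN {
            # Stock mappings, keyed as "ip name" in lower case.
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        {
            gsub(/\r/, "")          # tolerate CRLF line endings
            sub(/#.*/, "")          # drop whole-line and trailing comments
            if (NF < 2) next        # blank line, or an address with no name
            ip = tolower($1)
            for (i = 2; i <= NF; i++) {   # one line can carry several names
                key = ip " " tolower($i)
                if (!(key in ok)) printf "%d: %s %s\n", NR, $1, $i
            }
        }
    ' "$1"
}

# Constructed sample: the stock entries plus two extra lines of the kind
# the check is meant to surface (a loopback block and a redirect).
sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
127.0.0.1 activation.example.com
203.0.113.10 www.example.org search.example.org   # constructed redirect
EOF
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp) && sample_hosts > "$tmp"
audit_hosts "$tmp"
rm -f "$tmp"
```

On a real machine, run `audit_hosts /etc/hosts`; empty output means the file holds only the stock entries. A name mapped to 127.0.0.1 only blocks that site, while a name mapped to an unfamiliar external address is the kind of entry that redirects traffic.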
  • CMCSK Level 6 (10,250 points)
    Jun 20, 2009 5:50 PM (in response to Rawool Duke)
    Archive and install didn't work either?
    Mac OS X (10.5.6)
  • Barney-15E Level 7 (33,550 points)
    Jun 21, 2009 3:05 PM (in response to Rawool Duke)
    You can use a text editor to edit the file; however, as it is a system file, you need a text editor that can authenticate as an admin user. There are other ways to move the file, edit it, and then move it back.

    However, I just use Bare Bones' TextWrangler. It's free and will let you Unlock the file for editing.

    Regardless, that line just redirects the Adobe activation site back to your computer, thus causing it to fail to connect to the server. It is not the cause of your problems.
    1.8 SP G5/iMac G4 FP/MBP 2.33/PB G3 Pismo, Mac OS X (10.5.7), XLR8 G4 Upgrade for Pismo
