Yikes, it looks like I may have a Trojan

In the middle of reading a story on my local newspaper's website last night, all of a sudden I get what appears to be a virus scan running under the name of Immunizator. I couldn't get it stopped. The only thing I could do was an "emergency" shutdown; restart & shut down were blocked by the darn thing. It was so late I really didn't want to deal with it, so I thought I would try this afternoon.

After doing a "google" for "immunizator", it does look like it's some type of Mac OS X Trojan. I have gone through, sending the app to the trash, & all of the .dmg junk. When I tried to empty the "trash", this stuff has the "empty" option blocked, so I did a "force empty" with Leopard Cache Cleaner which appeared to work. "Appeared" is the key word. When I use "finder" to look up the key word, "immunizator", the **** thing still opens up on my system. I'm now totally confused, lost, whatever, as to what I need to do to get rid of this, ONCE & FOR ALL! Help is greatly appreciated.

iMac G5 2.0, Mac OS X (10.5.4), 160GB iPod Classic, 2G iPod shuffle, iTunes 7.7

Posted on Jul 11, 2008 8:13 PM

37 replies

Jul 11, 2008 8:33 PM in response to StarDeb55

Are you the only user of your system?

Is there someone who might have fallen for the claim that your system was "infected" and actually entered their password to "unlock" it and/or went on to install or purchase "Immunizator"?

You can read more about this Trojan here.

For reference, here is what the bogus software popup looks like:


Never, ever provide your system password to a popup like this, and never run software downloaded from the web unless you know what it is and explicitly requested that it be downloaded.

Jul 11, 2008 8:49 PM in response to StarDeb55

You'll probably have more luck extricating it from your system using the command line utilities, e.g. rm for deletes, kill for stopping processes, etc. Likely this trojan hasn't mucked with these system commands (and, rm doesn't send things to the trash, it just deletes them).

From the command line, you can also take a look inside some areas like /Applications, /Library/Preferences/ and your ~/Library/Preferences/ folders to make sure nothing else was deposited. You could compare these areas with known-good backups.

You might want to also check out your Startup items (System Preferences->Accounts), and potentially the trojan made it so launchd runs it. For that, look in /System/Library/LaunchDaemons/. As to what you're looking for, I'm not sure. I don't have any first hand knowledge of this trojan, so don't know what kind of crap it's put on your system...

Message was edited by: glsmith

Jul 11, 2008 8:40 PM in response to Dogcow-Moof

Oh, I know what the pop-up looks like, I've been fighting with it all afternoon. I'm the only user of my system, but I swear on a stack of bibles that I didn't enter my admin password, unless I'm having a total memory loss. I've read about 3 different articles describing it, but I need step by step instructions on how to manually remove it. I've never gone in on "terminal" or anywhere else like that on my Mac. The articles I've read don't seem to have very clear instructions on removal. I downloaded ClamXav & it doesn't seem to recognize it.

Jul 11, 2008 9:22 PM in response to StarDeb55

check out this [thread|http://discussions.apple.com/thread.jspa?threadID=1450924&start=0&tstart=0].

I haven't found step-by-step to remove it but that thread mentions that intego antivirus can do it. not sure if it's worth the price.

However, if you are not comfortable with terminal you may have problems clearing it out by yourself.

as mentioned by others you should look at

1. /Library/LaunchDaemons, /Library/LaunchAgents
2. ~/Library/LaunchDaemons, ~/Library/LaunchAgents (~ stands for your home directory).
3. your login items in account preferences
4. ~/Library/Caches and /Library/Caches
5. ~/Library/Preferences and /Library/Preferences
6. ~/Library/Contextual Menu Items and /Library/Contextual Menu Items
7. ~/Library/Internet Plug-Ins and /Library/Internet Plug-Ins

zap anything suspicious.

also check your user crontab and root crontab

run this in terminal

crontab -l

this will list your user crontab

sudo crontab -u root -l

that's for your root crontab. if you see anything strange zap it too.

crontab -r

to delete user crontab and

sudo crontab -u root -r

to delete root crontab.

Message was edited by: V.K.
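The folder walk that glsmith and V.K. describe above, scripted as an added example (not code from any post in this thread): it checks the launchd directories they list, prints every job whose Label is not Apple's together with the program it runs, and then lists both crontabs. It assumes XML-format plists (so it needs no plutil), and it trusts the Label, so a job that forges a com.apple name would be skipped.

```shell
#!/bin/sh
# Added example (not from the thread): list launchd jobs whose Label is not
# Apple's, plus both crontabs, across the locations named by glsmith and V.K.
# Assumes XML plists (no plutil needed). On a Mac: sh audit_persistence.sh --run
# Caveat: it trusts the Label, so a forged com.apple.* label would be skipped.

# Locations from the thread (assumption: these are the directories to check).
PERSIST_DIRS="/Library/LaunchDaemons /Library/LaunchAgents \
$HOME/Library/LaunchDaemons $HOME/Library/LaunchAgents \
/System/Library/LaunchDaemons /System/Library/LaunchAgents"

# Value of the <string> that follows <key>Label</key> in an XML plist.
plist_label() {
    tr -d '\n\t' < "$1" |
        sed -n 's/.*<key>Label<\/key> *<string>\([^<]*\)<\/string>.*/\1/p'
}

# First ProgramArguments entry, or Program, of an XML plist.
plist_program() {
    tr -d '\n\t' < "$1" | sed -n \
        -e 's/.*<key>ProgramArguments<\/key> *<array> *<string>\([^<]*\)<\/string>.*/\1/p' \
        -e 's/.*<key>Program<\/key> *<string>\([^<]*\)<\/string>.*/\1/p' | head -n 1
}

# Print "path<TAB>label<TAB>program" for every non-Apple job in DIR.
find_foreign_jobs() {
    dir="$1"
    [ -d "$dir" ] || return 0
    for f in "$dir"/*.plist; do
        [ -f "$f" ] || continue
        label=$(plist_label "$f")
        case "$label" in
            com.apple.*) ;;    # Apple's own job: skip
            *) printf '%s\t%s\t%s\n' "$f" "${label:-?}" "$(plist_program "$f")" ;;
        esac
    done
}

# Number of non-Apple jobs in DIR.
count_foreign_jobs() {
    find_foreign_jobs "$1" | wc -l | tr -d ' '
}

main() {
    for d in $PERSIST_DIRS; do echo "== $d"; find_foreign_jobs "$d"; done
    echo "== user crontab"; crontab -l 2>/dev/null || echo "(none)"
    echo "== root crontab"; sudo crontab -u root -l 2>/dev/null || echo "(none)"
}
if [ "${1:-}" = "--run" ]; then main; fi
```

Anything it prints is only a lead: compare each path against what you installed yourself before removing it with rm, as glsmith suggests.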

Jul 12, 2008 1:12 PM in response to StarDeb55

Assuming this trojan doesn't go out of its way to make whatever it installed look like it came from Apple, this script will dump out a list of all the foreign launchd jobs, StartupItems, Login Items, kernel extensions and whatever all else it can find into a Terminal window. This can be a whole lot faster than digging through all those folders manually and trying to figure out what came from who:

http://www.khiltd.com/Downloads/ConsultantsCanary.tar.gz

Of course, if they've forged Apple bundle IDs for any of this stuff, it may not find a thing. I've never seen the bugger, so I have no idea what it does.

Jul 12, 2008 1:29 PM in response to orangekay

Thanks for the link. I've downloaded this & ran it. I've got a ton of stuff on the report that I'm basically clueless about what to look for. I see nothing that says Immunizator, anywhere on the report, after that beats me.

I have actually thought about doing a fresh Leopard installation as I have a Superduper clone of my hard drive that's as recent as Thurs. night. I would prefer not to, but if I have to I will. If it comes to that, I would assume it's going to have to be a fresh install, as an archive/install will simply keep this piece of junk?

Message was edited by: StarDeb55

Jul 12, 2008 2:03 PM in response to StarDeb55

Keeping multiple backups from SuperDuper is nice to have. Some of those can be on disk images of course that you could have just the system; or just the user folder. So you can keep one from an original install with just standard Apple updates if you ever need to.

I would not archive and install. Instead, I think you should or must use Partition in Disk Utility. Might even want to zero the drive. Might even pull the drive after that and replace it with a new boot drive.

Intego AntiVirus: the demo should have 30-day and still be able to scan, not sure if it will repair in demo mode, so check. But I will say that using it in real-time active protection, which I tried for a day, can make even my system run sluggish. I set it up to scan different areas each hour (system, home library, downloads w/ all my installers and updates that measures 10GB) and to watch email.

I wanted to keep Intego AV around and updated as a 'just in case' and in part to support someone doing AV for OS X besides ClamXav (weak on repair). I also use Intego NetBarrier 5 and a 'hardened router firewall' that blocks and logs a lot of services, etc.

Having used Kaspersky for Windows which has very low and little impact, and does a live scan of any downloads along with http traffic, I was very disappointed in Intego's implementation (they issued an update the other day to improve performance but like I said, I gave it a try and still find it wanting).

In fact my SuperDuper clones that usually fly were down to a snail's pace, 2 hrs for what should have been under 20 minutes, and forget using TimeMachine with Intego doing active monitoring.

For your web surfing, look for hidden files in various places like home library, top level Library/Startupitems and System LaunchDaemons and LaunchAgents for one.

Consider another browser. Give Firefox 3 a try along with the extension add-on "NoScript" and then configure web sites and disable javascript except when you need to. But there are a lot of issues with good normal but unpatched SQL servers and the SQL-injection malware javascript. And that could exploit plug-ins (Flash, QT, Real, etc).

And for finding things on my Mac I now use Path Finder's search feature rather than Spotlight - quick and easy to find things hidden and in system locations.

It is good to test using your SuperDuper clones, maybe you have, not clear, but it is quick and painless and works like a charm.

Might want to keep one backup that is just Users, which is easy to do in SD! in the future. And keep (and lock away) a fresh clean system, maybe create an image that would fit on a dual layer DVD or something.

PS: Leopard Cache Cleaner - includes latest ClamXav bundled with it and has a Rootkit scanning tool (have not used it, but I do keep LCC around because it has so many features and tools which I turn to for fixes and problems, worth a look at some point). It will also help create an emergency disk.

Jul 12, 2008 7:22 PM in response to orangekay

Sorry, in a lot of ways I'm still a computer rookie, especially when it comes to Macs, so not sure what you mean by code tags. If it was an iTunes/iPod problem, I could probably do everything you need. Anyway, for what it's worth, here it is. Thanks for taking a look.

Last login: Fri Jul 11 20:55:41 on ttys000
VDSL-130-13-145-202:~ python "/Users//Desktop/Consultant's Canary.app/Contents/Resources/Scripts/cc.pyo"

KHI Consultant's Canary Report v2.7.8

Model Name.......................................... iMac G5
Model Identifier................................ PowerMac8,2
Processor Name............................ PowerPC G5 (3.1)
Processor Speed....................................... 2 GHz
Number Of CPUs............................................ 1
L2 Cache (per CPU)................................... 512 KB
Memory............................................... 512 MB
Bus Speed........................................... 667 MHz
Boot ROM Version.................................... 5.2.5f1
Serial Number...................................
System Version....................... Mac OS X 10.5.4 (9E17)
Kernel Version................................. Darwin 9.4.0
Boot Volume.................................... Macintosh HD
Boot Mode............................................ Normal
User Name..................
Time since boot................................. 2 days 9:16

---

Login Items

/System/Library/CoreServices/System Events.app
/Library/Fonts/CorsivaBold.ttf
/Applications/Mail.app
/Applications/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app
missing value
/Volumes/Camino/Camino.app
/Applications/iTunes.app

---

Overly Privileged Processes

/Library/Frameworks/HPServicesInterface.framework/Runtime/hpusbmond

---

Foreign System Augmentations


Frameworks

/Library/Frameworks
FS Name: Bundle ID:
EWSMac.framework com.eSellerate.EWSMac16777504
HPDeviceModel.framework com.hp.dmf
HPPml.framework com.hp.hpio.HPPmlFramework
HPServicesInterface.framework com.hp.hpio.HPServicesInterfaceFramework
HPSmartPrint.framework com.hp.print.HPSmartPrint
StuffIt.framework com.stuffit.sdk
StuffItSupport.framework ?

Input Managers

/Library/InputManagers
FS Name: Bundle ID:
1PasswdIM com.1passwd.InputManager

Internet/Safari Plug-Ins

/Library/Internet Plug-Ins
FS Name: Bundle ID:
Flash Player.plugin com.macromedia.Flash Player.plugin
RealPlayer Plugin.plugin com.RealNetworks.RealPlayerPlugin
Silverlight.plugin com.microsoft.SilverlightPlugin

/Users/debbieknoepfel/Library/Internet Plug-Ins
FS Name: Bundle ID:
Move MediaPlayer.plugin com.movenetworks.movemediaplayer.plugin
Unity Web Player.plugin com.unity.UnityWebPlayer

iPhoto Plug-Ins

/Applications/iPhoto.app/Contents/PlugIns
FS Name: Bundle ID:
HPPhotoExport.iPhotoExporter com.hp.imagezone.tab

Kernel Extensions

/System/Library/Extensions
FS Name: Bundle ID:
BJUSBLoad.kext jp.co.canon.bj.print.BJUSBLoad
EPSONUSBPrintClass.kext com.epson.print.kext.USBPrintClass
hp io_printerclassdriverenabler.kext com.hp.hpio.hp io_printerclassdriverenabler
LexmarkUSBMerge.kext com.lexmark.print.usbmerge

Launchd Jobs

/Library/LaunchAgents
FS Name: Bundle ID:
com.hp.launchurlagent.plist com.hp.launchurlagent

System Preferences Plug-Ins

/Users/debbieknoepfel/Library/PreferencePanes
FS Name: Bundle ID:
MenuMeters.prefPane com.ragingmenace.MenuMeters

QuickTime Plug-Ins

/Library/QuickTime
FS Name: Bundle ID:
CanonMJPEGAVI.component jp.co.canon.MJPEGAVIExporter

Screen Savers

/Library/Screen Savers
FS Name: Bundle ID:
2005 World Book.saver com.MacKiev.WBScreenSaver2005

Spotlight Metadata Importers

/Library/Spotlight
FS Name: Bundle ID:
Microsoft Entourage.mdimporter com.microsoft.entourageMDImporter
Microsoft Office.mdimporter com.microsoft.MDImporter.Office

Startup Items

/Library/StartupItems
FS Name: Bundle ID:
HP IO HP IO
HP Trap Monitor HP Trap Monitor

Dashboard Widgets

/Users/debbieknoepfel/Library/Widgets
FS Name: Bundle ID:
AlbumArt.wdgt net.liquidx.AlbumArtWidget
Amazon Art.wdgt org.netcetera.widget.albumart
Chi Pet.wdgt novisdesign.ChiPet.widget
Couch Potato.wdgt com.PatrickPatoray.CouchPotato
DashTunes.wdgt com.jonlink.DashTunes
Galacticaa.wdgt net.galacticaa.widget
Games.wdgt com.freeloader.widget.Games
iPodage.wdgt cc.chch.widget.ipodage
iStat disks.wdgt com.iSlayer.iStatDisks.widget
iStat nano.wdgt com.iStatnano.widget
iStat pro.wdgt com.iSlayer.iStatpro4.widget
MacPinball.wdgt unity.baKno.MacPinball.widget
mondo solitaire.wdgt com.gandreas.widget.mondoSolitaire
Scenario Poker.wdgt com.scenario.widget.poker
snake.wdgt com.amade.snake
To Do.wdgt com.philipefatio.widget.To Do




End of Report

Consultant's Canary Copyright © 2008 KHI Ltd. Co., LLC
Unauthorized distribution is prohibited
http://www.khiltd.com


VDSL-130-13-145-202:~

Jul 13, 2008 7:03 AM in response to StarDeb55

Thanks everyone for all of the help. I hadn't noticed until last night that this piece of junk had installed a small icon by the "time machine icon" on the desktop tool bar. When I saw that, I was able to delete it, which then allowed me to delete the .dmg installation icon from the desktop. The trash emptied of all of this stuff without a problem. Finder doesn't pull up anything with "Immunizator" in it, & the stupid warning window hasn't popped up since then.
