Level 6

19,695 points

Yikes, it looks like I may have a Trojan

In the middle of reading a story on my local newspaper's website last night, all of a sudden I get what appears to be a virus scan running under the name of Immunizator. I couldn't get it stopped. The only thing I could do was an "emergency" shutdown, restart & shut down were blocked by the darn thing. It was so late I really didn't want to deal with it, so I thought I would try this afternoon.

After doing a "google" for "immunizator", it does look like it's some type of Mac OsX Trojan. I have gone through, sending the app to the trash, & all of the .dmg junk. When I tried to empty the "trash", this stuff has the "empty" option blocked, so I did a "force empty" with Leopard Cache Cleaner which appeared to work. "Appeared" is the key word. When I use "finder" to look up the key word, "immunizator", the **** thing still opens up on my system. I'm now totally confused, lost, whatever as to what I need to do to get rid of this, ONCE & FOR ALL! Help is greatly appreciated.

iMac G5 2.0, Mac OS X (10.5.4), 160GB iPod Classic, 2G iPod shuffle, iTunes 7.7

Posted on Jul 11, 2008 8:13 PM

37 replies

REECO

Level 1

10 points

Jul 13, 2008 8:04 AM in response to StarDeb55

I cannot find a thread/topic to place this with at this time. I just received an e-mail from supposedly Apple. The subject line was: "IMPORTANT : Billing Problem 9th july. It has a no response back line and the following message:
We were unable to process your most recent payment. Did you recently change your bank, phone number or credit card?
To ensure that your service is not interrupted, please update your billing information today by clicking here , After a few clicks, just verify the information you entered is correct 9th july 2008."
The e-mail is using the Apple logo and the blue world backdrop.

I have contacted Apple's customer service with no help given. They suggested I come on this forum to get an answer. They could not even tell me the date my account was renewed. I found that on an old invoice I had saved.
My account is current and is not due for many months.
Looks like a scam - just wanted Apple to beware and let its customers be on the alert.

ali brown

Level 7

26,493 points

Jul 13, 2008 8:06 AM in response to StarDeb55

Cool Deb!

Did you ever figure out how you picked up the critter?

Thanks for the

too!

ali b

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 8:07 AM in response to REECO

.mac is now MobileMe, it would be more appropriate for you to post in the following forum, rather than post in a thread that has no relation to your issue. Thanks!

http://discussions.apple.com/category.jspa?categoryID=116

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 8:14 AM in response to ali brown

I'm reasonably certain it happened when I was reading a couple of stories on my local newspaper's website on Thurs. evening. I'm making an educated guess that the link to one of the stories must have had the thing imbedded in it & when I clicked on the link, BOOM! A window popped up that looked like a virus scan was running, & I, absolutely, good not get it stopped, nor could I get the system to shut down. I had to just do a power down of my whole system, & the rest, shall we say is "history". I did e-mail the newspaper last night, told them what happened, & I wouldn't be using their website, again, plus I intended to tell all of my friends.

MGW

Level 7

27,047 points

Jul 13, 2008 8:36 AM in response to StarDeb55

Deb, I had the same (almost) thing happen to me yesterday when I was on VersionTracker. A window popped up that said something like "Vista Virus Checker". I couldn't close it, it kept saying that it had found two viruses and to click on repair. It also proceeded to download several .exe files, which of course, I trashed immediately. The only way I could get rid of it was to close the VT page. There were also several pop-unders, but they were blank, no text. I have checked my system, and luckily can find no traces of it, but I did inform VT.

The funny thing is that I don't have Windows, have never loaded it on this machine, and in fact don't even have a partition for it, this is a pure Mac OS computer.

orangekay

Level 5

4,085 points

Jul 13, 2008 8:38 AM in response to StarDeb55

Glad you got it sorted out. In looking at the report, I do have to ask if there's any particular reason why you have a font setup as a login item.

ali brown

Level 7

26,493 points

Jul 13, 2008 9:04 AM in response to StarDeb55

Deb,

Another iMunizator Topic.

ali b

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 10:44 AM in response to ali brown

Saw that one last night, read it about 4 times, trying to sort my own problem out.

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 10:46 AM in response to MGW

I have a pre-Intel machine. When I switched from the darkside & the Intel machines came out, I'm thinking why on God's green earth would I want to put Windows on a Mac when I wanted nothing to do with Bill & Co. ever again.

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 10:47 AM in response to orangekay

To give the short answer, I have no idea.

orangekay

Level 5

4,085 points

Jul 13, 2008 10:56 AM in response to StarDeb55

Given that and the bogus entry in there, you may want to consider simply deleting ~/Library/Preferences/com.apple.loginitems.plist and adding back the things you actually want. It may not be causing you any problems right now, but it looks like that file may be suffering from some degree of corruption.

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 11:04 AM in response to orangekay

When I look at the contents of this, it looks like it only has to do with my HP printer, so do I really want to delete it?

orangekay

Level 5

4,085 points

Jul 13, 2008 11:27 AM in response to StarDeb55

It holds everything you see in System Preferences > Accounts > (Your Account) > Login Items, which according to your machine would be:

/System/Library/CoreServices/System Events.app
/Library/Fonts/CorsivaBold.ttf
/Applications/Mail.app
/Applications/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft AU Daemon.app
*missing value*
/Volumes/Camino/Camino.app
/Applications/iTunes.app

If you're seeing something about your printer in there then that may be the *missing value* that should not exist. If deleting worries you then you can just move it to the desktop, log out and log back in.

StarDeb55 Author

Level 6

19,695 points

Jul 13, 2008 2:26 PM in response to orangekay

I'm sorry to be so dense, but when I open this us the ONLY thing I see are references to my printer, nothing else. There are no references to any of the other startup items.

orangekay

Level 5

4,085 points

Jul 13, 2008 2:35 PM in response to StarDeb55

What exactly are you opening it with and are you positive you've got the right file? Its contents should not be human readable.

Note that "~" in a path refers to your personal home folder.

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.

Yikes, it looks like I may have a Trojan