12 Replies Latest reply: Apr 17, 2009 8:10 PM by R C-R
ParagJ_11 Level 1 (60 points)
Hi,

Bit worried right now. Two things that I observed today.

1. When I opened apple.com, I had an advertisement banner on top of it. First I thought the Apple website was hacked, then realized Apple is fine... darn, it's my system that has been compromised...
Opened Safari and still the same. Then I downloaded MacScan and it said all clear. Restarted and it went.

2. My Mac just blinked, as if a screenshot was taken, much like the way we take a screenshot on an iPhone by pressing the home and sleep buttons.

Do I have a virus or malware, a key logger, a screenshot logger? I dunno what else it could be. How do I find out whether my system is secure?

Thanks, Pj

iMac, Macbook, iPhone, iTouch, Mac OS X (10.5.5)
  • Kappy Level 10 (252,820 points)
    There is no known malware affecting Macs at this time, with the exception of two trojans. However, for these to affect your system you would have to download files and install the software included in the download. Unless you deliberately did something like this, then your system is fine.
  • Michael Prior Level 1 (5 points)
    Hi Kappy

    I received an e-mail today claiming that there was a serious virus affecting Macs. It describes a Mac OSX Botnet, aka Mac Bot or iBotnet, that has infiltrated thousands of Macs; however, when you click on "purchase anti virus" at the bottom it takes you to the 'PC Tools' web site and suggests anti virus software for the Mac at $29.95. I'm assuming this is just a sales ploy, what do you think?

    Best, Michael
  • iBod Level 7 (29,340 points)
    a serious virus affecting Macs, it describes a Mac OSX Botnet aka Mac Bot or iBotnet that has infiltrated thousands of Macs

    That's half true. There have been reports of a small botnet made up of Macs, but it hasn't caused the spread of a virus. According to the reports it's from hacked versions of iLife/iWork that people installed on their machines after downloading pirated versions.
  • Michael Prior Level 1 (5 points)
    Thanks iBod, very interesting.

    Best, Michael
  • ParagJ_11 Level 1 (60 points)
    I surely do hope that what you guys are mentioning is true, that there is no virus.
    MacScan didn't report anything to me, so I would assume that some plugin was installed on my Safari and of course I didn't know about it...

    How do I remove all plugins installed in Safari?
  • Kappy Level 10 (252,820 points)
    See the following as relevant:

    *First Mac-based botnet becomes active*

    The first known botnet to exploit Mac OS X has been activated, security researchers claim. The network is believed to have been put in place by iServices, a Trojan infection accompanying some pirated versions of iWork '09 and Photoshop CS4. Although downloaded at least 20,000 times by the end of January, the Trojan's payload has remained dormant for some time, in the same manner as many Windows botnets.

    Symptoms of the active iServices botnet may begin with excessive CPU usage on a Mac, the result of a PHP script instigating denial-of-service attacks on websites. Many anti-virus programs have been updated to block iServices, however, and it may also be possible to halt the Trojan's operations by deleting the "System/Library/StartupItems/DivX" and/or "System/Library/StartupItems/iWorkServices" folders. Some security companies, such as SecureMac, are offering removal tools specifically targeted at iServices.

    In spite of the potential number of infected computers, the danger from the current botnet is expected to be minimal, both as a result of security measures and the limited vectors of infection. Symantec researchers warn, though, that the code in iServices is designed to be extremely flexible, and as such modified versions may appear in upcoming months.
  • iBod Level 7 (29,340 points)
    Try running ClamXav (http://www.clamxav.com) as well to see if that finds anything.

    Have you installed anything 'naughty' recently? If you haven't then it's highly unlikely to be caused by malware. If you have, then it could well be.

    The most common malware updates the DNS settings in your network preferences to direct you to alternative sites rather than the one you requested. Check your settings to see if there are any numbers listed there, and post them here if there are so we can check whether they're legit or the result of a malware installation.
  • ParagJ_11 Level 1 (60 points)
    DNS just says the default router one; in my case 10.1.1.0. Also, trying out ClamXav right now.
    Yes, I did install Hotspot Shield on my Mac; I didn't know it was naughty. It had a few awards...
  • R C-R Level 6 (15,930 points)
    ParagJ_11 wrote:
    How do I remove all plugins installed in Safari?


    First, see if there are any suspicious ones, since some are very useful. (In particular, you probably want to keep the QuickTime plug-in.) You can list all plugins easily from within Safari: just select "Installed Plug-ins" from its Help menu.

    The plug-ins themselves are located in /Library/Internet Plug-Ins & in ~/Library/Internet Plug-Ins (the root level Library folder & the Library folders in home folders).

    I suggest that you do not remove any of them until you verify which are safe and desirable, or if you must go it alone, move the suspected ones to a desktop folder to deactivate them & see if anything changes.
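    The two checks suggested in this thread (Kappy's quoted article names the StartupItems folders tied to iServices; R C-R points at the two Internet Plug-Ins folders) can be combined into a small triage script. This is an added example, not code from the thread or from any vendor; the directory paths are passed as parameters so it can be pointed at a mounted volume or a test directory, and only the two folder names quoted above are treated as known indicators.

```shell
#!/bin/sh
# Triage helper (added example, not from the thread): report StartupItems
# entries, flagging the two folder names the quoted article ties to the
# iServices trojan, and list Internet Plug-Ins with their modification
# times so a recently added plug-in stands out. Nothing is deleted.

# Folder names from the quoted article (the only indicators used here).
KNOWN_BAD_STARTUP_ITEMS="DivX iWorkServices"

# Print one line per entry in a StartupItems directory:
# "FLAGGED <name>" when it matches a known indicator, else "OK <name>".
check_startup_items() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir"; return 0; }
    for entry in "$dir"/*; do
        [ -e "$entry" ] || continue        # empty dir: the glob stays literal
        name=$(basename "$entry")
        status="OK"
        for bad in $KNOWN_BAD_STARTUP_ITEMS; do
            [ "$name" = "$bad" ] && status="FLAGGED"
        done
        echo "$status $name"
    done
}

# Number of flagged entries in a StartupItems directory (0 when clean).
count_flagged() {
    check_startup_items "$1" | grep -c '^FLAGGED ' || true
}

# List plug-in bundles in the given directories, newest first.
list_plugins() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        echo "== $dir"
        ls -lt "$dir"
    done
}

# Live run on a Mac, using the paths named in the thread.
if [ "${1:-}" = "--run" ]; then
    check_startup_items /System/Library/StartupItems
    check_startup_items /Library/StartupItems
    list_plugins "/Library/Internet Plug-Ins" "$HOME/Library/Internet Plug-Ins"
fi
```

    A "FLAGGED" line only means the folder name matches the article's indicator; confirm what is inside before acting on it, as the thread itself advises.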
  • ParagJ_11 Level 1 (60 points)
    The only unknown I have is nsIQTScriptablePlugin.xpt

    Not sure what this does, any clues? Is this safe?
  • ParagJ_11 Level 1 (60 points)
    System/Library/StartupItems/ seems to be empty for me.
  • R C-R Level 6 (15,930 points)
    The only thing I can find on the nsIQTScriptablePlugin plug-in that isn't related to Windows suggests it is a Mozilla Firefox Component, & therefore should be safe. (It probably won't even interact with Safari.)

    If you have any questions about its safety, temporarily move it to a desktop folder & see if there is any difference in the Mac's behavior.