14 Replies Latest reply: Jun 21, 2009 3:05 PM by Barney-15E
Rawool Duke Level 1 (0 points)
I seem to be having trouble with malware. I allow(ed) my roommate to use my machine, and seem to have come down with a bit of malware - specifically a browser hijack.

The hijack redirects to pages like www.toseeka.com and www.shopica.com, but what's worse, will not let me access certain parts of google, i.e. gchat and youtube.

Can anyone help with this?

mac, it's fast
  • Klaus1 Level 8 (45,355 points)
    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.

    You can read more about how, for example, the OSX/DNSChanger Trojan works here:

    http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml

    SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:

    http://macscan.securemac.com/

    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.

    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:

    http://macscan.securemac.com/buy/

    and this can perform a complete scan of your entire hard disk. After 30 days the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
  • Rawool Duke Level 1 (0 points)
    I've tried this tool, unfortunately it doesn't solve the problem. The full scan (with upgraded definitions) reports no issues.
  • Klaus1 Level 8 (45,355 points)
    Delete all cookies as well as URLs for the sites in question, i.e. the ones you are trying to get to and the ones you are redirected to.

    Restart Safari.
  • nerowolfe Level 6 (13,070 points)
    What are your DNS?
    Check both your computer and your router.
    Find out what sites your "friend" visited and determine what malware they "offer"
    Your console logs may be useful here.

    Never never use your computer with an administrator account unless you are actually performing administration activity. Casual browsing does not fall into this category.
    Never never let anyone use your account. Always create a standard account for other users or let them use the guest account.
  • Rawool Duke Level 1 (0 points)
    Cleared all cookies in Firefox and Safari - does not seem to fix the problem.

    FYI - the browser in question is Firefox, although Safari seems to be affected as well.
  • Rawool Duke Level 1 (0 points)
    Any other suggestions?
  • nerowolfe Level 6 (13,070 points)
    Create a new user account and see if that one works properly.
  • Rawool Duke Level 1 (0 points)
    No, it doesn't work on the new user account either.

    Ideas?
  • Michael Superczynski Level 5 (7,845 points)
    No idea what you might do now other than an Archive and Install.

    But in the future, use a non-admin account for guest access.
  • Barney-15E Level 8 (38,075 points)
    Try flushing the DNS cache. In Terminal, type this command:
    dscacheutil -flushcache
    If that doesn't work, check the hosts file. In the Finder, press Cmd-Shift-G and enter /etc in the path.
    In that folder is a file called hosts. Open it with a text editor and make sure there is nothing else but:
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
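The two checks above (Barney-15E's hosts-file inspection and nerowolfe's earlier question about which DNS servers the machine is using), as an added example that is not code from the thread: a small POSIX shell script that lists every hosts entry beyond the four stock ones and every resolver that is not in the list you configured yourself. The hosts and resolv.conf samples inside it are constructed to mirror what the thread shows; the address 203.0.113.53 is a documentation-range placeholder standing in for an unexpected resolver, not a known hijack server.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the two places a DNS hijack
# shows up on Mac OS X: the hosts file and the resolver list.
# The sample files below are constructed to mirror the thread's output.

# Print every active hosts entry that is not one of the four stock entries
# Mac OS X ships in /etc/hosts. Anything printed is either a deliberate local
# override (like the activate.adobe.com line in the thread) or a redirect of a
# site you visit to an address somebody else chose.
audit_hosts() {
    awk '
        BEGIN {
            ok["127.0.0.1 localhost"] = 1
            ok["255.255.255.255 broadcasthost"] = 1
            ok["::1 localhost"] = 1
            ok["fe80::1%lo0 localhost"] = 1
        }
        /^[[:space:]]*#/ || NF == 0 { next }   # comments and blank lines
        !(($1 " " $2) in ok) { print $0 }      # anything not in the stock set
    ' "$1"
}

# Print each nameserver in a resolv.conf-style file that is not in the list of
# resolvers you configured yourself (normally just your router's address).
# Usage: unexpected_resolvers FILE EXPECTED_IP [EXPECTED_IP ...]
unexpected_resolvers() {
    file="$1"; shift
    expected=" $* "
    awk '$1 == "nameserver" { print $2 }' "$file" | while read -r ns; do
        case "$expected" in
            *" $ns "*) ;;            # one you configured
            *) echo "$ns" ;;         # one you did not
        esac
    done
}

# --- constructed samples (temporary files, removed on exit) ---
sample_hosts=$(mktemp)
sample_resolv=$(mktemp)
trap 'rm -f "$sample_hosts" "$sample_resolv"' EXIT

cat > "$sample_hosts" <<'EOF'
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
127.0.0.1 activate.adobe.com
EOF

# 203.0.113.53 is a documentation-range placeholder standing in for a
# resolver the owner never configured; it is not a known hijack server.
cat > "$sample_resolv" <<'EOF'
nameserver 192.168.1.1
nameserver 203.0.113.53
EOF

echo "== hosts entries beyond the stock four =="
audit_hosts "$sample_hosts"
echo "== resolvers not in the expected list (192.168.1.1) =="
unexpected_resolvers "$sample_resolv" 192.168.1.1
```

To run it against the live machine, call `audit_hosts /etc/hosts`, and feed `unexpected_resolvers` the resolver file (/etc/resolv.conf on Mac OS X of that era) with your router's address as the expected entry; `scutil --dns` shows the same resolver list the system is actually using. The router's own DNS setting has to be checked in its admin page, since a resolver changed there, or in the machine's network preferences, applies to every account on the Mac, which is why a fresh user account alone would not clear a redirect of this kind.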
  • Rawool Duke Level 1 (0 points)
    The flush cache did not work, however, in my hosts I also have one random entry:

    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting. Do not change this entry.
    ##
    127.0.0.1 localhost
    255.255.255.255 broadcasthost
    ::1 localhost
    fe80::1%lo0 localhost
    127.0.0.1 activate.adobe.com

    I checked the hosts earlier before I rebooted, and also noticed this activate.adobe.com. How do I remove this from hosts?
  • Rawool Duke Level 1 (0 points)
    Anybody, anybody, Bueller, Bueller...?
  • CMCSK Level 6 (10,445 points)
    Archive and install didn't work either?
  • Barney-15E Level 8 (38,075 points)
    You can use a text editor to edit the file; however, as it is a system file, you need a text editor that can authenticate as an admin user. There are other ways to move the file, edit it, and then move it back.

    However, I just use Bare Bones' TextWrangler. It's free and will let you Unlock the file for editing.

    Regardless, that line just redirects the Adobe activation site back to your computer, thus causing it to fail to connect to the server. It is not the cause of your problems.