Spyware/malware/keylogger? HELP!!!

Hi. I was looking for free dialup service as a backup. I came across a link in a forum I frequent, and went to the site. Registration was just username and password. I registered, but was suspicious.

So I ran a search and came across complaints that the site (Metconnect.com) was infiltrated by hackers, and they'd installed "urchin.js" trackers. Out of curiosity, I did a find on my computer (my Pismo laptop) and found two instances of this "urchin.js," which apparently comes with Google Analytics? But what was really suspicious was their location: both were found in a folder where I keep copies of credit reports and my financial information, titled "Credit Reports/Money."

I immediately deleted them both, disconnected from the internet and started a spyware/keylogger check that comes with Internet Cleanup/Net Blockade, which I keep running at all times and use the feature which lets me know when anyone tries to connect to my computer (like Little Snitch). I also have my firewall settings turned up to the max/stealth.

However, I am still freaking out and wondering just what information these folks might already have grabbed in those few minutes. The spyware check takes a few hours and isn't close to finished.

Does anyone have any experience with this, and know what I might be up against?

Thanks so much!!

Pismo G4 550; Pismo G3 500; Mac 700; iMac DV500 Graphite; dead iBook SE Graphite, Mac OS X (10.4.11), iPhone 3G; Nano 4G/8GB; Nano 1G/2GB; Shuffle 1G/512MB; Airport Express

Posted on Sep 28, 2009 12:37 PM

38 replies

Sep 28, 2009 1:25 PM in response to LaurieNY

Hi,
Google Analytics gathers statistics about website visits and the urchin.js is related. I found this:
http://answers.yahoo.com/question/index?qid=20071104122712AAAbKwi

But I, too, don't like it being in those folders. Don't know what that means and don't understand why those files ended up anywhere on your computer.

Google Analytics is something I always block with the NoScript addon--indispensable these days--on Firefox. I wouldn't use anything else as my main browser, since none have this kind of protection.
http://noscript.net/

Little Snitch checks for outgoing connections. You can also scan for malware with the demo version of Macscan. 30 days free.
http://macscan.securemac.com/

Maybe someone else will have something more to say.

Sep 28, 2009 1:35 PM in response to LaurieNY

Have a look at this.
> How this works: Google Analytics downloads a small javascript urchin.js (Google Analytics Urchin Module) on the client's computer which reports all the tracking and analyzing data about the visitor back to Google.
> By adding the above line, we have effectively blocked our browser from downloading the urchin.js file.

http://labnol.blogspot.com/2005/11/prevent-google-analytics-from-tracking.html

That sounds like a cookie, but that's not what you ended up with, as it downloaded in a folder.

But, as mentioned, Firefox with NoScript will keep this crap out, along with a lot of other stuff.

Now I don't know WTH to do, like if the tracker copied and sent back all information that was in that folder.


Doesn't seem likely, but maybe someone else can help out on this.

Sep 28, 2009 1:43 PM in response to WZZZ

Yeah, and what a folder it decided to download itself to... TWICE. Convenient, huh? Thanks for the input. Still waiting for spyware etc. scan to finish, but of course that won't help if the damage is already done. I suppose I should freeze my credit reports. Geez, pdfs of my tax returns are also in that folder, investment account information, electronic copies of paystubs and credit card statements... holy crap.

Sep 28, 2009 3:08 PM in response to BDAqua

Thanks BD,

Laurie, I just checked three internet ratings sites for metconnect.com and nothing bad shows up. Check for yourself.

http://www.mywot.com/

http://www.siteadvisor.com/

https://safeweb.norton.com/

I don't know what to say. Maybe metconnect.com was hacked. I don't understand how a hack like this would have worked. Were there any ads on the site? The ads could have been hacked. This is becoming more and more a malware vector. Did the site have any Flash? Another malware vector. You could try contacting metconnect to ask them what they know. Look it up on whois.

http://whois.org/

If no one can say what might have happened here, there are a few knowledgeable security people who hang out in the Safari forum. You might try asking over there, whether or not you were running Safari. (What I would say is this exploit, if it really is one, and I doubt it, isn't very subtle. You found it right away. Data theft, I would think, would be much less conspicuous. Leads me to think it wasn't really an exploit. Maybe something else happened.)

http://discussions.apple.com/forum.jspa?forumID=876

Another idea: ask over at the NoScript forum. Even if you're not using NoScript, Giorgio, the developer, is very helpful and extremely knowledgeable on this subject.

http://forums.informaction.com/viewforum.php?f=7&sid=ef0

Message was edited by: WZZZ
