Have I been hacked?
Dear All
Am a little in shock as I think someone has been in my laptop. Yesterday (Sat) afternoon I decided I would look for any live coverage of the Sri Lanka vs England game at Lords. With a simple Google search ('cricket sri lanka test live') I found www.webcric.com which had some poor quality, but OK live video, apparently coming from a channel 4 (there was a '4' logo in the corner of the screen, but Channel 4 UK were not covering the game, as far as I know). However, when I first followed the link from Google, a window popped up asking if I wanted to download 'MacKeeper', with a 'Yes or Cancel' dialog, which I perhaps stupidly clicked on (I clicked 'Cancel'). Nothing obviously untoward happened and I was taken to the webcric site where I watched a few minutes of cricket before the tea break and then, I think, paused/stopped it and went off to do something else for a while. I subsequently came back and visited a couple of other sites later in the evening and then left the computer sleeping overnight.
This morning I woke the computer and checked email. I then decided I needed to find a site I had seen yesterday and so, unusually, opened up the History in Safari and found 10 pages which I do not remember visiting (beginning 'guideforamsterdam.com' in ). These appear in sequence directly after my visit to webcric and the MacKeeper link, and before the next site I visited (Facebook, for my sins). Interestingly, there are also two other obscure links either side of the webcric link, which also have unusual formats ('bit.ly/fQSWvl' and 'd3.zedo.com/jsc etc.'). I have not followed these latter two links, but all of the other unexpected links, which are listed as having 'no title', take you to the guideforamsterdam.com site, except for the final one ('www.chill.net/search etc') which takes me to my account on Amazon where a search for 'club red hat' appears to have been done?!
Needless to say, this is very unnerving. I have checked with the rest of my household and no-one admits to using my computer. More to the point, I have a passworded screen saver that kicks in quite quickly, so I doubt this is the nefarious activity of my kids!
So I am uncertain what to do next. I have turned my Airport off for the time being, but obviously I will have to turn it on again to send this email and clearly I need the internet. So, in addition to warning you all about such sites, I am hoping I can get some advice. What is the most effective thing for me to do, particularly to get rid of the possibility that I now have a program on board that may be able to monitor my activities (record password keystrokes for example)? Thoughts I had are:
1) I assume that simply changing the password either on my laptop, or on my home network, will essentially be ineffective. If indeed a program has been downloaded, it's here and already on the wrong side of my passwords and firewalls (there is, by the way, no obvious signs of downloads in the Safari Download window, but I don't suppose that means much).
2) On the other hand, I could do something radical, like create a new user for myself and transfer across my essential docs and delete the rest. But that may not be enough.
3) Spend some money and get my Sophos anti-virus software up to date. But will that find whatever it is that's doing this?
4) Most radical, wipe the hard disk and do a restore from Time Machine (last back up two days ago; my applications are not included in the backup).
5) I am being completely neurotic?
Any help/advice gratefully received. In the meantime I'm going be working offline and not accessing my bank!!
Andy
Macbook, Mac OS X (10.5.6)
