Finder shows strange letter and number strings, programs "quit unexpectedly"

I've decided to do a complete wipe and restore from time machine, does anyone know if you can find the infected files in TM so you don't accidentally upload them again

Danish26 wrote:

I've decided to do a complete wipe and restore from time machine, does anyone know if you can find the infected files in TM so you don't accidentally upload them again

Yes, but why would you do that? The whole idea behind wipe and restore is because we aren't certain that those are the only files that are involved, so you need to go back to a date before you were infected.

Hi,

Thanks for posting this problem so I know I wasn't alone. Just called tec support and he told me to create a new account and transfer files over via an external hard drive and back up files using Time Machine. The words are all back instead of numbers. YAY!

TheBrickGuy wrote:

I was actually just going to tell you that the Finder menu has returned to normal. I guess I deleted that file after all. But I'll still check for any sign of the trojan and post it here if I find anything.

Hoping that no news is good news, I'll wrap things up with a couple of loose ends.

To turn hidden files back off:

Open the terminal (found in /Applications/Utilities/)

Type the following (without quotation marks) to show hidden files: “defaults write com.apple.finder AppleShowAllFiles -bool false”

Hit enter

Type the following (without quotation marks) to restart the Finder: “killall Finder”

Hit enter

Since the Trojan was probably able to harvest some of your UserName / Password pairs, you should go to all the sites you visited and change passwords, expecially Google and any financially related pages. And if you use the same password for multiple sites, change those, as well.

Let me know if you are still experiencing Google re-directs as you may also have another Trojan.

And if you want to get ClamXav going, visit the ClamXav Forum for help with that.

killerquail wrote:

Hi,

Thanks for posting this problem so I know I wasn't alone. Just called tec support and he told me to create a new account and transfer files over via an external hard drive and back up files using Time Machine. The words are all back instead of numbers. YAY!

Yes, but the Trojan installs several hidden files into your home directory, so if you use your current TimeMachine you'll be restoring at least some of these files again. As I just mentioned to Danish26 you will need to go back to a date prior to your infections.

killerquail wrote:

Hi,

transfer files over via an external hard drive and back up files using Time Machine.

Something else I don't quite understand is how you would use TM with the new account as that will simply restore files to your old account. Even if you were able to locate a file on TM from your old account, most of them are only links, not real files, making it difficult to even use the Finder to try and copy them over. Sounds like a lot of work.

MadMacs0 wrote:

Something else I don't quite understand is how you would use TM with the new account as that will simply restore files to your old account. Even if you were able to locate a file on TM from your old account, most of them are only links, not real files, making it difficult to even use the Finder to try and copy them over. Sounds like a lot of work.

Yes I agree. Too much work.

BTW, Intego just discovered the source of infections:

it seems to be distributed from Wordpress infected blogs.

The threat evolves again and no tips given here are correct to detect the new variant: no more .so files or environment.plist.

The good news is that MacDefender aka FlashBack asks for the admin password now!

http://blog.intego.com/new-flashback-variant-changes-tack-to-infect-macs/

Philip Barrier wrote:

BTW, Intego just discovered the source of infections:

it seems to be distributed from Wordpress infected blogs.

The threat evolves again and no tips given here are correct to detect the new variant: no more .so files or environment.plist.

The good news is that MacDefender aka FlashBack asks for the admin password now!

http://blog.intego.com/new-flashback-variant-changes-tack-to-infect-macs/

I looked there last night just before posting to this and a couple of other threads as there seemed to be some new symptoms poping up with a couple of users, but it wasn't there at that time.

Well, at least a couple of these recent folks did have the environment.plist and .so files, so they still had the old one. Also, Intego didn't say those two files weren't there in the article, they only talk about the two new ones. I'm not comfortable assuming that the previous five files have now been replaced by only two. I think we have more to learn about this one.

The other thing I find surprising about the article is that they say the MacDefender folks are behind this. I thought those folks were in jail. Probably by coinsidence last week the thought crossed my mind that this attack had a lot of similarities to the MacDefender evolution.

Phillip, I should have read through this much more thoroughly. I did EXACTLY what I shouldn't have. I

deleted the .so file in /Users/Shared before having removed the environment.plist file.

How do I boot on a install DVD, and use the Terminal Application in the Installer Menu to remove the bad files?

Thanks in advance.

Jean90013 wrote:

I deleted the .so file in /Users/Shared before having removed the environment.plist file.

How do I boot on a install DVD, and use the Terminal Application in the Installer Menu to remove the bad files?

Try this first:

Boot in single user mode by holding down the 's' key when you start your mac. (http://support.apple.com/kb/HT1492)

After a while, you get a terminal prompt and type:

mount -uw /

rm /Users/*/.MacOSX/environment.plist

reboot

Your Mac would be ok after that, providing you're going to delete all the remaining virus files.

MadMac,

Thank you so much for your advice. We are all very lucky to have you on the boards.

Sadly, I can't book up in single user mode, or safety or anything other than from the disk. My life has been all about the blue screen...

Jean90013 wrote:

MadMac,

Sadly, I can't book up in single user mode, or safety or anything other than from the disk.

I don't understand your not being able to boot into single user mode as my understanding is that it doesn't initially involve the hard drive in any way and others who have tried this were successful. About all I can suggest is to try...

Resetting PRAM and NVRAM

1. Shut down the computer.
2. Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
3. Turn on the computer.
4. Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
5. Hold the keys down until the computer restarts and you hear the startup sound for the second time.
6. Release the keys.

then attempt single user mode with Command-S. Looking back I see the instructions I copied didn't tell you to hold the Command key down along with 's', so maybe that's the only problem.

If none of that works, are you able to see view the "environment.plist" file in the hidden folder on your Hard Drive at /Users/<yourusername>/.MacOSX/? If you can, drag it to the trash and empty. If not, I'll have to do some homework to figure out how to make it visible or point the Terminal app at it from your installation disk.

Hello All,

I have these strange numbers in my finder as well - I tried looking for the Trojan using the terminal and go to folder method but nothing was uncovered. In Terminal it said ".MacOSX/environment does not exist" and go to folder option doesnt give me any message except for A14.1 on the bottom left of that little pop up.

thanks for any help

R

richieberetta wrote:

Hello All,

I have these strange numbers in my finder as well - I tried looking for the Trojan using the terminal and go to folder method but nothing was uncovered.

This is a very old thread and most probably won't solve your problem.

You haven't posted any information to your profile yet, so we don't know what OS you are running. If it's 10.6.8 or Lion, then use Software Update to update your Java (and anything else you find) which should eliminate the problem.

If you are able to update to at least 10.6.8 you should do so as soon as possible and run all the updates. It's available for free to MobileMe users at http://www.me.com/snow-leopard

If you must continue to use Tiger or Leopard then try this tool from F-Secure http://www.f-secure.com/weblog/archives/00002346.html.

Hey again MadMacs0,

First I'd like to thank you for the replies I see that you have done your share of helping - that's really amazing!

Any sorry I didn't realize I was being so vague. I'll give you a little update:

I was running a version of Snow Leopard that was earlier thatn 10.6.8. I rarely update - now I'm realizing that not updating is a foolish move. Anyway - I did install flash update a while ago but that was when I was prompted while on youtube.com - I can't recall if that was when I started seeing strange characters in my finder menu when I would right click a file - I only took notice of it a couple of days ago. (sidenote: that would be the only time I'd see the characters - it substituted the "Open With" one other menu option I can't recal - only when right clickingl. Also, I never experienced any fake google redirects or crashes - but I don't use Safari as my main browser.)

After reading this whole thread last night I did the search using terminal and Go to Folder as I described in my previous post without finding any trace of the Trojan. After writing the post I did a system update I am now running 10.6.8. and all my software is current. The strange characters don't show up anymore and I ran that F-Secure script just now and it said that there was no malware found.

It seems as if the problem is sorted but if possible I would like your expert opinion as to if I'm really safe or not. I have changed all my pw's and erased Firefox and Chrome and re-installed them. I may be a little paranoid but my mother (who uses a PC) just got hit up with an $800 fraudulant charge a week ago so I'm trying to stay safe.

All the best and thank you for the help!

R