Finder shows strange letter and number strings, programs "quit unexpectedly"

Your dad was correct; there are no Mac viruses. A virus is a specific kind of malware, and a trojan is not a virus.

Semantics aside, however, whatever the form of malware, you do need to keep your wits about you on the web and download only from trusted sites.

@ sig No I gave the advice to make a clean install, which is finally not wrong, although I did not know to read well the error logs. But you may correct me, instead of giving advices, so that we learn all from your wisdom.

@ Linc Davis Thank you for this deep insight and the serious words. One thing I am wondering: which was the hint to the trojan in the posted error log? Please enlighten me and the forum. I am eager to learn.

marek

My Dad told me there were no Mac viruses.

Strictly speaking, he's right, but the advice was somewhat misleading. A virus, in the strict sense, is malware that spreads without human intervention. For example, all you do is visit a website, and you're infected. That sort of thing happens to Windows users, but not to Mac users -- so far. A trojan horse is malware that the user is duped into installing voluntarily. That's what happened to you. Mac trojans used to be very rare, but they're becoming less so, and there will be more of them in the future. The only real defense is safe computing practices. Don't rely on software to protect you.

I have two external drives for files and an external drive for backing up via Crash Plan. Is that going to make things worse?

Make sure you disinfect your backups.

One thing I am wondering: which was the hint to the trojan in the posted error log?

The dynamic shared library that the trojan injects into running processes.

Linc Davis wrote:

Regrettably, you installed the "Flashback" trojan.

Download the ClamXav anti-malware application and run it. It should find the trojan and remove it. If not, you'll need to remove at least the following files from your home folder, then log out and log back in:

1. .MacOSX/environment.plist
2. Library/LaunchAgents/com.apple.SystemUI.plist
3. Library/Preferences/perflib
4. Library/Preferences/Preferences.dylib
5. Library/Logs/swlog

Unfortunately ClamXav will only detect the installer which destroys itself after installation of the above files. Since there is evidence that the bad guys are changing the signature of the installer, perhaps for every download, there is a strong possibility that it won't even detect the installer. Same goes for Apple's XProtect system.

I believe, the only way I know of to see if your infected is to check for the presence of these files and, as you suggested, remove all of them during the same session or risk not being able to log back into the account.

Linc, if you still have these files can you upload them all to VirusTotal and clamav? As I recall the log file was blank, so you would only need to upload the first four. Be sure and use the keyword "macos" on the clamav site.

noellle wrote:

I will look for those files and log out and log back in.

If you find the files, move them all into a folder on your desktop first in case I need you to upload them to a couple of AV Sample databases so that the AV community can code up signatures for them. I'm hoping Linc will take care of that, but just in case he no longer has them.

noellle wrote:

Ok - so if they are just on my desktop, they are not dangerous?

That's correct, but you should reboot and log back in to deactivate them after they have been moved.

Unfortunately ClamXav will only detect the installer which destroys itself after installation of the above files.

That's news to me.

Linc, if you still have these files can you upload them...

I'm afraid I don't, but I downloaded the installer from a link posted on Mailinator which I think you also had. All I did was run it, under controlled conditions, of course.

As I recall the log file was blank, so you would only need to upload the first four.

The log file wasn't empty, but the contents were variable.

Ok - so if they are just on my desktop, they are not dangerous?

To be clear, moving the files to the Desktop does not inactivate the trojan. You must move or delete the files and then log out.

Since you have to do this manually, you should know that one of the items you need to delete is invisible in the Finder. Launch the Terminal application, copy or drag -- do not type -- the line below into the window, and press return:

rm -r .MacOSX

You can then quit Terminal.

Hi All,

I had this same issue and had started another thread on it a few days ago. I just did as Linc suggested and now the issue no longer exists. I've moved the files to my desktop. Be forewarned, when I logged back in after removing the files, my screen went blank which made my heart skip a beat. I had to restart and then everything was just like always except those wierd numbers were finally gone. I have the files to upload to AV and will be glad to be rid of them. Thanks!

noellle wrote:

Ok - so if they are just on my desktop, they are not dangerous?

You can trash the files, another user has uploaded them for us. Hope that takes care of all your issues.

Linc Davis wrote:

Unfortunately ClamXav will only detect the installer which destroys itself after installation of the above files.

That's news to me.

News that it only detects the installer or that it destroys itself. Did your's not disappear?

I'm afraid I don't, but I downloaded the installer from a link posted on Mailinator which I think you also had.

Yes, I posted the link, but it would not let me download the file, possibly because I'm running Leopard on a PPC.