
Finder shows strange letter and number strings, programs "quit unexpectedly"

A couple of things have been happening. My finder, on right click, shows strange strings of letters and numbers in place of the words that used to be there. For instance, "Open in" now says "N152." (see link: http://www.insanelymac.com/forum/lofiversion/index.php/t85009.html)


Also, some programs are saying they "quit unexpectedly" when I try to launch them. Excel and My profile reminder for my eye1display2 are the two I have seen do this so far.


Do you have any ideas about what happened and how to fix it?


I have a Macbook Pro, Mac OS X 10.6.8.


Thank you so much!

Kristen

MacBook Pro, Mac OS X (10.6.8)

Posted on Sep 27, 2011 10:05 PM

185 replies

Oct 5, 2011 7:13 PM in response to noellle

noellle wrote:


Ok, so ClamXav finished scanning my computer only, and it did find some phishing things and a worm. They might be from the folder of my Dad's old username, though, which is still there in a strange way from when he gave me his computer and then I got a new one....I doubt that's significant, but it's worth a mention.

The one caution I wanted to mention here is to not move any files that are email. That will likely cause corruption of the mailbox index which could then result in loss of some or all additional emails. Also, if these are IMAP accounts or POP accounts where you have chosen to leave messages on the server, the infected emails will remain on the server and be downloaded to your computer again the next time you check email. So make sure you don't select both "Check e-mail for phishing and malware" in Preferences->General and either move to Trash or to Quarantine in either Preferences->Quarantine or Preferences->Sentry.


Depending on the email client used, email is either contained in one huge database file (e.g. Microsoft Entourage) or individual files that usually are labeled <number>.eml or <number>.emlx (e.g. Apple Mail). The following instructions apply only to the latter individual files.


- Right-click/control-click on the file name and select "Reveal In Finder".

- When the window opens, double click on the email file to open it in the email client.

- Read the email and if you agree that it's malware, use the email client's delete button to move it to the trash folder and then empty the trash.

- If you believe this was a false alarm and want to keep the message, make note of its number so that you can ignore it on subsequent scans.

- If it's a g-mail account, then you will also have to use your browser and web mail to permanently delete the message as they don't honor your client's requests to do so.


If you use a "huge file" email client then come to the ClamXav Forum for a more complicated method of dealing with infected files.

Oct 5, 2011 7:36 PM in response to MadMacs0

Hmmmm....well, I did one of the mistakes you said not to. I had it check the email but didn't have the move to trash or quarantine checked during the scan.


YET, it told me it was my job to decide what to do with them, so I moved them to a folder called "quarantined files." Unfortunately, I don't know how to tell where their original locations were.


That said, I check my email using a web browser. I don't believe I have ever set up imail or whatever.


The thing is, like I said, I used to use my dad's mac under his username - long story, and since it crashed completely, the move to my new mac trying to create a new username for myself wasn't a clean move.


The files may have been from my dad's account....Unless it knows how to read my email files that I read and use via Safari or Firefox??


Please let me know what you think I should do. Thanks!!

Oct 5, 2011 9:11 PM in response to noellle

Sorry, I got way behind in my real job today.

noellle wrote:


it told me it was my job to decide what to do with them, so I moved them to a folder called "quarantined files." Unfortunately, I don't know how to tell where their original locations were.

That info is all in the "Scan Log" but depending on how many files we are talking about that could be an endless task. After the log is open you only need to select "Find->Find" from the "Edit" menu or Command-F. Enter "FOUND" in all caps and uncheck the box "Ignore Case". But let's not do that now as it sounds like it may not be necessary.

That said, I check my email using a web browser. I don't believe I have ever set up imail or whatever.

Then your email may just be appearing in a browser cache file which means you already read and perhaps acted on it. I guess what I'm asking is what are these files called?

The thing is, like I said, I used to use my dad's mac under his username - long story, and since it crashed completely, the move to my new mac trying to create a new username for myself wasn't a clean move.


The files may have been from my dad's account....Unless it knows how to read my email files that I read and use via Safari or Firefox??

For the most part ClamXav can only read files in your account and common files such as Applications, Library and most System files. So if he still has a separate user account from yours on your computer then it won't scan it without logging into his account and running it from there.
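A way to do the "Scan Log" search described above without reading the whole log by hand, as an added example that is not part of this thread or of ClamXav itself: it assumes the log uses the clamscan line format `<path>: <signature> FOUND` (ClamXav's scanning engine), and the log lines, paths and signature names below are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of a scan log; paths and signature names are made up
# for illustration and are not from the thread. Assumption: each detection
# is logged as "<path>: <signature> FOUND" and clean files as "<path>: OK".
SAMPLE_LOG = """\
/Users/kristen/Documents/Dad/Mail/Mailboxes/INBOX.mbox/Messages/25195.emlx: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/kristen/Documents/Dad/Mail/Mailboxes/INBOX.mbox/Messages/25310.emlx: Worm.Mytob-1 FOUND
/Users/kristen/Documents/Dad/Mail/Mailboxes/INBOX.mbox/Incoming_Mail: Heuristics.Phishing.Email.SpoofedDomain FOUND
/Users/kristen/Documents/report.doc: OK
/Users/kristen/Library/Caches/Firefox/Cache/4F2A1BC0d01: Worm.Mytob-1 FOUND
"""

# Case-sensitive on purpose: this is the "FOUND in all caps, Ignore Case unchecked" search.
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")

# Mailbox containers that cannot be cleaned one message at a time (the
# "huge database file" case the post warns about).
DATABASE_STYLE = {"Incoming_Mail", "mbox"}


def parse_found_lines(log_text):
    """Return (original_path, signature) for every FOUND line; OK lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def locate_quarantined(quarantined_names, log_text):
    """Map each file name sitting in the 'quarantined files' folder back to the
    original location(s) and signature(s) recorded for it in the scan log."""
    by_name = {}
    for path, sig in parse_found_lines(log_text):
        by_name.setdefault(PurePosixPath(path).name, []).append((path, sig))
    return {name: by_name.get(name, []) for name in quarantined_names}


def classify(path):
    """Which of the post's handling rules applies to a detected file."""
    name = PurePosixPath(path).name
    if name.endswith((".eml", ".emlx")):
        return "individual message: open in the mail client, delete it, empty the trash"
    if name in DATABASE_STYLE:
        return "mailbox database: do not move it; see the ClamXav forum"
    return "other file: review before deleting"


if __name__ == "__main__":
    for name, hits in locate_quarantined(["25195.emlx", "Incoming_Mail", "unknown.emlx"], SAMPLE_LOG).items():
        print(name, "->", [(p, s, classify(p)) for p, s in hits] or "not in scan log")
```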

Oct 5, 2011 10:30 PM in response to MadMacs0

Sorry, I got way behind in my real job today.

Oh gosh - I'm sorry it took so much time to help me! I really appreciate it and hope you get caught up in your real job.


Then your email may just be appearing in a browser cache file which means you already read and perhaps acted on it. I guess what I'm asking is what are these files called?

Here is a screen shot of the file and their names as they appear in the "quarantined files" folder in the finder. As you can see, there are not very many:


User uploaded file


For the most part ClamXav can only read files in your account and common files such as Applications, Library and most System files. So if he still has a separate user account from yours on your computer then it won't scan it without logging into his account and running it from there.



Hmmm...It was July 2010 when my dad's old computer crashed and I bought this one. I do have a folder labeled with his name on my hard drive. I think the folder on my drive labeled with his name is essentially just a copy of the old computer's contents and not a real username. Yet, when I tried copying the recovered files from the old computer to this new one, I might have dragged and dropped some of his things into my username space, if that makes sense.

Oct 6, 2011 12:11 AM in response to MadMacs0

I just thought I would mention this: I usually use Safari, but I just opened up Firefox, and it had the same popup window that may be related to the virus????


It said something like asking me if I wanted to install this program - Flashplayer, which was found in my extensions folder. The creator is not verified, and it warns me not to open anything from someone I don't trust.


I clicked "cancel" and hope that didn't start anything bad. The next time I opened Firefox, there was no popup.


Here is the complete filepath:


file:///Users/kristen/Library/Application%20Support/Firefox/Profiles/57ianzuc.default/extensions/adobeflashplayerforfirefox@gmail.com.xpi

Oct 6, 2011 1:44 AM in response to noellle

noellle wrote:

Then your email may just be appearing in a browser cache file which means you already read and perhaps acted on it. I guess what I'm asking is what are these files called?

Here is a screen shot of the file and their names as they appear in the "quarantined files" folder in the finder. As you can see, there are not very many:

Well, I think it's safe to say that none of those are from your browser cache so that must mean that these are all from your dad's old computer. The ones that end in .emlx appear to be from Apple Mail, so you should be able to read them.


The Incoming_Mail and mbox look suspiciously like those large database files. A look at how big they are should tell you. Since you probably don't have the application that can read those I know of no way to remove the infected messages.


No clue as to what 25195 is.

Hmmm...It was July 2010 when my dad's old computer crashed and I bought this one. I do have a folder labeled with his name on my hard drive. I think the folder on my drive labeled with his name is essentially just a copy of the old computer's contents and not a real username. Yet, when I tried copying the recovered files from the old computer to this new one, I might have dragged and dropped some of his things into my username space, if that makes sense.

So I take it you didn't use Migration Assistant to move his account over, just dragged some of his files into a folder on your hard drive. So that means you have probably scanned all his files.

Oct 6, 2011 2:02 AM in response to noellle

noellle wrote:


I just thought I would mention this: I usually use Safari, but I just opened up Firefox, and it had the same popup window that may be related to the virus????


It said something like asking me if I wanted to install this program - Flashplayer, which was found in my extensions folder. The creator is not verified, and it warns me not to open anything from someone I don't trust.


I clicked "cancel" and hope that didn't start anything bad. The next time I opened Firefox, there was no popup.


Here is the complete filepath:


file:///Users/kristen/Library/Application%20Support/Firefox/Profiles/57ianzuc.default/extensions/adobeflashplayerforfirefox@gmail.com.xpi

Did it look like the same error message and popup that was shown in the link I gave you to the Intego site?


You probably did the right thing. You must always download FlashPlayer directly from http://get.adobe.com/FlashPlayer, but it sounds like they may now have an extension for FireFox 7 instead of the usual Plug-In. Since I'm running a much older OS X than you are, I think I'd better defer to other users who have been through this already.

Oct 6, 2011 8:07 AM in response to MadMacs0

Sorry, I have typed this three times and keep hitting a button that deletes everything. I have kids screaming in the background, so I have to go fast. I will keep it simple and not quote you. Hope that isn't confusing.


Can I double click on the files to open them - is it safe? they are all dated 06-08, probably before I used the mac.


the two unix files are 1.8 and 10.1 MB


shall I trash them or will that ruin apple mail for me if I ever want to use it? (you said there's no way to remove the infected files)


Right - I couldn't use Migration Assistant, since the old computer was dead. I just dragged only certain files that someone suggested over. I probably moved the mail files but just don't remember. I think I saved the folder with his name on it cause I didn't drag certain things over, perhaps the mail files and calendar files, for instance, and thought if things weren't working correctly, I at least had the old files to try to fix things. This is just a guess. It has been so long.


Sorry - I can't find the link to the "Intego" site you mentioned. Would you please remind me? I only see a link to the ClamXav forums, which I hadn't visited cause I didn't know if I had to (and still am not sure)


Do you mean I should post a different post about the flash player for those who have been through this already? Or do you know where those threads are?


THank you!!!!!

Oct 6, 2011 9:27 AM in response to noellle

noellle wrote:


Can I double click on the files to open them - is it safe? they are all dated 06-08, probably before I used the mac.

There is no known email malware that can infect a Mac simply by opening it. Now clicking on a link or an attachment within an email is a different story, but reading it is not a problem unless you act on something you see there. I can only guess that these are simple phishing attempts since you didn't list the infection, so they are probably all simply junk mail.

the two unix files are 1.8 and 10.1 MB


shall I trash them or will that ruin apple mail for me if I ever want to use it? (you said there's no way to remove the infected files)

None of your father's email will have any effect on you now or in the future, so you can safely drag them to the trash. The only danger I can imagine is if these are your emails and you have somehow created an account in your Mail application, which you said you did not.

Sorry - I can't find the link to the "Intego" site you mentioned. Would you please remind me? I only see a link to the ClamXav forums, which I hadn't visited cause I didn't know if I had to (and still am not sure)

Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers

Do you mean I should post a different post about the flash player for those who have been through this already? Or do you know where those threads are?

I was just hoping that somebody who is following this thread had upgraded FireFox to FlashPlayer 11 already and would be able to advise you. It was only released a couple of days ago. If nobody else comes forward then a new thread or search through the forums might be in order.

Oct 6, 2011 2:08 PM in response to MadMacs0

Okay, as I was finding the email files again to try to open or trash them, ClamXav finished scanning my first external drive, which had a backup of my father's old user folder, and showed what look like the same files, along with a filepath that shows they were his. So our assumptions are correct, and I will trash them. I also tried opening up Apple Mail just in case, and it asks me to set up an account, showing I do not have one.


I followed the link you gave to the Intego site. I am not sure if mine is the same. I think that the first stage may have happened several weeks ago?? I'm not sure. I do know that maybe a couple of weeks ago, when I opened Firefox (which opened with saved opened windows - not sure what those were,) something told me I needed to update my Flash player. I don't remember what that alert looked like, but I thought it was just from the Firefox page when it showed that Firefox had been updated to the newest version. I really don't remember. I do remember that, when it led me to a site to download the latest version of Flash player, it looked like the normal site I recognized, so I didn't think anything of it.


After I downloaded that, I remember that it soon after (maybe the next time I launched Firefox,) had a popup (quite plain in color - not like the ones shown on the Intego site). It said the thing about having a file in my extensions folder or whatever. It popped up every time I launched Firefox, and I think I would just close it. I might have chosen the "yes" option the first time, though. I don't remember.


One thing that was very helpful on the Intego site was this: one person said of the thread on apple discussions that lists the five files I was supposed to delete that he didn't have the "swlog" file but did have "softwareupdate." Same with ME!! Should I delete that one too?? (Library/Logs/softwareupdate)


Thanks!

Oct 6, 2011 2:13 PM in response to MadMacs0

I just tried to scan my CrashPlan Backup drive with ClamXav, but it couldn't do it - finishes in seconds and says it found nothing. I'm assuming that, since it's a clone of all of my drives, basically, that when it purges my father's email files that I just deleted, everything will be a-okay with it, right?


THanks!

Oct 6, 2011 2:24 PM in response to MadMacs0

I'm not sure if I should post this here or on the Intego site link you gave me, since you know all that has been happening with my machine and what I have done about it.


Here is a concern, based on what "Louie, "Intego," and "Steve Joblard" posted on that link.


Louie said:



There is a list of files that this trojan installs listed in this post on Mac discussions: https://discussions.apple.com/...


Instead of the last one listed "swlog" I found one named "softwareupdate" so either there are some variants out there or the name is changed while it is running.


While removing these files will remove the initial infection it does not guarantee that this trojan has not embedded itself in other ways. Even after removing the files I was still seeing strange behavior with my Finder, flashing and resetting windows. Also it was strange behavior in Finder that led me to a search and to discover I had been infected in the first place. All the contextual menus in Finder started showing up with unreadable labels for example.


My intuition leads me to believe that this thing gets quickly buried into your system in ways that are not yet understood. For that reason I am in the middle of a complete install on to a clean hard drive. A real PITA but the safest way to make sure that I am really removing this beast.


-louie





In reply to that, Steve Joblard said:


That's a command and control backdoor. The hacker may have installed other malware on your mac before you removed the files. Installing the backdoor gives total control of your mac. VirusBarrier AntiSpyware feature is able to block such unknown connections from your mac to the hacker server. No firewall is efficient in that case, as the originator of the connection is your mac, not a distant evil hacker.


Intego said that they have found several variants and it might change over time.

Will ClamXav do what Intego will do? I don't really want to have to buy something but will if I have to...or do I need to do something else? - Like Louie starting from scratch?

Oct 6, 2011 4:13 PM in response to noellle

noellle wrote:


I followed the link you gave to the Intego site. I am not sure if mine is the same. I think that the first stage may have happened several weeks ago??

Yes, that was about the time of the attack. It only lasted a day or two. I check every day to see if it's active and although it appears that the server was cleaned and made ready for a new owner it is not currently in use by anybody. The url has been removed from the system so it appears that the bad guys have either taken a break and are plotting their next move having accomplished their objective (whatever that was) or hopefully all their computers were confiscated when police arrested them.

One thing that was very helpful on the Intego site was this: one person said of the thread on apple discussions that lists the five files I was supposed to delete that he didn't have the "swlog" file but did have "softwareupdate." Same with ME!! Should I delete that one too?? (Library/Logs/softwareupdate)

Yes, I remember that coming up at the time. I think there is pretty solid evidence now that the name gets changed during installation. I would like to know what it currently says. Please open it up with Console, which is in /Applications/Utilities/ or with TextEdit. If it's text then copy and paste it here. If it's garbage then Trash it.

Oct 6, 2011 11:00 PM in response to MadMacs0

I hope the police arrested them! Too bad that's not public knowledge.


I opened up the softwareupdate file with text edit, and this is what it said:


532d72a480a9d4f3c6e14fe6f960759356d73f2a


Is that garbage? Shall I trash it?


Do I need to change my passwords again, now that I've found this file, do you suppose?


Thank you again!
