Q: Finder shows strange letter and number strings, programs "quit unexpectedly"

I was actually just going to tell you that the Finder menu has returned to normal. I guess I deleted that file after all. But I'll still check for any sign of the trojan and post it here if I find anything. Thanks for the help!

I've decided to do a complete wipe and restore from time machine, does anyone know if you can find the infected files in TM so you don't accidentally upload them again

Danish26 wrote:

 

I've decided to do a complete wipe and restore from time machine, does anyone know if you can find the infected files in TM so you don't accidentally upload them again

Yes, but why would you do that? The whole idea behind wipe and restore is because we aren't certain that those are the only files that are involved, so you need to go back to a date before you were infected.

Hi,

Thanks for posting this problem so I know I wasn't alone. Just called tec support and he told me to create a new account and transfer files over via an external hard drive and back up files using Time Machine. The words are all back instead of numbers. YAY!

TheBrickGuy wrote:

 

I was actually just going to tell you that the Finder menu has returned to normal. I guess I deleted that file after all. But I'll still check for any sign of the trojan and post it here if I find anything.

Hoping that no news is good news, I'll wrap things up with a couple of loose ends.

To turn hidden files back off:

Open the terminal (found in /Applications/Utilities/)

Type the following (without quotation marks) to show hidden files: “defaults write com.apple.finder AppleShowAllFiles -bool false”

Hit enter

Type the following (without quotation marks) to restart the Finder: “killall Finder”

Hit enter

Since the Trojan was probably able to harvest some of your UserName / Password pairs, you should go to all the sites you visited and change passwords, expecially Google and any financially related pages. And if you use the same password for multiple sites, change those, as well.

Let me know if you are still experiencing Google re-directs as you may also have another Trojan.

And if you want to get ClamXav going, visit the ClamXav Forum for help with that.

killerquail wrote:

 

Hi,

 

Thanks for posting this problem so I know I wasn't alone. Just called tec support and he told me to create a new account and transfer files over via an external hard drive and back up files using Time Machine. The words are all back instead of numbers. YAY!

Yes, but the Trojan installs several hidden files into your home directory, so if you use your current TimeMachine you'll be restoring at least some of these files again. As I just mentioned to Danish26 you will need to go back to a date prior to your infections.

killerquail wrote:

 

Hi,

 

transfer files over via an external hard drive and back up files using Time Machine.

Something else I don't quite understand is how you would use TM with the new account as that will simply restore files to your old account. Even if you were able to locate a file on TM from your old account, most of them are only links, not real files, making it difficult to even use the Finder to try and copy them over. Sounds like a lot of work.

MadMacs0 wrote:

 

Something else I don't quite understand is how you would use TM with the new account as that will simply restore files to your old account. Even if you were able to locate a file on TM from your old account, most of them are only links, not real files, making it difficult to even use the Finder to try and copy them over. Sounds like a lot of work.

Yes I agree. Too much work.

BTW, Intego just discovered the source of infections:

it seems to be distributed from Wordpress infected blogs.

The threat evolves again and no tips given here are correct to detect the new variant: no more .so files or environment.plist.

The good news is that MacDefender aka FlashBack asks for the admin password now!

http://blog.intego.com/new-flashback-variant-changes-tack-to-infect-macs/

Philip Barrier wrote:

 

BTW, Intego just discovered the source of infections:

it seems to be distributed from Wordpress infected blogs.

 

The threat evolves again and no tips given here are correct to detect the new variant: no more .so files or environment.plist.

 

The good news is that MacDefender aka FlashBack asks for the admin password now!

 

http://blog.intego.com/new-flashback-variant-changes-tack-to-infect-macs/

I looked there last night just before posting to this and a couple of other threads as there seemed to be some new symptoms poping up with a couple of users, but it wasn't there at that time.

Well, at least a couple of these recent folks did have the environment.plist and .so files, so they still had the old one. Also, Intego didn't say those two files weren't there in the article, they only talk about the two new ones. I'm not comfortable assuming that the previous five files have now been replaced by only two. I think we have more to learn about this one.

The other thing I find surprising about the article is that they say the MacDefender folks are behind this. I thought those folks were in jail. Probably by coinsidence last week the thought crossed my mind that this attack had a lot of similarities to the MacDefender evolution.

Phillip, I should have read through this much more thoroughly.  I did EXACTLY what I shouldn't have.  I

deleted the .so file in /Users/Shared before having removed the environment.plist file.

How do I boot on a install DVD, and use the Terminal Application in the Installer Menu to remove the bad files?

Thanks in advance.

Jean90013 wrote:

 

I deleted the .so file in /Users/Shared before having removed the environment.plist file.

 

How do I boot on a install DVD, and use the Terminal Application in the Installer Menu to remove the bad files?

Try this first:

Boot in single user mode by holding down the 's' key when you start your mac. (http://support.apple.com/kb/HT1492)

After a while, you get a terminal prompt and type:

mount -uw /

rm /Users/*/.MacOSX/environment.plist

reboot

Your Mac would be ok after that, providing you're going to delete all the remaining virus files.

MadMac,

Thank you so much for your advice.  We are all very lucky to have you on the boards.

Sadly, I can't book up in single user mode, or safety or anything other than from the disk.  My life has been all about the blue screen...

Jean90013 wrote:

 

MadMac,

 

Sadly, I can't book up in single user mode, or safety or anything other than from the disk.

I don't understand your not being able to boot into single user mode as my understanding is that it doesn't initially involve the hard drive in any way and others who have tried this were successful. About all I can suggest is to try...

Resetting PRAM and NVRAM

1. Shut down the computer.
2. Locate the following keys on the keyboard: Command, Option, P, and R. You will need to hold these keys down simultaneously in step 4.
3. Turn on the computer.
4. Press and hold the Command-Option-P-R keys. You must press this key combination before the gray screen appears.
5. Hold the keys down until the computer restarts and you hear the startup sound for the second time.
6. Release the keys.

then attempt single user mode with Command-S. Looking back I see the instructions I copied didn't tell you to hold the Command key down along with 's', so maybe that's the only problem.

If none of that works, are you able to see view the "environment.plist" file in the hidden folder on your Hard Drive at /Users/<yourusername>/.MacOSX/? If you can, drag it to the trash and empty. If not, I'll have to do some homework to figure out how to make it visible or point the Terminal app at it from your installation disk.

Hello All,

I have these strange numbers in my finder as well - I tried looking for the Trojan using the terminal and go to folder method but nothing was uncovered.  In Terminal it said ".MacOSX/environment does not exist" and go to folder option doesnt give me any message except for A14.1 on the bottom left of that little pop up.

thanks for any help

R

richieberetta wrote:

 

Hello All,

 

I have these strange numbers in my finder as well - I tried looking for the Trojan using the terminal and go to folder method but nothing was uncovered.

This is a very old thread and most probably won't solve your problem.

You haven't posted any information to your profile yet, so we don't know what OS you are running.  If it's 10.6.8 or Lion, then use Software Update to update your Java (and anything else you find) which should eliminate the problem.

If you are able to update to at least 10.6.8 you should do so as soon as possible and run all the updates. It's available for free to MobileMe users at http://www.me.com/snow-leopard

If you must continue to use Tiger or Leopard then try this tool from F-Secure http://www.f-secure.com/weblog/archives/00002346.html.