noellle

Q: Finder shows strange letter and number strings, programs "quit unexpectedly"

A couple of things have been happening. My finder, on right click, shows strange strings of letters and numbers in place of the words that used to be there. For instance, "Open in" now says "N152." (see link: http://www.insanelymac.com/forum/lofiversion/index.php/t85009.html)

 

Also, some programs are saying they "quit unexpectedly" when I try to launch them. Excel and My profile reminder for my eye1display2 are the two I have seen do this so far.

 

Do you have any ideas about what happened and how to fix it?

 

I have a Macbook Pro, Mac OS X 10.6.8.

 

Thank you so much!

Kristen

MacBook Pro, Mac OS X (10.6.8)

Posted on Sep 27, 2011 10:05 PM


first Previous Page 5 of 13 last Next
  • by noellle, Oct 6, 2011 11:01 PM in response to MadMacs0

    Oh and do you think I need to do anything else, due to the backdoor?

  • by MadMacs0, Oct 6, 2011 11:10 PM in response to noellle

    noellle wrote:

     

    Is that garbage? Shall I trash it?

     

    Do I need to change my passwords again, now that I've found this file, do you suppose?

    Yes, go ahead and trash it. I'm sure it means something to them, but not to me. I've asked another user to post his to see how it compares.

     

    Since it's just a text file that means it can't actively do anything, so if you've changed your password since you trashed the others I'm sure you are OK.

     

    According to the Intego article they only collected information about your computer, not about you or your passwords, but it never hurts to do easy things like that.

  • by MadMacs0, Oct 6, 2011 11:17 PM in response to noellle

    noellle wrote:

     

    I just tried to scan my CrashPlan Backup drive with ClamXav, but it couldn't do it - finishes in seconds and says it found nothing. I'm assuming that, since it's a clone of all of my drives, basically, that when it purges my father's email files that I just deleted, everything will be a-okay with it, right?

    Backup volumes are another special case for AV software, just like email. They have an index that keeps track of what's where and if you delete something without its knowledge you could lose it all. With Time Machine you can get TM to delete files for you, but I'm not aware of any way to do that with CrashPlan. I use both. My daughter and I CrashPlan backup to each other over the internet and I use TM for a local backup along with a periodic SuperDuper! clone. All the advice I've read says not to use AV software on backups. My understanding of CrashPlan is that those files will be deleted the next time it updates.

  • by noellle, Oct 6, 2011 11:27 PM in response to MadMacs0

    Ok. Thanks!

     

     

    MadMacs0 wrote:


    You probably did the right thing. You must always download FlashPlayer directly from http://get.adobe.com/FlashPlayer, but it sounds like they may now have an extension for Firefox 7 instead of the usual Plug-In. Since I'm running a much older OS X than you are, I think I'd better defer to other users who have been through this already.

     

     

     

    Were you referring to how to find out how I should install the newest FlashPlayer for Firefox?

     

    Are all of my problems solved now, as far as the trojan, etc. are concerned?

  • by noellle, Oct 6, 2011 11:28 PM in response to noellle

    or is the backdoor still an issue?

  • by MadMacs0, Oct 6, 2011 11:48 PM in response to noellle

    noellle wrote:

     

    I'm not sure if I should post this here or on the Intego site link you gave me, since you know all that has been happening with my machine and what I have done about it.

     

    Here is a concern, based on what "Louie," "Intego," and "Steve Joblard" posted on that link.

     

    ...

     

    Intego said that they have found several variants and it might change over time.

    Will ClamXav do what Intego will do? I don't really want to have to buy something but will if I have to...or do I need to do something else? - Like Louie starting from scratch?

    There is a lot of paranoid advice being given around the net every time something new comes out. One user who came from a PC background always recommends to people who are infected with a new piece of malware that they unplug from the internet, totally erase their drive, install the OS, plug back into the internet and install all updates then start over with your applications and data. I wouldn't be surprised if that's not the best answer for PC users, but I still don't believe the Mac has progressed to that point.

     

    As far as the backdoor is concerned, Intego did tell us it was there, but since there have been no reports of that site coming back to life and nobody has been reporting anything new since then that they haven't gotten to that point yet. I think they were just trying to build up their network of infected Macs, which they now have a record of, and planned to move to the next phase once the heat is off. The anomalies that you observed may mean they went back to the drawing board to work on v1.1.

     

    As far as several variants are concerned, I have observed the same thing. Apple found a total of eight different signatures and none of them matched the one that Linc Davis, Thomas Reed and I obtained. But the only thing they changed was the "signature" of the installer, but I believe that the files installed were all the same.  When I uploaded the one I had, none of the 43 AV scanners on that site identified the file.  So they have apparently found a way to stay ahead of the AV folks who write signatures.

     

    That reminds me of one more thing you should do. The name of the downloaded installer was probably "FlashPlayer-11-macos.pkg" and would have been placed in your download folder. It reportedly destroys itself when finished with the installation, so it should not be there, but take a look just in case.

     

    Oh, and thanks for the points. I'm not really trying to collect them, but appreciate the thought.

  • by MadMacs0, Oct 6, 2011 11:54 PM in response to noellle

    noellle wrote:

     

    Ok. Thanks!

     

     

    MadMacs0 wrote:


    You probably did the right thing. You must always download FlashPlayer directly from http://get.adobe.com/FlashPlayer

    Were you referring to how to find out how I should install the newest FlashPlayer for Firefox?

    Yes, as far as I know you should be able to get all your updates for FlashPlayer at that site. If Firefox has something else going, I'll defer to somebody else to answer that question as I cannot.

    Are all of my problems solved now, as far as the trojan, etc. are concerned?

     

    or is the backdoor still an issue?

    Looks like I was answering that when you wrote this.

  • by noellle, Oct 7, 2011 8:12 AM in response to MadMacs0

    That was all very helpful! Thank you!

     

    I don't really know what the points are for but figured if someone else was searching for an answer to the same problem I had, they would want to know what the answer was, and that would help them find it.

     

    I remembered one more thing:

     

    It said something like asking me if I wanted to install this program - Flashplayer, which was found in my extensions folder.

    Should I delete the file in my extensions folder? Was that part of the trojan thing?

  • by trickmonkey, Oct 7, 2011 8:24 AM in response to Linc Davis

    I'm new to this discussion, but in serious need of assistance. It's clear my machine is infected with this malware. I have the same strange numbers replacing certain functions in contextual menus and applications not opening. I ran ClamXav, but it found nothing. I'm now trying to delete the files mentioned above, but cannot find them all. I can't open Terminal to copy/paste Linc's code for the .MacOSX file, and when I went to the folder via 'Go To Folder' as suggested, it was empty. There was no environment.plist.

     

    Also, I have been unable to find the 'Library/Preferences/Preferences.dylib' file or the swlog file (though, I did find the softwareupdate file that was mentioned).

     

    Any help would be much appreciated! I've moved the files I did find to the trash, but I don't want to proceed without getting everything.
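
Added example, not part of any post in this thread: a read-only shell check for the files the posters name (Preferences.dylib, .MacOSX/environment.plist, FlashPlayer-11-macos.pkg). Their locations under the home directory and the function name are assumptions, and the check for DYLD_INSERT_LIBRARIES, the dyld variable that makes every launched program load an extra library, goes beyond what the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): read-only check of one home directory.
# Assumed locations: the thread gives file names, not full paths.

check_flashback_artifacts() {
    fb_home=$1

    # Files the posters name; finding either is worth a closer look.
    for fb_rel in \
        "Library/Preferences/Preferences.dylib" \
        "Downloads/FlashPlayer-11-macos.pkg"
    do
        if [ -e "$fb_home/$fb_rel" ]; then
            echo "FOUND $fb_rel"
        fi
    done

    # environment.plist sets variables for every app in the login session.
    fb_plist="$fb_home/.MacOSX/environment.plist"
    if [ ! -f "$fb_plist" ]; then
        return 0
    fi
    if ! grep -q "DYLD_INSERT_LIBRARIES" "$fb_plist"; then
        echo "REVIEW .MacOSX/environment.plist (no library injection set)"
        return 0
    fi
    echo "FOUND .MacOSX/environment.plist sets DYLD_INSERT_LIBRARIES"

    # Pull the library path out of an XML plist (binary plists need plutil).
    fb_lib=$(sed -n '/DYLD_INSERT_LIBRARIES/,/<\/string>/s|.*<string>\(.*\)</string>.*|\1|p' \
        "$fb_plist" | head -n 1)

    # dyld aborts a launch when an inserted library cannot be loaded, so a
    # plist left behind after the library is trashed stops apps from opening.
    if [ -n "$fb_lib" ] && [ ! -e "$fb_lib" ]; then
        echo "ORPHAN plist names missing library: $fb_lib"
    fi
    return 0
}

# Usage: sh check.sh [home-directory]; prints nothing when nothing is found.
check_flashback_artifacts "${1:-$HOME}"
```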

  • by trickmonkey, Oct 7, 2011 10:12 AM in response to trickmonkey

    Desperate for help with this, if anyone can offer assistance.

  • by trickmonkey, Oct 7, 2011 10:47 AM in response to trickmonkey

    Could I possibly erase my drive and re-install from Time Machine (from a backup date that predates the infection)?

  • by trickmonkey, Oct 7, 2011 10:55 AM in response to trickmonkey

    I've tried, at the suggestion of others, to download and run MacScan and VirusBarrierX6, but my machine cannot even mount the installers, apparently due to this malware. Help!

  • by trickmonkey, Oct 7, 2011 1:25 PM in response to trickmonkey

    Anyone?

  • by noellle, Oct 7, 2011 1:29 PM in response to trickmonkey

    @trickmonkey: I am no expert on this by any means. I really know nothing but what others have told me and what I have experienced.

     

    When I couldn't open Terminal (or any application, for that matter), I temporarily moved back the files that I had moved to the trash. (Right click on the files in the trash and choose "put back" or whatever it's called.)

     

    I don't know why you can't find the preferences.dylib file. I know that I couldn't find all the files, and it wasn't a big deal. Yet, from my understanding, the .dylib one is pretty key. I may be wrong.

     

    I don't think you need to erase and start over, because MadMacs0 didn't think that step was usually necessary with a Mac:

     

    MadMacs0 wrote:

     

    There is a lot of paranoid advice being given around the net every time something new comes out. One user who came from a PC background always recommends to people who are infected with a new piece of malware that they unplug from the internet, totally erase their drive, install the OS, plug back into the internet and install all updates then start over with your applications and data. I wouldn't be surprised if that's not the best answer for PC users, but I still don't believe the Mac has progressed to that point.

     

     

     

    Also from my understanding, the Virus detection programs can't find it cause the part they would recognize erases right after installation.

     

    I'm sure someone else can help you. Also, MadMacs0 gave me a link to this site. Maybe someone there knows the answer or has written it in the comments already: I'll get the link in a moment.

  • by noellle, Oct 7, 2011 1:31 PM in response to noellle

    Link to the Flashback trojan discussion on the Intego site:

     

    MadMacs0 wrote:

     

    Flashback Trojan Spreading; Mac Users Should Be Wary of Flash Installers
