Q: Finder shows strange letter and number strings, programs "quit unexpectedly"

Thank you for your replies, noellle. I will try moving the files back, as you said, but how can you be sure your machine isn't still infected at some level, and that it can't be accessed by someone on the outside?

I figured erasing and starting fresh would be the only way to be sure.

Also, I'm concerned about this .dylib file and why I can't locate it. On the Intego site people said if the .dylib file wasn't there then you weren't infected, but there's no question that my machine is f'd up by this malware right now.

I put the trashed files back, but it did no good.

I think nuking it is the only thing left to do.

Linc or MadMacs0, if you guys have any suggestions I am desperate for some.

I've scoured the net for more answer to no avail. The only real information I've come across is in this thread. I clearly have been infected by this malware, yet the file that everyone says is a clear indicator (Preferences.dylib) is nowhere to be found.

If anyone can offer any help at all I'm very much in need of it.

Thank you.

trickmonkey wrote:

 

I can't open Terminal to copy/paste Linc's code for the .MacOSX file, and when I went to the folder via 'Go To Folder' as suggested, it was empty. There was no environment.plist.

 

Also, I have been unable to find the 'Library/Preferences/Preferences.dylib' file or the swlog file (though, I did find the softwareupdate file that was mentioned).

The only things I can think of is that you either have a new version of this thing which has placed the functionality of those files elsewhere or the installer didn't finish it's task for whatever reason.

Have you checked your downloads folder for a FlashPlayer installer of some sort?

The other clue would be if you can figure out when all this happened? If you recall seeing any of the art work displayed at the Intego site and were prompted to download and install a flash update, was it a couple of weeks ago or something that just happened?  That's important if you decide you want to restore from Time Machine. You should be able to find the exact time you installed it by going back through the install logs that Console can display.

One user who did failed to remove the environment.plist was unable to log back into his account. Fortunately he had another admin account established from which he was able to find and delete it. Otherwise I think he would have lost everything.  I'm hesitant to tell you to trash what you have as it could have similar results.

I'll read through your other questions in a bit and get back to you.

Hi MadMacs0,

Thanks much for your reply. I'm not sure when I got the phony installer pop-up. Maybe last week or early this week? I know I saw the first symptom (the weird N152 in place of 'Open With') yesterday. Or maybe the day before. It's all starting to blur.

trickmonkey wrote:

I'm not sure when I got the phony installer pop-up. Maybe last week or early this week? I know I saw the first symptom (the weird N152 in place of 'Open With') yesterday. Or maybe the day before. It's all starting to blur.

I take it you able to open applications again. If so, open up the Console app in /Applications/Utilities/ and there should be a list of files on the left. If not use the "Show Log List" button, the under "LOG FILES" find /var/log/ (if you don't see these click on the small disclosure triangle so it points down) and scroll down to the first install.log. There's a box in the upper right corner of the window above the words "Filter" that has gray "String Matching" Try entering "flashplayer" without the quotes and see if it tells you when you installed it and what it was called. The one I have is "FlashPlayer-11-macos.pkg".

noellle wrote:

 

My business website, www.kristenbuchmann.com has been hacked or something....

 

I changed my password with my hosting company's web panel. I also have a web panel password for two other parts of my site (a wordpress blog hosted on my site and also a flash site with a separate web panel,) but they have urls that are part of my site, so I am nervous to click through to change them. What should I do ???

First I would start a new thread with a more appropriate title which will attract folks who know more about this than I do.

Do you think this is related or just bad timing?

 

Do you know how I can get Google to relist me as safe???! Very bad for business.

I don't really see how it could be related, unless that's where you picked up the Trojan.

This site has some tips on what to do and how to contact them. I think someone is going to have to scan the code on your pages and remove whatever is causing it.

I think I may have to take a look at your site once you get it fixed. Looks quite elegant.

OK, I clicked on Lifestyle Portraits, I think, and was redirected to macosxsoftwareupdate.org-slash-flashplugin-slash-7f-slash- (I used -slash- for / so that people won't be tempted to click on it) which is the site I've been watching. As I said yesterday, that address has been removed from the DNS database, so it doesn't work, but you still need to clean that redirect off of your site in order to get Google to take you off the blacklist and if that site ever goes active...well you know what happens next.