Q: Finder shows strange letter and number strings, programs "quit unexpectedly"

Hi MadMacs0,

Thanks for writing. I can open things now, but only in my 2nd user account. I cannot open anything that wasn't already running in the infected account. I will open Console and look for the install info you described and report back. My question is, will it show me installs from my other account, or just the account I'm in? I haven't used this account for a long time.

Okay, well this is very odd, indeed. I was going to install MacScan on my 2nd user account (at the suggestion of an Apple Genius friend), but was having trouble because I couldn't recall the password for that account. So, I decided to boot from the install disk and create a new password.

Well, booting from disk didn't work (hold down the 'C' key on startup, right?) and it booted to my main user account. The difference is all symptoms seem to have vanished. There are no stage numbers or symbols in contextual menus as there were before, and I am able to open and run applications. What the ****?

I am really confused. I'm going, however, to look in Console now and see what I see, as you suggested.

Okay, I found this in Console. Looks like the package you mentioned. Yet, I've no Preferences.dylib file and no symptoms after startup.

Sep 24 11:20:13 Macintosh-8 Installer[7317]: Opened from: /Users/me/Desktop/FlashPlayer-11-macos.pkg

Sep 24 11:20:50 Macintosh-8 Installer[7317]:           Install: "FlashPlayer"

Sep 24 11:20:50 Macintosh-8 Installer[7317]:                     FlashPlayer-11-macos.pkg#flashplayer.pkg : com.adobe.update.fp.flashPlayer.FlashPlayer.pkg : 12.0

Sep 24 11:20:51 Macintosh-8 Installer[7317]: -[IFDInstallController(Private) _buildInstallPlan]: file://localhost/Users/me/Desktop/FlashPlayer-11-macos.pkg#flashplayer.pkg

Sep 24 11:20:51 Macintosh-8 installd[7327]: PackageKit: packages=(\n    "PKLeopardPackage <file://localhost/Users/me/Desktop/FlashPlayer-11-macos.pkg#flashplayer.pkg>"\n )

Sep 24 11:20:52 Macintosh-8 installd[7327]: PackageKit: Extracting file://localhost/Users/me/Desktop/FlashPlayer-11-macos.pkg#flashplayer.pkg (destination=/var/folders/G3/G3EBFtrmEj8c6HLNVxk4J++++TI/Cleanup At Startup/PKInstallSandbox-tmp/Root/tmp/AdobeUpdate, uid=501)

Sep 24 11:20:52 Macintosh-8 installd[7327]: PackageKit: Executing script "./preinstall" in /private/tmp/PKInstallSandbox.9Y9BkW/Scripts/com.adobe.update.fp.flashPlayer.Fl ashPlayer.pkg.gRRM98

Sep 24 11:20:54 Macintosh-8 installd[7327]: ./preinstall: rm: /tmp/PKInstallSandbox.9Y9BkW/Scripts/com.adobe.update.fp.flashPlayer.FlashPlaye r.pkg.gRRM98/preinstall/: Not a directory

Not quite sure how to proceed. Everything still appears back to normal since my re-boot, but it's clear from the install.log file that I installed this thing on September 24. Should I wipe the drive and start fresh?

trickmonkey wrote:

 

Okay, I found this in Console. Looks like the package you mentioned. Yet, I've no Preferences.dylib file and no symptoms after startup.

 

Sep 24 11:20:13 Macintosh-8 Installer[7317]: Opened from: /Users/me/Desktop/FlashPlayer-11-macos.pkg

So the good news is that we know when it was installed, but they managed to conceal all the details of what was installed where. It just reports putting everyting in a temp directory, then it must have run a script to move everything to it's final location, etc. I was hoping to find out where those missing files went.

trickmonkey wrote:

 

Not quite sure how to proceed. Everything still appears back to normal since my re-boot, but it's clear from the install.log file that I installed this thing on September 24. Should I wipe the drive and start fresh?

A new version showed up last night, so I've been chasing that most of the day. A couple of people were able to download it and confirmed that it is different from the one you apparently installed, so I don't think that will be of much help to us. The only good news about that is the Apple XProtect system was able to warn them this time.

IIRC you said you had a TimeMachine backup, so if you are willing to lose a couple of weeks worth of new stuff, then that's about the only sure solution to your problem. The fact that everything is currently working puzzles me, but I don't think having a backdoor open to these people is a healthy alternative. We don't even have any good information on how it phones home. I'm sure they will be back with some new trick one of these days.

trickmonkey wrote:

 

I was going to install MacScan on my 2nd user account (at the suggestion of an Apple Genius friend)

Just so you know, MacScan definitions were last updated on Sep 26 and they do not list FlashBack as one of the Trojans they protect against, so I feel certain it won't help you with this issue yet.

Thanks, MadMacs0.

I'm really baffled about why everything's working, too. It's all still fine. Everything looks and works normally.

So, as long as I restore from a Time Machine backup precious to September 24, everything should be fine?

Would I be able to then go into later Time Machine backups and grab individual files (documents, music, photos) without risking harm?

Lastly, should I delete all backups from the 24th on?

Thanks so much for all of your assistance. I truly appreciate it.

travis

Make that 'previous to', not 'precious'. (Did they remove the edit function in here?)

Ah, good to know re MacScan. ClamXav also came up empty.

trickmonkey wrote:

ClamXav also came up empty.

Yes, it will currently only catch one version of the installer, which seems to be deleted after in installation has completed, so it's not at all effective here. That pretty much holds true for the Apple XProtect system which can catch nine versions now of the installer when downloaded but none of what gets installed.

The new version of the installer that appeared briefly this morning was caught by the latest XProtect but not by any of the 43 scanners on VirusTotal.

A user said he uploaded his installed files a couple of days ago to the AV sample sites, but it seems nobody has been inclined to author signatures for them.  There's just not much help available for this one right now.

Okay, thanks.

Just want to be 100% sure: you do feel it's safe to restore from Time Machine prior to September 24?

Also, would I be able to go into the most recent backups and retrieve individual files (documents, music, etc)?

And should I then delete all the backups from the 24th on?

I tried to respond last night but the Forum was down for maintenance.

trickmonkey wrote:

 

Just want to be 100% sure: you do feel it's safe to restore from Time Machine prior to September 24?

 

Also, would I be able to go into the most recent backups and retrieve individual files (documents, music, etc)?

There is no such thing as 100% in this business. Murphy's law is alive and well.

I have successfully used TM to replace a failing hard drive, so I know it's capable of doing so. I also had a clone available on another hard drive, just in case. But if you look around the forum you will find users with failed attempts, corrupt TM disks, etc.  Not a lot, but at some. I also read something recently about a known bug with Mac OS X 7.0.1, but I don't know the details.

So I do think it would be wise to bring a third hard drive into this equation. The usual way is to make a clone of your current internal drive, but in this case it seems to me that it might be smart to use TM to restore the third drive to where it was before Sep 24 plus all the additional files you want to restore and boot off of it until you are satisfied that it's what you want. Then erase the internal and clone the third drive to it. Does that make sense?

And should I then delete all the backups from the 24th on?

I suppose so.

True, re the 100%.

I understand what you're saying to do, but I'd have to do a bit of educating myself on exactly how to do it, plus acquire a hard drive to clone to, so I may just take my chances with Time Machine. I have restored from TM once in the past and it worked beautifully, so hopefully it will again.

Oddly, still no sign of the former Malware symptoms.