
Should I be worried about these items found by ClamXav?

So I ran a ClamXav scan just now and it found seven files. I don't know how to open up the whole thing so that I can show you exactly what it found, but I will type what I can see...


XvidSetup-1.exe Infection Name: Suspect.W32.AdI...

XvidSetup.exe Infection Name: ^same thing

1895.emlx

2825.emlx

2874.emlx

5099.emlx

717.emlx


^All of these have the Infection Name: Heuristics.Phishing....



Can anybody tell me what these are? Are they viruses, or trojans, etc? I'm not an expert at all when it comes to malware so I'm not sure how to interpret these. I hadn't done a scan in a few months so I'm worried that these items are really dangerous, and that I've been putting my computer at risk for the last few months. Should I be worried that someone managed to access my files and information because these items were on my system? Thanks.

MacBook Pro, Mac OS X (10.6.6)

Posted on Sep 29, 2011 12:08 PM

22 replies

Sep 29, 2011 12:20 PM in response to apple56

The .exe files are of no concern to you. They are probably attachments on an e-mail or something copied from a Windows machine via flash drive or CD or whatnot. In any case, though, a .exe file is a Windows app, and thus cannot run on a Mac.


The .emlx files are e-mail messages in Mail. To figure out exactly what they are, reveal them in the Finder, and see what mailbox they're in. You can also use Quicklook on them (select them and press space in the Finder) to view the messages, which will give you a subject and other key pieces of information to help you locate the messages in Mail. Once found, delete them. They are probably just phishing attempts, but as long as you don't visit the web site they try to convince you to go to, they're of no danger to you.


Sep 29, 2011 12:26 PM in response to apple56

OpenDNS includes anti phishing filters, adds security, and it's free.



Open System Preferences / Preferences then select the Network tab. Click the Advanced tab then click the DNS tab.


Enter these numbers exactly as you see them here.


Click +


208.67.222.222


Click +


208.67.220.220


Then click OK.


More about OpenDNS here.


Topic : Manually provided DNS server addresses are higher priority than DHCP's


OpenDNS: 30 million users around the world!


Sep 29, 2011 12:30 PM in response to apple56

Ok, so there's no way possible that my laptop has actually been attacked/infected/hacked? I just need some reassurance that my computer is secure, as I have on occasion accidentally clicked on advertisements on websites.


More importantly, I have reason to believe that my teenage cousin has been viewing **** sites on my laptop. I know, what a cliché... but seriously. He visited during August, and while he was here for a week, I let him use my laptop when he needed it (I figured it's better to let him use my laptop than my desktop) - unfortunately, this was mostly unsupervised, seeing as I had a summer job. Let's just say that he didn't clear out all the browsing history before he left...


Now I'm left feeling extremely paranoid that someone managed to access my files - is this even possible, or is this all just paranoia? Are there any symptoms when one's computer has been hacked?


Thanks again


Sep 29, 2011 12:38 PM in response to apple56

I have heard that there are keylogger trojans that attack Macs. They can record passwords, etc, then send them back to the thieves that put the keylogger trojans on the net.


You can use a program like 1Password to avoid entering passwords via the keyboard.


https://agilebits.com/


Sep 29, 2011 12:39 PM in response to thomas_r.

I found them in Finder, and they were actually legitimate emails that I had previously received. Almost all of them are from Scene (Canadian company where you collect points for free movies). The one that's different is advertising a special Mastercard for students. I can't guarantee that I never opened these emails, seeing as they appeared to be legit emails. The Mastercard one was emailed to me by a society in my school, and I've been a part of Scene for a few years.


Sep 29, 2011 2:21 PM in response to apple56

apple56 wrote:


I found them in Finder, and they were actually legitimate emails that I had previously received. Almost all of them are from Scene (Canadian company where you collect points for free movies). The one that's different is advertising a special Mastercard for students. I can't guarantee that I never opened these emails, seeing as they appeared to be legit emails. The Mastercard one was emailed to me by a society in my school, and I've been a part of Scene for a few years.

The word Heuristics is your clue here. That means it was a guess. The clamav database contains the names of mostly financial institution addresses which are commonly used for phishing attacks. If it spots a message that says it's from one of these it puts it through about 30 checks to see if there is any attempt to trick you in any way, such as containing a link that is different from what's displayed. Since legitimate emails sometimes use these things to simplify things for the user, they often show up as possibly infected. Just make a note of the message numbers for future reference.


I do need to correct something Thomas said.

The .emlx files are e-mail messages in Mail. To figure out exactly what they are, reveal them in the Finder, and see what mailbox they're in. You can also use Quicklook on them (select them and press space in the Finder) to view the messages, which will give you a subject and other key pieces of information to help you locate the messages in Mail. Once found, delete them.

Once you have revealed them in the Finder (simply right-click/control-click on the file name in ClamXav) you can simply double-click them to open them in your Mail client. Nothing bad can happen by just reading it. If you decide to delete it, use the Mail client's delete button. If you move them to quarantine or trash them from the Finder then you will almost certainly corrupt the mailbox index and you could lose additional emails in the process. You also will not have deleted the message from the server if you are using IMAP or choose to retain mail on the server using POP. The next time you fetch email from the server those same infected messages will show up in the mailbox again. This applies to all AV software that I'm familiar with, not just ClamXav.

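As an added illustration (not code from this thread or from ClamAV), here is a small Python check for the one heuristic MadMacs0 names: a link whose displayed text claims one host while the href goes to another. It runs over a constructed sample message; the domain names in it are made up, and a legitimate mail that uses a tracking redirect would trip it just as the post says.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    # Lower-cased hostname of a URL or a bare domain ('' when there is none).
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

def find_mismatched_links(raw_message):
    """Return (href, displayed_text) pairs whose visible text names a host
    other than the one the href really points to; empty list if none."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:          # plain-text mail has no links to compare
        return []
    collector = _LinkCollector()
    collector.feed(html_part.get_content())
    flagged = []
    for href, text in collector.links:
        if not href or " " in text or "." not in text:
            continue               # "click here" makes no claim about a host
        if _host(text) != _host(href):
            flagged.append((href, text))
    return flagged

# Constructed sample (not a real e-mail): first link is flagged, second is not.
SAMPLE = b"""Subject: Verify your account
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Confirm at <a href="http://login.attacker.test/verify">www.example-bank.test</a></p>
<p>Help: <a href="http://help.example-bank.test/">help.example-bank.test</a></p>
</body></html>
"""
```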

Sep 29, 2011 2:25 PM in response to SimonJester753

SimonJester753 wrote:


I have heard that there are keylogger trojans that attack Macs.

There are none that anybody knows of. There are keystroke loggers for the Mac available commercially or from hacker sites, but they must be installed using physical access to your Mac or via some sort of remote admin access program. Nothing currently that would do that as a Trojan.


Sep 29, 2011 2:28 PM in response to apple56

apple56 wrote:


So I ran a ClamXav scan just now and it found seven files. I don't know how to open up the whole thing so that I can show you exactly what it found

If you click on the small bar at the top of the window between columns you can drag it to the right to expand the column, just like you can in the Finder and most other Mac windows.


Sep 29, 2011 3:04 PM in response to apple56

Now I'm left feeling extremely paranoid that someone managed to access my files - is this even possible, or is this all just paranoia?


Someone has certainly had access to your files: your cousin, and anyone else he chose to give them to.


If you're going to allow other people to use your computer while it's logged into your account, then it's pointless to worry about privacy or security. You have none of either.


On the other hand, if you do care about security, at the very least you'll enable the guest account or create a permanent one for each regular user, and activate fast user switching. That's not real security, but it will protect you from the most casual kind of snooping.


Mac OS X 10.6 Help: Creating a guest user account

Mac OS X 10.6 Help: Quickly switching between accounts


Sep 29, 2011 3:04 PM in response to MadMacs0

Thanks..I will definitely go into my inbox and delete those messages in there.


So there's no cause for concern that there's been something on my laptop stealing my files/info? I do shop online quite a bit, but thankfully I haven't noticed any mysterious purchases on my statements.


To be perfectly honest... in a moment of poor judgement, I took a less than flattering picture of myself using Photo Booth. I immediately regretted it and threw it into the trash can, and emptied trash. I then read up about recovery of deleted files, and did erase free space for extra measure. Then I got paranoid about the possibility that I had been previously hacked, and that someone somehow got a hold of that file. What's the possibility that it could've happened? Let's just say this photo is painfully embarrassing, and I 100% regret ever taking it...


Sep 29, 2011 3:07 PM in response to Linc Davis

You make some valid points, and I agree that was a stupid move on my part.

However, read the post that I just posted above...said file I am concerned about did not exist when my cousin was here, so I'm not necessarily concerned about who has had physical access to my computer. Nobody else ever uses this laptop now other than myself, unless someone has remote access, which is precisely what I'm trying to figure out.


Sep 29, 2011 3:58 PM in response to Linc Davis

Linc Davis wrote:


The ClamXav output is not evidence of a remote intrusion.

That's a good point. Although there is a feature of the clamav engine that can be used to detect something called PUA or Potentially Unwanted Applications, it is off by default and not really obvious as to how you activate it. Keystroke loggers are usually considered PUA and not malware.


Turning it on for a Mac user is of little use as there aren't signatures for any Mac PUA so all you get is things like pdf's with hidden features that are not a Mac threat.


I don't really know how good other AV software is at detecting PUA, other than MacScan from SecureMac. Years ago that is all it checked for, but recently they've added support for Trojans, Remote Admin Program, 10,000 Tracking Cookies and a couple of other exploits.


Similarly, ClamXav will probably not find software that is "phoning home" such as many commercial applications, web pages, etc. The built in firewall won't help you with this, either. Little Snitch from Objective Development is considered the gold standard for Macs, but it is a bit of a PITA to maintain as you must approve every new request from every application and decide whether to approve, deny and for how long.
