71 Replies Latest reply: Feb 1, 2012 12:19 PM by BDAqua
V.A.P. Level 1 (0 points)

I believe I may have a virus (or trojan) on my mail. I have searched the discussions and tried a few things suggested but I understand that even deleting things can come back.

We have a very old system and I have always done the security updates, which are no longer available since 2009-005 (I believe). We are buying a new iMac and I want to be sure nothing gets transferred into it.

Any help? Thanks.

emac, Mac OS X (10.4.11), 700mHz, Power PC G4, Tiger
  • BDAqua Level 10 (121,630 points)

    Well, yes, but unlikely it actually affects Macs.


    I think you could eliminate it with...


    ClamXAV, free Virus scanner...


    Free Sophos...


  • V.A.P. Level 1 (0 points)

    If found, will clamxav eliminate problem? Have not heard of sophos (all of the attempts at finding info resulted in quite a bit of warning and am now nervous to click on anything), is price the main difference? I appreciate your help, apologize for the non-tech understanding and will let you know what comes of it. So, there is no problem with this type of communication on my computer? Thanks.

  • MadMacs0 Level 5 (4,700 points)

    V.A.P. wrote:


    If found, will clamxav eliminate problem?

    Perhaps, but you haven't described the problem and I'm unaware of any Trojan (there are no Mac viruses) in e-mail that could cause any problems, but there is always that possibility. ClamXav should be able to locate any malware you have, but if it or any other AV software identifies anything in your e-mail, return here (or better yet, the ClamXav Forum) for instructions on how to deal with it without screwing up your e-mail. Do not move any e-mail around on your hard drive nor allow the AV software to do so (quarantine or delete/trash).


    One additional caution with ClamXav.  Read the notice on the Download page that the last version which supports Tiger is v2.2.1. Any later versions will not work properly.

    Have not heard of sophos (all of the attempts at finding info resulted in quite a bit of warning and am now nervous to click on anything), is price the main difference?

    They are both available for free. Some have found issues with both, but others still swear by them.


    Full disclosure, I do uncompensated Tech Support on the ClamXav Forum.


    Message was edited by: MadMacs0 to add link to ClamXav Forum

  • BDAqua Level 10 (121,630 points)

    ClamXAV is the least bothersome one for the OS, but in my testing of hundreds of Malware laden eMails they both found the same exact ones, though I don't think I have any younger than 2-3 years, (I try to collect them).


    Either one should allow you to quarantine or get rid of them.

  • Klaus1 Level 8 (47,595 points)



    No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.


    It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download for Tiger from:



    and for Leopard, Snow Leopard and Lion from here:



    Note: If you wish to uninstall ClamXav: keep a copy of the disk image from when you downloaded it, or download it again - the uninstaller is included with the application. To uninstall, quit ClamXav Sentry (if you use it) and make sure it's not set to launch at log in. The uninstaller will remove the engine and any schedules you've got set up, then just drag to the trash.


    If you are already using ClamXav: please ensure that you have installed all recent  Apple Security Updates  and that your version of ClamXav is the latest available.


    Do not install Norton Anti-Virus on a Mac as it can seriously damage your operating system. Norton Anti-Virus is not compatible with Apple OS X.




    Do not be tricked by 'scareware' that tempts computer users to download fake anti-virus software that may itself be malware.


    Fake anti-virus software that infects PCs with malicious code is a growing threat, according to a study by Google. Its analysis of 240m web pages over 13 months showed that fake anti-virus programs accounted for 15% of all malicious software.


    Scammers trick people into downloading programs by convincing them that their PC is infected with a virus.

    Once installed, the software may steal data or force people to make a payment to register the fake product.

    Beware of PDF files from unknown sources. A security firm announced that by its counting, malicious Reader documents made up 80% of all exploits at the end of 2009.




    The appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.


    If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's  (that's you!)  DNS records stay modified on a minute-by-minute basis.


    You can read more about how, for example, the OSX/DNSChanger Trojan works (by falsely suggesting extra codecs are required for Quicktime) here:



    SecureMac has introduced a free Trojan Detection Tool for Mac OS X.  It's available here:



    First update the MacScan malware definitions before scanning. You can also contact their support team for any additional support -


    The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.


    (Note that a 30 day trial version of MacScan can be downloaded free of charge from:



    and this can perform a complete scan of your entire hard disk. After 30 days free trial the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
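Added example, not part of the post above or of any tool it mentions: since the DNSChanger behaviour described there is a change to the configured DNS servers, one defensive check is to compare the resolvers the system is actually using against the ones you expect. The allowlist `EXPECTED_DNS`, the function names and the sample addresses are assumptions constructed for illustration; the parser accepts `scutil --dns` output as well as `resolv.conf`-style lines.

```shell
#!/bin/sh
# Added example: flag configured DNS resolvers that are not on an allowlist.
# EXPECTED_DNS is an assumption; list the resolvers your router or ISP assigns.
EXPECTED_DNS="192.168.1.1"

# Constructed sample in `scutil --dns` format (203.0.113.53 is a documentation address).
SAMPLE_DNS='resolver #1
  domain : example.lan
  nameserver[0] : 192.168.1.1
  nameserver[1] : 203.0.113.53
  order : 200000'

# Read resolver configuration on stdin; print unique nameserver addresses.
# Matches "nameserver[0] : a.b.c.d" (scutil) and "nameserver a.b.c.d" (resolv.conf).
extract_nameservers() {
    awk '$1 ~ /^nameserver/ { print $NF }' | sort -u
}

# unexpected_resolvers "<allowlist>": read configuration on stdin and print,
# space-separated, every nameserver that is not on the allowlist.
unexpected_resolvers() {
    allow=" $1 "
    bad=""
    for ns in $(extract_nameservers); do
        case "$allow" in
            *" $ns "*) ;;                 # expected resolver
            *) bad="${bad:+$bad }$ns" ;;  # anything else is worth investigating
        esac
    done
    printf '%s\n' "$bad"
}

# Use the live configuration when scutil is present, else the constructed sample.
if command -v scutil >/dev/null 2>&1; then
    found=$(scutil --dns | unexpected_resolvers "$EXPECTED_DNS")
else
    found=$(printf '%s\n' "$SAMPLE_DNS" | unexpected_resolvers "$EXPECTED_DNS")
fi
[ -z "$found" ] && echo "DNS resolvers match the allowlist" \
                || echo "Unexpected DNS resolvers: $found"
```

Because the post describes a watchdog that re-applies the change every minute, run the check again a few minutes after correcting the DNS settings; a resolver that reappears means something is still rewriting the configuration.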

  • BDAqua Level 10 (121,630 points)

    Great post Klaus1 !

  • Klaus1 Level 8 (47,595 points)

    Thanks BD!


    (That was the short economy version)

  • BDAqua Level 10 (121,630 points)

    I like the new pic of you too!

  • Klaus1 Level 8 (47,595 points)

    Not me - our cat Bailey. A friendlier face!

  • BDAqua Level 10 (121,630 points)

    Any cat owner should know that they are but an extension of the cat!

  • V.A.P. Level 1 (0 points)

    Thank you all for your comments.

    I had already read the long version of Klaus1's post but wasn't certain what to use.


    I believe my situation would come under the Trojans and Re-direction to fake websites. Should I use the clamxav,

    or one of: the F-Secure anti-virus to disinfect or Macscan (as found in Klaus1 post)?


    I can give you the (fairly long) details of my computer's situation if that would help.


    Also, don't know if this is relevant, but I am using Tiger 10.4.11 and have safari and firefox.


    I have also done a couple things which I read about in applehelp, keychain help:

    keychain access>help>keychain access help, opened keychain in apps/utilities>show key..., if closed, select key, found 1 cert that came up NOT A VALID SIGNATURE which I deleted. Also: Keychain first aid>verification failed, should choose repair option - repair failed: users differ on -/library/preferences/, should be 501, owner is 0. Owner not corrected on above, reason - no such file on directory, checked default keychain, checked keychain search list, checked contents of -/library/keychains/login keychain, checked /library/keychains/filevault-master.keychain.

    "Warning-some problems not fixed".

    Have gotten that repair to fix, but at the moment I am confused as to what I did to get to it. I did go into keychain prefs>first aid>and unchecked "change location keychain settings (check this box if want keychain to always remain unlocked, though I can't remember why I chose to do that (have read a lot of things).


    I have also done disc permission repair, again not certain of when that took place during the past week.


    Some things I have found (not certain if they were correct or done incorrectly):

    - under keychain help: keychain prefs>certificates were off for - online cert status protocol (ocsp) - cert revocation list (crl) - I changed both to require if cert indicates (priority auto>ocsp)

    - found: (this did not look like other folders, clicked > no default app. spec.

    - on activity monitor - kernal_task (process ID 0)

    - today found in caches:

    - and in system library caches: kernalcache.8EF1135F (no def. app spec.) - rest of the  caches were sheets, this one was a folder.


    I think that's it for now. Maybe this is all standard info and nothing to do with my concern.

    I thank you again for your help.


    Klaus1 - I had a (favorite ever!) long hair orange cat named Bailey too.

  • Klaus1 Level 8 (47,595 points)

    I had a (favorite ever!) long hair orange cat named Bailey too.


    The one that owns us is short haired!




    I have ClamXav set to scan incoming emails, but nothing else.


    Message was edited by: Klaus1

  • V.A.P. Level 1 (0 points)

    I have run the clamxav and it found 3 infected files.


    They are

    file: animan.class-5953..., infection name: Exploit.Java.Byte...

    file: ms03011.jar-3847f... , infection name: Java.ByteVerify-1

    file: 3668.emlx, infection name: HTML.Phishing.A...


    Was prev. advised to check back for instructions on what to do with this info, please help!


  • BDAqua Level 10 (121,630 points)

    Without Mail running.


    I'd get EasyFind...



    Near the bottom of the page.


    Then Search for those names or partial names, move them to the Trash & empty the Trash.
