

Safari quits - plugin related

Safari 5.0/Snow Leopard - I get this error frequently:

"Safari quit unexpectedly while using the .PowerArchiverRC.tmp plugin."


Process: Safari [4291]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: 5.0 (6533.16)
Build Info: WebBrowser-75331600~1
Code Type: X86 (Native)

Parent Process: launchd [91]


PlugIn Path: /Users/petermork/Library/Application Support/.PowerArchiverRC.tmp

PlugIn Identifier: .PowerArchiverRC.tmp

PlugIn Version: ??? (???)


Date/Time: 2012-02-24 04:07:09.616 -0500
OS Version: Mac OS X 10.6.2 (10C540)

Report Version: 6


I don't have PowerArchiver installed, nor can I find the plugin at the path indicated (/Users/petermork/Library/Application Support/.PowerArchiverRC.tmp), not even as a hidden file.


It's also not listed in "Installed Plug-Ins"


What do I do? Thanks.

iMac (20-inch Early 2008), Mac OS X (10.6.2)

Posted on Feb 24, 2012 5:24 AM

27 replies

Feb 29, 2012 12:58 AM in response to Pebey

Pebey wrote:


Intego sent me three lines to run in Terminal, which are supposed to repair the malware:


rm ~/.MacOSX/environment.plist

rm "/Users/petermork/Library/Application Support/.PowerArchiverRC.tmp"

rm /Users/Shared/.libgmalloc.dylib


Will this work, in your opinion?

It will probably remove the malware and the symptoms, but it will not repair the damage it has already done. It has probably injected all your web browsers with code designed to "sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways." And that's just what we know it will do. You will have to replace all of your network applications from original source (mostly browsers and Skype according to what Iomega told me today) and change the passwords of every popular site you have visited in the last ten days or so, along with other sites where you have used the same username/password combination.


Since we don't really know all it's capable of, Linc's previous recommendation to erase the drive, reinstall the OS and applications, then restore user data from backup is still your best choice.

Mar 1, 2012 4:26 AM in response to drStrangeP0rk

Oh also,


Are the machines being targeted only older systems that do not have XProtect?


If the window that pops up is fake, it is most likely hiding an installer in the background, which is a behavior seen in the past from this set of criminals. Previous versions used a decoy PDF.


http://mcaf.ee/t0xar


What we need to find out from Intego is whether this certificate window is just a decoy, an image in a window of the applet, that hides an installer. (The sample I have, which is reported to be version G, is all about deception; nothing was real, nor did it work on updated systems. Thanks for toggling the memory switch, MadMacs0.) Thus turning off "Open Safe Files", especially for older Macs without XProtect, seems to be an excellent recommendation.


Intego had to update the information about this once, so let's hope that they do again to let everyone know if in fact the certificate is a decoy like back in Sept. 2011.


Thanks

Mar 1, 2012 11:08 AM in response to Pebey

The normal interface with VirusTotal is through the submission of individual original files either uploaded to the site or submitted through e-mail to scan@virustotal.com. You then receive a report back of the scan results. The file should be exactly as downloaded or installed, without changing the name of the file or compressing it in any manner. The size limit is 32MB. It is not clear whether they have a capability to manually process the files in the manner you are trying to submit them or not. Most of the site is fully automated.


Details on mail submission can be found at https://www.virustotal.com/documentation/email-submissions/

Mar 1, 2012 12:17 PM in response to Pebey

Pebey wrote:


Well, I'm doing what drStrangepORk asked (I think) which is to send the log posted above to VirusTotal - not the actual file, which I can't access.

Actually, you can access them if they are still on the hard drive; they are just hidden. Unfortunately I need to rush off and don't have time to walk you through that. Perhaps somebody else can jump in here.
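For anyone who wants to see whether those hidden files are actually present before running Intego's three rm lines (and to keep copies, since VirusTotal wants the original file), here is an added shell check. It is not from the thread or from Intego. It looks for the three paths Intego named, shows what ~/.MacOSX/environment.plist sets, lists any other dot-entries in the two drop directories, and looks at a few browser Info.plist files. The DYLD_INSERT_LIBRARIES and LSEnvironment checks are this example's assumptions about how the browsers were "injected"; the thread itself does not say how.

```shell
#!/bin/sh
# Added example (not from the thread or from Intego): look for the Flashback
# artifacts the thread names without deleting anything, so they can be
# preserved and submitted to VirusTotal before cleanup.
#
# The three paths are the ones in Intego's removal instructions.
# Assumptions beyond the thread: ~/.MacOSX/environment.plist sets environment
# variables for every process in the login session, so the variable to look
# for there is DYLD_INSERT_LIBRARIES (it forces a library into every app that
# is launched); an app's own Info.plist can carry the same variable under an
# LSEnvironment key, which is one way a single browser can be "injected".

# usage: check_flashback_iocs HOME_DIR SHARED_DIR [APPS_DIR]
# Prints what it finds; returns 0 if nothing was found, 1 otherwise.
check_flashback_iocs() {
    home=$1
    shared=$2
    apps=${3:-/Applications}
    found=0

    # 1. The exact files Intego named. Leading-dot names are hidden from the
    #    Finder and from a plain "ls", but "[ -e ]" sees them.
    for f in "$home/.MacOSX/environment.plist" \
             "$home/Library/Application Support/.PowerArchiverRC.tmp" \
             "$shared/.libgmalloc.dylib"
    do
        if [ -e "$f" ]; then
            echo "FOUND: $f"
            ls -la "$f"
            found=1
        fi
    done

    # 2. environment.plist can exist for legitimate reasons; the tell is the
    #    injected-library variable and the dylib it points at (assumption).
    envplist="$home/.MacOSX/environment.plist"
    if [ -f "$envplist" ] && grep -q DYLD_INSERT_LIBRARIES "$envplist"; then
        echo "environment.plist sets DYLD_INSERT_LIBRARIES:"
        grep -A1 DYLD_INSERT_LIBRARIES "$envplist"
        found=1
    fi

    # 3. Other samples use other file names, so list every dot-entry in the
    #    two drop directories. Informational only: .DS_Store and the like
    #    are normal, so these do not change the exit status.
    for d in "$home/Library/Application Support" "$shared"; do
        [ -d "$d" ] || continue
        ls -A "$d" | grep '^\.' | while IFS= read -r name; do
            echo "hidden entry in $d: $name"
        done
    done

    # 4. Per-app injection through Info.plist LSEnvironment (assumption, see
    #    top). grep works on XML and binary plists alike because the key
    #    names are stored as plain ASCII in both.
    for app in Safari Firefox "Google Chrome" Skype; do
        plist="$apps/$app.app/Contents/Info.plist"
        [ -f "$plist" ] || continue
        if grep -q LSEnvironment "$plist"; then
            echo "$app.app Info.plist has an LSEnvironment block:"
            grep -A3 LSEnvironment "$plist"
            found=1
        fi
    done

    return $found
}

# On the affected Mac this is the call to make, as the affected user:
check_flashback_iocs "$HOME" /Users/Shared
```

A non-zero exit means something was found. Copy anything it reports somewhere safe (cp -p keeps the timestamps) before running the rm lines, because VirusTotal needs the file exactly as it was installed, and keep in mind the point made earlier in the thread: removing the files does not undo whatever passwords have already been captured.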

Mar 2, 2012 5:22 AM in response to Pebey

PS Here is what I sent to Phillipe from Intego, after narrowing down the source of the infection to a specific site:


Philippe,

I believe this may have been the page:

http://vegweb.com/index.php?topic=15539.0

I tried to go to a page with a recipe for soup, and got a Google-generated warning about malware, below. However I don't remember ignoring the warning and opening the page anyway - I would not risk it.

Thank you for your help, and yes, I am very interested in your findings.


Warning - visiting this web site may harm your computer!


Suggestions: Or you can continue to http://vegweb.com/index.php?topic=15539.0 at your own risk. For detailed information about the problems we found, visit Google's Safe Browsing diagnostic page for this site.


For more information about how to protect yourself from harmful software online, you can visit StopBadware.org.


If you are the owner of this web site, you can request a review of your site using Google's Webmaster Tools. More information about the review process is available in Google's Webmaster Help Center.
Advisory provided by [logo image]

> Subject: Re: Malware confirm?
> From: phdevallois@intego.com
> Date: Tue, 28 Feb 2012 23:39:24 +0100
> To: pebey@hotmail.com
>
>
> On 28 févr. 2012, at 21:49, Peter Mork wrote:
>
> > Here it is as a .dmg - hope this passes muster.
>
> Your infection has started with a malicious Java applet on Feb 22nd:
>
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>: load: class msf/x/AppletX not found.
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>: java.lang.ClassNotFoundException: msf.x.AppletX
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:211)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at java.lang.ClassLoader.loadClass(ClassLoader.java:315)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:144)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at java.lang.ClassLoader.loadClass(ClassLoader.java:250)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:662)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletPanel.createApplet(AppletPanel.java:785)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2372)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletPanel.runLoader(AppletPanel.java:714)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletPanel.run(AppletPanel.java:368)
> Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at java.lang.Thread.run(Thread.java:637)
> Wed Feb 22 06:24:53 pool-71-255-173-221 com.apple.launchd.peruser.501[91] ([0x0-0x17017].com.apple.Safari[231]) <Warning>: Job appears to have crashed: Bus error
> Wed Feb 22 06:24:57 pool-71-255-173-221 ReportCrash[2695] <Notice>: Saved crash report for Safari[231] version 5.0 (6533.16) to /Users/petermork/Library/Logs/DiagnosticReports/Safari_2012-02-22-062457_peter-morks-imac.crash
>
> There's a Java exploit which has installed Mac OS X backdoors in the /Users/Shared and ~/Library/Application Support/ folders.
>
> Do you remember what the site was where the applet was loaded?
>
> The applet is no longer in your Java cache folder, but I got the malware IP address: 95.215.63.38
> The server seems to be hosted in Spain.
>
> Maybe you can remember the site by browsing your Safari history.
>
> This is very important to stop bad activities from the malware group.
>
> Thanks again for your collaboration.
> Yours,
> --
> Philippe
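The chain Philippe reads out of the log above (the Java plug-in inside Safari fails to load an applet class, Safari dies with a bus error under a minute later, ReportCrash writes the .crash file whose "PlugIn Path" is what the original post shows) can be pulled out of system.log with a short awk scanner. This is an added example, not Intego's tooling or anything from the thread; the 120-second window is an assumption (the crash here came 47 s after the applet), and the sample lines are the ones quoted above with the e-mail escaping removed and most of the stack trace dropped.

```shell
#!/bin/sh
# Added example (not from the thread or from Intego): find the applet-then-
# crash chain Intego read out of system.log. The only indicator it keys on is
# the pattern visible in the quoted lines; the window is an assumption.
#
# usage: scan_applet_crash [LOGFILE] [WINDOW_SECONDS]   (LOGFILE "-" = stdin)
# Exit status 0 if an applet class failure was followed by a Safari crash
# inside the window, 1 otherwise, so it can drive a shell "if".
scan_applet_crash() {
    awk -v window="${2:-120}" '
    # Field 4 of a "Wed Feb 22 06:24:06 host ..." line is HH:MM:SS. Dates
    # are ignored, so the window is only meaningful inside one day.
    function secs(t,  p) { split(t, p, ":"); return p[1]*3600 + p[2]*60 + p[3] }

    # The Java plug-in running inside Safari could not load the applet class.
    /com\.apple\.Safari\[[0-9]+] .*java\.lang\.ClassNotFoundException: / {
        cls = $NF; t_load = secs($4)
        printf "%s applet class %s failed to load in Safari\n", $4, cls
        next
    }

    # launchd reporting the Safari job dead shortly after that applet.
    /com\.apple\.launchd.*com\.apple\.Safari\[[0-9]+].*Job appears to have crashed/ {
        if (cls != "" && secs($4) >= t_load && secs($4) - t_load <= window) {
            reason = $0; sub(/.*Job appears to have crashed: /, "", reason)
            printf "%s Safari crashed (%s) %d s after applet %s: possible Java exploit\n", $4, reason, secs($4) - t_load, cls
            hits++; flagged = 1
        }
        next
    }

    # ReportCrash names the .crash file to look at next (its PlugIn Path is
    # what the original poster saw in the crash dialog).
    flagged && /ReportCrash\[[0-9]+].*Saved crash report for Safari/ {
        printf "    crash report: %s\n", $NF
        flagged = 0
    }

    END { if (hits > 0) exit 0; exit 1 }
    ' "${1:--}"
}

# The lines Intego quoted in the thread, with the e-mail escaping removed and
# all but one of the stack-trace lines left out (the scanner ignores them).
sample_log() {
    cat <<'EOF'
Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>: load: class msf/x/AppletX not found.
Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>: java.lang.ClassNotFoundException: msf.x.AppletX
Wed Feb 22 06:24:06 pool-71-255-173-221 [0x0-0x17017].com.apple.Safari[231] <Notice>:     at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:211)
Wed Feb 22 06:24:53 pool-71-255-173-221 com.apple.launchd.peruser.501[91] ([0x0-0x17017].com.apple.Safari[231]) <Warning>: Job appears to have crashed: Bus error
Wed Feb 22 06:24:57 pool-71-255-173-221 ReportCrash[2695] <Notice>: Saved crash report for Safari[231] version 5.0 (6533.16) to /Users/petermork/Library/Logs/DiagnosticReports/Safari_2012-02-22-062457_peter-morks-imac.crash
EOF
}

# Demo on the quoted lines; on a real Mac use: scan_applet_crash /var/log/system.log
sample_log | scan_applet_crash - 120
```

On the quoted lines it reports the class-load failure at 06:24:06, the bus error 47 s later and the path of the .crash file. A ClassNotFoundException on its own is not proof of anything (a broken applet tag produces the same line); it is the crash that follows within the window, and then the hidden files named earlier in the thread, that make the chain worth acting on.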

Mar 2, 2012 2:29 PM in response to Pebey

Pebey wrote:


PS Here is what I sent to Phillipe from Intego, after narrowing down the source of the infection to a specific site:

I checked the page and can find no trace of a Java applet now, but it looks like the web site has definitely been busy dispensing Trojans http://www.google.com/safebrowsing/diagnostic?site=vegweb.com.


The IP address is not one of the ones I knew of being reportedly associated with FlashBack, but it's not that hard to move servers around the globe. It does not appear to be functioning at this time, but that's not unusual either. If they are using Twitter to receive reports as was mentioned, they really only need it up when they are serving the Trojan files. There is little information available about the ownership http://whois.domaintools.com/95.215.63.38, but Spain looks to be correct. Doesn't really matter as it could be anywhere.
