
Please Help! Finder is displaying strange codes such as N80 and N201

I think I may have this Java Trojan virus that many have been talking about, whose most common symptom is that it makes my Finder display folder names as N80, N81, etc., in place of titles such as 'Open Finder' and 'Empty Trash'


Here are some screen caps of the problem.


[screenshots not preserved]


I have tried a few things, such as Repair Disk Permissions, restarting, and logging off, but to no success.


Any suggestions/ideas would be greatly appreciated, as I am concerned this might be the Java Trojan virus, and I wish to restore my Mac to what it was before.


I have a Mac OS X 10.6.6


Thanks! Lucy

MacBook, Mac OS X (10.6.6)

Posted on Mar 2, 2012 12:23 AM

40 replies

Mar 2, 2012 2:21 PM in response to X423424X

I've seen no mention of ~/Library/Application Support in any of the articles (or at least I don't recall at the moment).

It's only come up in the last couple of days, so it's either new or has been overlooked in the past. It's in a couple of threads, but the most authoritative is the discussion by Phillipe from Iomega Re: Safari quits - plugin related

Be careful, there are links to a known Trojan distribution server, which appears to have been cleaned up, but you never can be certain.

Mar 2, 2012 2:24 PM in response to X423424X

X423424X wrote:


FWIW, I am an advocate of using LS. It is one of my "must haves" for my systems. But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port. And you can't really do that since then you couldn't use the browser.

That's absolutely true, and it has been alleged that the Trojan uses Twitter to call home, which means the only way to know for sure would be a packet sniffer. That's way above my ability; although I do have Wireshark installed, I've never had the time to even begin to use it for anything.

Mar 2, 2012 2:44 PM in response to MadMacs0

You might want to look at CocoaPacketAnalyzer. It's easier to use and doesn't require you to install a StartupItem to fix /dev/bpf* (chgrp admin /dev/bpf*; chmod g+rw /dev/bpf*).


FWIW, same with me with respect to Wireshark. I have it installed (hence my awareness of the StartupItem) but I never really used it except to make sure new versions launch properly. CocoaPacketAnalyzer, on the other hand, I have actually used from time to time.

Mar 2, 2012 6:09 PM in response to X423424X

Update!

Okay, so the virus is still very much here (no surprises)


I read the two articles that you provided, downloaded Virus Barrier X6 and it indeed found the file GameHouseHolidayExpress.so and stated it was infected by the OSX/Flashback G virus. I revealed it in the Finder, and it is in a shared folder. I believe that it is in this file:

ls /Users/Shared/.*.so, as when I run it through Terminal, it replies with /Users/Shared/.GameHouseHolidayExpress.so.


Here is a snapshot of the files. Some of them I put in the Trash and left the others in the Shared folder; it is asking for my password.


[screenshot not preserved]




MadMacs0 also stated

"Since some of these are hidden, you will need to use some of the following in Terminal. Be sure to copy and paste them exactly as written as you could easily delete something else with a typo:


rm -rf ~/.MacOSX/environment.plist

(you already got this one)


rm -rf ~/Library/Applications Support/.GameHouseHolidayExpress.so


rm -rf ~/Library/Logs/vmlog

(you probably found this one already)


rm -rf /Users/Shared/.GameHouseHolidayExpress.so


rm -rf /Users/Shared/.svcdmp



After running these through the terminal, the majority of replies were 'No such file or directory', EXCEPT for /Library/Applications Support/.GameHouseHolidayExpress.so which replied with Operation not permitted


I also rebooted my Safari, I don't have Firefox, and I'm ditching Skype because I don't use it anyway.

I'm also planning on changing my passwords through my other computer.


Where do I go now? And, again, thank you so much for all your input.

Mar 2, 2012 6:19 PM in response to Jay-Lee

There was a typo in that one for Applications Support. Try it again in Terminal, this time using the following line:


rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so


(the explicit space in "Application Support" wasn't escaped -- that's a backslash in front of that space)


After running these through the terminal, the majority of replies were 'No such file or directory', EXCEPT for /Library/Applications Support/.GameHouseHolidayExpress.so which replied with Operation not permitted


I am not sure you executed those commands exactly as they were specified. That is because rm -rf won't report any errors if it cannot find the item it is trying to remove (the -f option). You shouldn't have seen "no such file or directory". So just to summarize these are the commands you should try (one at a time):


rm -rf ~/.MacOSX/environment.plist

rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so

rm -rf ~/Library/Logs/vmlog

rm -rf /Users/Shared/.GameHouseHolidayExpress.so

rm -rf /Users/Shared/.svcdmp


And just to be sure, try each of these commands:


ls -la ~/.MACOSX/environment.plist

ls -la ~/Library/Applications\ Support/*.so

ls -la ~/Library/Logs/vmLog

ls -la /Users/Shared/*.so

ls -la /Users/Shared/.svcdmp


For each of these, this time you should be seeing "no such file or directory". This will confirm all this crap has been removed.

Mar 2, 2012 6:35 PM in response to X423424X

Got you, recently I just went through Virus Barrier X6 and trashed all the files it told me were infected, and I have logged out and back in.


....okay, so for the first lot of commands you gave:


rm -rf ~/.MacOSX/environment.plist

rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so

rm -rf ~/Library/Logs/vmlog

rm -rf /Users/Shared/.GameHouseHolidayExpress.so

rm -rf /Users/Shared/.svcdmp


It replied with absolutely nothing for each of them....I'm not sure if that's right?



For the second lot of commands:


ls -la ~/.MACOSX/environment.plist

ls -la ~/Library/Applications\ Support/*.so

ls -la /Users/Shared/*.so

ls -la ~/Library/Logs/vmLog

ls -la /Users/Shared/.svcdmp


It replied with no such file or directory for all, as you suggested 🙂


Mar 2, 2012 6:54 PM in response to Jay-Lee

I'm not sure what's going on, but I cannot see any of the postings for the past four hours. I am getting copies in my e-mail, but cannot reply to any of those. I hope this makes it.


Sorry about the typo, my notes have it correct, but it didn't make it into my postings.


There is another typo in what X423424X said so try this:


rm -rf "$HOME/Library/Application Support/.GameHouseHolidayExpress.so"


leaving the quotes where they are, and if that doesn't work, try:


rm -rf ~/Library/Application\ Support/.GameHouseHolidayExpress.so


If still nothing then either VirusBarrier got rid of it or it was never there to start with.
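The two posts above describe one procedure: remove the indicator paths, then confirm with ls -la that each is gone, while quoting the space in "Application Support" correctly (and keeping in mind that a tilde inside double quotes is not expanded, which is why "~/Library/..." fails silently). The script below is an added example written for this thread, not code from any of the posters or from Intego; it takes a base directory and a home directory as parameters only so it can be pointed at a scratch tree, and it uses the exact paths named in the posts.

```shell
#!/bin/sh
# Added example (not from the thread): check the Flashback indicator paths
# named above and report which are present. A prefix BASE is put in front of
# every path so the functions can be exercised against a scratch tree; HOME
# is passed in explicitly because ~ does not expand inside double quotes.

# The five indicator paths from the posts, one per line.
indicator_paths() {
    base=$1 home=$2
    printf '%s\n' \
        "$base$home/.MacOSX/environment.plist" \
        "$base$home/Library/Application Support/.GameHouseHolidayExpress.so" \
        "$base$home/Library/Logs/vmlog" \
        "$base/Users/Shared/.GameHouseHolidayExpress.so" \
        "$base/Users/Shared/.svcdmp"
}

# One line per indicator: "PRESENT <path>" or "absent <path>".
# Every path is double-quoted so the space in "Application Support" survives;
# -L catches a dangling symlink that -e alone would miss.
check_indicators() {
    indicator_paths "$1" "$2" | while IFS= read -r p; do
        if [ -e "$p" ] || [ -L "$p" ]; then
            printf 'PRESENT %s\n' "$p"
        else
            printf 'absent  %s\n' "$p"
        fi
    done
}

# Number of indicators still on disk; 0 is the only result that confirms
# the cleanup, since rm -f prints nothing whether or not a file existed.
count_present() {
    check_indicators "$1" "$2" | awk '/^PRESENT /{c++} END{print c+0}'
}

# Remove only the indicators that actually exist, naming each one removed.
remove_indicators() {
    check_indicators "$1" "$2" | while read -r status p; do
        [ "$status" = PRESENT ] || continue
        rm -rf "$p" && printf 'removed %s\n' "$p"
    done
}

# Usage: sh flashback_check.sh --scan   (read-only check of the real paths)
if [ "${1:-}" = "--scan" ]; then
    check_indicators "" "$HOME"
    printf '%s indicator(s) present\n' "$(count_present "" "$HOME")"
fi
```

Run with --scan for a read-only report of the real locations; call remove_indicators "" "$HOME" only after reading that report, and then re-run the scan, because a silent rm tells you nothing on its own.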

Mar 2, 2012 9:43 PM in response to Jay-Lee

Rebooting isn't going to change anything. If the stuff is still there, it isn't going to go away on its own.


Not sure what you mean by "format my mac". If you mean do a full clean (not update) install, that is your choice, which I assume is weighed against all the work to get back to your current setup.


If the files are gone, particularly environment.plist, and you replaced your safari, and the problem is gone (no numbers in menus) you are probably safe as you are.


I generally never suggest full reinstalls for anything because most problems can be figured out. In my own case I also always have backups, real full clones, not non-bootable TMs, that I can always fall back on.


On this problem of not seeing posts. I haven't noticed it. But a while ago Apple took down these forums for a short time. Maybe that was related to that problem.

Mar 2, 2012 10:12 PM in response to Jay-Lee

The boards seem to be working correctly for me now.

Jay-Lee wrote:


Do you think that I should still reboot / format my Mac?

That's what the majority are still recommending. It was the first time I'd ever suggested that, a week or so ago, when it seemed we knew very little about what was going on. Today I modified that to suggest infected users replace the network apps from source, which is relatively easy, and wait to see if there are any other unexplained issues. If you have a TM backup and haven't done much since, then going back to before the infection date is an option that wouldn't be as difficult. I heard last night that it may not even be necessary to replace the apps, as the code injection takes place in RAM and not on the hard drive, but since that isn't Intego's position yet, I would follow their recommendation until they change it.


I would hope that you have shut down the UserName / Password harvesting, but there's a lot we don't know about that process yet. In any case, I would change all the passwords for Google and financial sites that you visited since the date of infection, along with any passwords on other sites that are identical to those.
