40 Replies Latest reply: Mar 3, 2012 11:32 AM by MadMacs0
  • X423424X Level 6 (14,215 points)

    FWIW, I am an advocate of using LS.  It is one of my "must haves" for my systems.  But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port.  And you can't really do that since then you couldn't use the browser.

     

    Note, I may be mixing my trojan strains up, but I seem to recall that one of these strains doesn't bother installing itself if it sees certain protections.  I think the Intego stuff is one and LS may be another.

  • MadMacs0 Level 5 (4,605 points)

    I've seen no mention of ~/Library/Application Support in any of the articles (or at least I don't recall at the moment).

    It's only come up in the last couple of days, so it's either new or has been overlooked in the past. It's in a couple of threads, but the most authoritative is the discussion by Phillipe from Iomega Re: Safari quits - plugin related

    Be careful, there are links to a known Trojan distribution server, which appears to have been cleaned up, but you never can be certain.

  • MadMacs0 Level 5 (4,605 points)

    X423424X wrote:

     

    FWIW, I am an advocate of using LS.  It is one of my "must haves" for my systems.  But having said that, if this trojan, when embedded in a browser, calls home via the browser, say using port 80, then of course LS won't detect it unless you block the port.  And you can't really do that since then you couldn't use the browser.

    That's absolutely true and it has been alleged that the Trojan uses Twitter to call home, which means the only way to know for sure would be a packet sniffer. That's way above my ability, although I do have WireShark installed, I've never had the time to even begin to use it for anything.

  • X423424X Level 6 (14,215 points)

    You might want to look at CocoaPacketAnalyzer.  It's easier to use and doesn't require you to install a StartupItem to fix /dev/bpf* (chgrp admin /dev/bpf*; chmod g+rw /dev/bpf*).

     

    FWIW, same with me with respect to WireShark.  I have it installed (hence my awareness of the StartupItem) but I never really used it except to make sure new versions launch properly.  CocoaPacketAnalyzer, on the other hand, I have actually used from time to time.

  • Jay-Lee Level 1 (0 points)

    Update!

    Okay, so the virus is still very much here (no surprises)

     

    I read the two articles that you provided, downloaded Virus Barrier X6 and it indeed found the file GameHouseHolidayExpress.so and stated it was infected by the OSX/Flashback G virus.  I revealed it in the Finder, and it is in a shared folder.  I believe that it is in this file: ls /Users/Shared/.*.so, as when I run it through terminal, it replies with /Users/Shared/.GameHouseHolidayExpress.so.

     

    Here is a snapshot of the files, some of which I put in trash, the others left in the Shared folder, it is asking for my password.

     

    Screen shot 2012-03-03 at 10.03.54 AM.jpg

     

     

     

    Mad Macs' stated also

    "Since some of these are hidden, you will need to use some of the following in Terminal. Be sure to copy and paste them exactly as written as you could easily delete something else with a typo:

     

    rm -rf ~/.MacOSX/environment.plist

         (you already got this one)

     

    rm -rf ~/Library/Applications Support/.GameHouseHolidayExpress.so

     

    rm -rf ~/Library/Logs/vmlog

         (you probably found this one already)

     

    rm -rf /Users/Shared/.GameHouseHolidayExpress.so

     

    rm -rf /Users/Shared/.svcdmp

     

     

    After running these through the terminal, the majority of replies were 'No such file or directory', EXCEPT for /Library/Applications Support/.GameHouseHolidayExpress.so which replied with  Operation not permitted

     

    I also rebooted my Safari, I don't have firefox, and I'm ditching skype because I don't use it anyway.

    I'm also planning on changing my passwords through my other computer.

     

    Where do I go now?  And, again, thank you so much for all your input.

  • X423424X Level 6 (14,215 points)

    There was a typo in that one for Applications Support.  Try it again in terminal this time using the following line:

     

    rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so

     

    (the explicit space in "Application Support" wasn't escaped -- that's a backslash in front of that space)

     

    After running these through the terminal, the majority of replies were 'No such file or directory', EXCEPT for /Library/Applications Support/.GameHouseHolidayExpress.so which replied with  Operation not permitted

     

    I am not sure you executed those commands exactly as they were specified.  That is because rm -rf won't report any errors if it cannot find the item it is trying to remove (the -f option).  You shouldn't have seen "no such file or directory".  So just to summarize these are the commands you should try (one at a time):

     

    rm -rf ~/.MacOSX/environment.plist

    rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so

    rm -rf ~/Library/Logs/vmlog

    rm -rf /Users/Shared/.GameHouseHolidayExpress.so

    rm -rf /Users/Shared/.svcdmp

     

    And just to be sure,  try each of these commands:

     

    ls -la ~/.MACOSX/environment.plist

    ls -la ~/Library/Applications\ Support/*.so

    ls -la ~/Library/Logs/vmLog

    ls -la /Users/Shared/*.so

    ls -la /Users/Shared/.svcdmp

     

    For each of these, this time you should be seeing "no such file or directory".  This will confirm all this crap has been removed.
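    The check-then-remove routine described in this post, written out as an added example (not a command list from the thread or from Intego). It takes the indicator paths listed above, but the home folder and the shared folder are passed in as parameters so the functions can be exercised against a constructed scratch directory instead of a live account; the scratch files and the helper names are assumptions for the demonstration. It also shows the two points made above in code: each path is double-quoted as a single word so the space in "Application Support" needs no backslash, and `rm -rf` stays silent and exits 0 when a path is missing, which is why the `ls -la` checks, not the `rm` output, are what confirm removal.

```sh
#!/bin/sh
# Added example, not from the thread: check for, and then remove, the Flashback
# indicator paths named in the thread. $1 is a home folder and $2 a shared folder
# (already expanded, so no ~ is involved); both are parameters so the demo below
# can use a scratch directory built by make_scratch.

# Print every indicator path that currently exists under the given folders.
# Each path is one double-quoted word, so the space in "Application Support"
# is part of the argument rather than a word break.
present_indicators() {
    home="$1"; shared="$2"
    for path in \
        "$home/.MacOSX/environment.plist" \
        "$home/Library/Application Support/.GameHouseHolidayExpress.so" \
        "$home/Library/Logs/vmlog" \
        "$shared/.GameHouseHolidayExpress.so" \
        "$shared/.svcdmp"
    do
        if [ -e "$path" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Number of indicator paths still present. 0 means every ls -la check in the
# thread would now report "No such file or directory".
count_present() {
    present_indicators "$1" "$2" | wc -l | tr -d ' '
}

# Remove whatever present_indicators reports and print how many were removed.
# rm -f prints nothing and exits 0 for a missing path, so "nothing printed" is
# the normal result even when a file was never there.
remove_indicators() {
    list="${TMPDIR:-/tmp}/fb_list.$$"
    removed=0
    present_indicators "$1" "$2" > "$list"
    while IFS= read -r path; do
        rm -rf "$path" && removed=$((removed + 1))
    done < "$list"
    rm -f "$list"
    echo "$removed"
}

# Build a scratch "home" and "shared" folder containing constructed, empty
# marker files at the indicator locations (assumption: content is irrelevant
# to the check, only presence matters).
make_scratch() {
    base=$(mktemp -d)
    mkdir -p "$base/home/.MacOSX" "$base/home/Library/Application Support" \
             "$base/home/Library/Logs" "$base/shared"
    : > "$base/home/.MacOSX/environment.plist"
    : > "$base/home/Library/Application Support/.GameHouseHolidayExpress.so"
    : > "$base/home/Library/Logs/vmlog"
    : > "$base/shared/.GameHouseHolidayExpress.so"
    : > "$base/shared/.svcdmp"
    echo "$base"
}

# Stand-alone run: plant the markers, count, clean, recount, then discard the
# scratch directory.
scratch=$(make_scratch)
echo "before: $(count_present "$scratch/home" "$scratch/shared") indicator(s) present"
echo "removed: $(remove_indicators "$scratch/home" "$scratch/shared")"
echo "after:  $(count_present "$scratch/home" "$scratch/shared") indicator(s) present"
rm -rf "$scratch"
```

To run the check against a real account rather than the scratch folder, the calls would be `count_present "$HOME" /Users/Shared` (with `$HOME` doing the tilde's job); the counting functions only read, so they are safe to run first and decide from.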

  • Jay-Lee Level 1 (0 points)

    Got you, recently I just went through Virus Barrier X6 and trashed all the files it told me were infected, and I have logged out and back in.

     

    ....okay, so for the first lot of commands you gave: 

     

    rm -rf ~/.MacOSX/environment.plist

    rm -rf ~/Library/Applications\ Support/.GameHouseHolidayExpress.so

    rm -rf ~/Library/Logs/vmlog

    rm -rf /Users/Shared/.GameHouseHolidayExpress.so

    rm -rf /Users/Shared/.svcdmp

     

    It replied with absolutely nothing for each of them....I'm not sure if that's right?

     

     

    For the second lot of commands:

     

    ls -la ~/.MACOSX/environment.plist

    ls -la ~/Library/Applications\ Support/*.so

    ls -la /Users/Shared/*.so

    ls -la ~/Library/Logs/vmLog

    ls -la /Users/Shared/.svcdmp

     

    It replied with no such file or directory for all, as you suggested


     


  • MadMacs0 Level 5 (4,605 points)

    I'm not sure what's going on, but I cannot see any of the postings for the past four hours. I am getting copies in my e-mail, but cannot reply to any of those. I hope this makes it.

     

    Sorry about the typo, my notes have it correct, but it didn't make it into my postings.

     

    There is another typo in what X423424X said so try this:

     

    rm -rf ~/"Library/Application Support/.GameHouseHolidayExpress.so"

     

    leaving the quotes where they are, and if that doesn't work, try:

     

    rm -rf ~/Library/Application\ Support/.GameHouseHolidayExpress.so

     

    If still nothing then either VirusBarrier got rid of it or it was never there to start with.

  • X423424X Level 6 (14,215 points)

    The quoting syntax is fine too.

     

    Posted this for you as a test to see if you see that it was posted.

  • Jay-Lee Level 1 (0 points)

    I noticed also!  It's saying that X423424X has replied to my last comment, yet I cannot see it, and I cannot see your comment on my Mac, just my PC.  Something faulty's going on on the boards I guess....

     

    Anyway! I ran again through the terminal and still nothing...so it's looking good?

  • Jay-Lee Level 1 (0 points)

    I'm able to see the replies on my PC, but not my Mac....but I think the situation is looking good....

  • Jay-Lee Level 1 (0 points)

    Do you think that I should still reboot / format my Mac? 

  • X423424X Level 6 (14,215 points)

    Rebooting isn't going to change anything.  If the stuff is still there, it isn't going to go away on its own.

     

    Not sure what you mean by "format my mac".  If you mean do a full clean (not update) install that is your choice I assume weighted against all the work to get back to your current setup. 

     

    If the files are gone, particularly environment.plist, and you replaced your safari, and the problem is gone (no numbers in menus) you are probably safe as you are.

     

    I generally never suggest full reinstalls for anything because most problems can be figured out.  In my own case I also always have backups, real full clones, not non-bootable TMs, that I can always fall back on.

     

    On this problem of not seeing posts. I haven't noticed it. But a while ago Apple took down these forums for a short time.  Maybe that was related to that problem.

  • MadMacs0 Level 5 (4,605 points)

    The boards seem to be working correctly for me now.

    Jay-Lee wrote:

     

    Do you think that I should still reboot / format my Mac? 

    That's what the majority are still recommending. It is the first time I've ever suggested that a week or so ago when it seemed we knew very little about what was going on. Today I modified that to suggest infected users replace the network apps from source, which is relatively easy and wait to see if there are any other unexplained issues. If you have a TM backup and haven't done much since, then going back to before the infection date is an option that wouldn't be as difficult. I heard last night that it may not even be necessary to replace the apps as the code injection takes place in RAM and not on the hard drive, but since that isn't Intego's position yet, I would follow their recommendation until they change it.

     

    I would hope that you have shut down the UserName / Password harvesting, but there's a lot we don't know about that process yet. In any case, I would change all the passwords for Google and financial sites that you visited since the date of infection, along with any passwords on other sites that are identical to those.

  • X423424X Level 6 (14,215 points)

    What a mess.  And I still don't know where all these people are downloading this thing from.