
Unable to login-start up Macbook Pro

Hi, it's a 15 inch, 2 year old MacBook Pro with OS X, of course, and updated. Recently started getting redirected to happili and other websites while surfing (I believe it is called the Google redirect virus). To fix the problem I installed ClamXav and ran scans through my computer and it didn't find anything. I tried to check the DNS numbers and followed some other guides on the net. In the end I installed VirusBarrier X6, with the 30 day trial version. It installed fine, restarted the computer and when it came back on started the scan of the HDD. BUT I could not open any programs at this point or search the net. So I restarted the laptop again and now it won't go past the login screen. It loads the background of the desktop but won't load the tool bar, icons etc., it just freezes. I started it in safe boot and ran a full disk repair/verify and disk permissions etc. All indicated fine... but still won't start up completely.


So first of all, what do I do? I can still boot safe mode, btw. And if I do get it started up, how can I remove that GRV?

MacBook Pro, Mac OS X (10.7.3)

Posted on Mar 6, 2012 6:40 PM

Question marked as Best reply

Posted on Mar 6, 2012 10:17 PM

Cala123654 wrote:


Recently started getting redirected to happili and other websites while surfing (I believe it is called the Google redirect virus). To fix the problem I installed ClamXav and ran scans through my computer and it didn't find anything.

IIRC there are now three possible pieces of OS X malware (none are viruses on a fully updated Mac):


One is a very old DNSChanger or RSPlug Trojan. The perpetrators of this are in jail awaiting extradition and their servers are being operated as normal servers by the FBI until July 9, so they should not be a factor, but a couple of folks have been shown to be affected somehow here in the Forum over the last couple of weeks. It sounds like this is the one you were trying to find.


The second is the also relatively old BASH/QHost.WB Trojan, disguised as a FlashPlayer11 installer, which modified the hosts file in a predictable way, but it hasn't been seen in a long time.


The third possibility has not been verified, but the Flashback.G Trojan that has been active off and on since around Feb 18th has been reported by at least one user as redirecting Google search. As far as I know only Snow Leopard users have been infected to date, but if you approved a fake Apple certificate for a Java app, that could have done it.


My last guess is that there is yet another version of Flashback that we haven't learned of yet.

I installed VirusBarrier X6, with the 30 day trial version. It installed fine, restarted the computer and when it came back on started the scan of the HDD. BUT I could not open any programs at this point or search the net. So I restarted the laptop again and now it won't go past the login screen. It loads the background of the desktop but won't load the tool bar, icons etc., it just freezes. I started it in safe boot and ran a full disk repair/verify and disk permissions etc. All indicated fine... but still won't start up completely.

Since the last thing you did was install VB, I would suspect that, so my first choice would be to run the uninstaller in safe mode and see where that gets you.

if I do get it started up how can I remove that GRV?

Come back and we'll check a few things.

24 replies

Mar 7, 2012 7:26 AM in response to MadMacs0

Hey, thanks a lot for the help! I turned off FileVault as well earlier because I thought maybe VirusBarrier had done something, since none of my files could be opened in safe mode. It's like they were unreadable. I finally managed to get rid of all of VirusBarrier. Thought I had when I made the post last night, but now at least it can boot up in normal mode again and I can access my files. So, now onto the GRV..

Mar 7, 2012 11:45 AM in response to Cala123654

So, now onto the GRV..

Looks like my fourth option (new variant) may be something you should look into. I checked the Intego blog last night before I wrote my reply to you, but this wasn't there yet: http://blog.intego.com/new-flashback-variant-changes-tack-to-infect-macs/. I've had at least one other user whose symptoms were out of line with Flashback.G.


My guess is that the information is incomplete as it has been with previous postings. I doubt that the two files they found are the entire story, but they are a start and worth looking for. Let me know if you aren't familiar with how to find invisible files within an Application bundle and I'll talk you through it.


Apparently what you are looking for are:


/Applications/Safari.app/Contents/Resources/.COAASHIPPlotter.png

/Applications/Safari.app/Contents/Resources/.COAASHIPPlotter.xsl

Mar 8, 2012 8:16 PM in response to MadMacs0

Hey, so I didn't find those files on my Mac, just did a general search on my Mac for invisible files with those names. Just Command+F and then changed the kind to Other, set invisible files as the parameter and searched; if there is another way of doing it I don't know it. So the problem still persists. As a side note my Skype file isn't working anymore either and a reinstall doesn't seem to be working. If we could deal with that after the GRV again it would be great :)

Mar 8, 2012 10:15 PM in response to Cala123654

Cala123654 wrote:


Hey, so I didn't find those files on my Mac, just did a general search on my Mac for invisible files with those names. Just Command+F and then changed the kind to Other, set invisible files as the parameter and searched; if there is another way of doing it I don't know it. So the problem still persists. As a side note my Skype file isn't working anymore either and a reinstall doesn't seem to be working. If we could deal with that after the GRV again it would be great :)

I don't think Command+F is going to hack it. It uses the Spotlight database, which doesn't look in all the right places. Besides, we know where to look, so it's a bit of a waste of time searching your entire hard drive. Also, if I am properly understanding that you entered the words "invisible files" after "Kind is Other", that isn't the way that works either. And lastly, Intego has speculated that the names they found are probably not going to be the same in every case.


Since I have been unable to locate anybody else in the Forum who has verified any of Intego's findings, we don't have a lot to go on.


Why don't we start by eliminating the older possibilities first since we know how to identify them. Then if we learn more about the new thing we won't waste a bunch of time.


For the Rove DNSChanger Trojan:

Visit the site http://www.dcwg.org/checkup.html and click on "Mac OSX" in the left box and follow the directions.


If that's OK then click on "Checking Via Browser" and follow those directions.


To fix any problems you find click on the "Cleanup" tab at the top.


Feel free to read anything else on the site you might be curious about.


For the QHost.WD Trojan (courtesy of Linc Davis):

In the Finder, select Go > "Go to Folder..." from the menu bar. Enter "/etc" (without the quotes) in the window that opens, and press return. A Finder window opens. Locate the file named "hosts" and double-click it. It should open in the TextEdit application. You should see this in the TextEdit window:


##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost


If you see anything else, post the entire contents of the window -- the text, please, not a screenshot.


For the Flashback.G Trojan (fane_j and others)

Open the Terminal application (in /Applications/Utilities/), copy and paste the following command into a terminal window and press return.


defaults read ~/.MacOSX/environment


If the file doesn't exist, defaults returns:


Domain /Users/<username>/.MacOSX/environment does not exist


If it does exist, it returns its contents.


The malware entry will look something like this:

{
    "DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";
}



Let me know how it goes.
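The two local checks in the post above (the stock hosts file and the DYLD_INSERT_LIBRARIES entry in ~/.MacOSX/environment.plist) can be scripted so they are repeatable and do not depend on reading the file by eye. The script below is an added example, not part of the thread or any Apple or Intego tool. It assumes a stock 10.7 hosts file has exactly the four entries quoted above, and it reads the plist with a plain-ASCII grep rather than `defaults read`, which works on both XML and binary plists because the key and the library path are stored as literal ASCII in both. The hosts and plist samples in the demo branch are constructed (the 192.0.2.10 address is a documentation range, not a real attacker IP).

```shell
#!/bin/sh
# Added example (not from the thread): scripted versions of MadMacs0's hosts-file
# and environment.plist checks. Set FLASHBACK_LIVE=1 to run against the real
# /etc/hosts and ~/.MacOSX/environment.plist; otherwise constructed samples are used.

# Print every non-comment /etc/hosts entry that is not one of the four stock ones.
# QHost-style tampering adds lines pointing google.* and similar at an attacker IP.
hosts_extra_entries() {
  awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }                 # comments, blanks
    NF == 2 && $1 == "127.0.0.1"       && $2 == "localhost"     { next }
    NF == 2 && $1 == "255.255.255.255" && $2 == "broadcasthost" { next }
    NF == 2 && $1 == "::1"             && $2 == "localhost"     { next }
    NF == 2 && $1 == "fe80::1%lo0"     && $2 == "localhost"     { next }
    { print }                                                    # anything else is suspect
  ' "$1"
}

hosts_extra_count() {
  hosts_extra_entries "$1" | wc -l | tr -d ' '
}

# Print the library path injected via DYLD_INSERT_LIBRARIES in an environment.plist,
# or nothing if the file is absent or clean. grep -a is deliberate: key and path are
# plain ASCII inside a binary plist too, so no `defaults` or `plutil` is needed.
dyld_insert_path() {
  [ -r "$1" ] || return 0
  grep -a -q DYLD_INSERT_LIBRARIES "$1" || return 0
  grep -a -o -E '/[^<>"[:cntrl:][:space:]]*\.(so|dylib)' "$1" | head -n 1
}

# Run both checks; prints one verdict line per check, returns 0 only if both are clean.
flashback_triage() {
  hosts=$1 envplist=$2 rc=0
  extras=$(hosts_extra_entries "$hosts")
  if [ -n "$extras" ]; then
    printf 'hosts: SUSPECT, extra entries:\n%s\n' "$extras"; rc=1
  else
    echo "hosts: clean"
  fi
  lib=$(dyld_insert_path "$envplist")
  if [ -n "$lib" ]; then
    echo "environment.plist: SUSPECT, injects $lib"; rc=1
  else
    echo "environment.plist: clean"
  fi
  return $rc
}

if [ "${FLASHBACK_LIVE:-0}" = 1 ]; then
  flashback_triage /etc/hosts "$HOME/.MacOSX/environment.plist"
else
  demo=$(mktemp -d)
  # Constructed sample: stock hosts file plus one QHost-style redirect line.
  cat > "$demo/hosts" <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10      www.google.com
EOF
  # Constructed sample: the environment.plist the thread's infection left behind.
  cat > "$demo/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>DYLD_INSERT_LIBRARIES</key>
  <string>/Users/Shared/.AudioMPMaker.so</string>
</dict></plist>
EOF
  flashback_triage "$demo/hosts" "$demo/environment.plist" || true
  rm -rf "$demo"
fi
```

Run it as `FLASHBACK_LIVE=1 sh flashback_triage.sh` on the affected Mac; a non-zero exit means at least one indicator fired, and the printed library path is the file to look for next. The awk filter deliberately rejects a stock entry with trailing fields, so `127.0.0.1 localhost www.google.com` is reported rather than silently accepted.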

Mar 9, 2012 12:19 AM in response to MadMacs0

Hey, thanks for all the help! Finally found something with the last check.


"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.AudioMPMaker.so";


The last command returned the line above. So now to delete this all I have to do is delete that one file? I googled how to see hidden files now by using the terminal so I found the file at that location.

Mar 9, 2012 2:00 AM in response to Cala123654

Caught me just in time....

Cala123654 wrote:


Finally found something with the last check.


"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.AudioMPMaker.so";


The last command returned the line above. So now to delete this all I have to do is delete that one file?

No, there are five of them! If you delete that file and log out before you delete at least one of the others you will be locked out of your account.

I googled how to see hidden files now by using the terminal so I found the file at that location.


Good, then you should be able to find them all and drag them to the trash, but before you do will you highlight the ".AudioMPMaker.so" file in the Finder, do a File->Get Info (Command-I) and check the "Name & Extension" box to see if there is a .dylib file extension hidden. Let me know.


~/.MacOSX/environment.plist [This is the most important so get rid of it first]
~/Library/Application Support/.<AudioMPMaker>.so
~/Library/Logs/vmlog
/Users/Shared/.<AudioMPMaker>.so
rm -rf /Users/Shared/.svcdmp

where "~" is your home folder /Users/<yourusername>/


Then reboot and see if your issues are gone.
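The ordering point in the post above matters more than the file list: if the injected library is deleted while environment.plist still names it, every process launched at the next login tries to load a missing library and the account is locked out. The script below is an added example, not from the thread, that removes the five artifacts in a safe order (plist first, then the two library copies, then the log and dump directory) and is a dry run unless told to apply. It assumes the library copy under ~/Library/Application Support has the same name as the one named in environment.plist, as it did here, and that /Users/Shared/.svcdmp is a directory (hence the rm -rf in the list). The sample tree it builds for the demo is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): remove the five Flashback artifacts listed
# above in lock-out-safe order. Dry run by default; pass "apply" as the third
# argument to delete. FLASHBACK_LIVE=1 runs against $HOME and /Users/Shared.

# Library path injected via DYLD_INSERT_LIBRARIES, or empty. Plain-ASCII grep so it
# also works on a binary plist.
injected_lib() {
  [ -r "$1" ] || return 0
  grep -a -q DYLD_INSERT_LIBRARIES "$1" || return 0
  grep -a -o -E '/[^<>"[:cntrl:][:space:]]*\.(so|dylib)' "$1" | head -n 1
}

# flashback_cleanup HOME SHARED [apply]
# Prints "rm <path>" or "skip <path> (not present)" per artifact, in removal order.
flashback_cleanup() {
  home=$1 shared=$2 mode=${3:-dry-run}
  plist="$home/.MacOSX/environment.plist"
  lib=$(injected_lib "$plist")
  name=${lib##*/}                      # e.g. .AudioMPMaker.so; empty if no plist
  # 1. The plist goes first: once it is gone, new processes stop trying to load the
  #    library, so deleting the library afterwards cannot break the next login.
  set -- "$plist"
  # 2. The two library copies, only if we actually learned the name (never rm a bare
  #    directory because the name expanded to nothing).
  if [ -n "$name" ]; then
    set -- "$@" "$home/Library/Application Support/$name" "$shared/$name"
  fi
  # 3. The log and the dump directory.
  set -- "$@" "$home/Library/Logs/vmlog" "$shared/.svcdmp"
  for p; do
    if [ ! -e "$p" ]; then echo "skip $p (not present)"; continue; fi
    echo "rm $p"
    if [ "$mode" = apply ]; then rm -rf -- "$p"; fi
  done
  return 0
}

# Number of artifacts a dry run would remove.
flashback_artifact_count() {
  flashback_cleanup "$1" "$2" | grep -c '^rm ' || true
}

# Constructed sample tree mirroring what the thread found (demo/test only).
make_infected_tree() {
  mkdir -p "$1/.MacOSX" "$1/Library/Application Support" "$1/Library/Logs" "$2/.svcdmp"
  printf '<plist><dict><key>DYLD_INSERT_LIBRARIES</key><string>%s/.AudioMPMaker.so</string></dict></plist>\n' \
    "$2" > "$1/.MacOSX/environment.plist"
  : > "$1/Library/Application Support/.AudioMPMaker.so"
  : > "$2/.AudioMPMaker.so"
  : > "$1/Library/Logs/vmlog"
}

if [ "${FLASHBACK_LIVE:-0}" = 1 ]; then
  flashback_cleanup "$HOME" /Users/Shared "${1:-dry-run}"
else
  demo=$(mktemp -d)
  make_infected_tree "$demo/home" "$demo/shared"
  flashback_cleanup "$demo/home" "$demo/shared"              # dry run: lists 5 removals
  flashback_cleanup "$demo/home" "$demo/shared" apply >/dev/null
  rm -rf "$demo"
fi
```

Run `FLASHBACK_LIVE=1 sh flashback_cleanup.sh` first to see what would go, then `FLASHBACK_LIVE=1 sh flashback_cleanup.sh apply` from a normal login session, and only log out or reboot after the apply run has finished. If the dry run shows the plist as "not present" but the libraries still exist, the lock-out risk is already gone and the remaining files can be removed in any order.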

Mar 9, 2012 11:20 AM in response to Cala123654

~/Library/Application Support/.<AudioMPMaker>.so only that one, I believe.

Found the one via the terminal that I deleted yesterday:
/Users/Shared/.AudioMPMaker.so

And then via single user mode I deleted:
rm -rf /Users/Shared/.svcdmp
~/.MacOSX/environment.plist

So the ones I didn't find were:
~/Library/Application Support/.<AudioMPMaker>
~/Library/Logs/vmlog

Mar 10, 2012 12:36 AM in response to Cala123654

I neglected to remind you that Intego said earlier that this Trojan "search[es] for user names and passwords. It looks for a number of domains – websites such as Google, Yahoo!, CNN; bank websites; PayPal; and many others. Presumably, the people behind this malware are looking for both user names and passwords that they can immediately exploit – such as for a bank website – as well as others that may be reused on different sites. (Hint: don’t use the same password for all websites!)" They have since found that this information is sent back via Twitter.


So it would be a good idea to spend some time changing passwords.
