Cala123654 wrote:
Hey, so didn't find those files on my mac, just did a general search on my mac for invisible files with those names. Just command+F and then changed the kind to other, set invisible files as the parameter and searched, if there is another way of doing it I don't know it. So the problem still persists. As a side note my Skype file isn't working anymore either and a reinstall doesn't seem to be working. If we could deal with that after the GRV again it would be great :)
I don't think Command+F is going to hack it. It uses the Spotlight database which doesn't look in all the right places. Besides, we know where to look, so it's a bit of a waste of time searching your entire hard drive. Also, if I am properly understanding that you entered the words "invisible files" after "Kind is Other" that isn't the way that works either. And lastly, Intego has speculated that the names they found are probably not going to be the same in every case.
Since I have been unable to locate anybody else in the Forum who has verified any of Intego's findings, we don't have a lot to go on.
Why don't we start by eliminating the older possibilities first since we know how to identify them. Then if we learn more about the new thing we won't waste a bunch of time.
For the Rove DNSChanger Trojan:
Visit the site http://www.dcwg.org/checkup.html and click on "Mac OSX" in the left box and follow the directions.
If that's OK then click on "Checking Via Browser" and follow those directions.
To fix any problems you find click on the "Cleanup" tab at the top.
Feel free to read anything else on the site you might be curious about.
For the QHost.WD Trojan (courtesy of Linc Davis):
In the Finder, select Go > "Go to Folder..." from the menu bar. Enter "/etc" (without the quotes) in the window that opens, and press return. A Finder window opens. Locate the file named "hosts" and double-click it. It should open in the TextEdit application. You should see this in the TextEdit window:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost
If you see anything else, post the entire contents of the window -- the text, please, not a screenshot.
For the Flashback.G Trojan (fane_j and others):
Open the Terminal application (in /Applications/Utilities/), copy and paste the following command into a terminal window and press return.
defaults read ~/.MacOSX/environment
If the file doesn't exist, defaults returns:
Domain /Users/<username>/.MacOSX/environment does not exist
If it does exist, it returns its contents.
The malware entry will look something like this:
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";
}
Let me know how it goes.
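Added example, not part of the original post: a small shell sketch of the two manual checks above. It lists any /etc/hosts entry that differs from the stock file shown in the post and tests `defaults read` output for a DYLD_INSERT_LIBRARIES key. The function names and the sample data are constructed for illustration.

```sh
#!/bin/sh
# Added example: automate the /etc/hosts and environment checks described above.

# Read a hosts file on stdin and print every active entry that is not one of
# the four stock entries. Comments and blank lines are ignored and runs of
# spaces or tabs are collapsed before comparing.
unexpected_hosts_entries() {
    sed -e 's/#.*$//' | awk '
        NF == 0 { next }
        {
            entry = $1
            for (i = 2; i <= NF; i++) entry = entry " " $i
            if (entry == "127.0.0.1 localhost") next
            if (entry == "255.255.255.255 broadcasthost") next
            if (entry == "::1 localhost") next
            if (entry == "fe80::1%lo0 localhost") next
            print entry
        }'
}

# Read the output of `defaults read ~/.MacOSX/environment` on stdin and
# return 0 if it sets DYLD_INSERT_LIBRARIES, 1 otherwise.
has_dyld_insert() {
    grep -q 'DYLD_INSERT_LIBRARIES'
}

# Constructed sample: the stock file plus one extra entry
# (192.0.2.10 is a reserved documentation address, www.example.com a placeholder).
sample_hosts() {
    cat <<'EOF'
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
192.0.2.10 www.example.com   # constructed extra entry
EOF
}

echo "Non-default entries in the constructed sample:"
sample_hosts | unexpected_hosts_entries

# On the Mac being checked:
#   unexpected_hosts_entries < /etc/hosts
#   defaults read ~/.MacOSX/environment 2>/dev/null | has_dyld_insert && echo "DYLD_INSERT_LIBRARIES is set"
```

An extra hosts entry is not proof of infection, since some software and users add their own; it only marks the lines worth posting for review.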