ComputerUser23483 wrote:
I think I have a virus or spyware on my computer. It redirects me to a third-party site (something like LinkBucks) when I try to visit Facebook, Google or YouTube. This happens in both Safari and in Mozilla Firefox.
I have been seeing a few of these over the past few days, so it could be something new, but let me give you a couple of suggestions for what has been discovered in the last couple of weeks.
Here's an AppleScript written by fane_j which will check for what we know about the last two Flashback Trojans. Open Script Editor (/Applications/Apple Script/) then copy and paste what follows into the window:
--script begins
property theItems : {"defaults read ~/.MacOSX/environment", "ls -al /Applications/Safari.app/Contents/Resources/*COAA*", "java -version 2>&1"}
on run
set myClip to ""
repeat with i in theItems
try
do shell script i
set myClip to myClip & result & return & return
on error errText
set myClip to myClip & i & " -- " & errText & return & return
set myClip to result
end try
end repeat
set the clipboard to myClip
end run
--script ends
Press the run button. Results will be on your clipboard which you can paste into a text document, e-mail or back here.
It performs three checks:
The first will identify whether or not you have the Flashback.G Trojan (as well as a couple of earlier versions). If you are infected it will look something like this:
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";
}
If it says that, STOP everything and return here for instructions! Do not attempt any file deletions or you can easily lock yourself out of your account.
If it says anything else or cannot find the file, you are OK on this one.
The second test looks for the Flashback.N Trojan, but since we have not been able to find anybody who was infected yet and the information on it is incomplete, there's no assurances for this one.
The third checks to see what version of Java you have. If it says anything less than 1.6.0_29 followed by some other alpha-numerics, you are vulnerable to being infected without any action on your part other than visiting a web site. In such a case use Software Update to get the latest patch.
The other suggestion would be to check for the old DNSChanger by visiting the site http://www.dcwg.org/checkup.html, click on "Mac OSX" in the left box and follow the directions.
If that's OK then click on "Checking Via Browser" and follow those directions.
It's possible that your router is infected, but unfortunately they still have not posted instructions for that.
To fix any problems you find click on the "Cleanup" tab at the top.
Feel free to read anything else on the site you might be curious about.