Skip navigation

Malware?  Something has my Mac in a knot!

645 Views 10 Replies Latest reply: Mar 13, 2012 1:46 PM by John Galt RSS
kahlua021997 Level 1 Level 1 (5 points)
Currently Being Moderated
Mar 13, 2012 7:29 AM

https://discussions.apple.com/thread/3217174?start=15&tstart=0

 

The above discussion seems to be very similar to my scenario.  Just different website and different prize. I will reference this posting on that discussion.  But, that discussion was six months ago, and is very long.... so I felt it worthy to try to summarize best I could.  And, with taking the information, I wasn't even sure what process to do first?  So, although I state in this post below as fact, realize I am siting other users information from the post mentioned above. 

 

So, in a nutshell, I am asking you all:

  1. Is the below information accurate?
  2. What items do I do first?  What items do I not do at all?

 

My story:  I was searching for some stuff on the planet Jupiter for my daughter's class project.  And, bam, a pop-up came up saying I was a Michigan winner.  How the heck does this pop up know I am from Michigan????

 

What was worse, the pop-up could not be closed (the three dots were not present in the upper left-hand corner), I could not access any menu items, etc.in Safari.  As this other post above mentioned, "my computer/Safari has been hijacked".

 

I have Lion, so naturally, any force closing, and/or rebooting just brings up the same pages once again.  However, along the way, it had asked for an administrator name and password.  I didn't think of it too much as I had been moving between users that day so my other daughter could be surfing the web on her restricted account.  So, I thought it had to do with that.

 

After reading the above-referenced post, I can summarize the plethora of information into the following:

 

  1. I probably came across a similar malware issue
  2. I probably gave my password to an enemy
  3. And, my Mac is currently setting power-off awaiting my decision on what to do.  And, am having to write this post on my husband's Windows PC.  Not happy!

 

Issues and/or solutions:

 

  1. I might be able to hold down the shift key when entering Safari to disable the "resume pages" option on Lion.  (however, that doesn't mean the issue is gone... just that I might be able to access websites and the menu again.)
  2. I am gonna need to delete some files perhaps outside of Safari (downloads.plist; history.plist; historyindex.sk; lastsession.plist; topsites.plist; webpageicons.db;)   THEN EMPTY THE TRASH.
  3. I am sure I need to make sure that my Apple software is up to date, including security definitions.  (no one in the other post even mentioned this, I don't think, but I would think this would be very helpful.)
  4. I am going to have to address Flash cookies (.sol files)
    1. delete them from home/library/preferences/macromedia/flash player/#sharedobjects
    2. settings need to be adjusted in home/library/preferences/macromedia/flash player/macromedia.com/support/flashplayer/sys
    3. FYI: the home>library folder is now hidden.... so will need to discover how to access that
    4. Or use the Flush app to remove all flash cookies; Or use Safaricookies app to be selective on what flash cookies I'd want to keep
    5. Adobe flash player now puts a system preference in system preferences folder for flash player, including a simple way to delete all flash cookies
      1. The old version of FP you have to go to the adobe flash player support page to view the control panel that lets you do this.  The new one, lets you control it on your Mac.--Supposedly you can access this control panel via double clicking the FP icon
  5. Tracker cookies scare me:
    1. If I installed this Trojan(OSX/DNSChanger) by providing my password, my DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements.  (BTW, I moved to a Mac a couple years ago because my Windows laptop got one of these things on them... thought I was immune on a Mac.  So wrong!)
    2. It concerns me that this attacker could be monitoring my passwords, etc on my banks, etc.  Not sure if this is true or not...
    3. SecureMac app has a free Trojan Detection Tool for Mac OS X.  The software to remove it has a 30-day trial and then costs $30US.
    4. It goes on to talk about Windows viruses that can be passed on through emails to other Windows users, which CLAMXAV app can fix.  Uncertain if available for Lion per the contributor's remarks, but is also difficult to remove from your Mac.  The contributor also alerted us to not install Norton on the Mac as it is damaging to the OS.
    5. Some users did the shift button with the Safari button thinking they were done with the whole thing, but realized there was a Trojan on their Mac, still alive.  Sending to trash and emptying trash- not sure if that is all you need to do finding it using spotlight?
  6. Things that didn't work for other users and other threads to read:
    1. VirusBarrier Plus didn't detect anything on a users computer.
    2. https://discussions.apple.com/thread/3198419?tstart=0

Any help on this would be greatly appreciated!!!!!

 

An additional question I have:

 

I have a Time Capsule.  Could I just restore from two days ago and not have to worry about any of the above actions?

MacBook, Mac OS X (10.7.2), iPhone 4, iPod nano 3rd gen, iPod nano 4th gen, Airport Express
  • Linc Davis Level 10 Level 10 (107,760 points)
    Currently Being Moderated
    Mar 13, 2012 10:37 AM (in response to kahlua021997)

    However, along the way, it had asked for an administrator name and password.

     

    What had asked for an administrator password? What did you authorize?

  • Linc Davis Level 10 Level 10 (107,760 points)
    Currently Being Moderated
    Mar 13, 2012 12:43 PM (in response to kahlua021997)

    Please read this whole message before doing anything.

     

    This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

     

    Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software – potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions – they’re easy to carry out and won’t change anything on your Mac.

     

    These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.

     

    Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.

     

    Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.

     

    Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.

     

    Launch the Terminal application in any of the following ways:

     

    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)

     

    ☞ In the Finder, press the key combination shift-command-U. The application is in the folder that opens.

     

    ☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.

     

    When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” (without the quotes) and press return. You should then get a new line ending in a dollar sign.

     

    Step 1

     

    Copy or drag – do not type – the line below into the Terminal window, then press return:

     

    kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
    

     

    Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.)

     

    Step 2

     

    Repeat with this line:

     

    sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
    

     

    This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.

     

    Step 3

     

    launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
    

     

    Step 4

     

    ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
    

     

    Important: If you synchronize with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.

     

    Step 5

     

    osascript -e 'tell application "System Events" to get name of every login item'
    

     

    Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer – no typing, except your password. Also remember to post the output.

     

    You can then quit Terminal.

  • John Galt Level 7 Level 7 (33,080 points)
    Currently Being Moderated
    Mar 13, 2012 12:48 PM (in response to kahlua021997)

    Would you provide your mother's maiden name, your birthdate, your SSN to an anonymous caller? I doubt it. Don't provide names and passwords just because a popup advertisement requests it.

    I have a Time Capsule.  Could I just restore from two days ago and not have to worry about any of the above actions?

     

    That may be the easiest solution.

     

    Change your passwords. All of them.

     

    And, bam, a pop-up came up saying I was a Michigan winner.  How the heck does this pop up know I am from Michigan????

     

    Your IP address is not hidden. It's trivial to correlate it to an approximate geographic location.

     

    Never install anything without knowing what it is, and never provide your name and password without knowing what you are doing. Nothing can prevent phishing attempts.

  • John Galt Level 7 Level 7 (33,080 points)
    Currently Being Moderated
    Mar 13, 2012 1:24 PM (in response to kahlua021997)

    It is possible that it was, since it is normal to encounter that before shutting down when a user is connected.

     

    My response was predicated on the following:

    ... along the way, it had asked for an administrator name and password.  ...

     

    1. I probably came across a similar malware issue
    2. I probably gave my password to an enemy ....

     

    Given your uncertainty my advice remains the same.

  • Linc Davis Level 10 Level 10 (107,760 points)
    Currently Being Moderated
    Mar 13, 2012 1:42 PM (in response to kahlua021997)

    Did the dialog look similar to this? If you're absolutely sure that it did, you should be OK. Otherwise please respond to my last post.

    /___sbsstatic___/migration-images/178/17853247-1.png

  • John Galt Level 7 Level 7 (33,080 points)
    Currently Being Moderated
    Mar 13, 2012 1:46 PM (in response to kahlua021997)

    If you boot Lion Recovery restoring from a TM backup will erase the target disk anyway, but if erasing it first will ease your mind then go ahead.

    Makes me a little anxious as I haven't had to test my time machine/time capsule before now.

     

    Only one way to find out!

     

    It is a bit unsettling in that there is no way to determine in advance that your TM backup is going to work or not. However, I have done this many times with no problems. Time Machine is pretty reliable.

Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)

Legend

  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.