
Virus may have bricked my computer

I've never had a virus on any of my Macs, so I need help dealing with this one.... Safari was closing sporadically after about 5 minutes of use. It would close with an error message referencing '.KlondikeMineD.tmp.' I knew immediately that this was no good, however, I didn't know how bad it would be. I ran Avast! (I know... I'm kicking myself for not running ClamAV). So Avast found KlondikeMineD.tmp to be a trojan and when I tried to 'chest' it I received an error message saying the program didn't have the ability to do it, or something like that. Now I knew I was in trouble. I attempted to boot in safe mode and was not able to log in to the administrator account. I am still able to log in as guest with full networking capability, but that does me no good since I can't run a scan or access anything on my administration account, which is where the virus is.


Any help on this would be fantastic. Is there an AV prog out there that has the ability to perform a scan at boot? I'm kind of freaking out because I have tons of pics on my HD that aren't backed up, including baby pics. Thanks for any ideas.

Mac Pro, Mac OS X (10.6.8), Trojan Virus

Posted on Mar 9, 2013 9:57 AM

Question marked as Best reply

Posted on Mar 9, 2013 10:19 AM

10.6.8 has the ability to boot from the Installer DVD and run Disk Utility (Repair Disk).


You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.


If you are running Java games under 10.6.8 without installing the latest Software Updates, that can open you to Java-in-Safari exploits. Be sure to run the latest Java Software Update (which you can do in Safe Mode.)

31 replies

Mar 12, 2013 6:43 PM in response to Linc Davis

Linc Davis wrote:


There hasn't been a verified report of a Flashback infection for almost a year now.

I don't have time to go through that entire list right now, but weren't they all the result of an old infection?


At least two A-V labs have declared it extinct, so unless it's started up again (highly doubtful IMHO), this would have to have been installed about a year ago. Could somebody go this long without noticing or running a Software Update? Hard to believe, but possible I guess.


In any case, we seem to have lost the OP in all this, so we may never know.

Mar 12, 2013 9:16 PM in response to MadMacs0

I apologize to all that have posted recommendations and advice, I have been out of town with very limited internet access. I'm still here and about to get down to remedying this situation as we speak. I do appreciate all the suggestions and I will let you know which (if any work). As far as more detailed info regarding the infection, I will try to get as much as I can, but without access to the admin account I will have some difficulty getting more info. ... Again, sorry to leave you all hanging.

Mar 13, 2013 5:05 PM in response to shelbourn

shelbourn wrote:


worked like a charm first try.

So that's pretty much proof positive that you contracted Flashback malware at some point and there almost certainly are other components of it still on the hard drive. Be sure and run Software Update, as Linc advised, which will hopefully take care of the rest, although I believe all the dangerous code is already gone or disabled.


Several of us are more than curious to know if it was infected last year or has there been a recent outbreak that none of us are aware of. The most useful information would be to discover the date of installation, but if Software Update tells you that malware was removed, that won't be possible. So if you could just let us know how long it had been since you updated the OS or if you had observed unusual behavior such as Safari crashing unexpectedly, that would still be useful.
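The post above asks for the one piece of evidence that would settle the timeline: when the malicious file first appeared in the user folder. The following triage script is an added example, not code from the thread or from any of the products mentioned; it walks a home directory, collects hidden files whose names end in `.tmp` (the only indicator this thread names is `.KlondikeMineD.tmp`), and reports them oldest first with creation and modification times. On Mac OS X 10.6.8 `os.stat` exposes `st_birthtime`, the real creation time on HFS+; on other systems the script falls back to the modification time. The `build_sample_home` helper creates a constructed directory tree purely so the example runs offline.

```python
import os
import tempfile
from datetime import datetime, timezone


def file_times(path):
    """Return (created, modified) as UTC datetimes for one file.

    macOS (HFS+ under 10.6.8) exposes st_birthtime, the creation time,
    which is what tells you when the artefact landed on disk. Where the
    platform lacks it, fall back to st_mtime so the script still runs.
    """
    st = os.lstat(path)
    birth = getattr(st, "st_birthtime", st.st_mtime)
    return (datetime.fromtimestamp(birth, tz=timezone.utc),
            datetime.fromtimestamp(st.st_mtime, tz=timezone.utc))


def find_hidden_tmp_files(root):
    """Walk `root` and collect hidden files whose names end in .tmp.

    Returns a list of (path, created, modified, size) tuples sorted by
    creation time, oldest first, so the earliest artefact is at the top.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Do not follow symlinked directories; a planted link could
        # otherwise pull the walk out of the home folder.
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            if name.startswith(".") and name.lower().endswith(".tmp"):
                full = os.path.join(dirpath, name)
                try:
                    created, modified = file_times(full)
                    size = os.lstat(full).st_size
                except OSError:
                    continue  # unreadable or already gone; keep walking
                hits.append((full, created, modified, size))
    hits.sort(key=lambda h: h[1])
    return hits


def build_sample_home():
    """Create a constructed home folder for demonstration (not real data).

    Contains one hidden .tmp file named after the indicator from the
    thread, dated 1 March 2013 UTC, plus two files that must be ignored:
    a hidden non-.tmp file and a visible .tmp file.
    """
    home = tempfile.mkdtemp(prefix="sample_home_")
    planted = os.path.join(home, ".KlondikeMineD.tmp")
    with open(planted, "wb") as fh:
        fh.write(b"\x00" * 64)
    march_first_2013 = 1362096000  # 2013-03-01 00:00:00 UTC
    os.utime(planted, (march_first_2013, march_first_2013))
    with open(os.path.join(home, ".bash_history"), "w") as fh:
        fh.write("ls\n")
    with open(os.path.join(home, "scratch.tmp"), "w") as fh:
        fh.write("visible, not hidden\n")
    return home


def report(root):
    """Print one line per hit: created, modified, size, path."""
    for path, created, modified, size in find_hidden_tmp_files(root):
        print(f"{created:%Y-%m-%d %H:%M}  {modified:%Y-%m-%d %H:%M}  "
              f"{size:>8}  {path}")


if __name__ == "__main__":
    # Run against a constructed tree by default; pass a real home folder
    # (for example os.path.expanduser("~")) to triage an actual machine.
    report(build_sample_home())
```

Run it from a Guest or freshly reset admin session against the affected user's home folder; the first line of the report is the best available estimate of the installation date, which is what the post above is asking for.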

Mar 13, 2013 6:15 PM in response to MadMacs0

Okay, I might as well come clean. This isn't my Mac. It's a good friend of mine's who knows zero about computers in general, let alone Macs. I just took ownership of the problem because he mentioned his browser closing independently so I looked into it for him. Anyway...


After I got it running with your help last night I ran a full backup with Time Machine and manually copied all files over to an external HD (two separate externals). I left last night letting ClamAV run a full scan so I don't know specifically what it found yet. I saw my friend today at work and he said it found something in the hundreds or thousands of infected and/or suspicious files. I made sure that he didn't touch anything and the computer is waiting for me when I get a chance to get over to his place later on this evening.


When I originally ran Avast I remember it found .KlondikeMineD.tmp in his user folder. What I don't know is how long he was running his computer with this thing on it. I do know that he attempted to manually delete the file several times to no avail. The only reason he knew which file to delete was because Safari gave a report of a forced close and it listed that file in the error string.


As far as the updates go, I'm assuming that this was part of the original outbreak, because when I was able to run software update it presented 15 updates!!! Yah, 15!! Including the Java update.


I will let you know what the exact file names are when I check it out later tonight.


New issue...the only update I am not able to perform is one for the SuperDrive. Any concerns or ideas? I'm thinking I get the HD fully wiped of all malicious software and try it again.


Cheers!

Mar 13, 2013 6:35 PM in response to shelbourn

Well, given that information, I have to concur with Linc that this is a Flashback infection. Was your friend using an alternate browser for a long time, since Safari wasn't working?


Honestly, given the condition of the machine, I wouldn't trust that Flashback is the only thing on it. There have been eight other malware families (that I can think of off the top of my head) since Flashback that were capable of installing through vulnerable versions of Java, and your friend's machine could be infected with any or all of them as well. I also wouldn't rely on any anti-virus software for a guarantee of cleaning it up. The only thing that I would do at this point, if it were my friend, is erase the hard drive and reinstall the system and all the applications from scratch. I wouldn't restore anything from backups except personal documents, and even then would only copy them back to the system manually. (I wouldn't let the system try to help you import from a backup after installing.)


Once you've recovered, I would advise that you and your friend both read my Mac Malware Guide to learn more about how to stay safe. I suspect you will need to help your friend with this, and in this circumstance, I would highly recommend (given past behavior) installing anti-virus software as an added layer to help protect him from himself. I would recommend using Sophos for that purpose, in this case.
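The advice above, erase and reinstall, then copy back only personal documents by hand, is easy to state and easy to get wrong in practice when a backup contains thousands of files. The script below is an added example, not code from the thread or from Time Machine; it plans a restore from a backed-up home folder using an allowlist of document and picture extensions, and refuses anything hidden, anything under `Library` or `Applications`, and anything with an executable bit set, so launch agents, plists and binaries that a malware installer may have left behind never make it onto the clean system. The `build_sample_backup` helper constructs a small backup tree so the example runs offline; the allowed-extension list is an assumption you should adjust to the files you actually care about.

```python
import os
import shutil
import stat
import tempfile

# Assumed allowlist of personal-document types; extend to suit the user.
DOCUMENT_EXTENSIONS = {
    ".jpg", ".jpeg", ".png", ".gif", ".heic",
    ".doc", ".docx", ".pages", ".xls", ".xlsx", ".numbers",
    ".pdf", ".txt", ".rtf", ".mov", ".mp4", ".mp3",
}

# Top-level folders in a home directory that hold settings, caches and
# launch items rather than documents; nothing in them is restored.
SKIPPED_TOP_LEVEL = {"Library", "Applications"}


def is_restorable(rel_path, full_path):
    """Decide whether one file from the backup is safe to copy back."""
    parts = rel_path.split(os.sep)
    if parts[0] in SKIPPED_TOP_LEVEL:
        return False
    if any(p.startswith(".") for p in parts):
        return False  # hidden files and folders (e.g. .KlondikeMineD.tmp)
    if os.path.islink(full_path):
        return False  # a link could point outside the backup
    ext = os.path.splitext(rel_path)[1].lower()
    if ext not in DOCUMENT_EXTENSIONS:
        return False
    mode = os.lstat(full_path).st_mode
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        return False  # a "document" with an executable bit is suspect
    return True


def plan_restore(backup_root):
    """Return the sorted list of relative paths that pass is_restorable."""
    keep = []
    for dirpath, dirnames, filenames in os.walk(backup_root):
        dirnames[:] = [d for d in dirnames
                       if not os.path.islink(os.path.join(dirpath, d))]
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, backup_root)
            if is_restorable(rel, full):
                keep.append(rel)
    return sorted(keep)


def restore_documents(backup_root, new_home):
    """Copy the planned files into new_home, preserving timestamps.

    Returns the list of relative paths copied so the caller can log it.
    """
    copied = []
    for rel in plan_restore(backup_root):
        src = os.path.join(backup_root, rel)
        dst = os.path.join(new_home, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        copied.append(rel)
    return copied


def build_sample_backup():
    """Construct a small backup tree for demonstration (not real data)."""
    root = tempfile.mkdtemp(prefix="sample_backup_")
    files = {
        "Documents/letter.doc": "dear friend",
        "Pictures/baby.jpg": "jpeg bytes",
        "Downloads/installer.dmg": "disk image",
        "Library/LaunchAgents/com.example.agent.plist": "<plist/>",
        ".KlondikeMineD.tmp": "junk",
        "Documents/notes.txt": "run me",  # gets an executable bit below
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "Documents/notes.txt"), 0o755)
    return root


if __name__ == "__main__":
    backup = build_sample_backup()
    target = tempfile.mkdtemp(prefix="clean_home_")
    for rel in restore_documents(backup, target):
        print("restored", rel)
```

The plan step is deliberately separate from the copy step so you can print the list, eyeball it, and only then copy; anything the allowlist rejects stays on the external drive where it can be examined later without being executed.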

Mar 14, 2013 1:42 PM in response to OM617.952

I'm gonna have to agree with Linc on this one. My friend's wife was able to recollect when the issue started and she distinctly remembers installing a "Java" update. That's when the problem with Safari force-closing started. I'm aware of the corrupt and malicious free screen savers that PCs get, but they downloaded no such program on their Mac. I did ask them about that.

Mar 14, 2013 1:58 PM in response to thomas_r.

After running full scans with ClamXAV and Sophos there were no threats found. I am going to take your advice and reinstall everything fresh now that I have set up a backup system for him using one of my old FreeAgent drives. But seriously, I feel like I should be getting paid at this point. Haha...what are friends for though?


Anyway, I'm still having the issue of not being able to install that last SuperDrive update. It's a little weird because it finds the update, downloads it, and installs. At the end of the install it gives me an error saying that all programs have to be closed in order to install, however there were no programs running besides the updater. Screenshots attached...



Another interesting thing is I was going to check the scan log in Avast for when I conducted that first scan that locked everything up and there is no hint that Avast was even installed on the computer. The program is gone and there are no trace files.
