31 Replies. Latest reply: Mar 14, 2013 4:14 PM by shelbourn
  • Linc Davis Level 10 Level 10 (159,315 points)

    What you've got is a corrupted KlondikeMine3D screen saver download.

     

    That's nonsense.

  • MadMacs0 Level 5 Level 5 (4,560 points)

    Linc Davis wrote:

     

    There hasn't been a verified report of a Flashback infection for almost a year now.

    I don't have time to go through that entire list right now, but weren't they all the result of an old infection?

     

    At least two A-V labs have declared it extinct, so unless it's started up again (highly doubtful IMHO), this would have to have been installed about a year ago. Could somebody go this long without noticing or running a Software Update? Hard to believe, but possible I guess.

     

    In any case, we seem to have lost the OP in all this, so we may never know.

  • Linc Davis Level 10 Level 10 (159,315 points)

    I don't have time to go through that entire list right now, but weren't they all the result of an old infection?

     

    I don't know. The point is, it still turns up.

  • thomas_r. Level 7 Level 7 (30,165 points)

    I suppose that a couple things that could explain it are restoring to old infected backups or using an infected computer that has been sitting on a shelf for a while. Still, the one definitive piece of information that we don't have yet is info about what Avast actually detected. Without that, we're just guessing.

  • shelbourn Level 1 Level 1 (0 points)

    I apologize to all that have posted recommendations and advice; I have been out of town with very limited internet access. I'm still here and about to get down to remedying this situation as we speak. I do appreciate all the suggestions and I will let you know which (if any) work. As far as more detailed info regarding the infection, I will try to get as much as I can, but without access to the admin account I will have some difficulty getting more info. ... Again, sorry to leave you all hanging.

  • shelbourn Level 1 Level 1 (0 points)

    Thank you so much for this tidbit! It worked like a charm first try. You're a lifesaver! Cheers!

  • MadMacs0 Level 5 Level 5 (4,560 points)

    shelbourn wrote:

     

    worked like a charm first try.

    So that's pretty much proof positive that you contracted Flashback malware at some point, and there almost certainly are other components of it still on the hard drive. Be sure to run Software Update, as Linc advised, which will hopefully take care of the rest, although I believe all the dangerous code is already gone or disabled.

     

    Several of us are more than curious to know whether it was infected last year or whether there has been a recent outbreak that none of us are aware of. The most useful information would be to discover the date of installation, but if Software Update tells you that malware was removed, that won't be possible. So if you could just let us know how long it had been since you updated the OS, or whether you had observed unusual behavior such as Safari crashing unexpectedly, that would still be useful.

  • shelbourn Level 1 Level 1 (0 points)

    Okay, I might as well come clean. This isn't my Mac. It belongs to a good friend of mine who knows zero about computers in general, let alone Macs. I just took ownership of the problem because he mentioned his browser closing independently, so I looked into it for him. Anyway...

     

    After I got it running with your help last night, I ran a full backup with Time Machine and manually copied all files over to an external HD (two separate externals). I left last night leaving ClamAV running a full scan, so I don't know specifically what it found yet. I saw my friend today at work and he said it found something in the hundreds or thousands of infected and/or suspicious files. I made sure that he didn't touch anything, and the computer is waiting for me when I get a chance to get over to his place later on this evening.

     

    When I originally ran Avast I remember it found .KlondikeMineD.tmp in his user folder. What I don't know is how long he was running his computer with this thing on it. I do know that he attempted to manually delete the file several times to no avail. The only reason he knew which file to delete was because Safari gave a report of a forced close and it listed that file in the error string.

     

    As far as the updates go, I'm assuming that this was part of the original outbreak, because when I was able to run software update it presented 15 updates!!! Yah, 15!! Including the Java update.

     

    I will let you know what the exact file names are when I check it out later tonight.

     

    New issue...the only update I am not able to perform is one for the SuperDrive. Any concerns or ideas? I'm thinking I get the HD fully wiped of all malicious software and try it again.

     

    Cheers!
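    The detail above, that Safari's crash report named the file, is the kind of evidence MadMacs0 asked for. A macOS crash report ends with a "Binary Images:" section that lists every loaded library together with its path on disk, so a short parser can pull out anything loaded from outside the OS and application trees or from a hidden file. The script below is an added example for this thread, not code posted by any participant. The crash report text in it is constructed to mimic that section's format; the home path /Users/friend and the image identifier are assumptions, and only the file name .KlondikeMineD.tmp comes from shelbourn's post.

```python
"""Triage helper: list non-system binary images named in a macOS crash report.

Added example, not code from the thread. SAMPLE_REPORT is CONSTRUCTED in the
shape of a 10.6/10.7-era Safari .crash file so the script runs offline. The
path /Users/friend and the identifier 'tmp' are assumptions; only the file
name .KlondikeMineD.tmp appears in the thread.
"""
import re
from typing import List, Tuple

# Constructed sample. Each Binary Images line reads:
#   start - end [+]identifier version (build) <uuid> /path/to/image
# CrashReporter prefixes non-OS images with '+'.
SAMPLE_REPORT = """\
Process:         Safari [412]
Path:            /Applications/Safari.app/Contents/MacOS/Safari
Identifier:      com.apple.Safari
Crashed Thread:  0

Binary Images:
       0x100000000 -        0x100000fff +com.apple.Safari 5.1.7 (7534.57.2) <00000000-0000-0000-0000-000000000001> /Applications/Safari.app/Contents/MacOS/Safari
       0x100200000 -        0x10020bfff +tmp ??? (???) <00000000-0000-0000-0000-000000000002> /Users/friend/.KlondikeMineD.tmp
    0x7fff80000000 -     0x7fff8001dfff  libSystem.B.dylib 159.1.0 (compatibility 1.0.0) <00000000-0000-0000-0000-000000000003> /usr/lib/libSystem.B.dylib
    0x7fff81000000 -     0x7fff8100ffff  com.apple.WebKit 7534.57.2 (7534.57.2) <00000000-0000-0000-0000-000000000004> /System/Library/Frameworks/WebKit.framework/Versions/A/WebKit
"""

_IMAGE_LINE = re.compile(
    r"^\s*0x[0-9a-fA-F]+\s*-\s*0x[0-9a-fA-F]+\s+"   # load address range
    r"(?P<nonsystem>\+?)(?P<ident>\S+)\s+"           # '+' marks a non-OS image
    r".*?<[0-9A-Fa-f-]+>\s+"                         # version text, then the UUID
    r"(?P<path>/\S.*?)\s*$"                          # on-disk path of the image
)

# Directories where a stock Safari process is expected to load code from.
TRUSTED_PREFIXES = ("/System/", "/usr/", "/Library/", "/Applications/")


def parse_binary_images(report: str) -> List[Tuple[str, str]]:
    """Return (identifier, path) for every line of the Binary Images section."""
    images: List[Tuple[str, str]] = []
    in_section = False
    for line in report.splitlines():
        if line.strip().startswith("Binary Images:"):
            in_section = True
            continue
        if not in_section:
            continue
        m = _IMAGE_LINE.match(line)
        if m:
            images.append((m.group("ident"), m.group("path")))
    return images


def is_suspicious(path: str) -> bool:
    """Flag an image loaded from outside the trusted trees or from a dotfile.

    A hidden file in the user's home folder, like the one Safari's crash
    report named in the thread, trips both checks.
    """
    basename = path.rsplit("/", 1)[-1]
    outside_trusted = not path.startswith(TRUSTED_PREFIXES)
    hidden = basename.startswith(".")
    return outside_trusted or hidden


def suspicious_images(report: str) -> List[str]:
    """Paths a triager should look at first, in report order."""
    return [path for _ident, path in parse_binary_images(report)
            if is_suspicious(path)]


if __name__ == "__main__":
    for path in suspicious_images(SAMPLE_REPORT):
        print("image loaded from an unexpected place:", path)
```

    On a real machine, feed it the contents of the Safari_*.crash files under the user's ~/Library/Logs/DiagnosticReports (or ~/Library/Logs/CrashReporter on older systems) instead of SAMPLE_REPORT. Anything it flags that still exists on disk can then be dated with `stat` on the flagged path, which is the installation date MadMacs0 was after; anything under the user's own Library folder will also be flagged, so expect to rule out legitimate third-party plug-ins by hand.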

  • thomas_r. Level 7 Level 7 (30,165 points)

    Well, given that information, I have to concur with Linc that this is a Flashback infection. Was your friend using an alternate browser for a long time, since Safari wasn't working?

     

    Honestly, given the condition of the machine, I wouldn't trust that Flashback is the only thing on it. There have been eight other malware families (that I can think of off the top of my head) since Flashback that were capable of installing through vulnerable versions of Java, and your friend's machine could be infected with any or all of them as well. I also wouldn't rely on any anti-virus software for a guarantee of cleaning it up. The only thing that I would do at this point, if it were my friend, is erase the hard drive and reinstall the system and all the applications from scratch. I wouldn't restore anything from backups except personal documents, and even then would only copy them back to the system manually. (I wouldn't let the system try to help you import from a backup after installing.)

     

    Once you've recovered, I would advise that you and your friend both read my Mac Malware Guide to learn more about how to stay safe. I suspect you will need to help your friend with this, and in this circumstance, I would highly recommend (given past behavior) installing anti-virus software as an added layer to help protect him from himself. I would recommend using Sophos for that purpose, in this case.

  • OM617.952 Level 1 Level 1 (15 points)

    That's nonsense.

    Prove it, please.

  • shelbourn Level 1 Level 1 (0 points)

    I'm gonna have to agree with Linc on this one. My friend's wife was able to recollect when the issue started and she distinctly remembers installing a "Java" update. That's when the problem with Safari force-closing started. I'm aware of the corrupt and malicious free screen savers that PCs get, but they downloaded no such program on their Mac. I did ask them about that.

  • shelbourn Level 1 Level 1 (0 points)

    After running full scans with ClamXAV and Sophos there were no threats found. I am going to take your advice and reinstall everything fresh now that I have set up a backup system for him using one of my old FreeAgent drives. But seriously, I feel like I should be getting paid at this point. Haha...what are friends for though?

     

    Anyway, I'm still having the issue of not being able to install that last SuperDrive update. It's a little weird because it finds the update, downloads it, and installs. At the end of the install it gives me an error saying that all programs have to be closed in order to install, however there were no programs running besides the updater. Screenshots attached...

     


    Another interesting thing is I was going to check the scan log in Avast for when I conducted that first scan that locked everything up and there is no hint that Avast was even installed on the computer. The program is gone and there are no trace files.

  • Grant Bennet-Alder Level 9 Level 9 (52,340 points)

    To get rid of whatever it thinks is still running, you could restart in Safe Mode (hold down Shift at startup).

     

    Or figure it will get installed with one of the later Updates when you re-install Mac OS X.

  • shelbourn Level 1 Level 1 (0 points)

    Tried to do it in Safe Mode already to no avail. Yah, I'm sure it'll get fixed when I reinstall everything. In the meantime it's not really an issue, because it's just that update that reduces SuperDrive noise when waking from sleep and booting up.

  • andyBall_uk Level 7 Level 7 (20,495 points)

    If it's the same update, Apple suggests running Software Update while booted from another drive:

     

    Learn what to do if you cannot install the SuperDrive Firmware Update 3.0.