Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Virus may have bricked my computer

I've never had a virus on any of my Macs, so I need help dealing with this one.... Safari was closing sporadically after about 5 minutes of use. It would close with an error message referencing '.KlondikeMineD.tmp.' I knew immediately that this was no good, however, I didn't know how bad it would be. I ran Avast! (I know... I'm kicking myself for not running ClamAV). So Avast found KlondikeMineD.tmp to be a trojan and when I tried to 'chest' it I received an error message saying the program didn't have the ability to do it, or something like that. Now I knew I was I trouble. I attempted to boot in safe mode and was not able to log in to the administrator account. I am still able to log in as guest with full networking capability, but that does me no good since I can't run a scan or access anything on my administration account, which is where the virus is.


Any help on this would be fantastic. Is there a AV prog out there that has the ability to perform a scan at boot? I'm kind of freaking out because I have tons of pics on my HD that aren't backed up, including baby pics. Thanks for any ideas.

Mac Pro, Mac OS X (10.6.8), Trojan Virua

Posted on Mar 9, 2013 9:57 AM

Reply
Question marked as Best reply

Posted on Mar 9, 2013 10:19 AM

10.6.8 has the ability to boot from the Installer DVD and run Disk Utility (Repair Disk ).


You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.


If you are running Java games under 10.6.8 without installing the latest Software Updates, that can open you to Java-in-Safari exploits. Be sure to run the latest Java Software Update (which you can do in Safe Mode.)

31 replies
Question marked as Best reply

Mar 9, 2013 10:19 AM in response to shelbourn

10.6.8 has the ability to boot from the Installer DVD and run Disk Utility (Repair Disk ).


You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.


If you are running Java games under 10.6.8 without installing the latest Software Updates, that can open you to Java-in-Safari exploits. Be sure to run the latest Java Software Update (which you can do in Safe Mode.)

Mar 9, 2013 11:33 AM in response to shelbourn

What message do you get when you attempt to log into your admin account, exactly. I do recall a similar situation to this over a year ago when FlashBack removal was causing users to be locked out of their accounts and there was a solution at the time, but I'd need to do a bit of research to recall exactly what needed to be done.


Assuming you can get your account working again, we can probably help clear the infection if we know more about it. I can tell that it's an invisible file, but would need to know the exact "infection name" that Avast used and the path to where the file is located. It would also be helpful to the community if it could be uploaded to http://www.virustotal.com to get a better idea of what we're dealing with and to share it amongst other A-V vendors if it's something new. Knowing the creation date of the file might also give us some idea of how long you've been infected.

Mar 9, 2013 8:56 PM in response to shelbourn

You’ve been infected with the “Flashback” malware. See this Apple support document:


About Flashback malware


Back up all data, if you haven't already done so.


From the menu bar, select

Software Update

to install the latest Java update, as well as any other available updates. That should clear the infection in most cases. You must update to the latest version of OS X 10.6 or 10.7 before you can install the Java update.


The removal tool runs automatically in the background and is then deleted. Don’t look for something to click. If the malware is removed, you’ll be notified.


After you’ve secured your system — not before — change every Internet password you have, starting with banking passwords, and check all financial accounts for unauthorized transactions.

Mar 9, 2013 9:41 PM in response to MadMacs0

I'll give you all the info that I can remember regarding all of your questions. When I attempt to log in to the admin account, I enter my password and it acts like its accepting it and then it just hangs on a light blue screen. There are no gears, rainbows or anything indicating that the CPU is processing. It just sits there until I eventually have to perform a hard boot. I tried turning off my router and nothing changed. As far as the rest of your inquiries I can't exactly remember where the files were located. I know, this was a total newb move. I am usually more careful, but whatever...it's done now. I just don't wanna lose my pics. I'm gonna try Grant's advice and if that doesn't work I suppose I'll have to lug it into the Apple Store. Thank you for your help man!

Mar 9, 2013 9:46 PM in response to Linc Davis

Linc Davis wrote:



You’ve been infected with the “Flashback” malware. See this Apple support document:


I certainly agree that it's the most probable explanation, just that the file name isn't on my list of known Flashback related files. I don't know that anybody has a complete list, but is it one you can confirm?


I also concur that the other steps are the most prudent way to get rid of it, but they all require access to an admin account, which the OP doesn't currently have.

Mar 9, 2013 9:49 PM in response to shelbourn

shelbourn wrote:


I'm gonna try Grant's advice and if that doesn't work I suppose I'll have to lug it into the Apple Store.

I can almost guarantee that all they will be willing to do is re-install a system and not guarantee that any of your data will be retained.


As I said before, if this is a Flashback infection, I'm sure I have a recovery solution file away in some of my notes from last year, so I would give that a try before making that trip.

Mar 9, 2013 9:51 PM in response to Grant Bennet-Alder

Grant Bennet-Alder wrote:


You can also use the Installer DVD to Reset the Admin Password, which should then allow you to log in as the Admin under Safe Mode.

I'm almost certain that won't work as the admin account needs that file in order to log in. Reseting the password won't help. Is there a way to use it to reset the Guest account with admin privileges?

Mar 9, 2013 11:23 PM in response to shelbourn

Found my notes from when we first observed this happening:

Boot in single user mode by holding down the 'Command-S' keys when you start your mac. (http://support.apple.com/kb/HT1492)


After a while, you get a terminal prompt and type:


mount -uw /

rm /Users/*/.MacOSX/environment.plist

reboot

Note were the spaces are (after "mount", "-uw" & "rm") and where they are not, as they are very important.


If you are then able to log back into your account, follow Linc's instructions.

Mar 12, 2013 11:31 AM in response to shelbourn

What trojan did Avast say that it found? We need to know the exact name that it called it.


I seriously doubt that this is a Flashback infection, unless it has been there for quite some time. There hasn't been a verified report of a Flashback infection for almost a year now. Besides which, unless you haven't updated your computer in 11 months, you will have had an update installed that would prevent Flashback infections and remove the malware, if present.


Thus, knowing what Avast called it is extremely important. Though it's also important to note that Avast has a bit of a problem with false positives.


If you can also find out from Avast where this file is, assuming you haven't deleted it, we could run some other tests on it to see what it might be.

Mar 12, 2013 5:59 PM in response to MadMacs0

list of known Flashback related files. I don't know that anybody has a complete list...

weren't many of them sort of random, albeit starting with a . & ending .tmp and with a vaguely plausible bit in the middle, like here ?.

check on the name, and check that it crashes safari referencing the file too, as did many others...


I think you're right that Linc's right - since some people don't update OS much & their infections likely don't get 'verified'.

Mar 12, 2013 6:29 PM in response to andyBall_uk

andyBall_uk wrote:


weren't many of them sort of random, albeit starting with a . & ending .tmp and with a vaguely plausible bit in the middle, like here ?.

Not exactly "random". The way it was explained, the communications module would contact the Flashback Command and Control Server at a certain point in the installation process and request file names. Those names were probably randomized by the C&C server, but from a fixed list of file names. For awhile I was trying to keep a list of the names that were being found, but the sample size here on the list seemed to be smaller than the list of names, so at some point I gave up.

I think you're right that Linc's right - since some people don't update OS much & their infections likely don't get 'verified'.

Except that one other thing we've been running into lately, is finding these "plug-ins" within a Safari archive of a previous version. Apparently the Safari installation process retains a copy of the previous version in case there are issues with the new installation, so it can stop and recover the older version. If that older version contained a Flashback plug-in, it may eventually be identified there. Of course it's harmless and at some point should be replaced. I guess I don't quite understand why it isn't deleted as a final step in the installation process and can think of no reason not to delete it, if found.


The difference with this one is that it seems to have locked the user out, which would indicate that the file may well have been in an active location.

Virus may have bricked my computer

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.