
I have a trojan on my mac. The trojan downloads illegal content until my hard drive is full. How do I remove the trojan?

I noticed that my hard drive was getting full to the point that my computer had no space left. OmniDiskSweeper told me where all the data was. When I went to that folder I saw a TON of illegally downloaded content. I immediately trashed it to get my drive space back, but noticed something was downloading these files again. ClamAV did not find anything and Sophos has been running very slowly. Does anyone know what this is or how to remove it?

iMac, Mac OS X (10.6.8)

Posted on Aug 7, 2013 5:27 AM

Question marked as Best reply

Posted on Aug 7, 2013 5:31 AM

This sounds like you might have downloaded something and then authenticated and installed it.

Did you download something recently and subsequently started noticing this problem?

If so, the sure way to eliminate it would be to reinstall OS X after using Disk Utility to reformat the drive, perhaps doing a secure erase as well. I hope you've got a good backup of any files that you can't recreate easily.

53 replies

Aug 7, 2013 1:00 PM in response to skier53091

Please read this whole message before doing anything.

This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.

Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac.


These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.


Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.


Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands.


Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.


Launch the Terminal application in any of the following ways:


☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)


☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.


☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.


When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign.


Step 1


Triple-click the line of text below on this page to select it:

kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -f -a TextEdit

Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). A TextEdit window will open with the output of the command. If the command produced no output, the window will be empty. Post the contents of the TextEdit window (not the Terminal window), if any — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.

Step 2


Repeat with this line:

{ sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; sudo defaults read com.apple.loginwindow LoginHook; sudo crontab -l; } 2> /dev/null | open -f -a TextEdit

This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.


Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step.


Step 3

{ launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)/{print $3}'; crontab -l 2> /dev/null; } | open -f -a TextEdit

Step 4

ls -A /e*/{la,mach}* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts .la* 2> /dev/null | open -f -a TextEdit

Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.


Step 5

osascript -e 'tell application "System Events" to get name of every login item' | open -f -a TextEdit

Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output.


You can then quit Terminal.

Aug 7, 2013 3:15 PM in response to skier53091

skier53091 wrote:


I noticed that my hard drive was getting full to the point that my computer had no space left. OmniDiskSweeper told me where all the data was. When I went to that folder I saw a TON of illegally downloaded content.

Sounds like you have installed a BitTorrent server. A-V software is not going to find that. What was the name and path to the folder you found this in?

Aug 7, 2013 3:18 PM in response to msuper69

Norton Antivirus (made by Symantec) has a very long and illustrious reputation for mangling Mac OS X systems, sometimes to the point where a complete reinstall is necessary. Among other things, it installs kernel extensions which are known to cause kernel panics and system freezes; it contains known and documented bugs which can silently corrupt Adobe Photoshop and Adobe InDesign files, destroy a user's ability to authenticate as an administrator, and (on PPC systems) can cause Classic to stop functioning; and Symantec has on at least two occasions now released flawed .dat file updates which erroneously report certain critical Mac OS X files as "viruses." (Deleting these "viruses" causes damage to the system that in some cases renders it unbootable.)


Norton Removal Tool (Symantec Uninstaller):

http://www.symantec.com/business/support/index?page=content&id=TECH103489&locale=en_US

And now this, from 11 January 2012:

Lawsuit Claims Symantec "Scareware" Warns Of Fake Threats To Sell Upgrades

http://www.forbes.com/sites/andygreenberg/2012/01/11/lawsuit-claims-symantec-scareware-warns-of-fake-threats-to-sell-upgrades/

Aug 8, 2013 6:07 AM in response to Linc Davis

I got the following outputs:


step 1:

com.sophos.kext.sav (8.0.14)


step 2:

com.sophos.intercheck

com.sophos.notification

com.sophos.autoupdate

edu.mit.Kerberos.krb5kdc

edu.mit.Kerberos.kadmind

com.microsoft.office.licensing.helper

com.google.keystone.daemon

com.barebones.authd

com.adobe.fpsaud


step 3:

edu.mit.Kerberos.KerberosAgent

com.google.keystone.system.agent

com.citrix.ServiceRecords

com.citrix.ReceiverHelper

com.citrix.AuthManager_Mac

com.adobe.ARM.de23d1e3aa2d00ce38d73f10fcbdc8dcaaaf6be989610710a1ddda77

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae

com.omnigroup.OmniCrashCatcher.i1

edu.mit.Kerberos.CCacheServer

*/5 * * * * /Library/Updates/update


step 4:

/Library/Components:



/Library/Extensions:



/Library/Frameworks:

Frameworks

MacFUSE.framework

NyxAudioAnalysis.framework

PluginManager.framework

SAVI.framework

SUMScanKit.framework

iTunesLibrary.framework



/Library/Input Methods:



/Library/Internet Plug-Ins:

AdobeAAMDetect.plugin

AdobePDFViewer.plugin

AdobePDFViewerNPAPI.plugin

CitrixICAClientPlugIn.plugin

Flash Player.plugin

JavaAppletPlugin.plugin

Quartz Composer.webplugin

QuickTime Plugin.plugin

SharePointBrowserPlugin.plugin

SharePointWebKitPlugin.webplugin

flashplayer.xpt

googletalkbrowserplugin.plugin

npgtpo3dautoplugin.plugin

nsIQTScriptablePlugin.xpt

o1dbrowserplugin.plugin



/Library/Keyboard Layouts:



/Library/LaunchAgents:

com.adobe.AAM.Updater-1.0.plist

com.citrix.AuthManager_Mac.plist

com.citrix.ReceiverHelper.plist

com.citrix.ServiceRecords.plist

com.google.keystone.agent.plist



/Library/LaunchDaemons:

com.adobe.fpsaud.plist

com.barebones.authd.plist

com.google.keystone.daemon.plist

com.microsoft.office.licensing.helper.plist

com.sophos.autoupdate.plist

com.sophos.intercheck.plist

com.sophos.notification.plist



/Library/PreferencePanes:

FMDSysPrefPane.prefPane

Flash Player.prefPane

MacFUSE.prefPane

NTFS-3G.prefPane

TeXDistPrefPane.prefPane



/Library/PrivilegedHelperTools:

com.barebones.authd

com.microsoft.office.licensing.helper



/Library/QuickLook:

iWork.qlgenerator



/Library/QuickTime:

AppleIntermediateCodec.component

AppleMPEG2Codec.component



/Library/Spotlight:

AppleWorks.mdimporter

Microsoft Office.mdimporter

iWork.mdimporter



/Library/StartupItems:

MATLABLmgr



/etc/mach_init.d:

dashboardadvisoryd.plist



/etc/mach_init_per_login_session.d:



/etc/mach_init_per_user.d:



Library/Fonts:



Library/Input Methods:

.localized



Library/Internet Plug-Ins:



Library/Keyboard Layouts:



Library/LaunchAgents:

com.adobe.ARM.202f4087f2bbde52e3ac2df389f53a4f123223c9cc56a8fd83a6f7ae.plist

com.adobe.ARM.de23d1e3aa2d00ce38d73f10fcbdc8dcaaaf6be989610710a1ddda77.plist

com.apple.FTMonitor.plist

com.apple.imagent.plist

com.apple.marcoagent.plist



Library/PreferencePanes:


step 5:

iTunesHelper, SophosUIServer
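The script below is an added example for this thread; it is not part of any post above and not one of the commands in the diagnostic procedure. It reproduces in Python the filtering that the awk expression in Step 3 applies to raw `launchctl list` output, then splits a posted Step 3 result into launchd labels and crontab entries and reports the cron jobs whose command runs from outside a small allow-list of system and application directories. The sample inputs, the function names and the allow-list are constructed for the example; the allow-list is a starting heuristic for triage, not a verdict on any entry. Run over output in the shape posted above, it separates the vendor labels (Google, Citrix, Adobe, Omni, Kerberos) from the one crontab line, `*/5 * * * * /Library/Updates/update`, and surfaces that line as the entry to examine, since every five minutes it runs an executable from a directory that is not on the allow-list and that no listed product accounts for.

```python
"""Triage helper for the launchctl/crontab output gathered in Steps 2 and 3.

Added example for this thread; it is not part of the original posts and not
one of the commands in the procedure above. Names, sample data and the
directory allow-list are constructed for illustration.
"""
import re

# Constructed raw `launchctl list` output in the 10.6 format (PID, Status, Label).
# It mirrors the output format only; it is not from the poster's machine.
RAW_LAUNCHCTL = """PID\tStatus\tLabel
123\t0\tcom.apple.Finder
-\t0\tcom.google.keystone.system.agent
-\t0\t0x10080a2b0.anonymous.bash
456\t0\tcom.citrix.ReceiverHelper
-\t0\torg.x.startx
"""

# Constructed sample of a combined Step 3 result as posted in the thread:
# the filtered launchd labels first, then whatever `crontab -l` printed.
STEP3_SAMPLE = """com.google.keystone.system.agent
com.citrix.ReceiverHelper
com.omnigroup.OmniCrashCatcher.i1
0 3 * * * /usr/bin/find /tmp -name '*.log' -mtime +7 -delete
*/5 * * * * /Library/Updates/update
"""

# Same pattern the Step 3 awk uses. awk tests the whole line, and
# org\.(x|openbsd) also matches any label that merely begins with "org.x".
STEP3_SKIP_RE = re.compile(r"0x|com\.apple|org\.(x|openbsd)")

# A launchd label: a single token with no whitespace.
LABEL_RE = re.compile(r"^[A-Za-z0-9_.-]+$")

# A crontab job: five schedule fields (or an @keyword) followed by the command.
CRON_RE = re.compile(r"^(@\w+|\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(.+)$")

# Directories a scheduled command is normally expected to run from. This is a
# constructed starting heuristic for triage, to be tuned for the machine at hand.
TRUSTED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/libexec/",
                    "/System/", "/Applications/")


def filter_launchd_labels(raw_launchctl):
    """Reproduce the Step 3 pipeline: drop the header, skip matching lines, print column 3."""
    labels = []
    for line in raw_launchctl.splitlines()[1:]:       # sed 1d drops the header row
        fields = line.split()
        if len(fields) < 3 or STEP3_SKIP_RE.search(line):
            continue
        labels.append(fields[2])                        # $3 is the label column
    return labels


def split_step3_output(text):
    """Separate a posted Step 3 result into launchd labels and (schedule, command) pairs."""
    labels, cron_entries = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if LABEL_RE.match(line):
            labels.append(line)
            continue
        match = CRON_RE.match(line)
        if match:
            cron_entries.append((match.group(1), match.group(2)))
        # Anything else (e.g. a crontab MAILTO=... assignment) is not a job and is ignored.
    return labels, cron_entries


def flag_cron_entries(cron_entries):
    """Return the entries whose executable lies outside TRUSTED_PREFIXES.

    Relative commands (resolved through PATH when cron runs them) are flagged too.
    """
    flagged = []
    for schedule, command in cron_entries:
        executable = command.split()[0]
        if not executable.startswith(TRUSTED_PREFIXES):
            flagged.append((schedule, executable))
    return flagged


def triage_step3(text):
    """One-call summary: labels, every cron job, and the cron jobs worth a closer look."""
    labels, cron_entries = split_step3_output(text)
    return {"labels": labels,
            "cron_entries": cron_entries,
            "flagged_cron": flag_cron_entries(cron_entries)}


if __name__ == "__main__":
    print("Filtered labels from raw launchctl output:")
    for label in filter_launchd_labels(RAW_LAUNCHCTL):
        print("  ", label)
    report = triage_step3(STEP3_SAMPLE)
    print("Cron jobs to examine (schedule, executable):")
    for schedule, executable in report["flagged_cron"]:
        print("  ", schedule, executable)
```

To use it on a real result, paste the TextEdit contents from Step 3 into `STEP3_SAMPLE` (or read them from a file) and look at `flagged_cron` first; a label that none of the installed products explains, or a job that reruns a non-system executable on a tight schedule, is what to investigate before deleting anything, because removing the downloaded files alone, as the original post found, does nothing about whatever keeps fetching them.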
