The macosxhints Forums

The macosxhints Forums (http://hintsforums.macworld.com/index.php)
-   Applications (http://hintsforums.macworld.com/forumdisplay.php?f=5)
-   -   virus/trojan (http://hintsforums.macworld.com/showthread.php?t=89789)

Nightdav 05-19-2008 04:59 AM

virus/trojan
 
Hi, I have a problem, not from Google, but this is kind of a similar problem. Today I visited myspace.com and when it loaded it automatically took me to an anti-virus scan site and it started scanning and it told me I have 3 viruses, one of which was a trojan. I don't know if it's true or not but I'm afraid and don't know what to do. Can anyone help me? I'm using a 10.4 Macintosh. Help me please!!!! :(

trevor 05-19-2008 01:00 PM

Hello Nightdav, and welcome to the forum.

Since your post was not related to the "Google" thread that it was in, I moved it to a new thread.

You don't have any viruses. There are no viruses that can run on OS X, except for a few cross-platform Windows AND Mac viruses that run on old versions of Microsoft Office.

So, your computer was NOT really scanned. The "anti-virus scan site" that you saw was lying to you, because it wanted you to spend money on its fraudulent "service".

Don't be afraid.

I also doubt that you have a Trojan, although there have been reports of a Trojan in the wild that is targeting OS X. To install this Trojan, people have gone to porn sites, which inform them that they don't have the right codec installed to watch a movie on the site, and "helpfully" ask to install the right codec. Unfortunately, people fall for this ploy, and allow the Trojan Horse (which is pretending to be a video codec to watch porn movies) to install, even entering their administrator password to allow it to install.

So, you *might* have a Trojan on your computer, but I doubt it. Certainly the fraudulent "virus scan" site has no way of knowing, since it didn't really scan anything.

Trevor

tlarkin 05-19-2008 02:21 PM

Quote:

Originally Posted by Nightdav (Post 470440)
Hi, I have a problem, not from Google, but this is kind of a similar problem. Today I visited myspace.com and when it loaded it automatically took me to an anti-virus scan site and it started scanning and it told me I have 3 viruses, one of which was a trojan. I don't know if it's true or not but I'm afraid and don't know what to do. Can anyone help me? I'm using a 10.4 Macintosh. Help me please!!!! :(

Marketing scheme to get you to buy software; ignore it.

Nightdav 05-19-2008 07:43 PM

Emm, I just logged on this morning and all my information is gone: my bookmarks, my game information, and my background picture was changed to a porn picture and my antivirus scanner was deleted... what does this mean? :(

ThreeDee 05-19-2008 07:44 PM

It's a fake advertisement with a fake 'scanning' window trying to scare you into purchasing their product. Ignore it. It's fake.

EDIT: Nevermind, maybe not. Didn't realize you posted a minute before I did.

hayne 05-19-2008 08:14 PM

Quote:

Originally Posted by Nightdav (Post 470607)
Emm, I just logged on this morning and all my information is gone: my bookmarks, my game information, and my background picture was changed to a porn picture and my antivirus scanner was deleted... what does this mean?

Some questions:

Does anyone else have access to your Mac?

Have you downloaded any software (even a "codec") from a less-than reputable web site?

Have you changed the name of your home folder? (It is usually named the same as your username.)

What type of Mac (specific model) do you have?
What version of 10.4 are you running? (You can see this from the "About this Mac" item in the Apple menu.)

Nightdav 05-19-2008 08:22 PM

I am using Mac OS X 10.4.11 Leoperd. Also, no, I don't download any codec stuff, nor have I changed the name of my home folder.

Nightdav 05-19-2008 08:36 PM

No one else has access to my Mac unless I am hijacked. I don't download codec software. I have not changed the name of my home folder or any name. I use 10.4.11 Mac OS X Leoperd. :(

Old Toad 05-19-2008 08:47 PM

Quote:

Originally Posted by Nightdav (Post 470607)
.. what does this mean? :(

You're pulling our collective legs?

Nightdav 05-19-2008 10:00 PM

virus/trojan
 
If I was kidding, would I be in this mess? lol...

Nightdav 05-19-2008 10:01 PM

No one else has access to my computer unless I was hijacked, Hayne.

Sherman Homan 05-19-2008 10:18 PM

Read Hayne's post again, you may have done two things.
Quote:

Quicktime Player is unable to play movie file.
Please click here to download new version of codec.
Description and fixes:
http://www.downloadsquad.com/2007/11...ding-as-codec/

Las_Vegas 05-20-2008 12:06 AM

It sounds to me like someone hacked into your MySpace account. You used a simple password, didn't you?

hayne 05-20-2008 12:40 AM

Another question: You said "my antivirus scanner was deleted".
Which anti-virus software did you have?
How do you know it was deleted?

And do you have any other user accounts on this Mac?

By the way, you don't seem to have answered my question about what Mac model you have.

kel101 05-20-2008 03:16 AM

I'm sure ClamAV would help; go download it (free).

cwtnospam 05-20-2008 07:59 AM

Quote:

Originally Posted by Nightdav (Post 470625)
I use 10.4.11 Mac OS X Leoperd. :(

That's a neat trick. :eek:

vanakaru 05-20-2008 08:49 AM

I think Nightdav has something else than getting help in mind. All said seems very suspicious and not Mac-like.

kel101 05-20-2008 02:35 PM

Quote:

Originally Posted by vanakaru (Post 470720)
I think Nightdav has something else than getting help in mind. All said seems very suspicious and not Mac-like.

I was starting to think that as well. Who uses "mac os 10.4.11 leopard"??

Nightdav 05-20-2008 08:38 PM

OK, a lot of questions. OK, first off, my antivirus is ClamXav. 2nd, I know it got deleted because when I checked all my files and searched for ClamXav there was nothing, and it was not on the Dock. My MySpace password isn't simple; it's a long password that only I know. Also, I still use 10.4.11 OS X; it is not a lie or a joke, lol. Anyways, when I scanned with ClamXav when I got it back yesterday it said there are no infected files, and when I told my friends what happened they said someone might have keylogged you or hijacked your browser. So I changed all my passwords, but I'm still kinda afraid of it happening again.

cwtnospam 05-20-2008 09:01 PM

Quote:

Originally Posted by Nightdav (Post 470907)
...Also, I still use 10.4.11 OS X; it is not a lie or a joke, lol.

And what's OS 10.4.x called?
Sorry, but if you're going to claim to be the first OS X user to get a true virus on their system in nearly eight years, you need to A) be credible, and B) be very precise. Telling us you're using "Leoperd" when Leopard is OS 10.5.x makes us wonder if you even have a Mac. After all, if you do have a Mac, the system wide spell checker should have caught the misspelling.

hayne 05-20-2008 10:00 PM

Quote:

Originally Posted by Nightdav (Post 470907)
they said someone might have keylogged you or hijacked your browser

If no-one has had access to your Mac and you haven't installed any programs from less-than-reliable sites, then it would have been hard to install a keylogger on your Mac.

Just to make sure that we have the correct info, please launch the "Terminal" application (under /Applications/Utilities) and copy & paste the following commands (all together), press Return, then copy & paste the results back here so we can see:

uname -a
sysctl -a 2>/dev/null | egrep 'osrelease =|model ='
echo "done"

Nightdav 05-20-2008 11:24 PM

OMG, lol, I'm so sorry, I was reading something else. I meant to say Tiger 10.4.11 OS X Tiger, lol. Very sorry.

hayne 05-21-2008 12:29 AM

Please run the commands I suggested in my previous post and show us the results (via copy & paste)

Nightdav 05-21-2008 12:43 AM

wtmp begins Thu Apr 1 00:52
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ Welcome to Darwin!
-bash: Welcome: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ You have mail.
-bash: You: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ filip-gabrielyans-power-mac-g4:~ filipgabrielyan$
-bash: filip-gabrielyans-power-mac-g4:~: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$

(That's what showed up when I did the copy & paste thing)

hayne 05-21-2008 01:56 AM

You seem to have copied what was in the Terminal window back into the Terminal window again.
Don't do that.
Instead, copy the 3 lines of commands that I gave in the above post and then paste them into a Terminal window, then press Return.
Then copy the contents of the Terminal window and paste it into your reply on this forum.

Nightdav 05-21-2008 02:58 AM

This is what it said when I put in (under/Applications/Utilities) and pressed Return.

-bash: under: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$

dexterbip 05-21-2008 09:11 AM

You've obviously misread Hayne's post. I'll reiterate for him. Open the Terminal program and then copy and paste the following commands, hitting Return after each line, then copy and paste the results here. The commands you should be copying and pasting are the ones below which are green.

uname -a
sysctl -a 2>/dev/null | egrep 'osrelease =|model ='
echo "done"

Nightdav 05-21-2008 04:19 PM

(This is what it says)

Last login: Wed May 21 13:17:20 on ttyp1
Welcome to Darwin!
You have mail.
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ under
-bash: under: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ Applications
-bash: Applications: command not found
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ Utilities
-bash: Utilities: command not found

tlarkin 05-21-2008 04:30 PM

It should look like this

Code:

Welcome to Darwin!
tlarkin:~ tlarkin$ uname -a
Darwin tlarkin.local 8.11.1 Darwin Kernel Version 8.11.1: Wed Oct 10 18:23:28 PDT 2007; root:xnu-792.25.20~1/RELEASE_I386 i386 i386
tlarkin:~ tlarkin$ sysctl -a 2>/dev/null | egrep 'osrelease =|model ='
kern.osrelease = 8.11.1
hw.model = iMac5,1
tlarkin:~ tlarkin$ echo "done"


wdympcf 05-21-2008 04:37 PM

Nightdav, if you are serious about receiving some help, I would start reading the instructions in hayne's posts carefully and follow them. I'm finding it hard to believe that you honestly thought that hayne meant for you to type "(under/Applications/Utilities)" into the terminal. Instead, I'm more inclined to believe that you are trying to waste everyone's time. Please prove me wrong and type the proper commands in your terminal (the ones in green).

dexterbip 05-21-2008 04:44 PM

Quote:

Originally Posted by wdympcf (Post 471140)
(the ones in green).

Twice!

I'm tempted to file this under "troll". Quite apart from what seems to be a wilful refusal to read instructions, the original symptoms just don't seem that reasonable to me. They just don't seem to be the sort of thing which could possibly have happened under the alleged circumstances.

tlarkin 05-21-2008 04:45 PM

Quote:

Originally Posted by dexterbip (Post 471146)
Twice!

I'm tempted to file this under "troll". Quite apart from what seems to be a wilful refusal to read instructions, the original symptoms just don't seem that reasonable to me. They just don't seem to be the sort of thing which could possibly have happened under the alleged circumstances.

Just because he/she doesn't understand does not make them a troll. This forum is pretty darn polite and people are pretty cool. Let's keep it that way.

Nightdav 05-21-2008 05:56 PM

(Is this the correct thing?)

Welcome to Darwin!
You have mail.
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ uname -a
Darwin filip-gabrielyans-power-mac-g4.local 8.11.0 Darwin Kernel Version 8.11.0: Wed Oct 10 18:26:00 PDT 2007; root:xnu-792.24.17~1/RELEASE_PPC Power Macintosh powerpc
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ sysctl -a 2>/dev/null | egrep 'osrelease =|model ='
kern.osrelease = 8.11.0
hw.model = PowerMac3,6
filip-gabrielyans-power-mac-g4:~ filipgabrielyan$ echo "done"

Nightdav 05-21-2008 11:16 PM

No replies yet. What's wrong... did something happen... :(

hayne 05-22-2008 12:00 AM

The results of those commands (post #33) show that you are (as you said) running OS X 10.4.11

Please give us a recap of your current situation. Is there some problem with your Mac at the moment?

If you think that someone else had control of your Mac (either via physical access or remotely over the network) and that person was malicious, then you should do the following:

a) Make a good backup of all of your files (usually this means your home folder)
b) Do an "erase & install" of OS X from the Install DVD. Note that the "erase" part of this will completely erase all files on the Mac, hence the need for the backup first.
c) After the install is finished, copy your files from the backup disk to your newly created user account.
d) Make sure that you use good (difficult to guess) passwords and don't download any software from less-than-reliable sites. And be sure to keep your system software up to date by using Software Update.

tlarkin 05-22-2008 12:29 AM

Just to add one thing to Hayne's very good list.

Do NOT use the same or previous passwords if your system has been compromised, make up all new passwords.

Nightdav 05-22-2008 03:50 AM

Did that already. Anyways, thanks a lot everyone :) .

dexterbip 05-22-2008 12:00 PM

With reference to my earlier post and tlarkin's followup, tlarkin is correct, of course. I apologise unreservedly. Long day on my part, although that's not an excuse.

Nightdav: just to add to what hayne and tlarkin have already said, I'd also recommend you make sure your firewall is on and locked down to anything non-essential. And maybe consider investing in a router or other hardware firewall if you don't have one already?

The situation you described earlier certainly sounds like someone had access to your computer somehow and, if nobody has physical access, we've got to assume they got in remotely.

wdympcf 05-22-2008 01:55 PM

To add another piece of "standard" advice to hayne's list, use a separate user account for daily computing and reserve your admin account only for administrative tasks. This separation of accounts makes it a little bit harder for you to accidentally give someone carte blanche access to your computer.

Rockisle 06-17-2008 10:16 AM

Root And Administrator Account
 
Quote:

Originally Posted by wdympcf (Post 471386)
To add another piece of "standard" advice to hayne's list, use a separate user account for daily computing and reserve your admin account only for administrative tasks. This separation of accounts makes it a little bit harder for you to accidentally give someone carte blanche access to your computer.

Would someone explain this a bit more? How is the "Admin" account different than "Root"? The 1st account that I set up on my new Mac is admin; is it also "Root"? How important is it to set accounts this way if no one else has physical access to the machine? Can one just drag the admin account home folder to the public folder to replicate it for a new user account that does not have admin privilege? This is a home computer with only one user, locked when unattended. Have tried searching for a sticky on the subject with no luck.

tlarkin 06-17-2008 10:25 AM

Quote:

Originally Posted by Rockisle (Post 476910)
Would someone explain this a bit more? How is the "Admin" account different than "Root"? The 1st account that I set up on my new Mac is admin; is it also "Root"? How important is it to set accounts this way if no one else has physical access to the machine? Can one just drag the admin account home folder to the public folder to replicate it for a new user account that does not have admin privilege? This is a home computer with only one user, locked when unattended. Have tried searching for a sticky on the subject with no luck.

The admin account still has restrictions on things at the system level that only the root account can access. However, an admin can access these said resources via the sudo command and with authentication.

I would suggest making new user accounts via the system preferences accounts pane. You can actually create an admin account and never log into it, and just use that admin account for authentication for installing things.

Rockisle 06-17-2008 10:32 AM

So it's time consuming to "clone" another account's preferences etc. What is the best way to replicate the "admin" account's settings (without admin access of course)?

tlarkin 06-17-2008 10:39 AM

Quote:

Originally Posted by Rockisle (Post 476913)
So it's time consuming to "clone" another account's preferences etc. What is the best way to replicate the "admin" account's settings (without admin access of course)?

I don't recommend copying any preferences across user accounts, I think it could cause some unwanted issues. It isn't that time consuming unless you have an extremely large home directory, plus permissions would be screwy since your original account would own everything.

I think I would need to understand your higher goal, ie what you are trying to accomplish, to fully answer your question. Creating accounts is easy and is done through system preferences.

If you want certain things to replicate across all user accounts there is a way to do so, but it depends on what you are trying to do.

Rockisle 06-17-2008 10:50 AM

Not being aware, upon buying this new Mac, I just made the one account and customized it with settings and some applications. It is set as "admin". Just want to create a user account without "admin" access, with all my original settings and applications. Is there a way to do that without the time consuming chore of starting over? I have used the system preferences panel to create another account.

tlarkin 06-17-2008 10:59 AM

Well all users have access to all the applications under /Applications, so no need to copy all of that. Basically you will want to probably just grab your documents and toss them on a thumb drive or a shared folder and just create the new account.

The only thing a home directory really holds is that user's data and preferences. Most other things are in the system and all users can access them, but the ones that require admin will prompt you for a password, but you can still access them.

The preferences are not that hard, but some things may be a bit screwy if you copy them. Everything is stored under ~/Library/Preferences under each user account. You could just toss all of those into a shared folder and then drag them into your new user's account in the same place. I am not sure exactly what would happen since I always make fresh accounts.

hayne 06-17-2008 11:11 AM

Quote:

Originally Posted by Rockisle (Post 476915)
Not being aware, upon buying this new Mac, I just made the one account and customized it with settings and some applications. It is set as "admin". Just want to create a user account without "admin" access, with all my original settings and applications. Is there a way to do that without the time consuming chore of starting over? I have used the system preferences panel to create another account.

Just create a second account - this will be the one that you will use only for "admin" duties, so the preferences etc are not important. Make this new account an admin account.

Then logout of your current user account and login as the new account. Go to the Accounts preferences and remove the "admin" status from your regular account. Log out and then login using your regular account which will no longer be an admin account.

Rockisle 06-17-2008 11:16 AM

That makes it clear, and sounds much simpler. Thanks for the advice, to both of you.

ganbustein 06-18-2008 12:21 AM

One of the privileges that an admin user has is the ability to create and modify just about anything in /Applications and /Library. An admin, or any program an admin runs, has free rein to install new applications or rewrite existing applications. A malicious program that can trick an admin into running it could, for example, replace Safari with a program that behaved the same in every respect, except that it would also forward to its author a copy of every password you entered. All Apple applications and most third-party applications installed into /Applications grant write access to admins. No password required!

That's probably the most important reason for not running routinely as admin. We all make mistakes. We all accidentally click on links that we instantly realize we shouldn't have clicked on. If you're running as admin, and you've just launched a malicious app, you're infected. If you're a non-admin, at least the stuff in /Applications and /Library is (mostly) safe from harm.

But, if you're just now getting around to creating a separate admin account, all the third-party software you've already installed is probably still owned and writable by your non-admin user. It's still vulnerable.

From this point onward, if you download an application using your non-admin account and try to install it, you'll get an authentication dialog asking for an admin password. That's because only an admin can add new things to /Applications.

If this is a drag-and-drop install (the most common kind), and you go ahead and type in your admin password, the new application will be installed but it will still be owned and writable by the non-admin user. That is, it's still vulnerable.

The risk here isn't that the new application might be malicious. I assume you wouldn't install a new application from a source you didn't trust. (And if you would, then abandon all hope.) The risk here is that you're leaving the new application vulnerable to attack, even when you're not running as admin.

For that reason, you should consider application-installing to be one of your admin-only duties. Never install applications from your non-admin account. I know that authentication dialog seems to promise that it'll Do The Right Thing™, but it won't. Shun it.

To fix up permissions on any third-party apps you've already installed, log in as admin, open Terminal (in /Applications/Utilities) and run the following commands, supplying your admin password when asked:
Code:

sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;
ADMIN=$(id -u)
sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

This leaves your third-party apps owned by your admin (same as any apps you drag-install later). You can use this to distinguish Apple apps from third-party apps. (If you don't care, you can replace the second command with the simpler:
Code:

sudo chown -R root:admin /Applications
but you should still do the first command to keep from promoting any suid apps to suid root. (Never mind what that means; it's just something you don't want to do.)
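As an added example, not code from the thread or from ganbustein, here is a small POSIX shell script that first audits an application folder the way this post suggests (which files are not root-owned, which carry setuid/setgid bits) and then applies the same two-step clean-up, run against a constructed sample tree so it works without sudo. The function names (list_not_owned_by, list_suid_sgid, fix_ownership, build_sample_tree) and the two fake bundles are my own. It also records a portability caveat the thread does not mention: "-perm +6000" is BSD/macOS find syntax, GNU find spells it "-perm /6000", so the script uses the "-perm -4000 -o -perm -2000" form that both accept.

```shell
#!/bin/sh
# Added example, not from the thread: audit an application folder for
# drag-installed apps a non-admin user can still rewrite, then apply the
# same clean-up ganbustein describes, on a constructed sample tree.
#
# Portability caveat: "-perm +6000" is BSD/macOS find syntax ("any of these
# bits set"); GNU find spells that "-perm /6000". The form used below,
# "\( -perm -4000 -o -perm -2000 \)", is accepted by both.

# Regular files under $1 not owned by $2 (default root). On a real Mac these
# are the third-party apps that never became root-owned.
list_not_owned_by() {
    find "$1" -type f ! -user "${2:-root}"
}

# Regular files under $1 carrying the setuid or setgid bit.
list_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \)
}

count_lines() { wc -l | tr -d ' '; }
count_not_owned_by() { list_not_owned_by "$1" "$2" | count_lines; }
count_suid_sgid()    { list_suid_sgid "$1" | count_lines; }

# The thread's fix, parameterised: $1 folder, $2 trusted owner (root),
# $3/$4 the user and group that should own everything else.
# Step 1 strips setuid/setgid from the non-trusted files first, so step 2's
# chown can never hand a stray setuid binary to the new owner.
fix_ownership() {
    dir=$1; trusted=${2:-root}; new_user=$3; new_group=$4
    find "$dir" -type f ! -user "$trusted" \
        \( -perm -4000 -o -perm -2000 \) -exec chmod ug-s {} \;
    find "$dir" -type f ! -user "$trusted" -exec chown "$new_user:$new_group" {} \;
}

# Constructed stand-in for /Applications: two fake bundles, one with a
# helper that has the setuid bit set on purpose.
build_sample_tree() {
    mkdir -p "$1/Safari.app/Contents/MacOS" "$1/ThirdParty.app/Contents/MacOS"
    printf '#!/bin/sh\necho safari\n' > "$1/Safari.app/Contents/MacOS/Safari"
    printf '#!/bin/sh\necho helper\n' > "$1/ThirdParty.app/Contents/MacOS/helper"
    chmod 755  "$1/Safari.app/Contents/MacOS/Safari"
    chmod 4755 "$1/ThirdParty.app/Contents/MacOS/helper"
}

# Stand-alone demo on a throwaway tree. "other" is a uid that is certainly
# not ours, so every sample file shows up as not owned by the trusted user.
demo_dir=$(mktemp -d)
build_sample_tree "$demo_dir"
other=$(( $(id -u) + 1 ))
echo "before: $(count_not_owned_by "$demo_dir" "$other") untrusted files, \
$(count_suid_sgid "$demo_dir") setuid/setgid files"
fix_ownership "$demo_dir" "$other" "$(id -un)" "$(id -gn)"
echo "after:  $(count_suid_sgid "$demo_dir") setuid/setgid files"
rm -rf "$demo_dir"
```

On a real Mac the audit half needs no privileges (`list_not_owned_by /Applications root` and `list_suid_sgid /Applications`), which is a useful check to run before and after the thread's commands; the fix half is what the thread's three commands do and must be run under sudo from the admin account, with `admin` as the group.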

Rockisle 06-18-2008 11:07 AM

So is this one command: sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;ADMIN=$(id -u)
And this another: sudo find /Applications -not -user root -print0 | sudo xargs -0
chown $ADMIN:admin
Enter the 1st and then the second? Not being familiar with Terminal, I never go there. Thanks for the clear explanation, and the help.

Rockisle 06-19-2008 10:07 AM

Knowing how important it is to get terminal commands right, could someone look at these and tell me if they are correct as to spacing of the words and etc? Are they 2 distinct commands?
sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \; ADMIN=$(id -u)

sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

Should they be entered as one unbroken line?
Should there be a space between the semicolon and ADMIN in the first line?
Should there be a space between chown and $ in the second?

baf 06-19-2008 10:34 AM

Quote:

Originally Posted by Rockisle (Post 477376)
Are they 2 distinct commands?

No, 3.
Enter them like this:
Code:

sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;

ADMIN=$(id -u)

sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

This should be right for copy/paste.

SivuGamak 07-18-2008 12:42 AM

Quote:

Originally Posted by baf (Post 477379)
No, 3.
Enter them like this:
Code:

sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;

ADMIN=$(id -u)

sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

This should be right for copy/paste.
I ran this command a few days ago and I just noticed that Firefox and Flock browsers have the "check for updates" greyed out.

I'm guessing this command disables my Standard account from updating any 3rd party software?

If I download and install any app using my Standard account, I will only have "Read only" privileges from now on then?

Nightdav 08-10-2008 07:43 PM

Alright, thanks guys, it helped a lot!!!

SivuGamak 08-10-2008 08:04 PM

Quote:

Originally Posted by ganbustein (Post 477079)

<snip>

To fix up permissions on any third-party apps you've already installed, log in as admin, open Terminal (in /Applications/Utilities) and run the following commands, supplying your admin password when asked:
Code:

sudo find /Applications -perm +6000 -not -user root -exec chmod ug-s {} \;
ADMIN=$(id -u)
sudo find /Applications -not -user root -print0 | sudo xargs -0 chown $ADMIN:admin

This leaves your third-party apps owned by your admin (same as any apps you drag-install later). You can use this to distinguish Apple apps from third-party apps. (If you don't care, you can replace the second command with the simpler:
Code:

sudo chown -R root:admin /Applications
but you should still do the first command to keep from promoting any suid apps to suid root. (Never mind what that means; it's just something you don't want to do.)

Any 3rd party apps that I have installed while logged into my Standard account all show that I have Read & Write privileges after running the code. Did I do something wrong?



Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.
Site design © IDG Consumer & SMB; individuals retain copyright of their postings
but consent to the possible use of their material in other areas of IDG Consumer & SMB.