Is Trojan in My Mac?

Similar Messages

• How can I tell whether there is a Trojan on my Mac?  I downloaded two file that looked legit but I think they were not. They originated in theory from eFax . I am on OS X 10.6.8

  How can I tell whether there is a Trojan on my Mac?  I downloaded two file that looked legit but I think they were not. They originated in theory from eFax . I am on OS X 10.6.8

  You could try doing a scan with one of the tools mentioned here:
  http://www.thesafemac.com/mmg-antivirus

• I can't start my macbook pro because I turned it off when I got a trojan on my mac. When I turn my mac on I get the message that my computer restarted because of a problem. Then it turns off again and turns on again and it starts all over. What can I do?

  I can't start my macbook pro because I turned it off when I got a trojan on my mac. When I turn on my mac I get the message that my computer restarted because of a problem. Then it turns off again and turns on again and it starts all over. What can I do?

  Boot into your recovery partition (restart, hold down ⌘R until you see the Apple logo), and use Disk Utility to repair your hard drive. Repair permissions too while you're there. OS X: About OS X Recovery

• Do SpyEye, Zeus Trojan horses affect Mac OSX?

  I received a mail Nov 12 from a known address. The only content was a link, which seems to be related to SpyEye, which I found (afterwards) is a trojan horse version of Zeus.
  Stupidly I clicked it and then looked. No further clicks...But I also replied to the mail.
  What I saw were different job possibilities, one of which was to post links for Google....?
  My Sophos virus/malware scanner did not report anything, and when I became aware I immediately continued to scan the computer and Sophos did not find anything.
  Does anyone know if these trojans can/will affect Mac OSX  v. 10.5.8?
  Thanks, G

  How can I tell if my computer is...: Apple Support Communities

• Trojan horses on Mac

  Hi,
  is there someone who knows who to find trojan horses on a Mac?

  The only Trojans that exist for Mac have been "proof of concept" ones. One called "Leap or "Oompa-Loompa". I wouldn't waste my money on a program that claims to find them.
  That said, it is possible (though not probable) for spyware to get onto your Mac. The best way to avoid that is by using your firewall and/or a hard wired router, downloading only from "trusted" sites, installing all security updates and being careful about what you give administrative power to. It is also recommended to run day to day tasks from a non-admin account.
  Don't use Limewire or any other P2P service to download your software, get it from reputable sources. In addition, always keep at least your users backed up, preferably a clone of your entire system on a separate disk. And put your sensitive passwords, bank accounts, credit card numbers in a "secure note" in a new keychain or in an encrypted folder.
  As for viruses, none. If and when a Mac virus does appear it will be headline news and you can download the AV software then. If you feel you have to run an AV program I'd suggest ClamXav a mac friendly freeware app that is very stable with Tiger. It will check for known virus signatures at any rate.
  Enjoy your Mac
  -mj
  [email protected]

• Apple insider say there are Two new trojan horses threaten Mac software

  Yes it says pirates downloading iworks etc, and before you all ask no I don't have it.
  Either this is a scam or is this the first Mac trojan? Im woried as I have never had anything bad happen to my Mac. Shall i get anti virus? I dont use torrent sites any way, but if they can effect Mac programs could it affect my emails?

  As Terence says, a trojan is NOT a virus.
  It may seem like a minor distinction, but a virus can come onto a computer via an e-mail attachment, embedded into an email, or something loaded from the internet, CD/DVD, USB drive, etc., then replicate itself to, say, everyone in your address book, +all without any action by you+. There are hundreds of thousands of them for PCs. At the moment, for Macs there are exactly zero known viruses. None. Zip. Zilch. So don't panic.
  It is possible, though, for you to get one of these. It won't do any harm on your Mac, but if you send it to a PC user, it may spread. If you want, you can get anti-virus software for this purpose. The one I see recommended most is ClamXav, and is free. Like many Mac users, I don't run any.
  There is malware, including trojans, for Macs, though far fewer than for PCs. As reported, all these require some action by you -- and in those cases where they come with pirated software, you obviously would have to be a thief, too (poetic justice?).
  Here's a similar thread, with some recommendations: http://discussions.apple.com/thread.jspa?threadID=1797574

• Trojan found on Mac by Avast?

  I know Avast! isn't the best, but this is the only time it's given me an "infection" detection so far. The file was an "alekspack10.jar" file and considered a trojan.
  I already deleted it using Avast! but what I want to know is was that enough? Does that take it off of my computer? Is there any other way I can scan for it on my computer?
  I know this isn't the Avast! forums, but if there's anything else I can do to make sure that (possible) trojan is off of there I would like to know.

  I already had deleted it before posting this but I can check to see if I can still find the file.
  If you have backups, you might be able to find it there. (If you don't, you should drop everything you're doing and focus on starting a backup system. Literally.)
  I'd also point out that the knee-jerk reaction that causes people to immediately delete things detected as malware is a bad one. You should NEVER allow anti-virus software to immediately delete something that it determines is malicious, nor should you delete it yourself until you have done your homework.
  Deleting "infected" files automatically is bad for several reasons:
  * It could be a false positive, and deleting it could destroy valuable data, damage an application or damage your system.
  * If it's actually malicious, it could be a new variant of something else, and ought to be submitted to the security community (via VirusTotal) so they can do a better job of keeping you safe.
  * If it's actually Mac malware, you need to know exactly what it is so that you can find out more about how to get rid of it. Some Mac malware can be removed fairly easily, but other malware should never be removed by any method other than erasing the hard drive and starting fresh.
  For more information on how to properly deal with such things, see:
  How to remove infected files

• Trojan Horse on Mac

  I read about a Trojan Horse on the Mac and the MacScan came up and offers a way to prevent it. MacScan appears to be free. Is it valid? I the Trojan Horse a real problem?

  Just to supplement BDAqua's good advice:
  From MacWorld, January 10, 2008:
  SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
  http://www.securemac.com/
  The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X. Called DNSChanger Trojan and also known as OSX.RSPlug.A Trojan Horse the software attacks users attempting to play a fake video file.
  Upon attempting to play the video, the victim receives the following message:
  “Quicktime Player is unable to play movie file.
Please click here to download new version of codec.”
  Upon running the installer, the user's DNS records are modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's DNS records stay modified on a minute-by-minute basis.
  SecureMac's DNSChanger Removal Tool allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.
  There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac. A white paper has recently been published on the subject by SubRosaSoft, available here:
  http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174
  Also, beware of MacSweeper:
  MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008
  http://en.wikipedia.org/wiki/MacSweeper
  You should also read what a major contributor called tacit has to say here:
  http://tacit.livejournal.com/238112.html

• Is the flashback.39 trojan really infecting Macs?

  Is there any truth to the claim made by an article on Macworld that was posted on April 5th about a Backdoor Flashback.39 Trojan?  They say the Dr. Web says it has infected over 300,000 Macs in the US. 

  I give many people help on this forum and many others, both Mac and Windows.
  Your original Question posted in a Hardware forum was kind of foolish to say the least. A publication like MacWorld would not post an article about Malware without first checking it out. Wouldn't you think? A simple Google search on it turns up 14 Million hits.
  https://www.google.com/webhp?source=search_app#hl=en&sclient=psy-ab&q=flashback+ trojan+mac&oq=Flashback+troja&aq=1&aqi=g-z1g3&aql=&gs_l=hp.1.1.0i3j0l3.1903l1903 l3l4624l1l1l0l0l0l0l77l77l1l1l0.frgbld.&pbx=1&bav=on.2,or.r_gc.r_pw.r_cp.r_qf.,c f.osb&fp=c541f35354c9590f&biw=1280&bih=939
  Just on the first page of the results there are several hit from different New Pubs about it. Are they all wrong, Lying.
  Why not contact Macworld and ask them if they are posting Lies about this.
  Sorry if I offended you BUT.

• Windows trojan on a Mac?

  Avast! for Mac found a suspicious string in a Wuala memory dump-file and told me it is WIN32:banker-KDL. But… Can malware written for Windows even install itself and operate on a Mac running OS X (10.8.5)?

  OpenDNS has nothing to do with the issue and will do nothing to improve security.
  "Avast" is perhaps the worst of the whole wretched lot of commercial "security" products for the Mac. It's worse than the imaginary "viruses" you were worried about when you installed it. Not only does it fail to protect you, it throws false warnings, destabilizes and slows down your computer, and sometimes or always corrupts the network settings and the permissions of files in your home folder. Removing it may not repair all the damage, and neither will Disk Utility or even reinstalling OS X.
  Back up all data, then remove "Avast" according to the developer's instructions. Reboot.
  If you tried to remove Avast by dragging an application to the Trash, you'll have to reinstall it and follow the instructions linked above.
  If you still have problems after following those instructions, post again.
  This is a comment on OpenDNS and other public domain-name system (DNS) services, such as Google DNS. You should use such a service if it solves a problem for you, and not if it creates problems you don't already have. To summarize:
  1. Using public DNS will probably not make your network faster, and may make it slower.
  2. It will probably not stop your browser from being "redirected" when you try to connect to a valid web address.
  3. It will not make you safer from malware attacks.
  4. It could cause confidential information to be compromised.
  5. It has other privacy implications that you should take into account.
  A DNS server resolves the human-readable "domain name" of an Internet host, such as www.apple.com, to the numerical address by which that host can be reached. The process is analogous to looking up a phone number by name. There is no chance that changing the DNS server you use will have any effect on a network problem not related to name resolution.
  There are two valid reasons why you might want to use a public DNS service:
  The DNS servers provided by your ISP are misconfigured or don't perform well.
  You have a use for the filtering controls provided by OpenDNS and others.
  Although some DNS services are touted as responding faster than others, there will be no noticeable difference if your ISP is delivering what you pay for. Most likely, the difference in response time among the DNS servers available to you is on the order of a hundredth of a second or less. But under some conditions, public DNS will significantly slow down network performance.
  A content-distribution network (CDN), such as the one used by Apple, relies on the location of the DNS server to optimize performance. If your query goes to a distant server, you may get slow downloads of Apple content, among other things. From the report of a test carried out by a networking consultant:
  We listed 9 CDNs that would benefit from supporting/using edns-client-subnet, and only two actually support edns-client-subnet: CDN77 and ChinaCache. Others, including Akamai, Internap and CDNetworks, do not currently. This really is too bad, because from the performance data we collected, it is clear these CDNs deliver (much) worse performance currently in many countries to Google DNS and OpenDNS users.   
  Another reason often given for using public DNS is to avoid "redirection," that is, false results from a query for a valid domain name. Ethical ISP's do not intentionally redirect valid DNS queries, though it might happen unintentionally because of a misconfiguration; for example, because the address of a network host has recently changed, or because of a "poisoning" attack on the DNS server. If you regularly get false results from name resolution, there is some other reason for it. Note that your ISP may, and OpenDNS certainly will, redirect invalid queries to ad sites, in violation of published standards for DNS.
  Some ISP's have been known to "hijack" DNS queries to their own server, irrespective of where those queries are directed. I don't know of any large ISP that is currently doing this, but if yours is, you won't be able to use a public DNS service, even if you change the network settings on your computer or router.
  The claims on the OpenDNS website that it "blocks" malware attacks such as Flashback are false advertising. A DNS service does not and cannot block anything. All it can do is to selectively refuse to answer queries. It's trivial for a malware attacker to evade such controls. It's just as easy to evade the parental controls offered by OpenDNS. Nevertheless, you may find those control features useful, despite their limitations. Here is an example of an ASC user who had undesirable results from OpenDNS content filtering.
  There is one exception to the rule that OpenDNS and Google DNS don't improve performance. The "prefetching" performed by modern web browsers, including Safari, may confuse some DNS servers, with the effects described in this Apple Support article. The article suggests testing OpenDNS, Google DNS, or another third-party DNS service as a possible way to overcome the problem.
  If you need to switch DNS providers because of a misconfiguration of your ISP's servers, the change will most likely only need to be temporary. The problem may be resolved automatically within a matter of hours.
  If you intend to use public DNS, such as OpenDNS, on a long-term basis, you should be aware of the privacy implications. As a user of the free service, you are not an OpenDNS customer, and the service provider  — a for-profit corporation — doesn't have a contract with you. The marketers to whom OpenDNS sells information are its customers.
  OpenDNS will know, and store, the address of every Internet server you use from now on. This is from its privacy policy:
  When you use our Services, OpenDNS stores certain DNS, IP address and related information about you to improve the quality of our Service, to provide you with Services and for internal business and analysis purposes.
  Concerning personal information, the policy states:
  ...[I]t is disclosed to entities that perform marketing services on our behalf or to other entities with whom we have joint marketing agreements...
  You can't opt out of those disclosures. Read the privacy policy carefully and draw your own conclusions. The privacy policy of Google DNS seems to be somewhat more benign, but again, you should judge for yourself.
  That's not the worst of it, though. The practice of hijacking nonexistent domains followed by most public DNS services could result in leaking confidential information to a hacker:
  For example, consider the "same origin trust model" used for Web cookies. If you're holding a cookie for GOOGLE.COM and you can be fooled into following a link to KJHSDFKJHSKJHMJHER.GOOGLE.COM, and the resulting NXDOMAIN response is remapped into a positive answer to some advertising server, then you're going to send your cookie to that advertising server when you send your HTTP GET request there. Not such a bad thing for a GOOGLE.COM cookie, but a real problem for a BANKOFAMERICA.COM cookie.  
  To emphasize, NXDOMAIN remapping is not something that only happens when you randomly mistype a domain name.It can be exploited deliberately by malicious links placed on any web page. In the case of OpenDNS, the result would be that a cookie intended for another server would be sent to the OpenDNS web server instead. A rogue OpenDNS employee, or anyone who managed to break into the web server, might then be able to impersonate you on another website. If this scenario seems far-fetched, it's the stuff that network exploits are made of.
  See also a brief. somewhat outdated, critique of OpenDNS on a Harvard Law School blog, with a response from the company's founder.

• ClamXav just detected a trojan on my mac!

  ClamXav just detected a trojan in my downloads folder, no idea what it is. File is called installplayer3913001.exe and it's been there since january. What should I do, apart from not double click on it? I don't know if I have ever opened this file or not.

  It is a windows file (.exe), os x won't open it, but windows will, if you have windows installed.
  You may safely delete it.
  If you think it may have gotten opened in windows(probably not, since it was in the os x download
  folder), then you will need to check your windows installation with a windows virus/malware software
  program.
  Kj

• I have a trojan on my mac. The trojan downloads illegal content until my hard drive is full. How do I remove the trojan?

  I noticed that my hard drive was getting full to the point that my computer had no space left. OmniDiskSweeper told me where all the data was. When I went to that folder I saw a TON of illegally downloaded content. I immediately trashed it to get my drive space back, but noticed something was downloading these files again. ClamAV did not find anything and Sophos has been running very slowly. Does anyone know what this is or how to remove it?

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software — potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions — they’re easy to carry out and won’t change anything on your Mac. 
  These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing. 
  Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects. 
  Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then copy it. The headings “Step 1” and so on are not part of the commands. 
  Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply. 
  Launch the Terminal application in any of the following ways: 
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.) 
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens. 
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid. 
  When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” and press return. You should then get a new line ending in a dollar sign. 
  Step 1 
  Triple-click the line of text below on this page to select it:
  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}' | open -f -a TextEdit 
  Copy the selected text to the Clipboard by pressing the key combination command-C. Then click anywhere in the Terminal window and paste (command-V). A TextEdit window will open with the output of the command. If the command produced no output, the window will be empty. Post the contents of the TextEdit window (not the Terminal window), if any — the text, please, not a screenshot. You can then close the TextEdit window. The title of the window doesn't matter, and you don't need to post that. No typing is involved in this step.
  Step 2 
  Repeat with this line:
  { sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|org\.(amav|apac|cups|isc|ntp|postf|x)/{print $3}'; sudo defaults read com.apple.loginwindow LoginHook; sudo crontab -l; } 2> /dev/null | open -f -a TextEdit 
  This time you'll be prompted for your login password, which you do have to type. Nothing will be displayed when you type it. Type it carefully and then press return. You may get a one-time warning to be careful. Heed that warning, but don't post it. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator. 
  Note: If you don’t have a login password, you’ll need to set one before taking this step. If that’s not possible, skip to the next step. 
  Step 3
  { launchctl list | sed 1d | awk '!/0x|com\.apple|org\.(x|openbsd)/{print $3}'; crontab -l 2> /dev/null; } | open -f -a TextEdit 
  Step 4
  ls -A /e*/{la,mach}* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts .la* 2> /dev/null | open -f -a TextEdit  
  Important: If you formerly synchronized with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting. 
  Step 5
  osascript -e 'tell application "System Events" to get name of every login item' | open -f -a TextEdit 
  Remember, steps 1-5 are all copy-and-paste — no typing, except your password. Also remember to post the output. 
  You can then quit Terminal.

• Malware?  Something has my Mac in a knot!

  https://discussions.apple.com/thread/3217174?start=15&tstart=0
  The above discussion seems to be very similar to my scenario.  Just different website and different prize. I will reference this posting on that discussion.  But, that discussion was six months ago, and is very long.... so I felt it worthy to try to summarize best I could.  And, with taking the information, I wasn't even sure what process to do first?  So, although I state in this post below as fact, realize I am siting other users information from the post mentioned above. 
  So, in a nutshell, I am asking you all:
  Is the below information accurate?
  What items do I do first?  What items do I not do at all?
  My story:  I was searching for some stuff on the planet Jupiter for my daughter's class project.  And, bam, a pop-up came up saying I was a Michigan winner.  How the heck does this pop up know I am from Michigan????
  What was worse, the pop-up could not be closed (the three dots were not present in the upper left-hand corner), I could not access any menu items, etc.in Safari.  As this other post above mentioned, "my computer/Safari has been hijacked".
  I have Lion, so naturally, any force closing, and/or rebooting just brings up the same pages once again.  However, along the way, it had asked for an administrator name and password.  I didn't think of it too much as I had been moving between users that day so my other daughter could be surfing the web on her restricted account.  So, I thought it had to do with that.
  After reading the above-referenced post, I can summarize the plethora of information into the following:
  I probably came across a similar malware issue
  I probably gave my password to an enemy
  And, my Mac is currently setting power-off awaiting my decision on what to do.  And, am having to write this post on my husband's Windows PC.  Not happy!
  Issues and/or solutions:
  I might be able to hold down the shift key when entering Safari to disable the "resume pages" option on Lion.  (however, that doesn't mean the issue is gone... just that I might be able to access websites and the menu again.)
  I am gonna need to delete some files perhaps outside of Safari (downloads.plist; history.plist; historyindex.sk; lastsession.plist; topsites.plist; webpageicons.db;)   THEN EMPTY THE TRASH.
  I am sure I need to make sure that my Apple software is up to date, including security definitions.  (no one in the other post even mentioned this, I don't think, but I would think this would be very helpful.)
  I am going to have to address Flash cookies (.sol files)
  delete them from home/library/preferences/macromedia/flash player/#sharedobjects
  settings need to be adjusted in home/library/preferences/macromedia/flash player/macromedia.com/support/flashplayer/sys
  FYI: the home>library folder is now hidden.... so will need to discover how to access that
  Or use the Flush app to remove all flash cookies; Or use Safaricookies app to be selective on what flash cookies I'd want to keep
  Adobe flash player now puts a system preference in system preferences folder for flash player, including a simple way to delete all flash cookiesThe old version of FP you have to go to the adobe flash player support page to view the control panel that lets you do this.  The new one, lets you control it on your Mac.--Supposedly you can access this control panel via double clicking the FP icon
  Tracker cookies scare me:
  If I installed this Trojan(OSX/DNSChanger) by providing my password, my DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements.  (BTW, I moved to a Mac a couple years ago because my Windows laptop got one of these things on them... thought I was immune on a Mac.  So wrong!)
  It concerns me that this attacker could be monitoring my passwords, etc on my banks, etc.  Not sure if this is true or not...
  SecureMac app has a free Trojan Detection Tool for Mac OS X.  The software to remove it has a 30-day trial and then costs $30US.
  It goes on to talk about Windows viruses that can be passed on through emails to other Windows users, which CLAMXAV app can fix.  Uncertain if available for Lion per the contributor's remarks, but is also difficult to remove from your Mac.  The contributor also alerted us to not install Norton on the Mac as it is damaging to the OS.
  Some users did the shift button with the Safari button thinking they were done with the whole thing, but realized there was a Trojan on their Mac, still alive.  Sending to trash and emptying trash- not sure if that is all you need to do finding it using spotlight?
  Things that didn't work for other users and other threads to read:
  VirusBarrier Plus didn't detect anything on a users computer.
  https://discussions.apple.com/thread/3198419?tstart=0
  Any help on this would be greatly appreciated!!!!!
  An additional question I have:
  I have a Time Capsule.  Could I just restore from two days ago and not have to worry about any of the above actions?

  Please read this whole message before doing anything.
  This procedure is a diagnostic test. It won’t solve your problem. Don’t be disappointed when you find that nothing has changed after you complete it.
  Third-party system modifications are a common cause of usability problems. By a “system modification,” I mean software that affects the operation of other software – potentially for the worse. The following procedure will help identify which such modifications you've installed. Don’t be alarmed by the complexity of these instructions – they’re easy to carry out and won’t change anything on your Mac.
  These steps are to be taken while booted in “normal” mode, not in safe mode. If you’re now running in safe mode, reboot as usual before continuing.
  Below are instructions to enter some UNIX shell commands. The commands are harmless, but they must be entered exactly as given in order to work. If you have doubts about the safety of the procedure suggested here, search this site for other discussions in which it’s been followed without any report of ill effects.
  Some of the commands will line-wrap or scroll in your browser, but each one is really just a single line, all of which must be selected. You can accomplish this easily by triple-clicking anywhere in the line. The whole line will highlight, and you can then either copy or drag it. The headings “Step 1” and so on are not part of the commands.
  Note: If you have more than one user account, Step 2 must be taken as an administrator. Ordinarily that would be the user created automatically when you booted the system for the first time. The other steps should be taken as the user who has the problem, if different. Most personal Macs have only one user, and in that case this paragraph doesn’t apply.
  Launch the Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, press the key combination shift-command-U. The application is in the folder that opens.
  ☞ If you’re running Mac OS X 10.7 or later, open LaunchPad. Click Utilities, then Terminal in the page that opens.
  When you launch Terminal, a text window will open with a line already in it, ending either in a dollar sign (“$”) or a percent sign (“%”). If you get the percent sign, enter “sh” (without the quotes) and press return. You should then get a new line ending in a dollar sign.
  Step 1
  Copy or drag – do not type – the line below into the Terminal window, then press return:
  kextstat -kl | awk '!/com\.apple/{printf "%s %s\n", $6, $7}'
  Post the lines of output (if any) that appear below what you just entered (the text, please, not a screenshot.)
  Step 2
  Repeat with this line:
  sudo launchctl list | sed 1d | awk '!/0x|com\.(apple|openssh|vix)|edu\.mit|org\.(amavis|apache|cups|isc|ntp|postfix|x)/{print $3}'
  This time, you'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning.
  Step 3
  launchctl list | sed 1d | awk '!/0x|com\.apple|edu\.mit|org\.(x|openbsd)/{print $3}'
  Step 4
  ls -1A /e*/mach* {,/}L*/{Ad,Compon,Ex,Fram,In,Keyb,La,Mail/Bu,P*P,Priv,Qu,Scripti,Servi,Spo,Sta}* L*/Fonts 2> /dev/null
  Important: If you synchronize with a MobileMe account, your me.com email address may appear in the output of the above command. If so, anonymize it before posting.
  Step 5
  osascript -e 'tell application "System Events" to get name of every login item'
  Remember, steps 1-5 are all drag-and-drop or copy-and-paste, whichever you prefer – no typing, except your password. Also remember to post the output.
  You can then quit Terminal.

• Malware on my Mac

  I clicked a link on Google to the Marmot Thunder Ridge jacket and up popped an ad for something called "Spyshredder". Without doing anything more this thing started a scan of my computer. It then said I had two viruses and one trojan.
  Immediatly after doing this it offered to clean these items, and I got a notice that it was trying to install an executible on my iMac, which I declined. But whatever the bug was would not let me cancel out of the program. Eventually the only thing I could do was force quit Safari.
  Later I was researching the jacket using Firefox, and the same thing happened.
  Recently I have received a flurry of security updates that seemed like they were legitimately from Apple, and I installed them. Could it be I have accidentally installed a virus on my iMac? Obviously we are no longer virus/trojan proof, since Mac is sending all these updates out, and it appears that I have something on my computer that locked me up and would not let me go to any other sites.
  Anyone know anything about these? Is there a fix?
  Thanks
  Doug

  Stormrydr wrote:
  I clicked a link on Google to the Marmot Thunder Ridge jacket and up popped an ad for something called "Spyshredder". Without doing anything more this thing started a scan of my computer. It then said I had two viruses and one trojan.
  They lied. It's that simple.
  1 it takes time to do a virus scan. On my Windows XP boxes and on my Vista box, antivirus systems such as the antivirus component of Zone Alarm Security Suite can take hours to scan the whole system. Even an anti-spyware sweep by something like Spyware Doctor can take 15 or 20 minutes. There is no way that something 'scanned' your system _over an internet connection_ in a short time. It can't be done.
  2 there are no Mac OS X viruses or trojans in the wild. The last serious Mac malware was the autostart worm, from 1998. The last trojan that was even barely well-known was the one which pretended to be the installer for MS Office 2004. All other malware outbreaks have been either insignificant or merely lab rats.
  3 this kind of thing is very well known in WIndows circles. Typically the 'free Internet scan' which turns up the malware is a front for someone who is pushing malware, usually something designed to perform identity theft, or to take over your machine so it can be part of a zombie botnet, or both.
  Immediatly after doing this it offered to clean these items, and I got a notice that it was trying to install an executible on my iMac, which I declined. But whatever the bug was would not let me cancel out of the program. Eventually the only thing I could do was force quit Safari.
  This is not a bug. They don't want to let you go until you've let them install stuff on your system. They want you for their zombie botnet.
  Later I was researching the jacket using Firefox, and the same thing happened.
  Recently I have received a flurry of security updates that seemed like they were legitimately from Apple, and I installed them. Could it be I have accidentally installed a virus on my iMac? Obviously we are no longer virus/trojan proof, since Mac is sending all these updates out, and it appears that I have something on my computer that locked me up and would not let me go to any other sites.
  Apple is patching things so that we can continue to be malware resistant.
  Anyone know anything about these? Is there a fix?
  Google 'spyshredder' and be thankful you don't run Windows.
  Thanks
  Doug

• Question on the new virus attack warning on the Mac

  Hi everybody,
  Just wondering if anyone is getting worried about the new virus attacks that are predicted on their way at the Mac according to media sources. I have Firewall on and also Stealth Mode enabled but I'm worried now if that's enough. I've looked at ClamX but that seems like it can cause other problems. MacScan seems to be good software for a decent price. Any ideas from anyone will be appreciated.
  Rich

  No viruses that can attack OS X have so far been detected 'in the wild', i.e. in anything other than laboratory conditions.
  It is possible, however, to pass on a Windows virus to another Windows user, for example through an email attachment. To prevent this all you need is the free anti-virus utility ClamXav, which you can download from:
  http://www.clamxav.com/
  However, the appearance of Trojans and other malware that can possibly infect a Mac seems to be growing, but is a completely different issue to viruses.
  If you allow a Trojan to be installed, the user's DNS records can be modified, redirecting incoming internet traffic through the attacker's servers, where it can be hijacked and injected with malicious websites and pornographic advertisements. The trojan also installs a watchdog process that ensures the victim's (that's you!) DNS records stay modified on a minute-by-minute basis.
  You can read more about how, for example, the OSX/DNSChanger Trojan works here:
  http://www.f-secure.com/v-descs/trojanosxdnschanger.shtml
  SecureMac has introduced a free Trojan Detection Tool for Mac OS X. It's available here:
  http://macscan.securemac.com/
  The DNSChanger Removal Tool detects and removes spyware targeting Mac OS X and allows users to check to see if the trojan has been installed on their computer; if it has, the software helps to identify and remove the offending file. After a system reboot, the users' DNS records will be repaired.
  (Note that a 30 day trial version of MacScan can be downloaded free of charge from:
  http://macscan.securemac.com/buy/
  and this can perform a complete scan of your entire hard disk. After 30 days the cost is $29.99. The full version permits you to scan selected files and folders only, as well as the entire hard disk. It will detect (and delete if you ask it to) all 'tracker cookies' that switch you to web sites you did not want to go to.)
  A white paper has recently been published on the subject of Trojans by SubRosaSoft, available here:
  http://www.macforensicslab.com/ProductsAndServices/index.php?mainpage=document_general_info&cPath=11&productsid=174
  Also, beware of MacSweeper:
  MacSweeper is malware that misleads users by exaggerating reports about spyware, adware or viruses on their computer. It is the first known "rogue" application for the Mac OS X operating system. The software was discovered by F-Secure, a Finland based computer security software company on January 17, 2008
  http://en.wikipedia.org/wiki/MacSweeper
  On June 23, 2008 this news reached Mac users:
  http://www.theregister.co.uk/2008/06/23/mac_trojan/
  More information on Mac security can be found here:
  http://macscan.securemac.com/
  The MacScan application can be downloaded from here:
  http://macscan.securemac.com/buy/
  You can download a 30 day trail copy which enables you to do a full scan of your hard disk. After that it costs $29.95.
  More on Trojans on the Mac here:
  http://www.technewsworld.com/story/63574.html?welcome=1214487119
  This was published on July 25, 2008:
  Attack code that exploits flaws in the net's addressing system are starting to circulate online, say security experts.
  The code could be a boon to phishing gangs who redirect web users to fake bank sites and steal login details.
  In light of the news net firms are being urged to apply a fix for the loop-hole before attacks by hi-tech criminals become widespread.
  Net security groups say there is anecdotal evidence that small scale attacks are already happening.
  Further details here: http://news.bbc.co.uk/2/hi/technology/7525206.stm
  A further development was the Koobface malware that can be picked up from Facebook (already a notorious site for malware, like many other 'social networking' sites), as reported here on December 9, 2008:
  http://news.bbc.co.uk/newsbeat/hi/technology/newsid_7773000/7773340.stm
  You can keep up to date, particularly about malware present in some downloadable pirated software, at the Securemac site:
  http://www.securemac.com/
  There may be other ways of guarding against Trojans, viruses and general malware affecting the Mac, and alternatives will probably appear in the future. In the meantime the advice is: be careful where you go on the web and what you download!
  As to the current 'Conficker furore' affecting Intel-powered computers, MacWorld recently had this to say:
  http://www.macworld.co.uk/news/index.cfm?email&NewsID=25613
  Although any content that you download has the possibility of containing malicious software, practising a bit of care will generally keep you free from the consequences of anything like the DNSChanger trojan.
  1. Avoid going to suspect and untrusted Web sites, especially *********** sites.
  2. Check out what you are downloading. Mac OS X asks you for you administrator password to install applications for a reason! Only download media and applications from well-known and trusted Web sites. If you think you may have downloaded suspicious files, read the installer packages and make sure they are legit. If you cannot determine if the program you downloaded is infected, do a quick Internet search and see if any other users reported issues after installing a particular program.
  3. Use an antivirus program like ClamXav. If you are in the habit of downloading a lot of media and other files, it may be well worth your while to run those files through an AV application.
  4. Use Mac OS X's built-in Firewalls and other security features.
  5. Stop using LimeWire. LimeWire (and other peer-to-peer sharing applications) are hotbeds of potential software issues waiting to happen to your Mac. Everything from changing permissions to downloading trojans and other malicious software can be acquired from using these applications.
  6. Resist the temptation to download pirated software. After the release of iWork '09 earlier this year, a Trojan was discovered circulating in pirated copies of Apple's productivity suite of applications (as well as pirated copies of Adobe's Photoshop CS4). Security professionals now believe that the botnet (from iServices) has become active. Although the potential damage range is projected to be minimal, an estimated 20,000 copies of the Trojan have been downloaded.