Possible Malware infection?

Similar Messages

• File Sharing Enabling Itself/ Possible Malware Infection?

  Greetings to all,
  I'm posting this out of sheer desperation because no one else seems to have reported such an issue (or so Google would have me believe).
  A bit of background info:
  I'm running 10.8.5 and Firefox 24.0, no frills, no extra customisations apart from one add-on; pretty much everything left to the default settings (homepage, theme, etc.).
  I noticed two weeks ago that my first tab in Firefox kept shivering every time a new tab was opened or an existing one was closed.  The only thing that had been installed was AdBlock Plus and that was running flawlessly for a month.
  I researched the problem on my own and found that previous versions of Firefox had similar shaking issues but none were related to AdBlock.
  I reset my browser and the shaking stopped.  I re-installed AdBlock and the issue returned in ten minutes.  I reported this to AdBlock Plus but have yet to hear back from them.
  Now moving onto the crux of the issue:
  I noticed in the last week that File Sharing has been turning itself on.  I have another Mac on the network but I have only used this feature a handful of times and always make sure to disable it as soon as I'm done.  This is combination with e-mails that I did not send that appear to be sent from my account despite having changed my password several times in the last year.  None of my contacts have reported that they received spam from me.
  I had been mildly suspicious of some such malware due to Netflix/ Hulu magically playing videos on their own well after they had already timed out.
  I checked Activity Monitor and there were no suspicious processes but I figured if a keylogger, for instance, were sophisticated enough, I still might not be able to see it.
  Enter MacScan 2.9.4.  I downloaded it directly from their website and ran a full-system scan which ultimately yielded nothing.
  I re-open Firefox and what do I see?  Yahoo! has been made my new homepage and a bunch of Spigot searchbars have been added, namely that for Amazon and eBay.
  When I Googled the company name, almost all the of articles referred to it as malware.
  I have since reset my browser and I'm starting to freak out more than just a little.
  A well-known and recommended AV hijacks my browser, spam is being sent to me by 'me', File Sharing is enabling itself, and of course, the phantom video playing.
  Has anyone seen this conglomeration of symptoms before and if so, what can I do about it?
  If not, am I going to have to wipe both Macs?
  Please some kind soul out there, help!

  I'm not following your description well enough to know exactly what happened. What site were you viewing when this happened, and did it happen immediately on clicking a link or did it just happen spontaneously? What is a "corrupted install window"? And what is "the corrupt file" you found in your download folder? Without more information, it's difficult to say, but it doesn't sound like malware to me. Of course, if you wish to set your mind at ease, get a copy of [ClamXav|http://www.clamxav.com> and scan your hard drive. Also, I would point you to my [Mac Virus guide|http://www.reedcorner.net/thomas/guides/macvirus>, but as I've received private communications from you already, I see you've found it!
  Note that files ending in .part are temp files... they are the beginnings of files that your browser started downloading. When you cancel a download, whatever had been downloaded to that point is left in a .part file, I believe to allow for resumption of the download later (if the server in question supports that). Whatever's in there is not complete and could not possibly be opened, so it is not a threat.

• Is it possible to trace back from a malware- infected cache item to the originating url?

  Is it possible to trace back from a malware- infected cache item to the originating url?

  Hi Sree,
  Code for Setting the response of Notification:
  PROCEDURE sr_response (
  p_sr_doc_number IN VARCHAR2,
  p_result IN VARCHAR2,
  p_message OUT VARCHAR2
  AS
  v_notification_id NUMBER;
  BEGIN
  SELECT notification_id
  INTO v_notification_id
  FROM wf_notifications
  WHERE MESSAGE_TYPE = 'XXEGASR1'
  AND message_name = 'SR_REQ_APPROVE'
  AND status = 'OPEN'
  AND item_key LIKE TO_CHAR (p_sr_doc_number) || '%';
  wf_notification.setattrtext (v_notification_id, 'RESULT', p_result);
  wf_notification.respond (v_notification_id);
  p_message := 'Shipment request has been approved';
  EXCEPTION
  WHEN NO_DATA_FOUND
  THEN
  p_message := 'Failed to approve notification';
  END sr_response;
  From OAF in Eventhandller of Submit/Rejact button you can call like this:
  String sql = "BEGIN xxega_sr_notf_pkg.invoke_wf (:1); END;";
  OracleCallableStatement cs = (OracleCallableStatement)am.getOADBTransaction().createCallableStatement(sql,1);
                 try
                 cs.setString(1,srNo);
                 cs.execute();
                 cs.close();
                 catch (Exception ex)
                 System.out.println("ex.toString()"+ex.getCause());
                 throw new OAException(ex.getMessage().subSequence(10,96).toString(),OAException.ERROR);
  Hope this will help.
  Regards,
  Reetesh Sharma

• Possible malware or infection??

  so my iphone was recently booted from my schools wifi network because they say they detected a malware infection on my" computer" . Now my iphone seems to be working fine, no signs of a problem. But they said i cant get access back till i've identified the problem and cleaned it up. is there any way to identify such a problem on my iphone if one existed????

  evilclaw2321,
  Without some verification that the packages you install only do the things they say they will, there is no way to tell what is happening.
  Without some verification and certification of the applications, whether or not a give application does more than what it says, is entirely up to how trustworthy the author and source for getting it is.
  Yes, it is possible you could have malware installed. However, troubleshooting specific applications installed by breaking your iPhone's license agreement is not something that can be done within Apple Discussions.
  Hope this helps,
  Nathan C.

• Malware Infection via USB stick

  Is it possible to infect a Mac with malware simply by mounting an infected usb stick?

  There is nothing known that is capable of doing that.
  There is a supposed piece of malware that has been written about by a very well-known security researcher, Dragos Ruiu, who has called it badBIOS. According to his claims, this malware can do some amazing things, including copy itself via USB. However, the claims seem to be a bit too amazing, and not a single security researcher has managed to verify any of it. Most security experts seem to think that this either doesn't exist or is being seriously exaggerated.
  Since this sort of thing isn't something that can be hidden from hordes of knowledgeable and determined security researchers for long, my personal opinion is that it's mythological.
  Is there a reason in particular that you're asking this?

• Can't get rid of virus/malware/infection

  I have a virus/malware/infection that Office Max hasn't been able to get rid of and I purchased McAfee 2012 Antivirus Plus and even contacted McAfee for help.  they want more money and I have already spent $173 and can't spend anymore.
  I have all the programs needed for reloading the harddrive.  I purchased all the programs a few years ago.
  I have an HP Pavillion V5000 laptop.  I need to know how to reformat the harddrive and will this get rid of the infections??
  thank you,
  Gregory

   Hi,
  These files would appear to relate to a Malware infection - the reason the specific DLLs cannot be loaded may well be because your existing security software has already removed them.
  Try the following.
  On another PC, follow the procedure on the link below to create a bootable CD which you can use to scan your computer and hopefully remove the Malware.
  http://connect.microsoft.com/systemsweeper
  When this has completed, boot into Windows, then download and install the free versions of MBAM and SUPERAntiSpyware on the links below.
  MBAM
  SUPERAntiSpyware
  When installed, run full scans with both these utilities - if any malware is detected, remove/quarantine it and run the scan again until both applications come back clean.
  If the above doesn't help, post back with the following.
  1.  The full Model No. and Product No. of the notebook ( from the service tag underneath your notebook ) - see Here for a further explanation.
  2.  The full version of the operating system you are using ( ie Windows 7 32bit ).
  Regards,
  DP-K
  ****Click the White thumb to say thanks****
  ****Please mark Accept As Solution if it solves your problem****
  ****I don't work for HP****
  Microsoft MVP - Windows Experience

• I have cs4. Had to rebuild my mac OS after malware infected it. Now getting an error code 150:30 when trying to open PS. Can this be fixed or do I have to upgrade to cs6?

  I have cs4. Had to rebuild my mac OS after malware infected it. Now getting an error code 150:30 when trying to open PS. Can this be fixed or do I have to upgrade to cs6?

  150:30 means licensing is broken. It's a common CS4 error. On Macs it usually happens when Photoshop is retrieved from backup or migrated from another Mac. Photoshop is never meant to be moved that way. As advised, you should uninstall and reinstall from your discs.
  Sine reinstall only apply the base install and the CS4 Help > Update function is outdated, you will have to manually download and install your updates from here:  Product updates for Bridge and Photoshop.
  Gene

• I opened an email that I later identified on hoaxbusters as depositing malware.  I have malwarebytes on my laptop, but nothing similar on my iphone4  what app should I buy?  If I run it, will it find or fix the possible malware?

  I opened an email on my phone that I later identified on hoaxbusters as depositing malware.  I have malwarebytes on my laptop, but nothing similar on my iphone4.  What app should I buy?  If I run it, will it find or fix the possible malware?

  The creeps that generate this code figured that the iPhone since is is selling so well would be a great market for them even if iOS makes it impossible for their code to do anything practical unless it is jail broken first.
  For additional information on jailbreaking, read http://en.wikipedia.org/wiki/IOS_jailbreaking

• New add-on appeared after cleaning malware infection - is it legitimate?

  I cleaned up a malware infection and, upon opening Firefox, I got a notice that a new add-on had been installed. It is called XULRunner 1.9.1 and appears to be from Mozilla. Given that I'd just had the malware infection, though, I'm suspicious of anything new adding itself.
  Could anyone tell me if this is a legitimate add-on and what exactly it's for/does? Thank you very much!

  In frustrationi I decided to close all of my Firefox add-ons. When i did this, the Google re-directs went away. I enabled my add-ons one at a time and after I enabled XULRunner 1.9.1 the re-directs started again. Thats proof enough for me. I would like to remove the application from my computer if anyone can help me locate it, I'd appreciate that.

• My safari has been compromised by a malware infection

  My safari 5 has been compromised by a malware infection and I need to reinstall but it will not reinstall from install disc and will not install from internet, any ideas? My service provider has solved the problem from his end but safari will not allow me access to my mail.

  Uninstalling and reinstalling Safari won't rid the hard drive of malware.
  Read here > http://www.reedcorner.net/guides/macvirus/
  safari will not allow me access to my mail.
  This is why setting up web based mail via your Mac Mail app is a better way to go. That way if you can't access your mail via a browser, you can access it via Mac Mail.
  I'm going by your profile: v10.6.8. See if you can reinstall Safari from here >  Safari 5.1

• HT202447 Can the Flashback malware infect my iPad?

  As well as my iMac, I use a first generation iPad which I sync with the Mac, which runs Snow Leopard.
  Can the Flashback malware infect my iPad?

  Many thanks Roger.
  I've got Intego VirusBarrier on the iMac, which I also use to scan my iPad periodically.
  No issues found on either, so good news!

• Malware Infection Possible on Nokia 909?

  I have a Nokia Lumia, model 909, and I wanted to know if it was possible to get infected with Malware.  If so, how would I check to see if I have malware and get it removed?  As some background, I was online today (AT&T LTE) and I clicked a link on a news story, once I did it tried to redirect me to an inappropriate site.  I hit the back button quickly, so it never loaded. 
  I just want to make sure that my phone is safe and check to see if it would impact any networks I am connected to.

  The web browser does not allow downloading so how will a malware get in? The phone also does not allow execution of executable files. have you checked this http://bit.ly/15bGljX

• Firefox 4 crashes after windows recovery virus /malware infection

  Hello My computer was infected by the "windows recovery " virus/malware when running Firefox 4 with administrator right user . I could get rid of the virus/malware using antivirus and antimalware sw ( superantispyware, antimalwarebytes, spybot and avast ) . Currently , no viruses or malwares are reporetd on my system . Still, when starting firefox.exe , the error message " firefox has encountered a problem and needs to close " is triggered and , although firefox starts and runs OK; it will close whenever a send/don't send option is taken on the error message . If I rename the Firefox.ex exe program into another name, Firefox runs OK and the error message is not triggered .
  I have had superantispyware support run an analysis tool on my system and their feedback was that the infection, if any, can only be viral . I had AVAST run in F8 safe mode and no viruses are reported any longer after desinfection of the system where a couple of exes created by the malware were found/deleted . I tried uninstall/reinstall Firefox 4 and 3, but the problem remains . Also, I have looked for a crash report in the documents and settings folder but finds none . Last, I also tried to start firefox.exe in safe mode but it will not start ( it will well start if I rename firefox.exe into another name )
  Thanks beforehand if you can suggest something to solve this .
  Best regards Pierre W

  Does it help if you create a new profile or uninstall and reinstall Firefox?
  If you reinstall Firefox then be sure to remove the Firefox program folder to remove possibly left over files in it.
  You can try to create a new profile as a test to check if your current profile is causing the problems.
  See "Basic Troubleshooting: Make a new profile":
  *https://support.mozilla.org/kb/Basic+Troubleshooting#w_8-make-a-new-profile
  There may be extensions and plugins installed by default in a new profile, so check that in "Tools > Add-ons > Extensions & Plugins" in case there are still problems.
  If the new profile works then you can transfer some files from the old profile to that new profile, but be careful not to copy corrupted files.
  See:
  *http://kb.mozillazine.org/Transferring_data_to_a_new_profile_-_Firefox
  See also:
  *http://kb.mozillazine.org/Firefox_crashes
  *https://support.mozilla.org/kb/Firefox+crashes

• Suspicious metadata suggests possible malware...

  I have this really weird problem that just came up, and I don't know what to think except "malware?".
  I run an old program called Business Sense using Classic. I have several copies of the application on my machine, and I recently noticed some strange behavior: if I open a Business Sense file (not the application directly), it opens the program (no problems). But if I try to open the application itself, the computer instead tries to open it as a file in Script Editor. Get Info reveals that the kind is listed as "application" instead of "Application (Classic)". The "Open With" panel shows up, and the Memory panel does not. Two copies of the program have this problem, and the other 5 or so do not. Other Classic apps do not have this problem as far as I can see. Sometimes the Business Sense icon changes to a weird "color glitch" square (sort of like TV noise but with color). If I use SetFileInfo (from the developer tools) to turn off the custom icon flag, the weird icon goes away.
  Here's the really weird part. I used an Automator workflow that I cobbled together from macosxhints.com to view all of the metadata for the file (it uses the mdls command in the command line). The funky copies of Business Sense show this metadata:
  */Documents/BS Data/B $‚Ñ¢ 2.3 -------------*
  *kMDItemAttributeChangeDate = 2007-11-25 19:33:02 -0800*
  *kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
  *kMDItemContentModificationDate = 2007-11-25 19:33:01 -0800*
  *kMDItemContentType = "com.prospa.manpage"*
  *kMDItemContentTypeTree = ("com.prospa.manpage", "public.data", "public.item")*
  *kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
  *kMDItemFSContentChangeDate = 2007-11-25 19:33:01 -0800*
  *kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
  *kMDItemFSCreatorCode = 1112755795*
  *kMDItemFSFinderFlags = 9472*
  *kMDItemFSInvisible = 0*
  *kMDItemFSIsExtensionHidden = 0*
  *kMDItemFSLabel = 0*
  *kMDItemFSName = "B $‚Ñ¢ 2.3"*
  *kMDItemFSNodeCount = 0*
  *kMDItemFSOwnerGroupID = 80*
  *kMDItemFSOwnerUserID = 501*
  *kMDItemFSSize = 411634*
  *kMDItemFSTypeCode = 1095782476*
  *kMDItemID = 208135*
  *kMDItemKind = "application"*
  *kMDItemLastUsedDate = 2004-12-11 16:34:45 -0800*
  *kMDItemUsedDates = (2004-12-11 16:34:45 -0800)*
  Don't mind the funky file name (it's named "B $™ 2.3" in the Finder). The weird part is what are in the ContentType and ContentTypeTree fields. For comparison, here's the metadata from one of the normal Business Sense applications:
  */Documents/BS Data/Empty DDS/B $‚Ñ¢ 2.3 -------------*
  *kMDItemAttributeChangeDate = 2007-06-25 20:10:46 -0700*
  *kMDItemContentCreationDate = 1993-12-22 09:00:00 -0800*
  *kMDItemContentModificationDate = 2002-07-13 16:52:09 -0700*
  *kMDItemContentType = "com.apple.application-file"*
  *kMDItemContentTypeTree = (*
  "com.apple.application-file",
  "com.apple.application",
  "public.executable",
  "public.data",
  "public.item"
  *kMDItemDisplayName = "B $‚Ñ¢ 2.3"*
  *kMDItemFSContentChangeDate = 2002-07-13 16:52:09 -0700*
  *kMDItemFSCreationDate = 1993-12-22 09:00:00 -0800*
  *kMDItemFSCreatorCode = 1112755795*
  *kMDItemFSFinderFlags = 8448*
  *kMDItemFSInvisible = 0*
  *kMDItemFSIsExtensionHidden = 0*
  *kMDItemFSLabel = 0*
  *kMDItemFSName = "B $‚Ñ¢ 2.3"*
  *kMDItemFSNodeCount = 0*
  *kMDItemFSOwnerGroupID = 80*
  *kMDItemFSOwnerUserID = 501*
  *kMDItemFSSize = 408262*
  *kMDItemFSTypeCode = 1095782476*
  *kMDItemID = 208691*
  *kMDItemKind = "Classic Application"*
  *kMDItemLastUsedDate = 2002-07-13 16:52:09 -0700*
  *kMDItemUsedDates = (2002-07-13 16:52:09 -0700)*
  Whereas the normal one has metadata values one would expect ("com.apple.application-file", "com.apple.application", "public.executable", etc.), the funky one has a value that doesn't make any sense: "com.prospa.manpage"
  Where the heck did that come from? I tried going to that website (prospa.com) and it's just a placeholder for a domain squatter. Interestingly, manpage.prospa.com does exist, and redirects to prospa.com. On that website, a contact address is listed: [email protected], but the words "contact us" to the right of that send the user to http://paty-poker.net/ which looks almost exactly the same as the first site.
  A whois inquiry of prospa.com is shown below. It reveals that the owner is in South Korea, and lists a different contact email address ([email protected])
  *Tue Dec 04 08:00 PM*
  *cybertoothdog $ whois prospa.com*
  *Whois Server Version 2.0*
  *Domain names in the .com and .net domains can now be registered*
  *with many different competing registrars. Go to http://www.internic.net*
  *for detailed information.*
  *Domain Name: PROSPA.COM*
  *Registrar: CYDENTITY, INC. D/B/A CYPACK.COM*
  *Whois Server: whois.cypack.com*
  *Referral URL: http://www.cypack.com*
  *Name Server: NS1.HOSTNAME.NET*
  *Name Server: NS2.HOSTNAME.NET*
  *Status: clientDeleteProhibited*
  *Status: clientTransferProhibited*
  *Status: clientUpdateProhibited*
  *Updated Date: 12-jul-2007*
  *Creation Date: 14-jun-2001*
  *Expiration Date: 14-jun-2008*
  *>>> Last update of whois database: Wed, 05 Dec 2007 04:00:42 UTC <<<*
  *The Registry database contains ONLY .COM, .NET, .EDU domains and*
  Registrars.
  *Welcome to CyDentity, Inc. dba CyPack.com's WHOIS Service*
  *Domain Name: PROSPA.COM*
  *Domain Status: LOCK*
  *Registrar: CyDentity, Inc. dba CyPack.com*
  *Referral URL: <a class="jive-link-external-small" href="http://">http://www.CyPack.com*
  *Domain Registration Date....: 2001-06-14 GMT.*
  *Domain Expiration Date......: 2008-06-14 GMT.*
  Registrant:
  kimtaeho
  *17-211, Maewol-dong, Seo-gu*
  *Gwangju, Gwangju 502153*
  KR
  *Administrative, Technical, Billing Contact:*
  *kimtaeho [email protected]*
  *17-211, Maewol-dong, Seo-gu*
  *Gwangju, Gwangju 502153*
  KR
  *(PHONE) +82-11-226-2899 (FAX) +82-62-603-0969*
  *Domain Name Servers in listed order:*
  NS1.HOSTNAME.NET
  NS2.HOSTNAME.NET
  I don't know Korean. I don't go to Korean websites. Where in the heck did my computer get the information to put "com.prospa.manpage" into the metadata of a random Classic application on my computer? I can't think of any reason that makes any sense other than malware. I looked up "com.prospa.manpage" and "prospa.com" on Google, Yahoo, and Altavista; nothing comes up for the first one, and nothing that seems relevant comes up for the second one. I also tried searching for "prospa.com", "com.prospa" and "prospa" in Spotlight - not a single result listed. Not even the funky Business Sense application.
  Does anyone have any idea what this could be? I hate bringing up the idea of "malware", but that's the only thing that makes any sense to me. What else would it be?
  So far, the only thing I could think of to do was to email the [email protected] address using a junk email account saying that I was "interested" in the prospa.com website. I just did that this evening, so I don't expect to hear anything back for a while - although I don't know what good it's going to do. Does anyone know how to report this to Apple directly?
  Any help or suggestions greatly appreciated!

  I figured it out. I feel sort of silly.
  At one point, my son's PowerBook hard drive was connected to the computer. He had a spotlight importer called manimporter.mdimporter installed. Somehow, the file associations for that mdimporter got added to my lsregister database, so any file that ended in .[number] (such as B $™ 2.3) was seen as a man file. I re-indexed the lsregister database using the command found at the bottom of this macosxhints.com hint:
  http://www.macosxhints.com/article.php?story=20071014124330643
  and that fixed the problem (perhaps this information will help someone with a similar problem in the future, like it did for me). I had to modify the search slightly, as just updating the database didn't get rid of the entry for manimporter.mdimporter. Using the following two variants seems to have returned everything to normal:
  ./lsregister -kill -f -domain local -domain system -domain user -domain network -dump
  +This one kills the current database and forces a new update of all possible domains. I also added a+ *> ~/file.txt* +to the end so that the dump command would load all the data into a text file that I could look at later.+
  ./lsregister -f -R /system/library/
  +This one picks up things like .dmg and .zip. I don't know why those weren't indexed in the first command. This one gives a lot of errors as it encounters things like jpeg files, but it seems to be ok.+
  I don't recall whether I had to run these commands as root or not. Anyway, I hope this helps somebody.

• Possible Malware or Virus on IMac?

  Today one of my family members visited the site Neopets, as she does almost everyday. What is strange is that every link she clicks on the site, be it for playing a game, checking contact information at the bottom of the site, starting a game etc,would cause a pop up to appear saying that we do not have the updated player. By pressing ok, it redirects us to a site called updateplayer.us. It is almost identical to the adobe/flash site which makes me believe that its some type of phishing scam. Furthermore, it will again redirect us to other sites, all similar but with different names (i.e. bamplay.net, and fatplay.net). These sites were identical to one another (bamplay and fatplay). So my question is, do we have a virus or malware on or mac? We have the lion OS. Everything is up to date, (flash player is 13.0.0.214) and our system updates are all up to date. We only download updates through system preferences/ software update. Other than pictures that we have recieved from friends and family, and the occasional pdf we download for school/taxes, the only downloading/installing we have done is from the system/flash updates. We don't visit any malicious websites and are fairly cautious internet users. This just started happening today for the first time ever, and it only appears to be happening on Neopets. Do we have a virus or malicious software installed? Everything else seems to be running fine. Safari still seems to be fast. Or is this something on Neopets end? I'm not very skilled with computers so any help would be appreciated!
  Thanks!
  P.S.
  Has anyone else who visits the site been experiencing this?

  If Neopets requires Adobe Flash Player, always navigate on your own to Adobe's website and download the installer from them, and never from within someone else's website including this one. Fortunately, thousands of Apple Support Communities participants are here to rapidly respond to anyone's malicious intent.
  Adobe's website is as follows, which you will be able to see for yourself exactly as it appears, in your browser's URL field:
  https://get.adobe.com/flashplayer/
  Ignore unexpected popups or solicitations to update Flash Player; they can direct you to fraudulent sites that will attempt to convince you to install malicious software, or to reveal personal information such as your Apple ID credentials.
  Or is this something on Neopets end?
  That is another possibility, as are other potential causes, but the malicious router hacking I described is a serious concern and must be ruled out at your earliest opportunity.