Trojan .exe and zip.000 showing up in /private/tmp and private/var/folders
I continually have .exe files and zip.000 files showing up inside two folders on my iMac. My antivirus software (Trend Micro Smart Surfing for Mac) finds and quarantines them daily. Usually it is about six a day. Today it found 18 or so. I am not worried about them themselves since they are a Windows problem, but I can't seem to figure out where they are coming from. Is there a way to track these folders and find what is placing these files in there? Thanks for any help!
OSX Lion 10.7.4
Well, it's running somewhere on your Mac, see if any clues here...
http://www.intego.com/mac-security-blog/
http://www.zdnet.com/cross-platform-trojan-checks-your-os-attacks-windows-mac-linux-7000000656/
Disable Java in your Browser settings, not JavaScript.
http://support.apple.com/kb/HT5241?viewlocale=en_US
http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
Flashback - Detect and remove the uprising Mac OS X Trojan...
http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
/Library/Little Snitch
/Developer/Applications/Xcode.app/Contents/MacOS/Xcode
/Applications/VirusBarrier X6.app
/Applications/iAntiVirus/iAntiVirus.app
/Applications/avast!.app
/Applications/ClamXav.app
/Applications/HTTPScoop.app
/Applications/Packet Peeper.app
If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site
More bad news...
https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link
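The question above asks how to find what is placing the files. As an added example (not part of the original thread), this read-only sh script inventories `*.exe` and `*.zip.000` files under the two folders named in the question, with modification time and owning uid, so arrivals can be matched to an account and a time of day. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: read-only inventory of *.exe and *.zip.000 files.
# Function names are hypothetical; nothing is deleted or modified.

# Pick the stat syntax: GNU (Linux) uses -c, BSD (macOS) uses -f.
if stat -c '%u' / >/dev/null 2>&1; then
    stat_fmt() { stat -c '%Y %u %s %n' "$1"; }
else
    stat_fmt() { stat -f '%m %u %z %N' "$1"; }
fi

# list_drops DIR...
# Prints "mtime_epoch uid size path" for every match, oldest first.
# Directories that do not exist are skipped silently.
list_drops() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -iname '*.exe' -o -iname '*.zip.000' \) 2>/dev/null |
        while IFS= read -r f; do
            stat_fmt "$f" 2>/dev/null
        done
    done | sort -n
}

# count_by_uid DIR...
# Prints "count uid" per owning uid, largest count first. Folders under
# /private/var/folders are per-user, so the uid points at the account
# whose process wrote the file.
count_by_uid() {
    list_drops "$@" |
        awk '{ n[$2]++ } END { for (u in n) print n[u], u }' |
        sort -rn
}

# newest_drop DIR...
# Prints the path of the most recently modified match.
newest_drop() {
    list_drops "$@" | tail -n 1 | cut -d' ' -f4-
}

# Default to the two folders from the question when run without arguments.
[ "$#" -gt 0 ] || set -- /private/tmp /private/var/folders
count_by_uid "$@"
list_drops "$@"
```

Run it with sudo to see other accounts' directories under /private/var/folders. The epoch timestamps can be compared with the times in the antivirus quarantine log.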
Similar Messages
-
I am getting the following error message when I try to import photos into iPhoto from my camera: "/private/var/folders/GB/GBl4wh8-ELqUVMI5dO-ryU TI/-Tmp-/iPhoto/DSCF2033.JPG". Have already tried removing and reinstalling iPhoto to no avail.
Does this happen if you try to Import to Library within iPhoto, or is it when you connect your camera (and which is set to automatically use iPhoto) that this error message occurs?
If you open Image Capture > Preferences is iPhoto selected as the choice when a camera is connected? -
What is the difference between SAPinst_SP_WAS640.exe and WebAS640SP9.zip
Does the SAPinst_SP_WAS640.exe include MaxDB, and what is the latest version and file size?
Hello
Check if following links help:
[1.|http://www.symantec.com/connect/articles/understanding-difference-between-exe-and-msi]
[2.|http://social.msdn.microsoft.com/forums/en-US/winformssetup/thread/89699824-706e-44ea-9578-8866e6dfd058/]
Thanks
Saurabh -
Memory leak in oracle.exe and mds.exe
We are facing a memory leak in our MDM server. Our environment details
are as follows;
MDM 5.5 SP5 ( Build 5.5.41.70)
Oracle 10.2 patch 2
windows server 2003 SP1
XI 7.0 SP 9
If server is running continuously 3-4 days then Nonpaged memory is
getting exhausted and server does not respond. Now we have to restart the
windows server manually.
If we see the task manager it shows more than 200,000 handles for
oracle.exe and more than 100,000 handles for mds.exe.
1: Oracle.exe -- more than 200000 handles ( Approx >5000 is problem)
2: Mds.exe -- more than 100000 handles ( Approx >5000 is problem)
Since these applications are not releasing the handles properly so all
nonpaged memory gets exhausted and server stops responding.
If we restart the mdm server, database and OracleserviceMDMD, then
nonpaged memory is released. But some times even if we restart these
services, we do not get nonpaged memory released. So we have to restart
the windows server.
please help me if anyone else have faced the same problem.
regards
Saurabh
Closing as question is answered in MDM forum.
-
Virus? Duplicate csrss.exe and winlogon.exe files outside Windows/System32
Hi,
My computer has been running extremely slowly while performing normal tasks (i.e. web browsing, typing).
I found a second copy of 'csrss.exe', which as I understand is frequently a trojan. The copy is located in the following file path:
C:\Windows\winsxs\x86_microsoft-windows-csrss_31bf3856ad364e35_6.1.7600.16385_none_58ba39fb456943bd
I also found two extra copies of 'winlogon.exe', at the following paths, as well as in Windows\System32:
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7600.16385_none_6f99573a36451166
C:\Windows\winsxs\x86_microsoft-windows-winlogon_31bf3856ad364e35_6.1.7601.17514_none_71ca6b0233339500
I ran the Norton antivirus scan, the Norton Power Eraser, a few csrss.exe-targeted scans, and spyware search & destroy, none of which detected a virus. I tried moving/renaming the file, but this is denied by the system.
I used Windows Process Explorer, and the first time, both csrss.exe & winlogon.exe were verified as system processes. This time I ran and the processes have no info (Version: n/a; Build Time: n/a; Path: [Error opening process]).
I'm running Windows 7 Professional on a local domain.
Thanks in advance for your advice.
SOF
The second copy is a backup and in that location probably normal. I doubt malware is the cause of your system running slow; more likely system corruption.
Please provide us with your Event Viewer administrative logs by following these steps:
Click Start Menu
Type eventvwr into Search programs and files (do not hit enter)
Right click eventvwr.exe and click Run as administrator
Expand Custom Views
Click Administrative Events
Right click Administrative Events
Save all Events in Custom View As...
Save them in a folder where you will remember which folder and save as Errors.evtx
Go to where you saved Errors.evtx
Right click Errors.evtx -> send to -> compressed (zipped) folder
Upload the .zip file to Onedrive or a file sharing service and put a link to it in your next post
If you have updated to win 8.1 and you get the error message "the system cannot find the file specified" it is a known problem. The
workaround is to edit the registry. If you are not comfortable doing this DON'T. If you are, back up the key before you do
Press Win+"R" and input regedit
Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels. Delete "Microsoft-Windows-DxpTaskRingtone/Analytic"
Wanikiya and Dyami--Team Zigzag -
Pre Build EXE and Installer Set Version
So this topic comes up relatively often so I thought I'd make a new thread showing an example of how to make it work. The problem is developers want a way to set the version of builds programmatically. Luckily NI added some VIs for doing this. Too bad you can't invoke them from the Pre-Build action of a build, because that information is read before the pre-build. Here is an idea exchange discussing it.
But I figured I could come up with some kind of workaround and I have two, and neither is perfect. Attached is a simple project. It contains a VI that runs reading the EXE version that it is running from once it is in an EXE. The project has three build specifications, an EXE, and two installers. The developer can set the Major, Minor, and Fix of the EXE, but the build version is set programmatically in the Pre-Build action. The version of the installers will also be set to the version of the EXE.
Attempt to build the EXE and a dialog will appear asking to enter the build version that should be used. This could be determined some other way but this was the easiest for the demo. If the EXE, and the Installers are already the correct version, where the build is the same as the one specified, and the installers are the same version as the EXE, then the build goes on like normal. But if the build you enter is not the same as the current, it will abort the current build, change the versions, and then tell the operator to attempt to build again. This time no prompt is seen and the build will work like normal with the version you set earlier.
The downside to this method is you have to tell the developer to build again, I figured I could do that programmatically so I tried. There is a constant on the BD of Prebuild Action VI.vi, and if it is set to True it will try to invoke a new build on its own. The problem with this method is the build the user invoked is aborted and the user sees the error. But the second build might have worked fine, but there isn't any feedback.
In any case this is a sorta working way of setting EXE and Installer build versions from a pre-build VI.
Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
If 10 out of 10 experts in any field say something is bad, you should probably take their opinion seriously.
Attachments:
Test EXE Version.zip 80 KB
Bob_Schor wrote:
I took your idea and "simplified" it a little
Some may want the simplified version I understand. But for me I wanted a more robust VI, one that would work if a project had multiple build specifications of applications, or multiple installers. Some developers may have two applications one that is normal, and another with debugging turned on and I wanted the versioning to work consistently there by grabbing the newest version and using it. And in all my cases, if there is an installer it should be the same version as the EXE.
As for getting around the error, I think if I had enough time I could dig into the NI VIs to get rid of the error and show the progress of the new build. The whole build process is a bunch of VIs that augment the right click menus in the project, so the source is there; it is just taking time to understand it.
Unofficial Forum Rules and Guidelines - Hooovahh - LabVIEW Overlord
If 10 out of 10 experts in any field say something is bad, you should probably take their opinion seriously. -
When I start Firefox, I get this message ( The instruction at "0x7b9c77a9" referenced memory at "0x7b9c77a9". The memory could not be "read" ). Has anyone any idea why? I have scanned with AVG and something simply called 'Trojan Remover' and they both find nothing.... any advice would be greatly welcomed.. thanks
== This happened ==
Every time Firefox opened
== this morning 22/07/10
Lyall,
I have seen this before, a long time ago (several years), and I cannot
remember how/if we resolved it.
If this is an important issue to you, I suggest that you open a case with
BEA support.
Regards,
Peter.
Got a Question? Ask BEA at http://askbea.bea.com
The views expressed in this posting are solely those of the author, and BEA
Systems, Inc. does not endorse any of these views.
BEA Systems, Inc. is not responsible for the accuracy or completeness of
the
information provided
and assumes no duty to correct, expand upon, delete or update any of the
information contained in this posting.
Lyall Pearce wrote:
The title says it all really.
I see other posts getting replies.
This is a rather important issue, I have seen another post with a similar problem.
While not being a show-stopper it certainly raises concerns.
The application works ok until the application exits (in both development and
executable form)
Apparently this did not happen with Tux 7.1
It does with 8, I do not have 7.1 so I have no workaround.
..Lyall -
I can't uninstall my iTunes off my computer, I have followed instructions and I still have errors, including error 2330 and redundance cyclic. The only software I have left is itunes.exe and file es.lproj which is located in the ituneshelpresources folder. I recently installed a second hard drive and that let me uninstall everything. I just want to get iTunes off my computer and reinstall iTunes, I have deleted everything I can and I ran "chkdsk", this did nothing. I would have just updated the old iTunes to the newest version but it didn't let me do that. Installing/uninstalling or deleting just lets me get half way and shows me these errors. Please help, thank you.
JPHowarth
the only software i have left is itunes.exe and file es.lproj which is located in the ituneshelpresources folder.
If the chkdsk isn't fixing the damage, and those are the only iTunes that can't be deleted, try renaming the "iTunes" folder that they are contained in (in your Program files) to iTunesOLD.
Now try another install. Does it go through without the 2330 this time? -
Where can I download certutil.exe and the NSS Utils for Windows
I know many people struggle to find Certutil.exe and the rest of the NSS Utils so I have compiled version 3.14.2, using the same method I previously posted here https://support.mozilla.org/en-US/questions/687296 but this time with Visual C++ 2010 (x86)
YOU WILL NEED VISUAL C++ 2010 REDISTRIBUTABLE INSTALLED to run these executables.
The zip file can be downloaded from ....
(Link to file removed)
Hope this helps
When you compile certutil there should be a whole raft of other exe and all the dll files you need. The dll files need to be either in c:\windows\system32 or in the same folder as certutil.exe.
Hope this helps. -
Links to exe and back to menu builder not working
I have read through all of the messages in the Forum and have
seen similar questions on this topic but no actual answers for this
precise situation. I apologize if I've just missed it. I'm fairly
new to Captivate and am using version 2. I am building a project
that will have 15 - 20 standalone .exe files.
This client is one of the very few that does not have
Flash Player and will not due to security reasons. We will publish
and play from a DVD/CD.
The problem -
I need to have a course menu to link to each exe and then
link back from each exe to the main menu.
I have built a sample menu builder and exported it as an exe.
The links to the other files from this main menu work; however, I
cannot get the links in the separate exe files to access the main
menu exe (i.e. menu builder file). I either get a blank browser
window or other url window, or nothing happens and the screen just
stays there. The same thing will happen if I'm using the menu in
the skins feature.
I have ensured that all my files are in the same folder. I
have variations on the link, such as "relative" links as suggested
(i.e., removing path information and including only the file name).
I'm not sure Captivate Player will help because it sounds
like that is more for Web applications.
Please help!
Thanks
lahkab
Hi Don
Sure thing. The weird part of this is that it will require
using both MenuBuilder and Captivate to accomplish it. As you have
seen, Captivate likes to open things by feeding into HTTP. So
often, you wish to open a Word Document or a .PDF and you see a
browser open. The bizarre part of all this, is that if you look at
the address bar of the browser that opens, the path and filename
are correct! You click there and press Enter and by golly it loads
up. Go figure.
So here goes.
1. Note the exact file name you wish to open. Perhaps
"Menu.EXE".
2. Open MenuBuilder and create a new totally blank project.
3. Set your width and height by clicking Options > Project
Options. I think the smallest you can go is 320 wide and 200 high.
4. Click Insert > Clickbox.
5. For the link part, just type "Menu.EXE" (or whatever you
noted in step 1) Note that you should not enter any path. JUST the
file name. You might also click to place a check mark in the "Save
file with project" check box, just to be on the safe side.
6. Export the project as a Flash SWF.
7. Close MenuBuilder and open your Captivate project.
8. Edit the slide where your user will click to open the .EXE
and click Insert > Animation...
9. Insert the .SWF you created using MenuBuilder. Position it
over where you wish your user to click.
10. Publish your Captivate and test the link.
In case it will help, I've got a zip containing all the files
so you can see them in action (I included the source). No cloak and
dagger with this next part, just conserving bandwidth, as I'm
limited with this service and I don't wish everyone and their
brother to use it all up just looking to see. Shoot me an E-Mail
message to captiv8r (at) kc (dot) rr (dot) com and I'll send you a
link to download the files for you to play with.
Hopefully something here is helpful... Rick -
What is Firefox Setup 3.6.10(2).exe and is it necessary?
What is the function of Firefox Setup 3.6.10(2).exe and is it necessary?
When I logged into Windows Live Hotmail today, I received a message to upgrade my Firefox browser by installing this programme. I am unable to find out any information about it on the Mozilla website.
I have downloaded the file, but am hesitant about installing it until I know more about it.
Your above posted system details show outdated plugin(s) with known security and stability risks.
*Next Generation Java Plug-in 1.6.0_16 for Mozilla browsers
Update the [[Java]] plugin to the latest version.
*http://java.sun.com/javase/downloads/index.jsp (Java Platform: Download JRE) -
Why can't I download .exe and .reg files?
Hi! I hope you can help me in my computer problem. I have trouble downloading .exe and .reg files. I'm not sure but it must have been for some weeks now that I had this problem. When I download these files, the Downloads Window of Firefox will appear, but will show that the download is "cancelled." I click the retry button and it starts to download, but after the download completes, the file doesn't appear on the designated Download folder. I tried searching for it in the desktop it but it still doesn't show. What can I do to fix this problem? Thanks in advance for all the help! :)
As indicated you can right click 'alarm clock 1' on http://www.pacdv.com/sounds/domestic_sounds.html to download it.
I must admit that this is silly especially if you have already gone to the full link and listened to the file. In this case it will have already been downloaded but finding it is tedious - I suspect it is only in RAM - not one of Safari's good points!
I hope this helps. -
Hi,
I'm getting the blank screen in my itunes store. I followed the help script here Can't connect to the iTunes Store - Apple Support and downloaded the autoruns.exe but it just shows my comp has Bonjour (which is apple). But now what? How do I fix the blank screen?
Thanks!
Hello there, livviboobear.
It sounds like your error message is in regards to having installed an older version of iTunes on your computer. The following Knowledge Base article offers up the step-by-step on how to properly uninstall iTunes:
Removing and reinstalling iTunes and other software components for Windows Vista, Windows 7, or Windows 8
http://support.apple.com/kb/HT1923
Once uninstalled, follow the link in the article to get to the most current version of the iTunes installer.
In regards to the screen on your phone, this article explains how to resolve it:
If you can't update or restore your iOS device
http://support.apple.com/kb/HT1808
Thanks for reaching out to Apple Support Communities.
Cheers,
Pedro. -
Oradba.exe and ORA-12638
what is oradba.exe and what does it do?
it does not appear to be documented anywhere (on tahiti, it only shows up in an unrelated directory listing example).
i ran it with a healthy database, got errors about not being able to add a group and a user -- so I'm sure it's related to OS authentication and the ORA_DBA group
after running it (but not before) I was unable to connect to the database with any tools (other than the home page), getting ORA-12638 until i commented out SQLNET.AUTHENTICATION_SERVICES = (NTS) in sqlnet.ora
it's the bit that creates the ORA_DBA group on windows
-
I think I got these exe and pif files on my Mac after an unsuccessful installation of Windows. I don't exactly know where I got them.
Is it safe to delete all these files? Does my Mac need these files to run its operating system? There are over 48,000 exe and pif on my Mac. And I think they are taking up almost all my HD space.
So does it mean I can delete it? I'm afraid that it's like an important file because of its name. Some of it is:
yyxb.exe
yjgyym.exe
yyjovx.exe
yydc.exe
and thousands of it on my main folder and macintosh hd.
So is it safe to delete those exe?
How about those pif files?