Underhand Trojan Removal




Stolid
May 2, 2005, 02:27 AM
I've got a friend who's contracted the Underhand trojan and we're trying to remove it.
All we've been able to find is basically this URL:
http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

According to Norton files like Sym.Unix.Mk9gHPpwcD (Sym.Unix.*) are infected -- unfortunately none of my UNIX or OS X books reference Sym.Unix.XXXX nor does any googling provide information. I'm guessing, based on the name, these are probably paging files but I'd like confirmation.

His startup list is as follows:
LaunchBar
iCalAlarmScheduler
SetiChatStatus
x-Tunes Daemon
SpeechSynthesisServer
SymSecondaryLaunch
Palm Desktop Background
Transport Monitor
iTunes Helper

Unfortunately I don't have a stock list to compare it against; so if anyone here can identify any of these as unusual that'd help. He does have a Palm.

Any help would be vastly appreciated,
Thanks in advance,
Stolid



Wes
May 2, 2005, 04:08 AM
Here are the start-up items I have:

StuffitAVRDaemon
YouControlEngine
ATI Monitor
MultiuserManager
iScrobbler
iTunesHelper
GrowlHelperApp
SmartReporter
Quicksilver
LCCDaemon

These look suspicious:
SpeechSynthesisServer
SymSecondaryLaunch
Transport Monitor

rdowns
May 2, 2005, 04:50 AM
These look suspicious:
SpeechSynthesisServer
SymSecondaryLaunch
Transport Monitor

Transport Monitor is installed by Palm. SpeechSynthesisServer is an Apple item, I have it. No idea what SymSecondaryLaunch is but would guess it's a Symantec item.

Wes
May 2, 2005, 05:31 AM
It may not be a normal startup item. Close all programs and then use Activity Monitor and compare with this:

http://64.233.183.104/search?q=cache:H7GRmRCorAwJ:www.westwind.com/reference/OS-X/background-processes.html+&hl=en&client=safari

FadeToBlack
May 2, 2005, 05:50 AM
I thought that OS X was safe from stuff like this?

angelneo
May 2, 2005, 06:23 AM
I think this came up some time ago.

I believe these are the people who have too much free time.
http://www.cowfight.com/cf4/underhand/

dukeblue91
May 2, 2005, 06:37 AM
SymSecondaryLaunch is from a Norton product.
The only one that sticks out is xTunes, as Google only brings up Linux stuff.
Everything else looks normal.
Did you try to follow the removal instructions from Cowfight?

apple2991
May 2, 2005, 09:04 AM
Underhand Trojan removal?

I don't think we're talking about the same thing.

BEET
May 22, 2005, 01:02 PM
Underhand Trojan removal?

I don't think we're talking about the same thing.




Hi,

I was wondering if you had an answer to what the underhand 05a thing is? Is it a virus? I'm relatively new to computers and have just noticed a window on my PowerBook that I can't get rid of, a blue window titled 'Underhand 05a'. Did you find out what it is and what to do about it?

I'd be very grateful for any answers.

cheers.

Wes
May 22, 2005, 01:18 PM
http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

Give that a read, it should help you in removing it.

trainguy77
May 22, 2005, 01:31 PM
So would this be the first virus for mac?

BEET
May 22, 2005, 01:34 PM
http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

Give that a read, it should help you in removing it.





Thanks Wes, yeah, I just followed those instructions and have got rid of the 'underhand 05a' window. But I'm a bit worried: does my Mac now have a virus? The thing is, I have to use my PB at work and network it with the ones there; will it screw anything up?
Do you know what the file is, and what it does?

Thanks again. beet

PlaceofDis
May 22, 2005, 01:35 PM
So would this be the first virus for mac?

NO, this is a Trojan, meaning it's something you downloaded or put on your system knowingly that then harmed your system. Viruses are self-replicating; this is not. Viruses usually get into the system without you knowing.

I could be wrong, but I believe this is the fine distinction between the two.

Wes
May 22, 2005, 01:36 PM
You don't have a virus. Your files are safe, just continue your normal back-up procedure and be more wary of foreign files in the future, like you would with any other computer.

trainguy77
May 22, 2005, 01:38 PM
NO, this is a Trojan, meaning it's something you downloaded or put on your system knowingly that then harmed your system. Viruses are self-replicating; this is not. Viruses usually get into the system without you knowing.

I could be wrong, but I believe this is the fine distinction between the two.

Good to hear!

Wes
May 22, 2005, 01:43 PM
Suggested further reading:

http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999041209131106

Windows-orientated but comprehensive.

BEET
May 22, 2005, 01:48 PM
Cool, thanks for the knowledge. A couple more questions:

Should I get any software to make sure my system is OK (i.e. zebra) and check the trojan isn't anywhere on my system? If so, can you recommend anything?

BEET
May 22, 2005, 01:59 PM
Cool, thanks for the knowledge. A couple more questions:

Should I get any software to make sure my system is OK (i.e. zebra) and check the trojan isn't anywhere on my system? If so, can you recommend anything?

Just to show I'm trying to be proactive and not just relying on other people's info, I checked on VersionTracker for free trojan detectors etc. Now that I followed the instructions on the cowfight site, and the trojan window no longer shows up: what if one of the trojan detectors finds affected media files etc...?