Malware infection (screenshot)

hwojtek
Feb 24, 2013, 03:50 AM
When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least none that I can spot). The rest can be seen on the screenshot. I didn't download or run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app and removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.
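A read-only triage script for the pattern described in this post (an .app bundle tucked into a dot-directory under the home folder and started at login), added here as an example and not posted by anyone in the thread. It assumes a POSIX sh with find(1) and grep(1), and that per-user launch agents live under ~/Library/LaunchAgents; the sample layout in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Reports only; deletes nothing.
# Usage: sh triage.sh "$HOME"

# Print every *.app bundle that sits inside a hidden (dot) directory
# directly under the home folder given as $1, one path per line.
# Example hit (constructed): /Users/me/.Install/Something.app
hidden_app_bundles() {
    home="$1"
    find "$home" -mindepth 1 -maxdepth 1 -type d -name '.*' 2>/dev/null |
    while IFS= read -r dotdir; do
        # -prune stops find descending into the bundle once it is reported
        find "$dotdir" -type d -name '*.app' -prune -print 2>/dev/null
    done | sort
}

# Print per-user LaunchAgent plists whose program path points into a
# hidden directory of the home folder, i.e. contains "<home>/." literally.
# Other persistence spots (login items, /Library/LaunchAgents) are not
# covered here; this is the assumption the example makes.
launch_agents_pointing_at_hidden_dirs() {
    home="$1"
    for plist in "$home"/Library/LaunchAgents/*.plist; do
        [ -f "$plist" ] || continue
        if grep -qF -- "$home/." "$plist" 2>/dev/null; then
            printf '%s\n' "$plist"
        fi
    done
}

# Human-readable report for one home directory.
report() {
    home="$1"
    echo "== .app bundles inside hidden directories of $home =="
    hidden_app_bundles "$home"
    echo "== LaunchAgents referencing hidden directories of $home =="
    launch_agents_pointing_at_hidden_dirs "$home"
}

if [ $# -gt 0 ]; then
    report "$1"
fi
```

Anything the report lists is worth zipping for later analysis (as the OP did) and checking against the modification time the finding points to before it is removed.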



wrldwzrd89
Feb 24, 2013, 05:22 AM
I'm not sure what that is, but it sure is an interesting find. I suspect you're right about it being possibly malicious and not to trust it.

Drew017
Feb 24, 2013, 10:53 AM
When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least none that I can spot). The rest can be seen on the screenshot. I didn't download or run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app and removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.

It's probably not a virus… maybe just some malware or a program that was installed with another app.

Mac Virus/ Malware FAQ (http://guides.macrumors.com/Mac_Virus/Malware_FAQ)

GGJstudios
Feb 24, 2013, 04:21 PM
When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least none that I can spot). The rest can be seen on the screenshot. I didn't download or run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app and removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.
Have you installed any apps related to CableVision?

Registrant:
Cablevision Systems Corporation
1111 Stewart Avenue
Bethpage, NY 11714-3533
US

Domain Name: OPTONLINE.NET

It's not malware.... or "maleware"! :D

hwojtek
Feb 24, 2013, 04:34 PM
The only app I ran this evening was a trial of "PDF Protector", which I found redundant since I had bought Acrobat X Pro along with my Adobe CS. I then removed the program.
Point is, stuffing an app with a cryptic name into a hidden folder is just not fair. I would take this for granted if the app was documented and had a clear way of removing it. But if not for LittleSnitch, I wouldn't ever know I have a parasite on my computer.
And no, I do not have anything even remotely related to CableVision.

Drew017
Feb 24, 2013, 04:41 PM
It's not malware.... or "maleware"! :D

Fixed ;)

GGJstudios
Feb 24, 2013, 04:45 PM
The only app I ran this evening was a trial of "PDF Protector", which I found redundant since I had bought Acrobat X Pro along with my Adobe CS. I then removed the program.
Point is, stuffing an app with a cryptic name into a hidden folder is just not fair. I would take this for granted if the app was documented and had a clear way of removing it. But if not for LittleSnitch, I wouldn't ever know I have a parasite on my computer.
And no, I do not have anything even remotely related to CableVision.
It's possible the app was bundled with another app you installed, as that happens frequently. Yes, I agree they should let you know what you're installing, but the simple solution is to simply delete anything associated with that app. The most effective method for complete app removal is manual deletion:
Best way to FULLY DELETE a program (http://forums.macrumors.com/showpost.php?p=11171082&postcount=16)

You may want to change your thread title to something more descriptive, since this obviously isn't a virus. There has never been a Mac OS X virus in the wild, and only a handful of trojans, which are easily avoided by practicing safe computing. See the link that Drew017 posted for more details.

To edit your thread title, click the "Edit" button on your original post, then click "Go Advanced" and you will see where to edit the thread title.

Peace
Feb 24, 2013, 04:47 PM
Are you sure 69.118.252.2 isn't your router?

hwojtek
Feb 26, 2013, 06:04 AM
Are you sure 69.118.252.2 isn't your router?

No, as LittleSnitch resolved it properly: this is ool-4576fc02.dyn.optonline.net, a network that is as much on the "other side of the planet" as it gets, at least from my standpoint ;)

And yes, I have removed it properly, I am quite proficient in terminal and grep ;)

madmin
Feb 26, 2013, 09:08 AM
Hi, sorry to hear about this. It would help to know a bit more...

Where did you install PDF Protector from?

Do you have Gatekeeper and XProtect enabled?

Is Java disabled in your browser? Which one do you use?

thanks for posting

hwojtek
Feb 26, 2013, 11:59 AM
I seriously have no idea where from… I clean my downloads quite regularly; maybe a peek into my browser history would help, but I am not at this computer ATM.
Gatekeeper - no.
XProtect - yes.
Java - disabled.
Flash - mostly disabled, I run Click2Plugin.
Safari - most recent, so 6.0.2, I believe.