Malware infection (screenshot) - MacRumors Forums
Old Feb 24, 2013, 03:50 AM   #1
hwojtek
macrumors 6502a
 
Join Date: Jan 2008
Location: A small rural village in western Poland
Malware infection (screenshot)

When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least not that I can spot them). The rest can be seen on the screenshot. I didn't download nor run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app, removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.
[Attachment: Screen Shot 2013-02-24 at 10.22.15 AM.PNG]
__________________
Wojtek
More Macs than I can count, really. Like 20 or so...

Last edited by hwojtek; Feb 26, 2013 at 06:05 AM.
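
A triage check for the situation described in this post, as an added example that is not part of the original thread: it lists application bundles that sit under a hidden directory of a home folder, and the per-user launch agents that reference a given path. The function names are made up for this example, and `~/Library/LaunchAgents` is only one autostart location; the post does not say which startup mechanism was used.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# find_hidden_apps [ROOT]
# Print every *.app bundle below ROOT (default: $HOME) whose path, relative
# to ROOT, has a component starting with a dot (e.g. ".Install/foo.app").
find_hidden_apps() {
    root=${1:-$HOME}
    root=${root%/}                       # tolerate a trailing slash
    # -prune stops find from descending into a bundle once it is reported.
    find "$root" -mindepth 1 -type d -name '*.app' -prune -print 2>/dev/null |
    while IFS= read -r app; do
        rel=${app#"$root"/}              # judge only the part below ROOT
        case "/$rel" in
            */.*) printf '%s\n' "$app" ;;
        esac
    done
}

# agents_referencing PATH [AGENT_DIR]
# Print launch agent plists that mention PATH as a fixed string.
# Assumption: AGENT_DIR defaults to ~/Library/LaunchAgents; other autostart
# mechanisms (login items, system-wide launch daemons) are not covered.
agents_referencing() {
    needle=$1
    dir=${2:-$HOME/Library/LaunchAgents}
    [ -d "$dir" ] || return 0
    grep -lF -- "$needle" "$dir"/*.plist 2>/dev/null || true
}

# Usage, typed in a terminal on the affected account:
#   find_hidden_apps "$HOME" | while IFS= read -r app; do
#       ls -ld "$app"                    # owner and modification time
#       agents_referencing "$app"        # what would start it at login
#   done
```

Archive each reported bundle before deleting it, as the poster did, so the binary stays available for analysis.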
Old Feb 24, 2013, 05:22 AM   #2
wrldwzrd89
macrumors G4
 
 
Join Date: Jun 2003
Location: Solon, OH
I'm not sure what that is, but it sure is an interesting find. I suspect you're right about it being possibly malicious and not to trust it.
__________________
iMac Intel (Rev H, 27"), 1TB HDD, 16GB RAM, 10.8.4
Old Feb 24, 2013, 10:53 AM   #3
Drew017
macrumors 65816
 
 
Join Date: May 2011
Location: Right beside you
Quote:
Originally Posted by hwojtek View Post
When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least not that I can spot them). The rest can be seen on the screenshot. I didn't download nor run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app, removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.
It's probably not a virus… maybe just some malware or a program that was installed with another app.

Mac Virus/ Malware FAQ
__________________
Who'll put on my shoes while I'm walking slowly down the hall of fame?
MacBook Air 13 inch (Mid 2013); Intel Core i5; 4GB RAM; OS X 10.9 Mavericks
Focusrite Scarlett 2i2

Last edited by Drew017; Feb 24, 2013 at 04:38 PM.
Old Feb 24, 2013, 04:21 PM   #4
GGJstudios
macrumors Westmere
 
Join Date: May 2008
Quote:
Originally Posted by hwojtek View Post
When I turned my computer on today, I noticed a strange activity at boot up. LittleSnitch has blocked an outgoing connection (see attachment).

The app has indeed been lurking in a hidden ".Install" folder in my home directory. It was installed a day ago at 10:56 pm (no trace of it in my logs, at least not that I can spot them). The rest can be seen on the screenshot. I didn't download nor run anything at the time (actually I was reading theatlantic.com). Any ideas?
I have now zipped this app, removed it from startup items (yes, it was run from there). If anyone is interested I can email the contents.
Have you installed any apps related to CableVision?

Quote:
Registrant:
Cablevision Systems Corporation
1111 Stewart Avenue
Bethpage, NY 11714-3533
US

Domain Name: OPTONLINE.NET
It's not malware.... or "maleware"!
Old Feb 24, 2013, 04:34 PM   #5
hwojtek
Thread Starter
macrumors 6502a
 
Join Date: Jan 2008
Location: A small rural village in western Poland
The only app I ran this evening was a trial of "PDF Protector" which I've found redundant regarding I bought the Acrobat X Pro along with my Adobe CS. I have then removed the program.
Point is, stuffing an app with a cryptic name into a hidden folder is just not fair. I would take this for granted if the app was documented and had a clear way of removing it. But if not LittleSnitch, I wouldn't ever know I have a parasite on my computer.
And no, I do not have anything even remotely related to CableVision.
Old Feb 24, 2013, 04:41 PM   #6
Drew017
macrumors 65816
 
 
Join Date: May 2011
Location: Right beside you
Quote:
Originally Posted by GGJstudios View Post
It's not malware.... or "maleware"!
Fixed
Old Feb 24, 2013, 04:45 PM   #7
GGJstudios
macrumors Westmere
 
Join Date: May 2008
Quote:
Originally Posted by hwojtek View Post
The only app I ran this evening was a trial of "PDF Protector" which I've found redundant regarding I bought the Acrobat X Pro along with my Adobe CS. I have then removed the program.
Point is, stuffing an app with a cryptic name into a hidden folder is just not fair. I would take this for granted if the app was documented and had a clear way of removing it. But if not LittleSnitch, I wouldn't ever know I have a parasite on my computer.
And no, I do not have anything even remotely related to CableVision.
It's possible the app was bundled with another app you installed, as that happens frequently. Yes, I agree they should let you know what you're installing, but the simple solution is to simply delete anything associated with that app. The most effective method for complete app removal is manual deletion:
Best way to FULLY DELETE a program
You may want to change your thread title to something more descriptive, since this obviously isn't a virus. There has never been a Mac OS X virus in the wild, and only a handful of trojans, which are easily avoided by practicing safe computing. See the link that Drew017 posted for more details.

To edit your thread title, click the "Edit" button on your original post, then click "Go Advanced" and you will see where to edit the thread title.
Old Feb 24, 2013, 04:47 PM   #8
Peace
macrumors P6
 
Join Date: Apr 2005
Location: Space--The ONLY Frontier
Are you sure 69.118.252.2 isn't your router ?
Old Feb 26, 2013, 06:04 AM   #9
hwojtek
Thread Starter
macrumors 6502a
 
Join Date: Jan 2008
Location: A small rural village in western Poland
Quote:
Originally Posted by Peace View Post
Are you sure 69.118.252.2 isn't your router ?
No, as LittleSnitch resolved it properly, this is ool-4576fc02.dyn.optonline.net - a network as on the "other side of the planet" as it gets, at least from my standpoint

And yes, I have removed it properly, I am quite proficient in terminal and grep
Old Feb 26, 2013, 09:08 AM   #10
madmin
macrumors member
 
Join Date: Jun 2012
Hi sorry to hear about this. It would help to know a bit more...

Where did you install PDF Protector from ?

Do you have Gatekeeper and XProtect enabled ?

Is Java disabled in your browser ? Which do you use ?

thanks for posting
Old Feb 26, 2013, 11:59 AM   #11
hwojtek
Thread Starter
macrumors 6502a
 
Join Date: Jan 2008
Location: A small rural village in western Poland
I seriously have no idea where from… I clean my downloads quite regularly, maybe a peek into my browser history would help, but I am not at this computer ATM.
Gatekeeper - no.
XProtect - yes.
Java - disabled.
Flash - mostly disabled, I run Click2Plugin.
Safari - most recent, so 6.0.2, I believe.
