Underhand Trojan Removal

Discussion in 'Mac Basics and Help' started by Stolid, May 2, 2005.

  1. macrumors regular

    Stolid

    Joined:
    Jan 29, 2004
    Location:
    Norfolk, VA, USA
    #1
    I've got a friend who's contracted the Underhand trojan and we're trying to remove it.
    All we've been able to find is basically this URL:
    http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

    According to Norton, files like Sym.Unix.Mk9gHPpwcD (Sym.Unix.*) are infected -- unfortunately none of my UNIX or OS X books reference Sym.Unix.XXXX, nor does any googling provide information. I'm guessing, based on the name, these are probably paging files, but I'd like confirmation.

    His startup list is as follows:
    LaunchBar
    iCalAlarmScheduler
    SetiChatStatus
    x-Tunes Daemon
    SpeechSynthesisServer
    SymSecondaryLaunch
    Palm Desktop Background
    Transport Monitor
    iTunes Helper

    Unfortunately I don't have a stock list to compare it against, so if anyone here can identify any of these as unusual, that'd help. He does have a Palm.

    Any help would be vastly appreciated,
    Thanks in advance,
    Stolid
     
  2. Wes
    macrumors 68020

    Wes

    Joined:
    Jun 22, 2001
    Location:
    London
    #2
    Here are the start-up items I have:

    StuffitAVRDaemon
    YouControlEngine
    ATI Monitor
    MultiuserManager
    iScrobbler
    iTunesHelper
    GrowlHelperApp
    SmartReporter
    Quicksilver
    LCCDaemon

    These look suspicious:
    SpeechSynthesisServer
    SymSecondaryLaunch
    Transport Monitor
     
  3. macrumors Penryn

    rdowns

    Joined:
    Jul 11, 2003
    #3
    Transport Monitor is installed by Palm. SpeechSynthesisServer is an Apple item, I have it. No idea what SymSecondaryLaunch is but would guess it's a Symantec item.
     
  4. Wes
    macrumors 68020

    Wes

    Joined:
    Jun 22, 2001
    Location:
    London
    #4
  5. macrumors 68000

    FadeToBlack

    Joined:
    Apr 27, 2005
    Location:
    Accoville, WV
    #5
    I thought that OS X was safe from stuff like this?
     
  6. macrumors 68000

    Joined:
    Jun 13, 2004
    Location:
    afk
    #6
  7. macrumors 65816

    dukeblue91

    Joined:
    Oct 7, 2004
    Location:
    Raleigh, NC
    #7
    SymSecondaryLaunch is from a Norton product.
    The only one that sticks out is xTunes, as Google only brings up Linux stuff.
    Everything else looks normal.
    Did you try to follow the removal instructions from Cowfight?
     
  8. macrumors 6502

    Joined:
    May 20, 2004
    #8
    Underhand Trojan removal?

    I don't think we're talking about the same thing.
     
  9. macrumors member

    Joined:
    Jul 7, 2004
    Location:
    Guernsey, Channel Islands
    #9
    Hi,

    I was wondering if you had an answer to what the Underhand 05a thing is? Is it a virus? I'm relatively new to computers and have just noticed a window on my PowerBook that I can't get rid of, a blue window titled 'Underhand 05a'. Did you find out what it is and what to do about it?

    I'd be very grateful for any answers.

    cheers.
     
  10. Wes
    macrumors 68020

    Wes

    Joined:
    Jun 22, 2001
    Location:
    London
  11. macrumors 68040

    trainguy77

    Joined:
    Nov 13, 2003
  12. macrumors member

    Joined:
    Jul 7, 2004
    Location:
    Guernsey, Channel Islands
    #12
    cheers wes...

    Thanks Wes, yeah, I just followed those instructions and have got rid of the 'underhand 05a' window. But I'm a bit worried: does my Mac now have a virus? The thing is, I have to use my PB at work and network it with the ones there; will it screw anything up?
    Do you know what the file is, and what it does?

    Thanks again. beet
     
  13. macrumors Core

    Joined:
    Jan 6, 2004
    #13
    No, this is a Trojan, meaning it's something you downloaded or put on your system knowingly that then harmed your system. Viruses are self-replicating; this is not. Viruses usually get into the system without you knowing.

    I could be wrong, but I believe this is the fine distinction between the two.
     
  14. Wes
    macrumors 68020

    Wes

    Joined:
    Jun 22, 2001
    Location:
    London
    #14
    You don't have a virus. Your files are safe, just continue your normal back-up procedure and be more wary of foreign files in the future, like you would with any other computer.
     
  15. macrumors 68040

    trainguy77

    Joined:
    Nov 13, 2003
    #15
    Good to hear!
     
  16. Wes
    macrumors 68020

    Wes

    Joined:
    Jun 22, 2001
    Location:
    London
  17. macrumors member

    Joined:
    Jul 7, 2004
    Location:
    Guernsey, Channel Islands
    #17
    reassured, however still a bit apprehensive

    Cool, thanks for the knowledge. A couple more questions:

    Should I get any software to make sure my system is OK (i.e. zebra) and check the trojan isn't anywhere on my system? If so, can you recommend anything?
     
  18. macrumors member

    Joined:
    Jul 7, 2004
    Location:
    Guernsey, Channel Islands
    #18

    Just to show I'm trying to be proactive and not just relying on other people's info, I checked on VersionTracker for free trojan detectors etc. Now that I followed the instructions on the Cowfight site, and the trojan window no longer shows up: what if one of the trojan detectors finds affected media files etc...?
     
