A unique problem... virus?

Discussion in 'Mac Basics and Help' started by jwillich, Feb 12, 2010.

  1. jwillich macrumors newbie

    Joined:
    Feb 12, 2010
    #1
    So an interesting thing happened to me today on my MacBook Pro running Snow Leopard. I was on Safari (Yahoo! Finance, nothing sketchy) and suddenly heard an acoustic guitar sound coming from my computer. I thought, well that's strange, so I closed Safari, and iTunes, and then every other application possible. And although nothing was shown to be running in the Force Quit dialog box except for Finder, there was an endless 15-20 second acoustic guitar loop running on my computer. It was nothing I had ever heard, and I do not have a file similar to it in my iTunes or GarageBand libraries. I sat in awe for at least 10 mins, but simply could not figure out where this audio loop was coming from.

    But that's not all. Maybe 20 minutes in, several notification boxes started popping up saying various fonts were being modified, and one alerting me that a crucial font to the Mac notifications was being disabled, although neither Safari or any program was open that could be doing this. Very confused, I did some quick searches online and found nothing that could explain this phenomenon. I found a free McAfee virus scan for macs, which shortly found a few files that said it was denied access to scan. These were: .fseventsd, .hotfile, .spotlight-V100, and sparkle.framework. As the scan was going, and random fonts were being "modified," my computer froze up and Finder became unresponsive. Meanwhile, this phantom, sourceless guitar music continued to play. So I did a hard reboot holding down the power button, and when it came back on everything seemed fine. These flagged files normally wouldn't have concerned me as I know they might be protected system files, but when I scanned again after the reboot, they were no longer flagged. So at this point i'm fairly concerned; hack or virus...?

    Long story short, I took it into the local Apple store where about 6 employees were perplexed and had never heard of anything like this happening before. They found that all but 5 of my fonts had been deleted, and so reinstalled Snow Leopard to restore the fonts. I don't use any P2P software and have never downloaded torrents, this all randomly started happening while I was reading a finance article. It happened while I was on a wireless network here at my college dorm.

    Sorry for the novel, but any ideas? or similar stories?
     
  2. TuffLuffJimmy macrumors G3

    TuffLuffJimmy

    Joined:
    Apr 6, 2007
    Location:
    Portland, OR
  3. GGJstudios macrumors Westmere

    GGJstudios

    Joined:
    May 16, 2008
    #3
    There are no viruses that run on current Mac OS X systems. There are trojans, but you would have to install one of those yourself, which usually involves entering your admin password, so you should remember if you've done that. 99.9% of the time, these things turn out to be an app you have installed or some customization or setting you've changed on your system.
     
  4. Gregg2 macrumors 603

    Joined:
    May 22, 2008
    Location:
    Milwaukee, WI
    #4
    Hiccup? Hasn't happened again?

    It does sound like a prank. Did someone else mess with it?
     
  5. jwillich thread starter macrumors newbie

    Joined:
    Feb 12, 2010
    #5
    GGJstudios: I'm not in the habit of installing trojans and I have no 3rd party apps that could have caused this. And I'm fairly sure there's no system preference I could've checked which says "Please start playing an audio loop which does not exist on this computer while simultaneously deleting all fonts next Thursday."

    I could see corrupt font files doing this by themselves, but combined with the strange audio loop, even everyone at the Apple store found it entirely unexplainable and admitted it was more than a hiccup. I don't see how it could be a prank--no one uses this computer but myself, and I'm positive no one's messed with it, at least not physically.
     
  6. MWPULSE macrumors 6502a

    MWPULSE

    Joined:
    Dec 27, 2008
    Location:
    London
    #6
    Have you... Tried creating a new user account n seeing if there's any semblance of this phenomena going on when you use that account?

    Also you mentioned your virus scan picking up some files. Fsevents and spotlight.v100 are both part of the system if I remember rightly. There shouldn't be anything wrong with those. They are in system>library though if you wanna check ;)

    I suppose you did the obvious thing n checked activity monitor for anything strange?

    Do you have sharing/vnc locked down. That's sometimes a weak backdoor when people are having issues. :)

    Hope that helps.
    PTP
     
  7. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
  8. Tumbleweed666 macrumors 68000

    Joined:
    Mar 20, 2009
    Location:
    Near London, UK.
    #8
    That was my thought, it always seems to be one of those when music is playing and no one knows why.
     
  9. jwillich thread starter macrumors newbie

    Joined:
    Feb 12, 2010
    #9
    Just checked and I don't have any widgets that play any kind of audio loop.

    I know .fseventsd and spotlightv100 are system files, but I thought it was interesting that they appeared locked down while this music was going on and my fonts were each being modified, while later they did not interrupt the scan, which made me wonder if they could have been infected. I also do not see how the fonts could be deleted without prompting for an admin password? Because I never enabled anything or any 3rd party apps while this was going on.
     
  10. benjamin747 macrumors member

    Joined:
    Apr 16, 2009
    #10
    Ah.

    Well a trojan can disguise themselves to be anything even to a Keychain password popping up in safari. Then once you type in your admin password it has power to delete... anything!

    Sounds like a prank to me. VNC or a remote connection...
     
  11. Tumbleweed666 macrumors 68000

    Joined:
    Mar 20, 2009
    Location:
    Near London, UK.
    #11
    Well most people aren't, that's why they are called Trojans, because they are hidden and people think they are installing something else :)

    Have you installed or updated anything recently ?

    One thing you can be sure of, its not a virus, because if it was you'd be (a) the only person in the world with a Mac virus, and (2) not only that but its such a specific virus it only infected your Mac out of all the millions there are.

    Otherwise, if not a trojan, its a prank, or something you triggered without realizing (changing permissions?), or a bug to do with a recent update that only affected you (pretty unlikely if its only you).
     
  12. senseless macrumors 68000

    senseless

    Joined:
    Apr 23, 2008
    Location:
    Pennsylvania, USA
    #12
    I got snagged by the former NYT "virus scan" Safari hijack last night. By reflex, I hit "cancel" when the supposed scan started and Safari was completely taken over. The only way to quit was to Force Quit. If this can be accomplished, what other malicious things can happen?

    I immediately restored from Time Machine, since I couldn't find out if damage was done or not.
     
  13. CylonGlitch macrumors 68030

    CylonGlitch

    Joined:
    Jul 7, 2009
    Location:
    SoCal
    #13
    1. Make sure you are using a USER account not an Admin account.
    2. Verify that your external services are turned off. Don't be sharing your entire system with whoever else is on your wireless network. A few weeks ago I was in a hotel and at night there were dozens of Windows and Mac machines that I could browse, often with their ENTIRE HARD DRIVES SHARED!
    3. If at all possible, always download and install from the developers website.

    Good luck.
     
  14. BlueRevolution macrumors 603

    BlueRevolution

    Joined:
    Jul 26, 2004
    Location:
    Montreal, QC
    #14
    That's your cue to leave a polite but terrifying note on their desktop. Or, if you can get shell access, have some fun with the say command. :cool:
     
  15. Tumbleweed666 macrumors 68000

    Joined:
    Mar 20, 2009
    Location:
    Near London, UK.
    #15
    Nothing

    None was.
     
  16. ARF900 macrumors 65816

    ARF900

    Joined:
    Oct 30, 2009
    #16
    Oh yeah, how bout running some sappy love song out of nowhere?
     
  17. senseless macrumors 68000

    senseless

    Joined:
    Apr 23, 2008
    Location:
    Pennsylvania, USA
    #17
    Anyway, it's good to know that my Time Machine backup works. I couldn't get a definite answer on whether or not there was a threat. Some said no, some said maybe.


     

Share This Page