Ok, I know it's not a virus but it is really weird. Whenever I open Safari it takes me to my homepage just like normal. I can go to any website except for macrumors. The only way I can get to macrumors is if I type in www.macrumors.com; if I just type macrumors or macrumors.com like I normally do, this will pop up and close down Safari. This only happens when I type in macrumors.


There are some trojans going around that redirect browsers to this site and launch popups to try and get you to buy phony A/V software. I've had to remove it from a few PCs at work, but wouldn't have expected it on a Mac. I guess that since it relies on Java/JavaScript it's possible for it to infect a Mac, because you got it somehow.

The only thing I can think of to check would be proxy settings, or default search settings. IE on the PC will redirect to a search engine if a page is not found. If Safari can do that it could explain where the redirect is occurring. A proxy would do the same thing.
 
This trojan seems to have been there for almost a year; are there no removal tools from Apple or anywhere?
 
It seems that you have downloaded and installed fake "codecs" for adult video (or free game or something like that).

Create a new user account and see whether the behavior is the same on the other account.
 
where, here you go, a simple Google search with "osx trojan removal" gives me this:

http://www.macnn.com/articles/08/01/03/trojan.removal.tool/
Seems securemac.com has a free tool for this; try it out and good luck! :)

That's the same tool I posted several posts back... and he said it didn't work...

From the instructions with the tool:

Using DNSChanger Removal Tool

Upon launching DNSChanger Removal Tool, click the Scan button to scan for the DNSChanger trojan horse. DNSChanger Removal Tool will scan your computer for the DNSChanger trojan horse, and alert you if it is detected. If the DNSChanger trojan horse is detected, DNSChanger Removal Tool will give you the option to remove it. If the DNSChanger trojan horse is detected and removed, you will need to restart your computer to clear out the bad DNS entries added by the DNSChanger Trojan Horse.

To the OP:

You said this didn't work. When you ran the tool, was the trojan detected and did you have the option to remove it? If so, did you RESTART and then check the same URLs that were taking you to the Badlands?

RE: your DNS entries. Did you manually remove the two DNS entries you'd posted earlier? Or did that "just happen" after you ran the tool?
 
ahha, my bad.

if this doesn't work, ...maybe we should examine if the problem is indeed caused by this trojan or something else?

Those DNS entries he had posted earlier in the thread were DNS servers from the Dark Side of the Web and the likely source of the misdirection of his URLs, but even if he manually removed them, they could come back again if there's a cron job that restores them, etc.
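
The check discussed in the posts above (rogue DNS servers that could come back via a cron job), as an added example that is not part of any post in this thread. It lists resolvers that are not on an expected list and cron entries that could rewrite DNS settings; the `EXPECTED_DNS` value, the sample addresses, the script path and the keyword list are all assumptions or constructed data.

```shell
#!/bin/sh
# Added example: audit DNS settings after removing a DNS-changing trojan.
# EXPECTED_DNS is an assumption; set it to your own router/ISP resolvers.
EXPECTED_DNS="${EXPECTED_DNS:-192.168.1.1}"

# stdin: `scutil --dns` text. stdout: unique nameservers not in EXPECTED_DNS.
unexpected_dns() {
    awk -v ok="$EXPECTED_DNS" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        /nameserver\[[0-9]+\] *:/ {
            ip = $NF
            if (!(ip in allow) && !(ip in seen)) { seen[ip] = 1; print ip }
        }'
}

# stdin: crontab text. stdout: active entries naming tools or files that can
# rewrite resolver settings (keyword list is a heuristic, not a signature).
dns_cron_entries() {
    grep -v '^[[:space:]]*#' | grep -E 'scutil|networksetup|resolv\.conf' || true
}

# Constructed sample data (documentation-range addresses, hypothetical path).
sample_scutil() {
cat <<'EOF'
resolver #1
  nameserver[0] : 203.0.113.53
  nameserver[1] : 198.51.100.53
  nameserver[2] : 192.168.1.1
resolver #2
  nameserver[0] : 203.0.113.53
EOF
}
sample_crontab() {
cat <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/bin/true
* * * * * /path/to/hypothetical-script | /usr/sbin/scutil
EOF
}

# On a Mac, run with the argument "live" to check the real system.
if [ "${1:-}" = "live" ]; then
    scutil --dns | unexpected_dns
    crontab -l 2>/dev/null | dns_cron_entries
    sudo crontab -l 2>/dev/null | dns_cron_entries
else
    sample_scutil | unexpected_dns      # demo on the constructed sample
    sample_crontab | dns_cron_entries
fi
```

Any address printed in live mode should be compared against what the router or ISP actually hands out, and the check repeated after a restart, since the posts above note that removed entries can reappear.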
 
The first time I ran it, it detected a trojan and I wiped it and restarted the computer. That's when those two DNS servers disappeared. Even though it was gone it still redirected me to that virus scanner. I tried it again and it didn't show up.
 
So, if I understand you correctly: After reboot, you tried a URL and it sent you to the Dark Side maybe once, but then after that (and now) the URLs send you to the real sites?

If so, it sounds like the bogus IP# was cached somewhere (your router maybe?) and if all of the URIs now work correctly and send you to the real sites, it sounds like the removal tools may have worked.

I think I'm just gonna reinstall the OS.

If it got rid of it, that's not necessary, but that would cure the problem.

This (redirection to other sites) is largely an annoyance, but it certainly could be used to send you to a bogus version of PayPal, for example, where you'd enter your ID and password, which would give the bad guys that info.
 
I haven't got rid of the problem yet.
 
I created a new account and it worked completely fine.

Well, if this is an easier way, then maybe just use this new acc; we might not be able to solve the problem completely, but at least it's under control.

Be careful when surfing tho, and avoid apps that ask for admin password during installation, in which case, damage would/might be unsolvable by a new acc. Hopefully Apple will establish some sort of systematical safety guard for OSX soon.
 
Common sense? They can't build that into a computer. If a user browses the likes of a porn site, and something downloads unknowingly to the user, then mounts itself on the desktop, then the user installs it and enters their password, and then causes problems to OS X, then really, they ought to get a lecture about the dark sides of the internet and what to avoid.
 
I'm really tired of this type of useless, meaningless, not helpful, insulting rhetoric from some people. If you can't face the fact that computer users are diverse, you might just ask Apple to present a test before selling computers.

PS, did you get your Safari's "feeling lucky" function yet? Talk about nobody is all-known...
 
Not helpful? Telling a user that they need to be careful and really think about what they are installing and if they don't even know what it is they are installing or why they need it in the first place? This just doesn't apply to OS X, I'd say the same thing on Windows. Careless browsing is only going to cause problems, especially if something wants to install itself from one of those dodgy websites.

And, since you are obviously triggering an argument by bringing up this again, I didn't realise I had SafariStand installed which makes use of Google's Feeling Lucky feature.
 
If Macs are for people who don't 'get' computers, I'd hate to see the computer for someone who doesn't 'get' Macs.

Then again, the Wii is a pretty capable machine!
 
Who would have thought for once a person claiming to have a trojan/virus on a Mac is ACTUALLY right? Usually it's just a Mac n00b who isn't used to the way their Mac works so they automatically blame it on a virus (Cause they came from Windows world)
 