Fake Google Chrome installer malware?

Discussion in 'Mac Basics and Help' started by Minicube, Sep 14, 2014.

  1. Minicube macrumors regular

    Joined:
    Jun 5, 2011
    #1
    I've encountered a malware problem for the first time in 25 years of using Macs. I lost my internet connection the other day, and a Google Chrome installer window popped up. Working with my ISP we discovered that the DNS address in my Airport router had been changed to an address in Bulgaria (!). I managed to change it back to the proper address, rebooted the router, and all is good, except the Google Chrome installer window keeps popping up when I try to save TextEdit docs, and when I try to change the file sort (date/size) on my main hard drive. Also, when I switch users or reboot, the screen flashes quickly three times. No other symptoms that I am aware of.

    All my software is up to date. No other accounts on the computer or network have this problem. I assume this malware made its way onto my computer when the DNS on my router was changed. Not sure how that could have happened since it's password protected and I live out in the country.

    I've run Avast and it found a bunch of "infected files", all of which I removed. No change. Same with ClamX, no change. I've also zapped the PRAM, run Disk Utility, and Disk Warrior.

    The problem goes away if I:
    Do a Safe Boot
    Log in as a different user

    I've Googled the hell out of this problem, but can find no one with the exact same issues. Does anyone have any idea of what else to try?
     
  2. benthewraith macrumors 68040

    Joined:
    May 27, 2006
    Location:
    Miami, FL
    #2
    Create a new user, transfer your docs, photos, etc. to the new user, and then delete the old user profile.
     
  3. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #3
    Sorry for your problems. I agree, to a degree, with benthewraith. To preface, I have an addiction - pro level cycling, which is hard to get here in the states. Earlier this year, wanting to watch the Giro, I resorted to one of the sites that not-legally mirror Eurosport - and thought I was being careful. More than once I had to deal with someone attempting to commandeer my Mac. A friend of mine was doing the same, and he had to deal with the same issues you are. The difference was that I was using a Standard user account and Chrome, while he was using Safari/Flash in an Admin user account. He whined to me, and I fixed it.

    What you didn't write was whether you were in an Admin account. You also did not write as to whether your Mac's Network System Preferences>Network>DNS>DNS Servers settings were changed. My friend's Mac did have its settings modified, adding in settings that began with 77, 85, 93, and 213 - I think there were a few others. His Airport was also hacked.

    When I was in my Standard user account and watching the proxy site, my mouse cursor moved, and I watched someone attempt to access my System Preferences. The padlock was clicked and a password typed in - however, my password was pretty long. I tried cancelling the dialog, they tried assuming control - I tried the Shut Down command, they cancelled it. I then just pressed and held down the Power Button, unplugged my Airport Extreme (4th Gen) and used a paper clip to reset it, then restarted my Mac.

    I logged into my Admin account and turned off wifi, then logged out and logged into the subject account again. Nothing seemed awry. I looked everywhere - and found a new folder in my Documents folder (I don't recall the name) that contained a few other sub-directories with a "startup.js" file in the root of that new folder - the creation date of that new folder was the same as my battle with the tool on the other end.

    You might want to look for modified DNS settings and newer folders on your Mac. Especially if your problems persist!
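One way to carry out the two checks campyguy suggests (compare the resolvers the Mac is actually using against the ones your ISP gave you, and look for recently created folders holding a startup.js), as an added shell script that is not from this thread or any poster. It assumes macOS `scutil` for the live DNS readout; the EXPECTED_DNS addresses are constructed placeholders to replace with your ISP's resolvers.

```shell
#!/bin/sh
# Added triage helper (not from the thread). The live DNS readout assumes macOS
# `scutil`; the comparison and folder-scan logic is plain POSIX sh.
# Placeholder allowlist (TEST-NET-1 addresses): replace with your ISP's resolvers.
EXPECTED_DNS="192.0.2.53 192.0.2.54"

# Print every configured resolver that is not on the expected list.
# $1 = space-separated expected resolvers, $2 = space-separated configured ones.
# Returns 0 when nothing unexpected was found, 1 otherwise.
unexpected_dns() {
    expected=$1; configured=$2; rc=0
    for srv in $configured; do
        case " $expected " in
            *" $srv "*) ;;                 # known-good resolver, nothing to report
            *) echo "$srv"; rc=1 ;;        # not on the allowlist: report it
        esac
    done
    return $rc
}

# Gather the resolvers the Mac is actually using. scutil shows the effective
# list, so a rogue address pushed by a hijacked router via DHCP shows up too.
# Prints nothing on systems without scutil.
configured_dns() {
    if command -v scutil >/dev/null 2>&1; then
        scutil --dns | awk '/nameserver\[/ {print $3}' | sort -u | tr '\n' ' '
    fi
}

# List any startup.js sitting directly inside a directory under $1 that was
# created or modified after $2 (a date such as 2014-09-10), the indicator
# campyguy describes finding in his Documents folder.
recent_dirs_with_startup_js() {
    find "$1" -type d -newermt "$2" 2>/dev/null | while read -r d; do
        if [ -f "$d/startup.js" ]; then
            echo "$d/startup.js"
        fi
    done
}

# Usage: sh check_mac_dns.sh --live [since-date]
if [ "${1:-}" = "--live" ]; then
    bad=$(unexpected_dns "$EXPECTED_DNS" "$(configured_dns)") || \
        echo "Unexpected DNS resolvers configured: $bad"
    recent_dirs_with_startup_js "$HOME" "${2:-2014-09-01}"
fi
```

Run the live check from a Standard account after fixing the router; an empty DNS report and no startup.js hits does not prove the Mac is clean, it only rules out the two indicators discussed here.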
     
  4. Minicube thread starter macrumors regular

    Joined:
    Jun 5, 2011
    #4
    Thanks for the responses so far.

    Yes, my account is an Admin account. And yes, the Network setting on my Mac was changed to the same number starting with 85 (located in Bulgaria according to my ISP) that we found on my router. As I understand it, the Network setting is obtained from the router. I successfully changed the numbers in both places back to the correct server and it has remained correct.

    I've looked for new files everywhere; found some questionable ones and deleted them, but no dice.

    I don't want the hassle of creating a new user and moving stuff over (not to mention the possibility of moving over the malware accidentally), but it's starting to appear that may be my only option.

    I'm sort of surprised that neither ClamX nor Avast is able to find the culprit.
     
  5. campyguy macrumors 68040

    Joined:
    Mar 21, 2014
    Location:
    Portland / Seattle
    #5
    A few tips. Stop working in an Admin account - there's absolutely no reason to. Since I stopped and told my 50-odd employees to not work/surf in an admin user account - we've had zero issues. Enough said.

    You've found a few questionable files. You may have missed one. Or two. Avast and ClamX are anti-virus software - they don't find files that have scripts embedded in them (including JPEG files). Creating a new user account is a piece of cake - I installed a new DP of Yosemite tonight, created a new user account that has the same settings as one of my Mavericks settings, and got up and running - all within 20 minutes, and most of that was waiting for the installer to finish. Create a new user account, and move your critical files to that new Standard Account you're going to create and work from.

    As I wrote before, that "85.xxx.xxx.xx" in your network settings is a DNS setting that had opened you to further attack - it didn't get "copied". You "understood" incorrectly. It was planted there by a script created by a hacker - it would not have happened if you were not using an Administrator account. Lesson learned. Move on.

    And, delete that compromised Admin account.
     