Please Help - My MacBook Pro has Malware

[Merkava_4]

2007 MacBook Pro Santa Rosa Addition
OS 10.6.8


Whenever I try to log into one of my favorite forums, my Mac Mail is opened automatically and I get hundreds and hundreds of popup windows that I'm showing in the photographs below. While that is going on, my MBP is completely disabled. I have to force quit the computer with the power button. The malware causes my MBP to run extremely hot with the fans on high speed. Normally, the fans rarely come on.

I have tried changing my mail password but that doesn't work. I also tried logging into the forum with a different computer - my old PowerBook. The malware goes to the PowerBook too. I'm so nervous right now, my hands are shaking. I've never had anything like this happen before. Please help. Please tell me what to do.


Click to enlarge:

 

[GGJstudios]

It's not malware. It sounds more like JavaScript on a site. First, check the URL that you're visiting to make sure it's the one you really intended to visit. Then, make sure you have ad block and popup block protection. Then clear your cache and cookies. If you haven't already done so, try changing your DNS servers on your Mac and your router to OpenDNS servers. This will show you how: Why am I being redirected to other sites?

 

[Merkava_4]

GGJstudios,

Thank you so much for helping me.

Yes, you are correct. As soon as try to log in, I'm redirected to this site:

http://ha.ckers.org/weird/popups.html

What shall I do next?

 

[GGJstudios]

GGJstudios,

Thank you so much for helping me.

Yes, you are correct. As soon as try to log in, I'm redirected to this site:

http://ha.ckers.org/weird/popups.html

What shall I do next?

Did you change your DNS settings? It's also possible that the site you're trying to reach has been compromised. What site are you trying to reach?

 

[Merkava_4]

GGJstudios,

My DNS settings window is this:

What do I do?

 

[GGJstudios]

GGJstudios,

My DNS server window is this:

What do I do?

Click the "+" button in the lower left and add the two OpenDNS servers shown in the link I posted. Just follow the instructions in that link.

 

[Merkava_4]

GGJstudios,

You mean like this? Is that correct?

 

[GGJstudios]

GGJstudios,

You mean like this? Is that correct?

Yes.

 

[Merkava_4]

Shall I try to log into that forum again?

 

[GGJstudios]

Shall I try to log into that forum again?

Did you clear your cache and cookies? If so, try it again. Also, do you have any ad-blockers installed? A good one for managing JavaScript on Safari is JavaScript Blocker.

 

[Merkava_4]

GGJstudios,

I cleared the cache and reset Safari, still no change. As soon as I click the "Log In" button on that site, my Mac Mail is opened up and then I get flooded with popup windows just like before. I don't think I have any add blocker software; just whatever comes with Safari. I'll await your further instructions.

 

[GGJstudios]

GGJstudios,

I cleared the cache and reset Safari, still no change. As soon as I click the "Log In" button on that site, my Mac Mail is opened up and then I get flooded with popup windows just like before. I don't think I have any add blocker software; just whatever comes with Safari. I'll await your further instructions.

Download and install JavaScript Blocker. Use the link I posted. That will block all JavaScript on sites, until you permit it. I tested the site (of course, I couldn't log in) but found no malicious scripts there.

I run several ad-blockers. ClickToFlash, Safari AdBlock, GlimmerBlocker and JavaScript Blocker are just a few.

1. Reset Safari, clearing cache and cookies.
2. Quit Safari.
3. Delete any suspicious or unknown entries from the following locations:
   • System Preferences > Accounts > yourusername > Login Items
     (Lion and ML users: System Preferences > Users & Groups > yourusername > Login Items)
     
     
   • /Library/LaunchAgents/
     (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)
     
     
   • ~/Library/LaunchAgents/
     (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)
     
     
   • /Library/StartupItems/
     (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)
4. Now log out and log back in.
5. Now try revisiting the site.

 

[Merkava_4]

GGJstudios,

I can try that, but being that my Mac Mail is being opened without my control, that leads me to suspect that there's a malware program downloaded and running on my computer. I'm beginning to think maybe a should change my administrator password, but I don't know how.

 

[GGJstudios]

GGJstudios,

I can try that, but being that my Mac Mail is being opened without my control, that leads me to suspect that there's a malware program downloaded and running on my computer.

It's a script on that malicious site that's launching Mail, not malware.

1. Launch Activity Monitor
2. Change "My Processes" at the top to "All Processes"
3. Click on the CPU column heading once or twice, so the arrow points downward (highest values on top).
4. Click on the System Memory tab at the bottom.
5. Take a screen shot of the entire Activity Monitor window, then scroll down to see the rest of the list, take another screen shot
6. Post your screenshots.

I'm beginning to think maybe a should change my administrator password, but I don't know how.

It won't hurt to change your admin password. You can do so in System Preferences > Accounts > youraccount > Change Password

 

[Merkava_4]

GGJstudios,

I sent you the Activity Monitor screen shots in a PM.

 

[GGJstudios]

GGJstudios,

I sent you the Activity Monitor screen shots in a PM.

Post them here. Be sure you have followed all the steps in the instructions.

 

[MrPlayer66]

Post them here. Be sure you have followed all the steps in the instructions.

It's very nice of you to be helping out this user.

 

[Merkava_4]

Here are the Activity Monitor screen shots.

Click to enlarge:

 

[GGJstudios]

Here are the Activity Monitor screen shots.

I see nothing there that would create the symptoms you describe or would be cause for concern. Recheck your DNS settings to make sure they still are as you last modified them. Also reset your router and use the same DNS settings there.

 

[Merkava_4]

I checked the DNS settings; they're still the same. I also changed my Admin Password; it has had no affect. This malware (or whatever it is) seems to have targeted my login information at the other forum. This is very strange.

 

[GGJstudios]

I checked the DNS settings; they're still the same. I also changed my Admin Password; it has had no affect. This malware (or whatever it is) seems to have targeted my login information at the other forum. This is very strange.

It's a case of redirection, not malware. Did you reset your router and check the DNS settings there?

 

[Merkava_4]

GGJstudios,

I don't have a router, just one Ethernet DSL modem.

I went into my Library Cache and started deleting things that don't make sense. That redirection program has got to be in there somewhere.

 

[Weaselboy]

GGJstudios,

I don't have a router, just one Ethernet DSL modem.

I went into my Library Cache and started deleting things that don't make sense. That redirection program has got to be in there somewhere.

This is only happening on the one forum site you visit?

Try going to Safari preferences and in the security tab UNcheck javascript. Then try to go to the site again see if the problem is gone. If that fixes it, you need to contact the site/forum administrator and let them know they have a rogue javascript launching from their site.

If this is what is going on, there is nothing you can do from your computer to fix it.

 

[Merkava_4]

This is only happening on the one forum site you visit?

Yes sir, just that one site. I took the computer into the Fresno Apple store. The Genius said there's nothing they can do about it, but he did say my hard drive is OK and that it's not infected. He thinks the site is hacked, but when I explained to him that it only happens to me and nobody else on that site, he had no answer for that.

I tried disabling java script in Safari; no affect. I've also changed my Yahoo mail password and the computer's admin password; no affect.

 

[mac jones]

Yikes, this thread is a bit scary. If no one knows the answer that is.
I hope it's not something we are going to start seeing.

Who knows

Let us know if you discover the culprit.