Please Help - My MacBook Pro has Malware

Discussion in 'MacBook Pro' started by Merkava_4, Aug 30, 2012.

  1. Merkava_4 macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #1
    2007 MacBook Pro Santa Rosa Edition
    OS 10.6.8


    Whenever I try to log into one of my favorite forums, my Mac Mail is opened automatically and I get hundreds and hundreds of popup windows that I'm showing in the photographs below. While that is going on, my MBP is completely disabled. I have to force quit the computer with the power button. The malware causes my MBP to run extremely hot with the fans on high speed. Normally, the fans rarely come on.

    I have tried changing my mail password but that doesn't work. I also tried logging into the forum with a different computer - my old PowerBook. The malware goes to the PowerBook too. I'm so nervous right now, my hands are shaking. I've never had anything like this happen before. Please help. Please tell me what to do. :(


    [​IMG]

    [​IMG]
     
  2. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #2
    It's not malware. It sounds more like JavaScript on a site. First, check the URL that you're visiting to make sure it's the one you really intended to visit. Then, make sure you have ad block and popup block protection. Then clear your cache and cookies. If you haven't already done so, try changing your DNS servers on your Mac and your router to OpenDNS servers. This will show you how: Why am I being redirected to other sites?
     
  3. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #3
    GGJstudios,

    Thank you so much for helping me.

    Yes, you are correct. As soon as I try to log in, I'm redirected to this site:

    http://ha.ckers.org/weird/popups.html

    What shall I do next?
     
  4. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #4
    Did you change your DNS settings? It's also possible that the site you're trying to reach has been compromised. What site are you trying to reach?
     
  5. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #5
    GGJstudios,

    My DNS settings window is this:

    [​IMG]

    What do I do?
     
  6. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #6
    Click the "+" button in the lower left and add the two OpenDNS servers shown in the link I posted. Just follow the instructions in that link.
     
  7. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #7
    GGJstudios,

    You mean like this? Is that correct?

    [​IMG]
     
  8. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #8
    Yes.
     
  9. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
  10. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #10
    Did you clear your cache and cookies? If so, try it again. Also, do you have any ad-blockers installed? A good one for managing JavaScript on Safari is JavaScript Blocker.
     
  11. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #11
    GGJstudios,

    I cleared the cache and reset Safari, still no change. As soon as I click the "Log In" button on that site, my Mac Mail is opened up and then I get flooded with popup windows just like before. I don't think I have any ad blocker software; just whatever comes with Safari. I'll await your further instructions.
     
  12. GGJstudios, Aug 30, 2012
    Last edited: Aug 30, 2012

    GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #12
    Download and install JavaScript Blocker. Use the link I posted. That will block all JavaScript on sites, until you permit it. I tested the site (of course, I couldn't log in) but found no malicious scripts there.

    I run several ad-blockers. ClickToFlash, Safari AdBlock, GlimmerBlocker and JavaScript Blocker are just a few.

    1. Reset Safari, clearing cache and cookies.
    2. Quit Safari.
    3. Delete any suspicious or unknown entries from the following locations:
      • System Preferences > Accounts > yourusername > Login Items
        (Lion and ML users: System Preferences > Users & Groups > yourusername > Login Items)

      • /Library/LaunchAgents/
        (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)

      • ~/Library/LaunchAgents/
        (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)

      • /Library/StartupItems/
        (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)
    4. Now log out and log back in.
    5. Now try revisiting the site.
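
An added example, not part of GGJstudios's post: a Python script that lists what is in the LaunchAgents and StartupItems folders named in step 3, so each entry can be reviewed before anything is deleted. Login Items are not covered, and the record field names (`program_exists`, `startup_item`, and so on) are this example's own.

```python
import plistlib
from pathlib import Path

# Folders named in step 3 of the post; Login Items are stored elsewhere.
LOCATIONS = [
    Path("/Library/LaunchAgents"),
    Path.home() / "Library" / "LaunchAgents",
    Path("/Library/StartupItems"),
]

def describe_plist(path):
    """Return the fields of one launchd job that decide what it runs."""
    try:
        with open(path, "rb") as fh:
            job = plistlib.load(fh)  # reads XML and binary plists
        if not isinstance(job, dict):
            raise ValueError("top-level object is not a dictionary")
    except Exception as exc:  # unreadable or malformed: report it, don't skip it
        return {"file": str(path), "error": f"{type(exc).__name__}: {exc}"}
    argv = job.get("ProgramArguments") or []
    program = job.get("Program") or (argv[0] if argv else None)
    return {
        "file": str(path),
        "label": job.get("Label"),
        "program": program,
        "arguments": argv,
        "run_at_load": bool(job.get("RunAtLoad", False)),
        "program_exists": isinstance(program, str) and Path(program).exists(),
    }

def audit(locations=LOCATIONS):
    """Collect one record per entry found under the given folders."""
    records = []
    for folder in locations:
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            if entry.suffix == ".plist":
                records.append(describe_plist(entry))
            elif entry.is_dir():  # StartupItems are folders, not plists
                records.append({"file": str(entry), "startup_item": True})
    return records

if __name__ == "__main__":
    for record in audit():
        print(record)
```
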
     
  13. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #13
    GGJstudios,

    I can try that, but being that my Mac Mail is being opened without my control, that leads me to suspect that there's a malware program downloaded and running on my computer. I'm beginning to think maybe I should change my administrator password, but I don't know how.
     
  14. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #14
    It's a script on that malicious site that's launching Mail, not malware.
    1. Launch Activity Monitor
    2. Change "My Processes" at the top to "All Processes"
    3. Click on the CPU column heading once or twice, so the arrow points downward (highest values on top).
    4. Click on the System Memory tab at the bottom.
    5. Take a screen shot of the entire Activity Monitor window, then scroll down to see the rest of the list, take another screen shot
    6. Post your screenshots.
    It won't hurt to change your admin password. You can do so in System Preferences > Accounts > youraccount > Change Password
     
  15. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #15
    GGJstudios,

    I sent you the Activity Monitor screen shots in a PM.
     
  16. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #16
    Post them here. Be sure you have followed all the steps in the instructions.
     
  17. MrPlayer66 macrumors member

    Joined:
    Jul 27, 2012
    #17
    It's very nice of you to be helping out this user.
     
  18. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #18
    Here are the Activity Monitor screen shots.

    [​IMG]

    [​IMG]
     
  19. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #19
    I see nothing there that would create the symptoms you describe or would be cause for concern. Recheck your DNS settings to make sure they still are as you last modified them. Also reset your router and use the same DNS settings there.
     
  20. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #20
    I checked the DNS settings; they're still the same. I also changed my Admin Password; it has had no effect. This malware (or whatever it is) seems to have targeted my login information at the other forum. This is very strange.
     
  21. GGJstudios macrumors Westmere

    Joined:
    May 16, 2008
    #21
    It's a case of redirection, not malware. Did you reset your router and check the DNS settings there?
     
  22. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #22
    GGJstudios,

    I don't have a router, just one Ethernet DSL modem.

    I went into my Library Cache and started deleting things that don't make sense. That redirection program has got to be in there somewhere.
     
  23. Weaselboy Moderator

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #23
    This is only happening on the one forum site you visit?

    Try going to Safari preferences and in the Security tab UNcheck JavaScript. Then try to go to the site again and see if the problem is gone. If that fixes it, you need to contact the site/forum administrator and let them know they have a rogue JavaScript launching from their site.

    If this is what is going on, there is nothing you can do from your computer to fix it.

    [​IMG]
     
  24. Merkava_4 thread starter macrumors 6502a

    Joined:
    Sep 4, 2010
    Location:
    California
    #24
    Yes sir, just that one site. I took the computer into the Fresno Apple store. The Genius said there's nothing they can do about it, but he did say my hard drive is OK and that it's not infected. He thinks the site is hacked, but when I explained to him that it only happens to me and nobody else on that site, he had no answer for that.

    I tried disabling JavaScript in Safari; no effect. I've also changed my Yahoo mail password and the computer's admin password; no effect. :cool:
     
  25. mac jones macrumors 68040

    Joined:
    Apr 6, 2006
    #25
    Yikes, this thread is a bit scary. If no one knows the answer that is.
    I hope it's not something we are going to start seeing.

    Who knows

    Let us know if you discover the culprit.
     
