Please Help - My MacBook Pro has Malware

Merkava_4

macrumors 6502a
Original poster
Sep 4, 2010
557
49
California
2007 MacBook Pro Santa Rosa Edition
OS 10.6.8


Whenever I try to log into one of my favorite forums, my Mac Mail is opened automatically and I get hundreds and hundreds of popup windows that I'm showing in the photographs below. While that is going on, my MBP is completely disabled. I have to force quit the computer with the power button. The malware causes my MBP to run extremely hot with the fans on high speed. Normally, the fans rarely come on.

I have tried changing my mail password but that doesn't work. I also tried logging into the forum with a different computer - my old PowerBook. The malware goes to the PowerBook too. I'm so nervous right now, my hands are shaking. I've never had anything like this happen before. Please help. Please tell me what to do. :(




 

GGJstudios

macrumors Westmere
May 16, 2008
44,419
758
It's not malware. It sounds more like JavaScript on a site. First, check the URL that you're visiting to make sure it's the one you really intended to visit. Then, make sure you have ad block and popup block protection. Then clear your cache and cookies. If you haven't already done so, try changing your DNS servers on your Mac and your router to OpenDNS servers. This will show you how: Why am I being redirected to other sites?
 

Merkava_4

GGJstudios,

I cleared the cache and reset Safari, still no change. As soon as I click the "Log In" button on that site, my Mac Mail is opened up and then I get flooded with popup windows just like before. I don't think I have any ad blocker software; just whatever comes with Safari. I'll await your further instructions.
 

GGJstudios

> GGJstudios,
>
> I cleared the cache and reset Safari, still no change. As soon as I click the "Log In" button on that site, my Mac Mail is opened up and then I get flooded with popup windows just like before. I don't think I have any ad blocker software; just whatever comes with Safari. I'll await your further instructions.

Download and install JavaScript Blocker. Use the link I posted. That will block all JavaScript on sites, until you permit it. I tested the site (of course, I couldn't log in) but found no malicious scripts there.

I run several ad-blockers. ClickToFlash, Safari AdBlock, GlimmerBlocker and JavaScript Blocker are just a few.

  1. Reset Safari, clearing cache and cookies.
  2. Quit Safari.
  3. Delete any suspicious or unknown entries from the following locations:
    • System Preferences > Accounts > yourusername > Login Items
      (Lion and ML users: System Preferences > Users & Groups > yourusername > Login Items)

    • /Library/LaunchAgents/
      (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)

    • ~/Library/LaunchAgents/
      (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)

    • /Library/StartupItems/
      (Lion and ML users: In Finder, click Go > Go to Folder > then enter the path above)
  4. Now log out and log back in.
  5. Now try revisiting the site.
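
A read-only way to list what sits in the launchd and startup folders from step 3 before deleting anything, as an added example that is not part of the original post. It assumes XML-format plists; `plist_value`, `review_flag` and `audit_startup_items` are names made up for this example, the REVIEW heuristic is this example's own assumption, and Login Items are not covered.

```shell
#!/bin/sh
# Read-only review of the folders named in step 3. Nothing is deleted.
# Function names and the REVIEW heuristic are assumptions of this example.

# Print the first <string> after <key>$2</key> in XML plist $1, or "?" when
# the key is absent or the file is a binary plist (not parsed here).
plist_value() {
    v=$(tr -d '\n' < "$1" | sed -n \
        "s:.*<key>$2</key>[^<]*\(<array>[^<]*\)\{0,1\}<string>\([^<]*\)</string>.*:\2:p")
    printf '%s' "${v:-?}"
}

# Flag programs that could not be read, or that run from hidden, temporary
# or shared locations; everything else still needs a human look.
review_flag() {
    case "$1" in
        "?"|*/.*|/tmp/*|/private/tmp/*|/Users/Shared/*) printf 'REVIEW' ;;
        *) printf 'ok' ;;
    esac
}

# One line per entry: path, launchd label, program, flag.
audit_startup_items() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for item in "$dir"/*; do
            [ -e "$item" ] || continue
            case "$item" in
                *.plist)
                    prog=$(plist_value "$item" Program)
                    [ "$prog" != "?" ] || prog=$(plist_value "$item" ProgramArguments)
                    printf '%s\tlabel=%s\tprogram=%s\t%s\n' "$item" \
                        "$(plist_value "$item" Label)" "$prog" "$(review_flag "$prog")"
                    ;;
                *) printf '%s\t(not a plist)\tREVIEW\n' "$item" ;;
            esac
        done
    done
}

audit_startup_items /Library/LaunchAgents \
    "${HOME:-/nonexistent}/Library/LaunchAgents" /Library/StartupItems
```

A plist that shows `?` for both label and program is probably in binary format; `plutil -convert xml1 -o - file.plist` prints a readable copy without changing the original.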
 

Merkava_4

GGJstudios,

I can try that, but being that my Mac Mail is being opened without my control, that leads me to suspect that there's a malware program downloaded and running on my computer. I'm beginning to think maybe I should change my administrator password, but I don't know how.
 

GGJstudios

> GGJstudios,
>
> I can try that, but being that my Mac Mail is being opened without my control, that leads me to suspect that there's a malware program downloaded and running on my computer.

It's a script on that malicious site that's launching Mail, not malware.
  1. Launch Activity Monitor
  2. Change "My Processes" at the top to "All Processes"
  3. Click on the CPU column heading once or twice, so the arrow points downward (highest values on top).
  4. Click on the System Memory tab at the bottom.
  5. Take a screen shot of the entire Activity Monitor window, then scroll down to see the rest of the list, take another screen shot
  6. Post your screenshots.

> I'm beginning to think maybe I should change my administrator password, but I don't know how.

It won't hurt to change your admin password. You can do so in System Preferences > Accounts > youraccount > Change Password
 

GGJstudios

> Here are the Activity Monitor screen shots.

I see nothing there that would create the symptoms you describe or would be cause for concern. Recheck your DNS settings to make sure they still are as you last modified them. Also reset your router and use the same DNS settings there.
 

Merkava_4

I checked the DNS settings; they're still the same. I also changed my Admin Password; it has had no effect. This malware (or whatever it is) seems to have targeted my login information at the other forum. This is very strange.
 

GGJstudios

> I checked the DNS settings; they're still the same. I also changed my Admin Password; it has had no effect. This malware (or whatever it is) seems to have targeted my login information at the other forum. This is very strange.

It's a case of redirection, not malware. Did you reset your router and check the DNS settings there?
 

Merkava_4

GGJstudios,

I don't have a router, just one Ethernet DSL modem.

I went into my Library Cache and started deleting things that don't make sense. That redirection program has got to be in there somewhere.
 

Weaselboy

Moderator
Staff member
Jan 23, 2005
29,643
9,265
California
> GGJstudios,
>
> I don't have a router, just one Ethernet DSL modem.
>
> I went into my Library Cache and started deleting things that don't make sense. That redirection program has got to be in there somewhere.

This is only happening on the one forum site you visit?

Try going to Safari preferences and, in the Security tab, UNcheck JavaScript. Then try to go to the site again and see if the problem is gone. If that fixes it, you need to contact the site/forum administrator and let them know they have a rogue JavaScript launching from their site.

If this is what is going on, there is nothing you can do from your computer to fix it.

 

Merkava_4

> This is only happening on the one forum site you visit?

Yes sir, just that one site. I took the computer into the Fresno Apple store. The Genius said there's nothing they can do about it, but he did say my hard drive is OK and that it's not infected. He thinks the site is hacked, but when I explained to him that it only happens to me and nobody else on that site, he had no answer for that.

I tried disabling JavaScript in Safari; no effect. I've also changed my Yahoo mail password and the computer's admin password; no effect. :cool:
 

mac jones

macrumors 68040
Apr 6, 2006
3,257
1
Yikes, this thread is a bit scary. If no one knows the answer that is.
I hope it's not something we are going to start seeing.

Who knows

Let us know if you discover the culprit.