Hi. I am very new here. I have read, but not posted and replied. To start, I am "pretty good" with macs. I am far from an IT person, but a good bit above a novice. I can do the troubleshooting, but I do not always know the lingo (a short explanation would help). Therefore, I will need a detailed response, but not step by step.
I recently got a malware problem masquerading as the "annual visitor survey" virus. I do believe there was adware, but I also think there was a more sinister virus installed. I am about 60% sure it was also set up to make my computer vulnerable to a key logger. I know a key logger typically needs physical access, but in the case I think it was remote. So whatever the name for that is. So to the point....
The virus would appear in chrome, though I am pretty sure it came through firefox in a trojan through adobe flash-player or a torrent.
If I were to type HBO GO and click on the link, there would be no problem, however, if I were to type www.hbogo.com to go directly to the site it would go to a survey page, hence the annual visitor survey masquerade. It would re-direct to websites such as allserverrecess.com. When I reviewed the java console it was an html and it appeared to have an ajax and/or googleapis component, though that is a trusted source. One thing I know for sure is that it came in through a jpg. I am not sure if it was a jpg through another program or what. I just know I did not download a random picture of some man and woman. I did delete it of course.
I have done 3 system restores, including erasing the disk and reinstalling OSX. I have deleted all cookies and extensions, deleted and re-installed firefox and chrome, all adobe software and any unnecessary program/download. I have also deleted any unnecessary or unknown certificates and used little snitch. With little snitch there were a few things that could be the culprit, though some are considered "trusted." A few (but the more likely are at the end) are "swscan.apple, xsanmgr, MIUI.SUv5, dsw4.akamai, clients2.google (I was confused about why a clients 2 would exist, though it isn't completely insane) XQUARTZ, things under gamd (not gamed), lh5.googleusercontent, lphs." Like I said, most of those are supposed to be fine, but I know they can be masked as good when they aren't. Another potential problem is that in little snitch there was an unapproved rule of "UserEventAgent." When I declined it, a lot of the problems did go away, though not all of course.
I know I have thrown a good bit out there, but I have been doing this for over a week. I am just putting in what I remember as being odd. I wish I had written everything down so I could explain it better. At this point I do have a lot of it fixed, but it is not gone. I know just because of the occasional "weirdness." I attached a picture of what I mean by "weirdness." It came up when I was looking up a suspicious link from little snitch. Whenever I denied the link it went away. I REALLY wish I had a copy of the link for sure, though I am 99% positive it was gw02.lphbs.com or gwc-iad1.lphs.com or sb.scorecardresearch.com or 2201481.fls.doubleclick.net or tve.112.2o7.net or ci.beap.ad.yieldmanager.net. I want to know how to get rid of this completely and finally. I may have gotten rid of the bulk, but it could come back very easily. I also do not even remember how I got rid of everything exactly, which is sad. If anyone could help I would really appreciate it.
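The post describes typing www.hbogo.com directly and landing on a survey page, and regrets not having kept a copy of the redirect link. One way to record such a chain instead of relying on memory is to capture the HTTP responses with `curl -sIL <url>` and parse out every hop. The script below does that parsing; it is an added example and not part of the original post. The header dump it reads is constructed to resemble the symptom described (it is not a real capture), and the suspect-host list is simply the hostnames the poster mentioned, used here only to mark hops worth a closer look.

```python
"""Parse a captured HTTP redirect chain (the output of `curl -sIL <url>`)
and list every hop, so a suspicious redirect can be recorded rather than
remembered.

Added example, not from the original post. SAMPLE_HEADERS is CONSTRUCTED
to look like what curl might print if something on the path injects a
redirect; it is not real data.
"""
from urllib.parse import urljoin, urlparse

# Constructed sample: the first response redirects away from the typed
# site, the second is the page that finally loads. Not a real capture.
SAMPLE_HEADERS = """\
HTTP/1.1 302 Found
Location: http://allserverrecess.com/survey?ref=hbogo
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 512
"""

# Hostnames the poster listed as suspected; used only to flag hops that
# deserve a closer look, not as a verdict that they are malicious.
SUSPECT_HOSTS = {
    "allserverrecess.com",
    "gw02.lphbs.com",
    "gwc-iad1.lphs.com",
    "sb.scorecardresearch.com",
    "2201481.fls.doubleclick.net",
    "tve.112.2o7.net",
    "ci.beap.ad.yieldmanager.net",
}


def parse_responses(raw):
    """Split a curl -I dump into a list of (status_code, headers) tuples.

    Responses are separated by a blank line; header names are lower-cased
    so lookups do not depend on the server's capitalisation.
    """
    responses = []
    for block in raw.strip().split("\n\n"):
        lines = block.strip().splitlines()
        if not lines or not lines[0].startswith("HTTP/"):
            continue
        status = int(lines[0].split()[1])
        headers = {}
        for line in lines[1:]:
            if ":" in line:
                name, value = line.split(":", 1)
                headers[name.strip().lower()] = value.strip()
        responses.append((status, headers))
    return responses


def redirect_chain(start_url, raw):
    """Return the URLs visited, starting with start_url and following each
    3xx Location header. Relative Locations are resolved against the
    previous hop, as a browser would."""
    chain = [start_url]
    for status, headers in parse_responses(raw):
        if 300 <= status < 400 and "location" in headers:
            chain.append(urljoin(chain[-1], headers["location"]))
    return chain


def flag_hops(chain):
    """Return the hostnames in the chain that are on the suspect list."""
    return [h for h in (urlparse(u).hostname for u in chain) if h in SUSPECT_HOSTS]


if __name__ == "__main__":
    hops = redirect_chain("http://www.hbogo.com/", SAMPLE_HEADERS)
    for i, url in enumerate(hops):
        print(f"hop {i}: {url}")
    print("hops to investigate:", flag_hops(hops))
```

One caveat when using this on a real capture: `curl` only sees redirects that happen on the network path or in name resolution (a modified hosts file, a rogue DNS server or proxy). A redirect injected by a browser extension or by something hooked into the browser process will not show up in `curl` at all, so if the browser is redirected but `curl` is not, that points at the browser side rather than the network.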