Where to find and delete weird malware

Discussion in 'MacBook Air' started by JHballoonart, May 26, 2014.

  1. JHballoonart macrumors newbie

    Joined:
    May 26, 2014
    #1
    Hi. I am very new here. I have read, but not posted and replied. To start, I am "pretty good" with macs. I am far from an IT person, but a good bit above a novice. I can do the troubleshooting, but I do not always know the lingo (a short explanation would help). Therefore, I will need a detailed response, but not step by step.
    I recently got a malware problem masquerading as the "annual visitor survey" virus. I do believe there was adware, but I also think there was a more sinister virus installed. I am about 60% sure it was also set up to make my computer vulnerable to a key logger. I know a key logger typically needs physical access, but in this case I think it was remote. So whatever the name for that is. So to the point....
    The virus would appear in Chrome, though I am pretty sure it came through Firefox in a trojan through Adobe Flash Player or a torrent.
    If I were to type HBO GO and click on the link, there would be no problem, however, if I were to type www.hbogo.com to go directly to the site it would go to a survey page, hence the annual visitor survey masquerade. It would re-direct to websites such as allserverrecess.com. When I reviewed the java console it was an html and it appeared to have an ajax and/or googleapis component, though that is a trusted source. One thing I know for sure is that it came in through a jpg. I am not sure if it was a jpg through another program or what. I just know I did not download a random picture of some man and woman. I did delete it of course.
    I have done 3 system restores, including erasing the disk and reinstalling OS X. I have deleted all cookies and extensions, deleted and re-installed Firefox and Chrome, all Adobe software and any unnecessary program/download. I have also deleted any unnecessary or unknown certificates and used Little Snitch. With Little Snitch there were a few things that could be the culprit, though some are considered "trusted." A few (but the more likely are at the end) are "swscan.apple, xsanmgr, MIUI.SUv5, dsw4.akamai, clients2.google (I was confused about why a clients2 would exist, though it isn't completely insane), XQUARTZ, things under gamd (not gamed), lh5.googleusercontent, lphs." Like I said, most of those are supposed to be fine, but I know they can be masked as good when they aren't. Another potential problem is that in Little Snitch there was an unapproved rule of "UserEventAgent." When I declined it, a lot of the problems did go away, though not all of course.
    I know I have thrown a good bit out there, but I have been doing this for over a week. I am just putting in what I remember as being odd. I wish I would have written everything down so I could explain it better. At this point I do have a lot of it fixed, but it is not gone. I know just because of the occasional "weirdness." I attached a picture of what I mean by "weirdness." It came up when I was looking up a suspicious link from Little Snitch. Whenever I denied the link it went away. I REALLY wish I had a copy of the link for sure, though I am 99% positive it was gw02.lphbs.com or gwc-iad1.lphs.com or sb.scorecardresearch.com or 2201481.fls.doubleclick.net or tve.112.2o7.net or ci.beap.ad.yieldmanager.net. I want to know how to get rid of this completely and finally. I may have gotten rid of the bulk, but it could come back very easily. I also do not even remember how I got rid of everything exactly, which is sad. If anyone could help I would really appreciate it.
     
  2. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #2
    If you wiped the disk and reinstalled the OS, I would be very surprised if there was something malicious still on there, unless you inadvertently downloaded it again. Are you still getting redirected even after reinstalling the operating system?

    The stuff you are looking at now seems normal. Unfortunately, there are lots of trackers like scorecardresearch.com, doubleclick.net, etc. present on most websites. Some of them, especially Doubleclick, can be pretty nasty, but they aren't "malware" strictly speaking.
     
  3. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #3
    Like 556fmjoe said, if you wiped and reinstalled without restoring old (possibly compromised) files from a backup, you should have gotten rid of any malware/adware on there. You could try scanning your system with this adware removal tool.

    Some of what you describe is just the nature of skeevy websites that blast popup ads all over the place even with no malware/adware on your system.
     
  4. JHballoonart thread starter macrumors newbie

    Joined:
    May 26, 2014
    #4
    Thanks so much for responding. I am not currently being redirected, but this happened about the restores ago. After completely wiping the disk and reinstalling OS X, I was being redirected. It started with odd things like in the pic I posted (do you know what that is?) but eventually began redirecting again. That's why I was so shocked. Macs don't often get anything that nasty, and for it to survive several restores worries me. I could have gotten rid of it, but I'm paranoid because I've thought that before. Is there any info you need that could help you further? And you say everything seems normal? Even everything towards the end of my last post?
    Thanks a lot for all of the help!!! I'm not getting any elsewhere!
     
  5. 556fmjoe macrumors 65816

    556fmjoe

    Joined:
    Apr 19, 2014
    #5
    If it is present after reinstalling the operating system, then you are probably restoring the malware from your backup. If you back up all of the files on an infected machine, the malware will return along with your files. I'd try using an earlier backup if you have one and see if the problem persists.

    Malware that survives reformats and reinstalls is extremely rare regardless of OS and wouldn't be the kind of thing that would just redirect your browser.
     
  6. Weaselboy Moderator

    Weaselboy

    Staff Member

    Joined:
    Jan 23, 2005
    Location:
    California
    #6
    Another idea that might help some is to use OpenDNS as your DNS service. That might help with the redirects.

    Just enter these DNS servers on your Mac in the network settings.

    Code:
    208.67.222.222
    208.67.220.220
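    As an added example (not part of the original thread), a small script that checks the resolvers a Mac is actually using against the two OpenDNS addresses above and reports anything else, since an extra resolver you did not configure is a common way adware keeps redirects working. It assumes the live list would come from `networksetup -getdnsservers` (the interface name `Wi-Fi` is an assumption; older systems call it `AirPort`); the input below is constructed so it runs anywhere.

    ```shell
    #!/bin/sh
    # Expected resolvers: the OpenDNS pair from the post.
    EXPECTED_DNS="208.67.222.222 208.67.220.220"

    # check_resolvers "<resolver list>"
    # Prints every resolver that is not in EXPECTED_DNS.
    # Returns 0 when all resolvers are expected, 1 otherwise.
    check_resolvers() {
        case "$1" in
            "There aren't any"*)   # networksetup's wording when DHCP supplies DNS
                echo "no resolvers set manually (DHCP-provided DNS in use)"
                return 1 ;;
        esac
        unexpected=0
        for ip in $1; do
            case " $EXPECTED_DNS " in
                *" $ip "*) ;;      # one of the configured OpenDNS addresses
                *) echo "unexpected resolver: $ip"; unexpected=1 ;;
            esac
        done
        return $unexpected
    }

    # On a real Mac you would pass the live list, e.g.
    #   check_resolvers "$(networksetup -getdnsservers Wi-Fi)"
    # Constructed inputs so the script runs stand-alone:
    if check_resolvers "208.67.222.222 208.67.220.220"; then
        echo "resolvers OK"
    fi
    check_resolvers "208.67.222.222 192.0.2.53" || echo "review your DNS settings"
    ```
    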
     
  7. JHballoonart thread starter macrumors newbie

    Joined:
    May 26, 2014
    #7
    I actually did not use any backups to be safe, but I did think an iCloud document seemed fishy. It kept popping up at weird times while investigating. I also deleted Dropbox temporarily just in case. It is rare for a virus to come back after a restore. That's why I'm freaking out!! I can handle a virus typically, but this was kicking my butt!
    I haven't tried the DNS yet. I'm going to give it a shot. Thanks again to you all for the help! I'll check back in!
     
  8. vernony macrumors newbie

    Joined:
    Mar 11, 2014
    Location:
    Essex UK
    #8
    Viruses and Malware

    Hi, I'm lost. I have ClamXav installed and it does a complete virus/trojan check once per day of the HD.
    Each time it runs it turns up the same 16, mostly Win viruses and trojans, but also some suspect double extensions and an OSX.Adware.Geonei-9.

    all of these are said to be one example is

    /users/(my name)/desktop/.BC.T.fHc53.Geonei-9 FOUND

    I have tried checking the ClamXav check boxes for either "quarantine infections" or "delete infections". But it doesn't do either. It just faithfully reports that they are there each time it does a scan.

    I want to get rid of them, but I can't find them. Anyone out there can tell me where I look, and when I find them how to delete them? Thanks
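    An added example, not from the thread or ClamXav: the reported path begins with a dot (`.BC.T.fHc53.Geonei-9`), and Finder hides dot-files, which is why the scan keeps finding them but the Desktop looks empty. This script lists such files in a folder and moves them into a quarantine folder for review rather than deleting them outright; the folder names and the sample file are constructed (on a real Mac you would point it at `~/Desktop` and a quarantine folder of your choosing).

    ```shell
    #!/bin/sh
    # In Terminal, `ls -la ~/Desktop` shows dot-files that Finder hides.

    # list_hidden DIR -> prints hidden regular files directly inside DIR,
    # skipping the two dot-files macOS itself keeps in every folder.
    list_hidden() {
        find "$1" -mindepth 1 -maxdepth 1 -type f -name '.*' \
            ! -name '.DS_Store' ! -name '.localized'
    }

    # quarantine_hidden DIR QDIR -> moves the hidden files from DIR into QDIR
    # (created if missing) and prints how many files QDIR now holds.
    quarantine_hidden() {
        mkdir -p "$2"
        find "$1" -mindepth 1 -maxdepth 1 -type f -name '.*' \
            ! -name '.DS_Store' ! -name '.localized' -exec mv {} "$2"/ \;
        list_hidden "$2" | wc -l | tr -d ' '
    }

    # Constructed demo folder standing in for ~/Desktop.
    demo=$(mktemp -d)
    touch "$demo/.BC.T.fHc53.Geonei-9"   # name taken from the scan report
    touch "$demo/holiday.jpg"            # an ordinary visible file, left alone
    touch "$demo/.DS_Store"              # Finder metadata, not a finding

    echo "hidden files found in $demo:"
    list_hidden "$demo"
    moved=$(quarantine_hidden "$demo" "$demo/quarantine")
    echo "moved $moved file(s) to $demo/quarantine; rescan, then delete if confirmed"
    ```

    Re-run the ClamXav scan afterwards; once it reports nothing, the quarantine folder can be emptied.
    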
     
  9. Bruno09 macrumors 68020

    Joined:
    Aug 24, 2013
    Location:
    Far from here
  10. vernony macrumors newbie

    Joined:
    Mar 11, 2014
    Location:
    Essex UK
    #10
    Brilliant

    Brilliant Bruno. It fished out a mass of pictures and some other bits and shoved them all in the trash. Fingers crossed
     
  11. vernony macrumors newbie

    Joined:
    Mar 11, 2014
    Location:
    Essex UK
    #11
    Bruno

    Hi, just to say the ClamXav scan of the HD has just come back with 'No infected files found'
     
  12. Bruno09 macrumors 68020

    Joined:
    Aug 24, 2013
    Location:
    Far from here
  13. alanrocks macrumors regular

    alanrocks

    Joined:
    Nov 15, 2011
    Location:
    United Kingdom
    #13
    Thanks for this advice, it's helped me!
     