Trojan on my Mac??

cee_jay · 07-02-2010 8:14pm #1

I have an iBook G4, running Mac OS X version 10.4.11
I am using Safari Version 4.0.4

Every so often I notice some other windows open - these windows will either have Google or http://upperup.com/1.html in the address bar.
I don't know when this is opening - just if I click on Window, these windows will have appeared there.

I found this link where someone else is having the same problem as me, someone replied with the following solution:
Clean you machine using this...
http://www.iantivirus.com/
But that doesn't work on 10.4 only 10.5.

Any ideas?

cee_jay · 07-02-2010 8:16pm

Just after posting this thread, and that upperup.com appeared in a new tab. The only tabs open were this one from boards, and facebook which has been lying idle for over 30 mins.

doccy · 07-02-2010 11:58pm

I'm surprised Apple security updates haven't killed that. It seems to be a case of lack of support for a non intel machine. Have you checked Apples forums, there should be a pretty easy fix for that. Apple trojans are really rare.

muggyog · 08-02-2010 1:00pm

Nice one bedlam! So just download the first one here

cee_jay · 08-02-2010 9:35pm

bedlam wrote: »

http://macscan.securemac.com/osxjahlav-c-dnschanger-trojan-horse/

Thanks a million - that seems to have worked a treat!

cee_jay · 10-02-2010 7:52pm

Its back

Not as often but every now and then I see either the upperup or a google window open in the background on safari.
I ran the DNSChangerRemoval Tool again and it didn't detect it this time.
Any other ideas? I am at a complete loss when it comes to this type of an issue on Macs.

cee_jay · 13-02-2010 2:04pm

Anyone any other ideas on this? Still happening.
Tried the tool above and it didn't pick it up again.
Downloaded MacScan and ran that and it didn't find anything either.

nialler · 13-02-2010 8:19pm

sorry carol but have you checked what your homepage is in the preferences, as this may be set to one of those sites that open multiple windows on your web browser and this may be causing the problem, there's very few trojans that are about for the mac, keyloggers etc are practically non existant as you need an admin password to install stuff

oh annd if you want a DNS set it to

194.125.133.10 and 11 they're eircom's or indigo's for those that remember them

JackRoch · 14-02-2010 10:00pm

I've got the same blank windows: upperup.com and google.co.uk
Tried running the latest MacScan 2.7 which removed tracking cookies but didn't help with DNS Changer. I gather the free DNSChanger removal tool is included in the full program.
...just to save anybody forking out $30!
And a few hours. Sighhhh

I'm running 10.4.11 on an ancient PowerBook

muggyog · 14-02-2010 10:26pm

DNSChanger Removal Tool is free

JackRoch · 14-02-2010 10:35pm

Which is why, when DNS Changer didn't work, in my touching naiveté I hoped that the full version might find something else!

muggyog · 14-02-2010 10:56pm

Download Firefox and see what happens ( although I find the latest version [v3.6] buggy ).

JackRoch · 14-02-2010 11:22pm

Thanks for the suggestion muggyog. I should've said, I'm using Safari 4.04 (incl Pithhelmet, ClicktoFlash) and Firefox 3.6 latest build. I do find the blank windows open quicker and more frequently on Firefox.

I've just downloaded Hostal from apple and added the upperup url to it's block list. I've no experience (or much knowledge!) of this program so fingers crossed...

JackRoch · 14-02-2010 11:24pm

Drat - I pressed the trigger too quick.
I meant to say: "I do find the blank windows open quicker and more frequently on SAFARI"

sorry!

muggyog · 14-02-2010 11:44pm

nialler makes a good point. Also what happens if you turn on Block pop up windows in Safari?

JackRoch · 15-02-2010 12:19am

I have 'Block pop up windows' and 'blank home page' set as default before the problem arose. It invariably seems to be triggered by clicking on links. Can't remember the name of the bits of malicious software that intercept clicks but I'm assuming that's what's causing it. - which is what prompted me to try Hostal.

JackRoch · 25-02-2010 3:17pm

MrWilliam wrote: »

As for me for protecting mac i prefer use ProteMac NetMine.It's firewall.It’s tool protects against viruses.I like it.:pac:

The trouble with this thing is that it is *not* a virus! It gets installed with the (inadvertent) permission of the user. Using any URL blocking system after that simply means the browser shows a blank page with "unable to connect to server" - so you might as well put up with the blank "upperup" page anyway!

ClamAV with recently update defs gets rid of it. iAntivrus doesn't work for 10.4 users - and in my case the DNS changer stops connecting to their page anyway. Macscan or their free DNS changer removal tool doesn't find it either.

frag420 · 27-02-2010 4:32pm

Im having the same issue with the upperup page always appearing. I also always get a google search page behind the page(s) im looking at.

I tried DNS changer removal tool scan and it found nothing. However the scan took only a few secs to scan my macbook. Surely this cant be right eh?? Any other scans I have ever done took several mins or more.

Can anyone shed any light on this for me??

FrAg

JackRoch · 27-02-2010 5:30pm

>FrAg
as I mentioned in the post before you: MacScan doesn't find this DNS Changer nor the free DNS Changer removal tool (which I think is just part of MacScan anyway).

ClamAv found three variants of the DNS Changer after a lengthy search. You could save some time by scanning either your just system folder or just the 'Internet plugins' folder in your 'library' folder.

Personally I'd recommend scanning your whole hard disc (it'll take overnight at least); when I did that ClamAv also found 3 phishing emails, etc., which MacScan didn't pickup.

Good luck!
JackRoch

maccored · 27-02-2010 7:32pm

have you tried running the activity montior (apps/utilities) to try and determine if theres some form of unwanted app running?

If you see something suspicious, google it. If it works out to be a malware app, use the terminal app and purge the malware.

JackRoch · 27-02-2010 8:57pm

well if it's any help these are the offending files found by ClamXav (got the name right this time) ...

QuickTime.xpt
count.jar-1888f8cd-52d8a21d.zip
classload.jar-7ed4fb82-456d9af3.zip
classload.jar-28e8d1c5-15ddf7c1.zip
classload.jar-1454d256-4a4eb55a.zip

On another forum I found this description as to what's happening...
http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml
note the 'Prevents Disinfection' para at page bottom.
I found on a different forum the names of some files to remove (which I did manually), only to find that not long later they'd reappeared. Grrr.

I seem to remember that some of the files were invisible - probably the one/s that do the re-infecting. So you may well be able to see them in action in the Console though.

That's why I gave up in the end and let ClamXav do it all for me. I didn't really feel confident enough to recognise suspicious filenames (like the ones above) and remove them manually.

MacGrrl · 16-04-2010 4:10pm

I had this problem on my iMac a while back and my A/V caught it. I use Intego's VirusBarrier X6 and I love it.

http://www.intego.com/

JackRoch · 16-04-2010 6:31pm

MacGrrl wrote: »

I had this problem on my iMac a while back and my A/V caught it. I use Intego's VirusBarrier X6 and I love it.

http://www.intego.com/

Shame it doesn't work with Tiger

Trojan on my Mac??

Comments