
Trojan on my Mac??

  • 07-02-2010 8:14pm
    #1
    Registered Users, Registered Users 2 Posts: 7,920 ✭✭✭


    I have an iBook G4, running Mac OS X version 10.4.11
    I am using Safari Version 4.0.4

    Every so often I notice some other windows open - these windows will either have Google or http://upperup.com/1.html in the address bar.
    I don't know when this is opening - just if I click on Window, these windows will have appeared there.

    I found this link where someone else is having the same problem as me, someone replied with the following solution:
    Clean your machine using this...
    http://www.iantivirus.com/
    But that doesn't work on 10.4 only 10.5.

    Any ideas?


Comments

  • Registered Users, Registered Users 2 Posts: 7,920 ✭✭✭cee_jay


    Just after posting this thread, and that upperup.com appeared in a new tab. The only tabs open were this one from boards, and facebook which has been lying idle for over 30 mins.


  • Registered Users, Registered Users 2 Posts: 366 ✭✭doccy


    I'm surprised Apple security updates haven't killed that. It seems to be a case of lack of support for a non-Intel machine. Have you checked Apple's forums? There should be a pretty easy fix for that. Apple trojans are really rare.


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    Nice one bedlam! So just download the first one here


  • Registered Users, Registered Users 2 Posts: 7,920 ✭✭✭cee_jay


    bedlam wrote: »

    Thanks a million - that seems to have worked a treat! :D


  • Registered Users, Registered Users 2 Posts: 7,920 ✭✭✭cee_jay


    It's back :(
    Not as often, but every now and then I see either the upperup or a Google window open in the background on Safari.
    I ran the DNSChangerRemoval Tool again and it didn't detect it this time.
    Any other ideas? I am at a complete loss when it comes to this type of an issue on Macs.


  • Registered Users, Registered Users 2 Posts: 7,920 ✭✭✭cee_jay


    Anyone any other ideas on this? Still happening.
    Tried the tool above and it didn't pick it up again.
    Downloaded MacScan and ran that and it didn't find anything either.


  • Registered Users, Registered Users 2 Posts: 896 ✭✭✭nialler


    Sorry Carol, but have you checked what your homepage is in the preferences? This may be set to one of those sites that open multiple windows on your web browser, and this may be causing the problem. There are very few trojans about for the Mac; keyloggers etc. are practically non-existent, as you need an admin password to install stuff.

    Oh, and if you want a DNS, set it to

    194.125.133.10 and 11 they're eircom's or indigo's for those that remember them
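
Added example, not part of any post in this thread: a DNS changer works by altering the resolver setting, so one check is to compare the nameservers a machine is using against the ones you expect. The function name, the sample input and the `/etc/resolv.conf` path are assumptions; the expected addresses are the two quoted in the post above.

```shell
#!/bin/sh
# Added example: report nameservers that are not on an expected list.
# The function name and the sample input are constructed for illustration.

# The two resolver addresses quoted in the post above.
EXPECTED="194.125.133.10 194.125.133.11"

# unexpected_resolvers "<allowed addresses, space separated>"
# Reads resolv.conf-style text on stdin, prints each nameserver that is not
# on the allowed list, and returns 1 if it printed any.
unexpected_resolvers() {
    allowed=" $1 "
    found=0
    # The "|| [ -n ... ]" keeps a final line that has no trailing newline.
    while read -r key value _rest || [ -n "$key" ]; do
        [ "$key" = "nameserver" ] || continue
        case "$allowed" in
            *" $value "*) ;;                          # expected resolver
            *) printf '%s\n' "$value"; found=1 ;;     # anything else
        esac
    done
    return "$found"
}

# Constructed sample: one expected resolver and one from a documentation range.
SAMPLE='# constructed sample, not taken from an infected machine
nameserver 194.125.133.10
nameserver 203.0.113.53
search example.net'

check_sample() {
    printf '%s\n' "$SAMPLE" | unexpected_resolvers "$EXPECTED"
}

# On a real machine (assumed path): unexpected_resolvers "$EXPECTED" < /etc/resolv.conf
if bad=$(check_sample); then
    echo "resolvers match the expected list"
else
    echo "unexpected resolver(s): $bad"
fi
```

A resolver that keeps reverting after you correct it is a sign that something on the machine is rewriting the setting.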


  • Closed Accounts Posts: 9 JackRoch


    I've got the same blank windows: upperup.com and google.co.uk
    Tried running the latest MacScan 2.7 which removed tracking cookies but didn't help with DNS Changer. I gather the free DNSChanger removal tool is included in the full program.
    ...just to save anybody forking out $30!
    And a few hours. Sighhhh

    I'm running 10.4.11 on an ancient PowerBook


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog




  • Closed Accounts Posts: 9 JackRoch


    Which is why, when DNS Changer didn't work, in my touching naiveté I hoped that the full version might find something else!


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    Download Firefox and see what happens (although I find the latest version [v3.6] buggy).


  • Closed Accounts Posts: 9 JackRoch


    Thanks for the suggestion muggyog. I should've said, I'm using Safari 4.04 (incl Pithhelmet, ClicktoFlash) and Firefox 3.6 latest build. I do find the blank windows open quicker and more frequently on Firefox.

    I've just downloaded Hostal from Apple and added the upperup URL to its block list. I've no experience (or much knowledge!) of this program so fingers crossed...


  • Closed Accounts Posts: 9 JackRoch


    Drat - I pressed the trigger too quick.
    I meant to say: "I do find the blank windows open quicker and more frequently on SAFARI"

    sorry!


  • Registered Users, Registered Users 2 Posts: 725 ✭✭✭muggyog


    nialler makes a good point. Also what happens if you turn on Block pop up windows in Safari?


  • Closed Accounts Posts: 9 JackRoch


    I have 'Block pop up windows' and 'blank home page' set as default before the problem arose. It invariably seems to be triggered by clicking on links. Can't remember the name of the bits of malicious software that intercept clicks but I'm assuming that's what's causing it. - which is what prompted me to try Hostal.


  • Closed Accounts Posts: 9 JackRoch


    MrWilliam wrote: »
    As for me, for protecting a Mac I prefer to use ProteMac NetMine. It's a firewall. It's a tool that protects against viruses. I like it. :pac:

    The trouble with this thing is that it is *not* a virus! It gets installed with the (inadvertent) permission of the user. Using any URL blocking system after that simply means the browser shows a blank page with "unable to connect to server" - so you might as well put up with the blank "upperup" page anyway!

    ClamAV with recently updated defs gets rid of it. iAntivirus doesn't work for 10.4 users - and in my case the DNS changer stops connecting to their page anyway. MacScan or their free DNS changer removal tool doesn't find it either.


  • Registered Users, Registered Users 2 Posts: 6,161 ✭✭✭frag420


    I'm having the same issue with the upperup page always appearing. I also always get a Google search page behind the page(s) I'm looking at.

    I tried the DNS changer removal tool scan and it found nothing. However the scan took only a few secs to scan my MacBook. Surely this can't be right eh?? Any other scans I have ever done took several mins or more.

    Can anyone shed any light on this for me??

    FrAg


  • Closed Accounts Posts: 9 JackRoch


    >FrAg
    As I mentioned in the post before you: MacScan doesn't find this DNS Changer, nor does the free DNS Changer removal tool (which I think is just part of MacScan anyway).

    ClamAv found three variants of the DNS Changer after a lengthy search. You could save some time by scanning either just your system folder or just the 'Internet plugins' folder in your 'library' folder.

    Personally I'd recommend scanning your whole hard disc (it'll take overnight at least); when I did that ClamAv also found 3 phishing emails, etc., which MacScan didn't pick up.

    Good luck!
    JackRoch


  • Registered Users, Registered Users 2 Posts: 10,770 ✭✭✭✭maccored


    Have you tried running the Activity Monitor (apps/utilities) to try and determine if there's some form of unwanted app running?

    If you see something suspicious, google it. If it works out to be a malware app, use the terminal app and purge the malware.


  • Closed Accounts Posts: 9 JackRoch


    well if it's any help these are the offending files found by ClamXav (got the name right this time) ...

    QuickTime.xpt
    count.jar-1888f8cd-52d8a21d.zip
    classload.jar-7ed4fb82-456d9af3.zip
    classload.jar-28e8d1c5-15ddf7c1.zip
    classload.jar-1454d256-4a4eb55a.zip

    On another forum I found this description as to what's happening...
    http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml
    note the 'Prevents Disinfection' para at page bottom.
    I found on a different forum the names of some files to remove (which I did manually), only to find that not long later they'd reappeared. Grrr.

    I seem to remember that some of the files were invisible - probably the one/s that do the re-infecting. So you may well be able to see them in action in the Console though.

    That's why I gave up in the end and let ClamXav do it all for me. I didn't really feel confident enough to recognise suspicious filenames (like the ones above) and remove them manually.


  • Closed Accounts Posts: 3 MacGrrl


    I had this problem on my iMac a while back and my A/V caught it. I use Intego's VirusBarrier X6 and I love it.

    http://www.intego.com/


  • Closed Accounts Posts: 9 JackRoch


    MacGrrl wrote: »
    I had this problem on my iMac a while back and my A/V caught it. I use Intego's VirusBarrier X6 and I love it.

    http://www.intego.com/


    Shame it doesn't work with Tiger

