Hacked, possibly OSX.RSPlug.A

Question Details

TICKET ARCHIVE -> Hacked, possibly OSX.RSPlug.A

dmnrocha - Mar 27, 2008 - 7:01 am

I have recently accidentally opened a file(dont remember the ext) that I believe opened in Illustrator CS3, I wasn't sure what the file was because this is a shared computer, so i just closed and deleted. Since then, my browsers Camino and Firefox have been infected, and i am using Opera because it seems it hasn't been hit yet.

The infection has randomly opened fake eBay pages and occasionally altered my viewing of web pages(including pornography ads on some pages), seemingly randomly. Just to be clear, I NEVER entered the administrator password for any untrusted programs.

I have done the crontab -l check and crontab -r check in terminal, and have checked my internet plug-ins folder, but have found nothing.

I am sure that I am infected, but I have no idea what else to do. I didn't think it was possible for malware to infect on osx without admin password, could this just be an advanced trojan?

Please Help

dmnrocha

Serenak - Mar 29, 2008 - 1:37 pm

Hello Damien

thanks for using macosx.com and I will try to assist you as best I can

OK - I suspect that you are infected but I very much doubt that you got it from opening an Illustrator file...

Get a free cleaner and more info on the Trojan here http://www.dnschanger.com/

Hope that helps

Serenak - Mar 29, 2008 - 1:39 pm

dmnrocha - Mar 29, 2008 - 10:06 pm

This is about 1/20th of the text when I try to download...

xs
bb``��Q0C��x�� @�Ј
X�=X�z/�B��Ma)�ܘC ��7��f�i�0��:gmf$^�JouQ�5��ջ�ːl�.��9�Ӽ��'��>�+n�a��K�kY惔��Ǐp��ە]�7�l�|ۯN�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @��w�'��x��]h^g��w�6��nR�(cc��+�N�Jӯu��4k�f��&��n ~�B��ڱ/d`/ĀBED/e�Bq�Y��K�$�kBOy�Ǜ��9��-E @�v�~_i+�Q>��K��.t��56�~m��R�b��F�Ⓖ,�Pė��O�'Sw��:y�_՟�2Nܥ�S�ǅo�� 7��
@��V�� 4Ji�|�D��F_ii��u{#6��wD\��ν� @�� @�� ^)Wʙ��L�r�Q��\���m�Ʋ�|��Se�/�/Gʩ�)�)ϖ��X��q��'�ߝq��ם��F#unGJ�f��o��scĻ�.t|%c��O�K��v}>�m�{ b��U��U��Xy:�4ϙ�=2�n�j�̹z�:�B��#��q\,�7+m_�x��Qj��8�� =U�,U��,_�:4^��= j_�=k��q�Pi��Z�H��Ѧ��YD��w͖�e>s;�V�'b݊�׌�V��;w}zaa�=2SʯG�])k�pO�q�IHɽk�=e�ny��-'��?�xI�T��Ҭ.��x�s�Go�t�G��y��]��n|w�h��o6E�GMy��
��xp*��3�~"G�s�,�
n��/��mG"�:�s:��(��8�R2��E�Lc{��pG��K�:��ӏF��2[��t"�u�J�g�Ę�_��B=g5S�[r�R~�Ȑc�7�}u~�7�,(k�9@Z��j��>��֐��vY`k�R|,b]��|�(�9�.�r�}��A�Q�CQ�#��:�L��s?�"ZXiy3�;C��7�}u~�79+?}r�s=��x�㉛��惧Ƿ�x��6W}1'=R��p$�M�V�]_��繳M�+�Ǳ_&!��6:{{�tOLI��)��y^qh��f$�}�hoK�k��9��瞞K=?�9 ڳ��5WW��ݯv��.]ov��g:.��o��vOַۚZG[�6��_�5��U{��Ξs�ߘe�:xݪpb�_��,��s�\;��->Tw��~��uVKY�8��s՟��d��nl�{�V�\c�؅��+�G��[s�<¤ȶXF�>�T�x�"�C��|�y`^ϵ��A�$Wz��&��OK��Fͨ��8��2��z��l��_��W��U-��\��o�b$�ydԬ�ik��Ǿ�/E��S��ƷD��f�|��q��P�0_��~��j�:��]�*W��k��S��W6�۹\�;�|c�)�>��U�{��8~�z��ӝe��}�}4�$��,�o�5i3�8Oym��'��4�Ks}��ir^<~��{�Ly��K�6� @`��}�ŵ�ݼvÚ+�/u�ؽ��rץ�]��|罝�㍎�;ζ��`ۆ��x��Q~8��S��ŭ��XN��*;6 @�� @��8�׽l��})<9 @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @��y�gyP
x��1�� O�m�@a�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`��<�x��1�� O�m�@a�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`�0`��<�x��eP�A�(�w
�@��$@pww��!��[��kpwww[�glշ��Ϟ�)�xz��n��@�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @�� @��@��'T$B��P�?�Ƚx��%��6��*��Fκv�/
��ߊ[��|��3�y��PL\DP�e�ɴ�pڑ��o{�J+"�~V ߷��F��O6ʞ�"*%��X��
~4��78��v�1�v9��41�H�qԶ��|Ń_��k@Đ��m��4m�4M��y�z�->ܢ��_�Ax�X�Kv��Q�|��0=��i�aJ ��r��@��߯}v��_�K��I��떶�3��?��Y��b��:��8̈�l�*��
_�nu��:�a6�Y�?�Dѣ�:�禛/�d<��o�ܥ��&E��+�G�W
i��u�#��<��'��렬GIY��_q�oP�U�~}e�m@��e�{;��85��CU#��%��秞��6�� lJ�˲�n��M2Ժ |/3��s��Σ�(�u;��g�qc&� ��IP��z^w�<��<��#�P�{�2�7�3��{�ijZZ[�]��p% ��k^�W?�0�uK�6�� 8ҥ۩�%�e|C=��tV�Gb�p��L��Ȁ��w�C��M��H��$5�H|8F�u8�a�湜�_`��۵�eO��!� `\֠��6]-��uɸ�ab��
MF��!��l�2�/��`XŌDG��:�A��!��#��}��MA�r��܃��es97��/��ţ�Q��ѻ�G��%��D&vb��됖R��V�5%�8�f��Q}��[��#�p�m^�Dүm��E|�8��~��p1ݲ�{��Sz�:3��'�u]t��-5��Eg�th;y��=>>��RRoe\�V_no��`J�&�!��qf��?�i�:�M�usZn�ְ�J� WT��ȁ�P7m�4�:
u:��zʉl��So*R��=�[��ߠo��dv�s��_{v��M��}��p �"��
��_��~�6�\��0,��9R��5��8�)��#��7d��-?bI�X2��=��}��U�7D��~3[�� @��i�ǥ�怯��B%��L��j֔y�Nmrw�m�9S�s��Eyo'ҽ/�=E�V_�t>gO}��疺��&��.�}��=�o��:ů�F��c��^�?��:$mߤ8/��?��N{\�k��iY��Ӧ�Wi��nk�˻vS�ř�V&�ߴ#W�G]��lLF��-��-��D=��E37l�!��[�׷�>{��c��&�x��F'ʭ?Nݕ�^��+�W=o��r~�=G5�r˿R�l͸86��Hs�V��~ zzZ1�g�O��:��^ ��fr�>�0�t�)Q�hJ�Ɠ ��2��zu��BD/l��4@_3��p>~�݁�?�h��n\X�P8
�+�c��h� ��U�W�m��e�R~YՐ�|�_�h��2lPږ�y��~;[��Ӿm�
>m�W��n�r�ʅ5��V�wu��
�N�G^_?��b+9e?�7'�/�'��,�L>Pe~z"{�է��2�#��ƴ�W��A��6�q+��gu��i�<�+��sde6�A�w��Ș&==Ȓ&��;�Grs>�`��'�*�Hs�|�� q'e~֞�&}(ݼtO��#I[Qӥ��^|��Y�B�-�Ql��Q"�
I„��!F3֮Yf7�x�R.�jX%O�?�s?L~�:I��b�a7I��b#ԗ��ba�H)a��'��YpK�:ʝ!�ꭊ��I�5��.oH� �
��0*��6k��+��,�%�4?��U��/�NA��{�Dl�Fv��3Bzw}}��K ��o��9��ɣ,�!M�[%fIa��o�j^�h�t��u��.�:
��'�ϗ7��G��I�B7&W#��򷃜훓] �;�N��r��(��ϸ�t(��Bz�ܑ�f_!V��xX��j��#��!
6��@�*F�(�(Y��g�)��(��J3=݊�Xs�\��_��C�1�cS��(��:��7�˥G��-u���E7��h�T�]xJ��s�㵫�<�.E��擶�o
�Z��z|�<��/"QL�zK�u��v�ks��GM|��.�I�[��q�M��_�{��U��-G��뎔)ܺO�B�Z�W�ˏcg2�yӉ�z��%˷�ڵ��n�k[��s��9��K��ø�#�W�9C�)�[��x��S�1��e�;d��:�뱤�^o�`2�s��>�Ċ-�a�E�m�^�-� β�I�0ύ��f|ש��<��Ko�%��[�Cع��5L�̵5д��7}2�u[I5�En��:+��b��|��_o8�k��y�x=g�� [�M�U�Z�q
.��z��nr�aK��ɲl��<~��a��t0��5?{��/��6u��N��-3g'#�g�l�q|\��s��CO��Z+�ӆ1��1�U]t�!4�q��KP2‘�oڒE��|r��C3��Ҩ1$�h��=�
�aL�^��\��M1L�D

Whats goin on?

Serenak - Mar 30, 2008 - 6:45 am

OK so that is what you get when you download the removal tool?

You should get a .dmg file, you could try simply renaming the file that you download to something.dmg and try opening it again... or you could go to the download site again and right click/ctrl click the download button and select download linked file as.

If you send me your e-mail address I will send you the .dmg using a free service called www.yousendit.com - a sort of web ftp service (I can stuffit or zip it too if you want) - if you cannot open that then you have some other issues.

YOu say you never gave anything your Admin password - but you said the Mac was shared, can you be sure another user didn't download/install something silly? The DNSchanger Trojan is usually associated with dodgy porno pages... but yes you do have to install the "codec" in the normal way - so if you didn't do it someone else did, and if no one else is supposed to be Admin check that is true and change your Admin password in case someone has learned it.

I will wait to receive your personal email address

dmnrocha - Mar 31, 2008 - 3:06 am

my email is dmnrocha@yahoo.com

i dont think any other user could have done that, but im going to get a keylogger just to make sure

and btw, all that error shit came up after i clicked the download link, and instead of the page loading, that showed up. I have tried it many times in different browsers and it's always the same.

stuffit when you send the dmg please
thanks

TechSupport - Apr 3, 2008 - 3:10 am

We apologize for not being able to resolve the issue you asked of us. It is the absolute worst case scenario for us to do this. In our review of why this happens, it generally is related to either the particular issue being addressed or frequently, incomplete or incorrect information provided. We hope by moving your request to the public forums that you will be able to get a solution without leaving you empty handed.

Your ticket has been closed with our support team. Your request has just been posted to Mac OS X System & Mac Software and is available for your viewing at:

http://macosx.com/forums/showthread.php?t=299547

Again, thank you for using Macosx.com. We hope you will consider using us again in the future.

IF THIS IS YOUR QUESTION AND YOU WISH TO RESPOND, LOGIN HERE FIRST.

DATE	Mar 27, 2008
TICKET	#336809
STATUS	Closed
SUBJECT	Hacked, possibly OSX.RSPlug.A

CAT	Computers, Operating Systems, Applications or Connected Devices
TYPE	Operating System Features, Bugs and Problems
DESC	Apple
DESC	10.4.X (Tiger)

PLATFORM	Apple Macintosh (PowerPC G3,G4,G5)
MODEL	Mac Mini
PROC	1.5 GHz
RAM	512MB DDR SDRAM
DRIVE	74.53

NAME	Damien
USERNAME	dmnrocha
TECHNICAL	Little Experience
ISSUE	Lots of Troubleshooting