Spyware on macosx

It’s sad to say it, but I had my first incident of spyware… on nothing less than my macosx.

I found out because I had these popups that came up when browsing in firefox:

It always pointed to the same ip adress At first I thought it was something wrong with popup blocker in firefox, so I installed adblock in hopes that it help. It didn’t. That was what pointed me in the right direction.

I installed MacScan, and what do you know. It found a Trojan called DNSChanger..

I have managed to stay ahead of the game so far by being careful about what I install. Obviously, that didn’t help. So I guess… no more gay porn for me. (Hey, JUST KIDDING!)

Unfortunately, after many trials I discovered that MacScan didn’t do their job properly to remove the file. It only removed a file named plugins.settings, but there was a lot more than that happening. I started searching out more information about the problem and found a site containing analysis of what the trojan does. So, here is what one must do to remove it:

Crontab contained this line:
sudo crontab -l
* * * * * “/Library/Internet Plug-Ins/QuickTime.xpt”>/dev/null 2>&1

I removed it using this command (DELETES ALL CRONTABS FOR ROOT) : sudo crontab -r

Delete: /Library/Internet Plug-Ins/plugins.settings
Then I deleted /Library/Internet Plug-Ins/QuickTime.xpt

After this session – No more popups for me !!! *Celebration*
Previous history:

Update: DAMN! That popup is still there !!! So what in the hell is it? Firefox is in “show no popup” mode.
So I tried this solution and set privacy.popups.disable_from_plugins = 3 (instead of 2). Hopefully that helps..

Update2: Apparantly, that didn’t help as well. Now I’m really baffled. And it makes no sense, because it pops up randomly on different sites.. *thinking hard*

Update3: My last desperate act is to search through all files on my harddrive looking for the ip adress in question (though time consuming). A tip is to delete all history files (clear browser history etc) where the ip adress might appear.
sudo find . -exec grep ‘’ {} \; -print

I got a hit on these files:
~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/places.sqlite
~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/places.sqlite-journal
So I renamed the file too places.sqlite-journal.old.The files is used for preserving Firefox browsing history. In my case – will not be missed. That didn’t help – the popup is still there.

~/Library/Application Support/Firefox/Profiles/7kojvnaz.default/sessionstore.js
Firefox session data

About Haridasi

integrity - the state of being whole, entire, or undiminished.
This entry was posted in Technology and tagged . Bookmark the permalink.

5 Responses to Spyware on macosx

Leave a Reply

Your email address will not be published. Required fields are marked *