PDA

View Full Version : Search results being hijacked.



tintinaujapon
2nd March 2010, 06:54 PM
A friend has given me his (very old) iBook to try and fix a problem.

Whenever he uses the google search field in either Safari or Firefox, the results seem to be hijacked and go via something called search2google.com and a succession of other URLs. Searching is slow and totally ineffective.

I can't see any obvious spyware app. I don't see any funny DNS address.

I don't know where to begin trying to fix this?

MacTalk brain, please help.


EDIT: This was happening on the work wireless network, and it's still happening on my home wireless network.

vecsty
2nd March 2010, 07:19 PM
DNSChanger Trojan Horse Removal - OSX.RSPlug.A OSX/Puper OSX/Jahlav (http://www.dnschanger.com/)

tintinaujapon
2nd March 2010, 08:09 PM
That didn't find anything, after I'd already run the same company's MacScan software - which did find 5 tracking cookies and removed them.

That fixed up Safari, but Firefox is still being hijacked. I tried emptying all cookies but that hasn't helped.

Lutze
2nd March 2010, 09:00 PM
Remember, firefux has it's own dns settings that don't follow the system config.

pixelicious
2nd March 2010, 09:37 PM
What happens if you go to Google (http://www.google.com) ? if you get directed to search2google.com; its a DNS issue.

If it's just in your search bar it's most likely been changed in the browser settings

tintinaujapon
2nd March 2010, 09:42 PM
If I type anything in the address bar I go to that address correctly, including google.

If I click on any link in the browser itself, I get redirected all over the place.

I look at Firefox's internet connect settings but didn't see anything odd.

decryption
2nd March 2010, 10:00 PM
Go into activity monitor and see what's going on. Select "All Processes" from the dropdown box in the toolbar so you can see all the processes running, not just the ones launched by the user account.

Lutze
2nd March 2010, 10:02 PM
also... what url appears in the status area when you hover over a link?

tintinaujapon
2nd March 2010, 10:42 PM
Here's what the processes in the Activity Monitor look like. I can't spot anything strange in that.

http://img18.imageshack.us/img18/8535/picture1ne.png (http://img18.imageshack.us/i/picture1ne.png/)

Hovering over a link shows the correct link in the status bar.


EDIT: Hold the horses. Between MacScan and the DNS cleaner, after a restart and a rest it seems to have fixed it. Just been searching and clicking page links for the last 5 minutes and there's no hijacking going on.

This is the first time I've seen something like this on Mac! Was my friend delving into places insalubrious? Is that where he picked up this nasty?

decryption
2nd March 2010, 10:46 PM
What's pbs, ATSServer and LAServer?
Also, click the "My processes" drop down box and select "all processes" - will give you a list of *all* the things running on the Mac, not just what the logged in user has permission to see.

tintinaujapon
2nd March 2010, 10:51 PM
I have no idea what those are but LAServer has disappeared, and the quitting the other two will log me out, so the dialogue box tells me.

Here are All Processes:

1188 Activity Monitor 7.80 3 27.05 MB username 129.51 MB PowerPC
1055 Firefox 7.20 14 96.64 MB username 303.58 MB PowerPC
44 configd 3.30 3 2.11 MB root 29.13 MB PowerPC
1189 pmTool 2.60 1 1.32 MB root 37.39 MB PowerPC
62 WindowServer 2.10 2 21.61 MB windowserver 147.41 MB PowerPC
0 kernel_task 0.80 45 82.66 MB root 979.26 MB PowerPC
85 SystemUIServer 0.50 3 10.86 MB username 138.51 MB PowerPC
91 UniversalAccessApp 0.30 1 3.40 MB username 112.78 MB PowerPC
84 Dock 0.00 2 3.00 MB username 90.19 MB PowerPC
32 kextd 0.00 2 1,004.00 KB root 27.55 MB PowerPC
86 Finder 0.00 3 9.50 MB username 130.80 MB PowerPC
145 cupsd 0.00 2 1.31 MB root 27.85 MB PowerPC
59 distnoted 0.00 1 784.00 KB root 27.02 MB PowerPC
90 iTunes Helper 0.00 2 2.01 MB username 103.11 MB PowerPC
1127 Safari 0.00 10 67.30 MB username 299.96 MB PowerPC
89 iCalAlarmScheduler 0.00 1 2.89 MB username 107.64 MB PowerPC
188 automount 0.00 3 1.08 MB root 29.02 MB PowerPC
1193 ARDAgent 0.00 4 1.75 MB username 61.98 MB PowerPC
37 KernelEventAgent 0.00 2 592.00 KB root 27.19 MB PowerPC
193 automount 0.00 3 1.04 MB root 28.73 MB PowerPC
38 mDNSResponder 0.00 2 1.05 MB root 27.37 MB PowerPC
40 syslogd 0.00 1 408.00 KB root 26.64 MB PowerPC
39 netinfod 0.00 1 564.00 KB root 26.95 MB PowerPC
41 usbmuxd 0.00 2 1.05 MB _usbmuxd 28.38 MB PowerPC
1194 AppleVNCServer 0.00 3 1.84 MB username 60.75 MB PowerPC
42 cron 0.00 1 452.00 KB root 26.89 MB PowerPC
68 coreservicesd 0.00 3 8.64 MB root 39.94 MB PowerPC
1122 mdimport 0.00 3 2.48 MB nobody 38.62 MB PowerPC
43 xinetd 0.00 1 596.00 KB root 26.76 MB PowerPC
70 loginwindow 0.00 3 3.82 MB username 110.67 MB PowerPC
129 mds 0.00 8 3.83 MB root 43.29 MB PowerPC
69 ATSServer 0.00 2 6.85 MB username 124.45 MB PowerPC
45 coreaudiod 0.00 1 1.71 MB root 30.71 MB PowerPC
134 AppleFileServer 0.00 3 1.21 MB root 33.79 MB PowerPC
176 nfsiod 0.00 5 180.00 KB root 28.62 MB PowerPC
46 diskarbitrationd 0.00 1 1,020.00 KB root 27.13 MB PowerPC
48 memberd 0.00 3 608.00 KB root 27.66 MB PowerPC
50 securityd 0.00 1 1.63 MB root 28.49 MB PowerPC
49 notifyd 0.00 2 456.00 KB root 27.21 MB PowerPC
1154 lookupd 0.00 2 1.56 MB root 28.51 MB PowerPC
1456 PopupDictDaemon 0.00 4 26.19 MB username 182.39 MB PowerPC
52 DirectoryService 0.00 4 2.04 MB root 30.06 MB PowerPC
79 pbs 0.00 2 1.86 MB username 54.18 MB PowerPC
162 ntpd 0.00 1 412.00 KB root 27.09 MB PowerPC
142 ARDHelper 0.00 1 140.00 KB root 26.61 MB PowerPC
1125 mdimport 0.00 4 3.10 MB username 39.40 MB PowerPC
101 crashreporterd 0.00 1 200.00 KB root 26.61 MB PowerPC
28 dynamic_pager 0.00 1 160.00 KB root 26.63 MB PowerPC
1 launchd 0.00 3 512.00 KB root 27.68 MB PowerPC
56 update 0.00 1 216.00 KB root 26.61 MB PowerPC
185 rpc.lockd 0.00 1 192.00 KB root 26.67 MB PowerPC


As I say though, the problem appears to have gone for now.

decryption
2nd March 2010, 11:10 PM
Well, ATSServer is "The Apple Type Solution Server; responsible for managing the available fonts and making them available to applications."

LAServer is something to do with displaying Japanese characters.

Very odd that that the problem disappeared all of a sudden. If you want it fixed, wipe the Mac and install 10.4 from scratch. I would like to know what was going on though.

tintinaujapon
2nd March 2010, 11:31 PM
Well, MacScan found 5 'tracking cookies' and I remember seeing that they were all associated with internetconnect.plist in some way. By the names of them, they were clearly ad traffic oriented.

I've got my friend's machine for another day or so, so I'll keep testing it to see what happens.

Thanks for the help and suggestions so far.

vecsty
3rd March 2010, 07:11 PM
Did you restart the mac after you ran MacSacn ?

I would say you had the Trojan.

tintinaujapon
4th March 2010, 01:41 AM
I think I might have opened a browser before restarting.

Which might explain why the problem is back again today....

I've updated MacScan's definitions and am performing a full scan at the moment.

tintinaujapon
4th March 2010, 10:09 AM
OK. A full disc Macscan found absolutely nothing.

The DNSChanger tool found nothing.

Looking at plugins however, I found:

Verified RoveSupa Plugin - Porn4Mac

Which I believe is the single Mac trojan in the wild. I've disabled it in Firefox, where that is an option - but it remains in both Safari and Firefox and is still active in Safari.

You'd think there'd be clear instructions on the net as to how to get rid of this bastard but not that I can see.

Lutze
4th March 2010, 10:38 AM
OK. A full disc Macscan found absolutely nothing.

The DNSChanger tool found nothing.

Looking at plugins however, I found:

Verified RoveSupa Plugin - Porn4Mac

Which I believe is the single Mac trojan in the wild. I've disabled it in Firefox, where that is an option - but it remains in both Safari and Firefox and is still active in Safari.

You'd think there'd be clear instructions on the net as to how to get rid of this bastard but not that I can see.

Single user mode > root account if possible > trash?

tintinaujapon
4th March 2010, 10:41 AM
I can't find where the bastard is to trash it Lutze. Spotlight doesn't work and it's nowhere obvious that I can see.

BiRDBRAiN
5th March 2010, 01:03 PM
ROFL "Porn4Mac"

I was going to suggest nuking his Firefox plug ins.

scarbrow
6th March 2010, 02:37 AM
You could try using other search programs. There are a few out there, one that I use which is free is called EasyFind.

kyte
6th March 2010, 05:19 AM
Does ClamXav deal with this kind of crapola? Crikey, never thought I'd see the day when OSX browsers got hijacked.

tintinaujapon
6th March 2010, 10:13 AM
I found info last night which seems to direct how to get rid of the trojan. I'll post the link next time I get on my MBP. I won't have his computer again until Tuesday to see if it works or not. I'll clean install if necessary.

I'm a bit disappointed that this can happen on a Mac too. And that it's so hard to clean. On the other hand my friend had to actively choose to install it and it was clearly from a dodgy source.

vecsty
6th March 2010, 11:08 AM
I'm a bit disappointed that this can happen on a Mac too. And that it's so hard to clean.

Why are you disappointed ?.

AfterBurner_1
7th March 2010, 03:45 AM
just because Macs are easy to use doesn't mean they're going to stop any wally from ballsing it up at a moments notice, everything is like that and it gives me the McShats.

tintinaujapon
8th March 2010, 12:34 AM
I'm disappointed that I can no longer honestly mac-evangelise by saying that I've never in 20 years come across the kind of problems which plague Windows.

Once in two decades is still a great record, but the fact remains that the perfect record is broken. If I can't clean it using this information (http://www.macworld.com/article/60823/2007/10/trojanhorse.html) next week, I'll backup and reinstall OS X 10.4 on my friend's geriatric iBook.

thorevenge
9th March 2010, 04:38 PM
I wouldn't feel so bad.

Your friend still had to
a) Be visiting dodgy sites
b) Want to see the dodgy sites badly enough to download software
c) Be silly enough to install something that he didn't know what it was
d) Use his password to complete the install

So your evangelical faith is still safe!

jeremy_warnock
9th March 2010, 04:51 PM
orn4Mac? your friend??

Come on Brendan own up you filthy monkey!

tintinaujapon
10th March 2010, 01:01 AM
JW, I don't do porn on the home connection. That's what work colleagues' computers are for.

The removal instructions seemed to have no bearing on the friend's computer, so I've clean installed Tiger. What a bastard that thing was.

You're right Thorevenge - I'll make sure to educate my friend so that he doesn't go back to exactly the same corner of the Net and do it again straight away.

decryption
10th March 2010, 06:50 AM
Unfortunately, a robust OS is no replacement for user ignorance/stupidity :(
If it was running Windows and full of crapware, I would have done a re-install as well.

QueenOfSwords
10th March 2010, 12:06 PM
Drats, I got in too late to recommend you check /etc/resolv.conf (DNS host settings, host to IP mapping overrides). Anyway hopefully the user has learned their lesson.