Virus, Malware? How do I find it?

Posted in Genius Bar, edited January 2014
About once a day I get a random request that pops up asking me to open my mail program. I have since deleted the mail program on my 15" 2.8GHz MacBook Pro Core 2 Duo with OS X 10.6.3; however, now it just opens a box asking what program it should use.

I have tried opening Activity Monitor to find what program is running that is causing this, but nothing unusual shows up.

Anyone have any idea how I can track down this puzzle? It almost seems like how a virus acts on a PC, trying to send out mail behind my back.

Dan

Comments

  • Reply 1 of 9
    hiro Posts: 2,663 member
    All that's assuming it's actually infected. It may be, or it may also be a benign request by something like a registration manager.

    It's really difficult to tell with the sparse info given. Do the backup ASAP to protect your data just in case.

    I would suggest installing Little Snitch to see if there is any unexplainable network activity; if there is none, then you could rule out botnets. But to be sure of that it has to be run and clean for several days.

    I would also wait until the prompt came up again, then disconnect from the network (wired & wireless) and see what happens when you do launch Mail. The mail that gets formatted and tries to be sent, but cannot, may tell you a lot about what is really going on.

    Malware on OS X is rare, and unless you downloaded warez or a porn video codec and provided an admin password for install, the chances of actually being infected are exceptionally slim.
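    A concrete way to do the "wait for the prompt, then look at what is running and talking to the network" step above, as an added Python example that is not code from this thread or from Little Snitch. It diffs a baseline snapshot of `ps -axo pid,ppid,user,comm` and `lsof -i -nP` against a second snapshot taken while the prompt is on screen, and walks parent PIDs so a short-lived helper such as `/usr/bin/open` can be tied back to whatever launched it. The snapshot text, the user name `dan` and the `ExampleRegistrar/regcheck` path are constructed sample data so the script runs offline; on the Mac itself you would paste in the real command output.

```python
"""Diff a baseline and a 'prompt on screen' snapshot of process and network
state to find which process asked the system to open Mail.

Added example (not code from the thread). The snapshots would be captured
on the Mac with `ps -axo pid,ppid,user,comm` and `lsof -i -nP`; the text
below is constructed sample output, including the ExampleRegistrar path.
"""

# Constructed `ps -axo pid,ppid,user,comm` output before the prompt appears.
PS_BASELINE = """\
  PID  PPID USER COMM
    1     0 root /sbin/launchd
  120     1 dan  /sbin/launchd
  250   120 dan  /System/Library/CoreServices/Finder.app/Contents/MacOS/Finder
  300   120 dan  /Applications/Safari.app/Contents/MacOS/Safari
"""

# Same command run while the "which program should open this?" box is up.
# The two extra rows are constructed: a hypothetical registration helper
# (note the space in 'Application Support') and the `open` it spawned.
PS_PROMPT = PS_BASELINE + """\
  412   120 dan  /Users/dan/Library/Application Support/ExampleRegistrar/regcheck
  413   412 dan  /usr/bin/open
"""

# Constructed `lsof -i -nP` output; 203.0.113.7 is a documentation address.
LSOF_BASELINE = """\
COMMAND PID USER FD  TYPE DEVICE             SIZE/OFF NODE NAME
Safari  300 dan  12u IPv4 0x1234567890abcdef 0t0      TCP  10.0.1.5:49160->198.51.100.10:443 (ESTABLISHED)
"""
LSOF_PROMPT = LSOF_BASELINE + """\
regcheck 412 dan 5u  IPv4 0x1234567890abcde0 0t0      TCP  10.0.1.5:49201->203.0.113.7:25 (SYN_SENT)
"""


def parse_ps(text):
    """Return {pid: (ppid, user, comm)}. COMM can contain spaces, so the
    line is split at most three times and the remainder is the command."""
    procs = {}
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue
        pid, ppid, user, comm = parts
        procs[int(pid)] = (int(ppid), user, comm)
    return procs


def parse_lsof(text):
    """Return {(command, pid, name)}. NAME is the 9th column and may hold a
    space before the '(STATE)' suffix, so split at most eight times."""
    conns = set()
    for line in text.strip().splitlines()[1:]:
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        conns.add((parts[0], int(parts[1]), parts[8]))
    return conns


def ancestry(pid, procs):
    """Follow PPID links up to launchd; a cycle guard keeps a bad snapshot
    from looping forever."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, _user, comm = procs[pid]
        chain.append(comm)
        pid = ppid
    return chain


def diff_snapshots(ps_before, ps_after, lsof_before, lsof_after):
    """Report processes and network connections present only in the
    second snapshot, each new process with its parent chain."""
    before, after = parse_ps(ps_before), parse_ps(ps_after)
    new_procs = [
        {"pid": pid, "user": after[pid][1], "comm": after[pid][2],
         "chain": ancestry(pid, after)}
        for pid in sorted(set(after) - set(before))
    ]
    new_conns = sorted(parse_lsof(lsof_after) - parse_lsof(lsof_before))
    return {"new_processes": new_procs, "new_connections": new_conns}


if __name__ == "__main__":
    report = diff_snapshots(PS_BASELINE, PS_PROMPT, LSOF_BASELINE, LSOF_PROMPT)
    for p in report["new_processes"]:
        print("new process %d (%s): %s" % (p["pid"], p["user"], " <- ".join(p["chain"])))
    for comm, pid, name in report["new_connections"]:
        print("new connection %s[%d]: %s" % (comm, pid, name))
```

    Run against the constructed data it names `/usr/bin/open`, traces it to the `regcheck` helper under the user's launchd, and shows that helper with a half-open connection to port 25; on a real machine the same diff tells you whether the prompt comes from a benign registration checker or from something worth a closer look, and it does so without the network being needed, which fits the disconnect-then-launch test suggested in the reply.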
  • Reply 2 of 9
    dr millmoss Posts: 5,403 member
    Without knowing the exact language of the dialog box, it's really difficult to diagnose the problem. Take a screen shot of it next time it appears and post it here.
  • Reply 3 of 9
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by SpotOn View Post

    A rootkit could easily disable LittleSnitch, but it could help ID the program trying to make an outgoing connection.

    But LittleSnitch is payware, thus entering credit card info on an infected machine isn't too bright a move at this time.

    Also Safari was rather vulnerable for quite a long time. It could have come in through the browser visiting a malicious site.

    Little Snitch has a free trial:

    Quote:

    Little Snitch has a free, built-in demo mode that provides the same protection and functionality as the full version. The demo runs for three hours, and it can be restarted as often as you like.

    More than enough, so stop being pedantic and assuming the rest of the world isn't smart enough to belong in the same conversation.

    As for your theories, there has yet to be a confirmed case of malware propagating by anything other than the trojan vector into OS X, not even any worms. While it is possible, that would make this gent very close to patient zero. That's so statistically unlikely in the absence of other reports cropping up as to be laughable.

    As for rootkits, there is yet to be a single one known that does not require the user of the computer to be logged in as root or at least su at an installation prompt. Again, if this gent has THAT technically possible zero-day rootkit he will be famous beyond his wildest dreams, and that is just so statistically unlikely as to be ROFLOLZ time. Because, for that to happen, you must be proposing that the (fictional to date) singularly most advanced OS X rootkit on the planet would have a programmer so stupid as to ignore his root privileges and ask the user to launch Mail.
  • Reply 4 of 9
    dr millmoss Posts: 5,403 member
    Why bother to respond to SpitOn? His credibility is zero.
  • Reply 5 of 9
    dr millmoss Posts: 5,403 member
    Please do not mistake the above for an effort to be helpful. It is virtually never necessary to reinstall OS X from scratch, and there is absolutely no evidence whatsoever that your system is "infected" with anything. As was detailed by Hiro, this is not even remotely likely. It is especially poor advice to suggest such a drastic diagnosis and an equally drastic response to an essentially non-existent possibility, much less on the basis of virtually no information about the issues you are experiencing.

    Troubleshooting is an incremental process, the first step of which is to determine what is wrong, which certainly has not occurred here. Nuking is never the first step, and is rarely even the final one.
  • Reply 6 of 9
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by SpotOn View Post

    ... <cut tinfoil hat crowd drivel> ...

    Also you have to come to expect with a post heading like yours that you're going to get the Apple Fanboy Defense Team posting their misinformation to ease their feelings, like they ain't got anything better to do with their lives.

    This last sentence is just a gem. Are you a Birther and/or Truther too? Ignorance, cluelessness and fear go hand in hand. SpotOn, please go nuke your install, regularly. It will keep you occupied while the rest of us go forward.

    I also haven't read of any Mail program issues in the shipping version of 10.6.4. And don't even try to mention the GrowlMail reset necessary, as that is a routine reset requirement for every update that affects Mail. It's not a bug, it's just a necessary step. So, what made-up statements are left that anyone else hasn't destroyed already?

    RavenQuest -- Debugging and troubleshooting are processes best handled as a scientific investigation: gather data, make a relevant guess, gather more data designed to test the guess, determine if the guess was right or wrong, and if it was wrong go back and generate a new relevant guess. Whenever you get to what appears to be a correct guess, fix that thing and test again to confirm you had the correct guess.

    Notice no nuking in there; it tends to destroy the evidence and cause wasted time in the cleanup.
  • Reply 7 of 9
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by SpotOn View Post

    RavenQuest,

    Here's a site listing an issue with Mail and the latest update, along with various solutions to what might be your problem.

    http://reviews.cnet.com/8301-13727_7...ag=mncol;posts

    Did you even read that? That wasn't about problems with the operation of Mail. That was about updater problems resulting in a borked Mail which was totally inop. And procedures to fix that. The article has absolutely zero relevance to RavenQuest's issue or malware in general.

    Quit posting fake advice and hiding it with irrelevant and misleading background material. You are quite bluntly being irresponsible and dangerous.
  • Reply 8 of 9
    hiro Posts: 2,663 member
    Quote:
    Originally Posted by SpotOn View Post

    Your lack of tech support knowledge, computer experience, intelligence and comprehension ability is glaringly obvious.

    I won't even bother to fill in the blanks for you because if you couldn't understand what has gone on so far, explaining it to you won't do a bit of good.

    Also you advised the OP to install a piece of payware on a possibly infected machine without warning them to use the software in trial mode, not to enter their CC info. Thus risking their banking account being compromised.

    Who is the dangerous one here?

    Go play with your dumbed-down iPad, fool, you lose.

    QFT. Your completely inaccurate post outs you as a bald-faced cyber-bully troll with no restraint or social judgement.

    You make trumped-up accusations based on nothing more than your own personal bile. Unless you know me offline there is zero possibility you have any information to back any of your statements up. Since you don't, flat out, you are lying, intentionally.

    Your posting is the worst type of scum that plies the internet; go play on 4chan where that's considered a good thing.
  • Reply 9 of 9
    I can piss further than you!