treed

Staff
  1. Are you able to manually move the files from the quarantine folder into the trash?
  2. Chill Tab Malware

    Some general advice for folks posting on this topic:

      • Make sure you are using the latest version of Malwarebytes for Mac, downloaded from here, and not any previous version: https://malwarebytes.com/mac
      • Scan with Malwarebytes for Mac, remove anything detected, and restart the computer.
      • Review your browser settings, and fix them if necessary: https://support.malwarebytes.com/docs/DOC-1290

    If you have done all this and you're still seeing requests to install Chill Tab that are appearing on their own, not in response to something you're trying to install, please submit a support ticket here: https://support.malwarebytes.com/community/consumer/pages/contact-us

      • Be sure to select Malwarebytes for Mac as the product.
      • Run the Get System Profile script that is attached to this message and attach the file it creates to your support request.

    Do not post the output of that script directly here, as it may contain information that you don't want made public; this is why I ask that you submit via a support ticket instead.

    Attachment: Get System Profile.zip
  3. sisinfo.plist on Mac

    I just responded to your other post, here: For anyone else reading, I'd recommend that we keep the discussion confined to that topic, so that there aren't two identical topics, with different responses, in two different forums.
  4. quarantined sisinfo.plist

    Try restarting your computer, then scan and remove the file again, if necessary. If it keeps coming back after that point, let me know, as that will probably mean that you've got a new variant of Genieo that is not being fully detected.
  5. DNS Hijacked

    That's too bad, but not unexpected. Anyway, back to cleaning up the machine. Since that folder you sent over was empty and the executable is gone for some reason, there should only be one last thing to do. This malware also adds a certificate from cloudguard.me to the System keychain. That will need to be removed. (The above image was taken from the Objective-See website, which has some good additional coverage of this malware: https://objective-see.com/blog/blog_0x26.html) So open Keychain Access, navigate to the System keychain there, and delete the cloudguard.me certificate.
  6. DNS Hijacked

    That was going to be my next question, once we completed the cleanup. I don't suppose you still have whatever she downloaded and opened, do you?
  7. DNS Hijacked

    Ooh, yeah, that looks like that's it. Delete that file, then restart the computer and see if you can change the DNS settings at that point. There's also another folder I'd like to see, which contains the malicious executable. This time, go to this path: ~/Library/Application Support/ Look for the folder named "Cyclonica" and zip that up. For that one, definitely please send it to me via direct message rather than posting it here, due to the sensitive nature of the contents. (Note that I'm not sure what else might be in that folder, in addition to the malicious executable, and whether it would be appropriate to post publicly or not.) I'll share the executable with other researchers.
  8. DNS Hijacked

    Thanks, Mike! I see one item I'm not familiar with, which I'd like to take a look at. In the Finder, choose Go to Folder from the Go menu. Then, in the window that opens, paste the following path: /Library/LaunchDaemons/ Then click the Go button. In the window that opens, look for an item named "Cyclonica.plist". If you could send that file to me, either here or via direct message, that would be helpful.
  9. DNS Hijacked

    Yup, that's a good analysis, but there are still a lot of questions left unanswered, and we need to see a real-world infection to answer them.
  10. Al is entirely correct. We are currently exploring options for protecting iOS devices (iPhones and iPads), but those options will not include any kind of anti-virus capabilities, as that is simply impossible on iOS. There are other things that we can do on iOS, though. Also, be aware that you can only download apps on iOS from the App Store, and not from a website. When we release an iOS app, it will only be available through the App Store. Never try to download an iOS app from a website.
  11. How to find the database version?

    There is not a way to see what the current version is at this time, but if the Dashboard shows that it is "Current", then it is. If there are any problems downloading database updates, it will change to read "Outdated."
  12. Just download the following script, which will remove the software for you. https://downloads.malwarebytes.com/file/mac_uninstall_script/ In the future, be aware that any software that requires an installer should not be uninstalled by simply dragging the application to the trash. If an installer is required, the application is only a small part of the software, and you need to refer to the program's documentation or website for information on how to remove it.
  13. I see no sign of anything that should prevent clearing of the quarantine. If those items don't go away when you click the Clear Quarantine button in Malwarebytes, restart your computer and try again, as that is an indication that something is not working correctly.
  14. DNS Hijacked

    Mike, I sent you a couple of direct messages last week to get more information. If you see this, and haven't seen those, can you please respond to those messages? I'd like more information about this. You can see your direct messages here by clicking the icon shown here, in the top right corner of this page: This appears to be new malware, and although we've located samples of this malware, there are still a lot of unanswered questions about it. Any help you can provide us would be very welcome. For anyone else reading, you can check for these malicious DNS entries by opening System Preferences and clicking the Network icon. Then click the Advanced button in the bottom right corner of the Network pane. In the sheet window that drops down, click the DNS tab, and look at the entries in the DNS Servers list. If you see the malicious DNS entries in that list (82.163.143.135 & 82.163.142.137), you're infected, and I'd like to talk to you as well. Please feel free to respond here or send me a direct message.
  15. The file on our server is definitely not damaged. (If it were, we'd be getting lots of complaints, both here and via our customer support portal, but that's not the case.) Are you making sure that the file has been completely downloaded before running it? If not, make sure that the file is complete, and the browser is not still in the process of downloading the file, before running it. If it is a complete file, what you're seeing is a suggestion that something is very seriously wrong with your system. It may be a failing hard drive, which means that the very first thing you need to do is back up all your data, preferably to two different locations. If you don't have any backups right now, this is absolutely critical, and you should not do anything with your computer until you have backed up your data. Once you've done that, the first and easiest thing to try is to restart in safe mode: http://support.apple.com/kb/HT1455 Be sure to read the information in the section titled "How to tell if your Mac is started in safe mode" on that page, and follow those steps to ensure that you're actually in safe mode. If you aren't, try again. Once you're in safe mode, try installing Malwarebytes for Mac. If that doesn't work, the next thing to try would be to reinstall the system, in case it's simply corruption in your system somewhere. Follow the directions here to do so: https://support.apple.com/HT204904