
Help - infected with Flashback trojan



  • Staff

NoScript is something that can provide some benefit, but it's also difficult to use effectively. Disabling JavaScript can break many sites, and accurately evaluating which scripts can safely be allowed to run, yet without disallowing scripts that will make the site stop working right.


I used it for yrs, and as you say, it often was a cumbersome, iterative process to figure out what was the bare minimum that needed to be allowed for a site to function. But I did feel safer, knowing that when I first opened a new site, nothing could jump out and bite me.  The combination of WOT and NoScript gave me some sense of safety, and though imperfect, I may try it again. 

Looking forward to a Firefox add-on from Malwarebytes!  Thank you!


Still having intermittent problems with text files defaulting to opening with DreamWeaver.  And then, I get a msg that I have to install a legacy version of Java (Java 6 runtime) to use DreamWeaver.  I get referred to this page: https://support.apple.com/kb/DL1572?locale=en_US

Is there anything I can do, other than what Alvarnell suggested in his/her post on 3/29?
 

Quote

 

Single-click on a text file in Finder and select "Get Info" from the File menu.

In the "Open with:" section you should see a popup menu. If not click the disclosure triangle so it's pointed downward.

Click on the Popup menu and select "TextEdit".

Click on the "Change All..." button below the menu and confirm that you are sure you want to do that.

 

 

Edited by Distressed
gender neutrality

3 hours ago, Distressed said:

One last question, if you don't mind... Is Libre Office as secure as Word for Mac 2013?

I don't have experience with either (still using Word 2011) but what aspect of security are you referring to? Is it trust of the developer or is data security (privacy) of concern?


5 hours ago, Distressed said:

Any ETA on that Firefox add-on?

Malwarebytes never makes any predictions on timing of future capabilities. Watch the Beta Testing Program area in case they make it available for testing.


Not sure if I'm supposed to respond to each of your posts separately, but since I couldn't figure out how to do that anyway, here we go:

Re: the Launch Services database - Thanks for the article.  I ran Onyx (which I had used about a year ago under supervision of a forum expert).  We'll see if that helps.

Re: Libre Office vs Word for Mac -  I am concerned about vulnerability to viruses, etc.  I, too, am currently using Word for Mac 2011 (actually I have the whole Office suite), but it notified me recently that it was no longer supported, so I am no longer going to use it.  I was planning to upgrade to Office for Mac 2013, but someone advised me to try Libre Office. I had tried Open Office a long time ago, and it was okay, but not 100% fully compatible with Word, and we needed that compatibility.  Now I am told that Libre Office is supposed to be 100% compatible, so I am trying it.  Too soon to say for sure, but I think it will probably be okay.  So if it's no more prone to viruses, etc, than Word, then I likely will keep it.  In terms of features, it seems quite good, in some ways better, though I am still fumbling a little to find certain things.

Unfortunately, I think Libre Office Writer seems to have a tendency to crash (become non-responsive) when I leave it running in the background.  It hasn't lost any documents yet - I always save before walking away from them, and they have always been fully recoverable, but it does make me a bit uneasy.  However, Word for Mac 2011 also has had a tendency to become non-responsive when left running in the background, though it does not usually go through an explicit document recovery step when I close it and reopen it (I think that only happens if my whole system crashes).  I am a little uneasy about Libre Office Writer's propensity for going non-responsive, so we'll see how that plays out.

(My spouse's office upgraded from Word 2013 (on Windows) to Word 2016, and that has been a disaster -- buggy, slowing, freezing, crashing.  I wouldn't touch that one with a 10-ft pole.)


Note that there are no known "viruses" that impact macOS, but I'm sure you actually meant to say "malware" which includes computer viruses, worms, Trojan horses, ransomware, spyware, adware, scareware, and other intentionally harmful programs. That's really only important from a technical standard, but elsewhere you will run into those who make it a big deal.

As I recall, the only MS Word malware came from documents that include malicious macros. Almost all of them only impact Windows users, but there have been at least a couple of examples recently of small groups running out-of-date versions of the OS and MS Word being targeted with malicious macOS macros. Current versions of MS Office products have macros turned off by default and will warn you about any document that contains a macro so that you have to purposely activate it. Standard advice in such cases is to not allow any such document to run its macro unless you positively know its source and that you are aware that it should contain needed macro(s).

I know that Microsoft has been updating many of their applications on a monthly basis to eliminate vulnerabilities that have been found, but as I mentioned before, it's very rare that an actual threat was found in-the-wild to exploit one of these vulnerabilities running macOS. 

I wouldn't be surprised to find that the Libre Office developer is also actively patching vulnerabilities, but with a much smaller Mac user basis, I doubt that any malware developer would spend any time developing attacks against macOS. I could only find one listed in another A-V product database named PUA.Doc.Tool.LibreOfficeMacro-2. It's only classified as a Potentially Unwanted Application, Macro based and my guess would be Windows only, but can't be certain.

I'm mostly an Excel user, so use Word only when I need to open a document I've received, but never had any instances of either becoming non-responsive in the background. I suspect you need to look elsewhere for the root cause of these crashes.


On 3/30/2018 at 10:28 AM, Distressed said:

Thank you and Thomas both for your expert assessment of my situation!  I really appreciate it.  I think I now feel confident about doing my taxes on this machine.  (Too bad you can’t help with that!)

Just for future reference, you said you have various anti-malware apps — are there any programs, in addition to MalwareBytes, that a novice like me can run on a Mac without fear of messing things up?  

Also, for staying safe online — I would love some guidance on Firefox security and privacy add-ons.  (Perhaps this question belongs in a different forum?)

For many years, I used NoScript (despite some inconvenience and occasional confusion), as well as Adblock Plus, and also Ghostery and Disconnect (all simultaneously, I think, although I don’t remember for sure).  Then, awhile back, Firefox changed significantly, and many add-ons were (at least temporarily) incompatible.  At that point, I tried using uMatrix, but was having trouble getting the hang of it, and pages weren’t displaying correctly, so I stopped using it and was just using Adaware Ad Block (which is what I was using when I encountered the Flash installer).  Right now, I have switched again and am using uBlock Origin (with the default filters, I believe).

I see that NoScript seems to be available again - should I go back to that?  Or is uBlock Origin enough?  Or should I be using something else? (Keeping in mind that I am not a high-level user… UMatrix seemed great, but I wasn’t able to master it.)

Also, for many years, I used the WOT Firefox add-on to mark my search results with indicators of page safety.  Then there was a kerfuffle about WOT selling/leaking customer data, and Firefox temporarily banned it.  Now it is back, but I believe it is still not maintaining user privacy (although it is now disclosing what it is doing).  I feel that WOT is a major factor in helping me stay safe online (though I know Firefox will throw up a shield if you land on a known bad page).  But I’m not super happy with the lack of privacy, and it only works with DuckDuckGo, and I prefer StartPage as my search engine. Are there any alternatives to WOT?

Thank you very much!

Here's what I use in Firefox 59.01:

I'm very security minded and privacy concerned as well

PLUGINS:

1. ScriptSafe

2. uBlock Origin

3. DuckDuckGo Privacy Essentials

4. Privacy Settings (Plugin)

5. Privacy Badger

6. HTTPS Everywhere

7. WebRTC (But there are 2 settings in About:config that will do the same thing)

If I had to pick just one plugin, it definitely would be -SCRIPTSAFE-. It is top-notch and covers everything you can imagine, but easy to set. Can even disable multiple fingerprint gatherings from websites.


15 hours ago, alvarnell said:

Note that there are no known "viruses" that impact macOS, but I'm sure you actually meant to say "malware" ...

Yes, I am fuzzy about the differences -- I thought the Word macro thingies were viruses -- but yes, malware in general is my concern. It's good to know that macros are turned off by default in Word, and that that is the only source of malware.  So maybe I don't have to be quite so precipitous in abandoning Word 2011, even though it's not being supported.  But I think I will still pursue getting comfortable with Libre Office.  Thank you, in any case, for the clarification and reassurance!

I have a feeling that these programs (Word and Libre Office Writer) eventually crash in background because they are being slowly starved for RAM, due to my tab addiction in Firefox.  Before Firefox 57, I was trying to learn to use the Tab Groups add-on, but that seems to have gone away.  Maybe I will try the One Tab add-on. 

Or maybe I should use Pocket, so that I can close some of those tabs.  But I am concerned about its privacy policy, which contains these statements:

"We may also share your device ID with third parties in connection with advertising campaigns."  AND "In the event that we or certain of our assets are acquired, user information may be included among the transferred assets."

Frankly, I'm a little surprised that Mozilla integrated it right into Firefox without any discussion of privacy.

 


13 hours ago, plb4333 said:

Here's what I use in Firefox 59.01: ...

Thank you so much for this very helpful list!!  Some of these I had never heard of before, including ScriptSafe.  I am doing some reading, and getting quite an education — I had never heard of browser fingerprinting before!  (Where have I been??)

I am heartened to read reviews that say ScriptSafe is easier to use than NoScript, which I have used in the past with some success, but also some effort.  I’m a little concerned to read that some find it lacking in granularity, and that at least one reviewer found that, for some pages, if ScriptSafe broke the page, it was necessary to reinstall Firefox to get the page to work again.  Hopefully, that is rare.  I was also a little nervous to read that (at least) one user finds it harder to use than uMatrix.  I thought uMatrix seemed great, but I couldn’t master it.  (Maybe I need to look for a good instruction manual.)  Most reviewers seem to say it is easier to use.

Is HTTPS Everywhere needed if you add DuckDuckGo Privacy Essentials?

I’m not quite sure what you mean by “Privacy Settings (Plugin)”…

WebRTC - there’s WebRTC Leak Shield - and there’s also 2 versions of Disable WebRTC, by different developers - which do you suggest?  (Or are you adjusting the About:config settings?)

This last brings me to ask about VPNs.  I have been looking into adding either a full-system VPN or a browser-based VPN to our home computer, and — more importantly — to our mobile devices, especially as one of my family members will be leaving soon for a trip to Greece. I am more privacy-conscious than your average person (though, no doubt, less so than someone who lives under a repressive regime, or someone who truly has something to hide), but I am primarily worried about data security, for logging into email, Amazon, Netflix, etc., from public or unknown wifi networks.

I’m a little confused about whether a browser-based VPN is sufficient if one is using webmail, logging in through the browser.  If you are using a mail app, I assume you would need a whole system VPN, and ditto if you are using an Amazon or Netflix streaming app.

I’m thinking of trying the free version of TunnelBear for me, as I was told that it was easy to use. Our traveler would, no doubt, need a paid account, in order to stream from Netflix and Amazon. But TunnelBear seems to have fewer servers, so I’m not sure if even a paid account would work well for that.

Also, TunnelBear has a browser extension, but only for Chrome.  (I avoid Chrome, and all things Google, as much as possible — but I wondered — if you used Chrome with a VPN add-on, would that negate the privacy concerns?)      

The Firefox add-on Hoxx VPN Proxy gets good reviews.  So do quite a few others (eg, PureVPN).

Any suggestions for either whole system VPNs or browser add-ons that are effective and easy to use?  (That last is key!)  And do we know anything about how trustworthy these companies are?

Some (most?) VPNs and VPN browser add-ons seem to be paid apps, but I don’t mind paying, at least temporarily for travel.  

Thank you again for this helpful and educational post!

PS - I notice you don't use the Ghostery add-on -- any reason?  I used it for a while, but always seemed to have trouble with it.  But I would consider trying it again - so many users seem to love it.

Edited by Distressed
addition of postscript

Well, I just learned this: "It's important to note that it is against Netflix, BBC iPlayer and other blocked content's terms and conditions to access them using a VPN, so proceed with caution as you risk getting your account blocked."  So that's a problem -- I am not trying to circumvent their usage rules, but I would want to be able to log in while maintaining absolute privacy.

(That quote is from: https://www.macworld.co.uk/feature/iosapps/best-vpn-for-iphone-ipad-2018-3651552/ .)

Edited by Distressed
add source for quote

7 hours ago, Distressed said:

I would want to be able to log in while maintaining absolute privacy.

Absolute privacy is not currently possible where the Internet is concerned. The only VPN that can provide secure communications would involve you owning a server at the location you are trying to interact with. If you are using a VPN service then you only have an encrypted link to their server. At that point they have full access to everything you send or receive, and it is unencrypted from that point on. The only thing that's shielded is your actual IP address, and assuming the service's Privacy Policy is to your liking, you still have to trust that they will actually stand by what they published.

Another weak point is DNS. Unless you are using an encrypted DNS that your browser is capable of interacting with, every site you access can be harvested. There is new technology being standardized in this area as we speak, but until the entire Internet community adopts these standards, most ISPs will continue to harvest and monetize this information.

Absolute privacy when it comes will be costly. The free Internet model only works when providers can figure out ways to make you their product. Only by paying the full price of your access can you ever become a real customer.


Actually, I guess I misspoke when I said, "I would want to be able to log in while maintaining absolute privacy."  What I meant was, I would want to be able to log in without anyone on the same cafe or hotel network being able to steal my login credentials.  As I said earlier in this thread, security of my data as I login to my accounts is my main concern; privacy is only a secondary concern.

I somehow thought a VPN would provide end-to-end encryption, but I guess it is only that first step between your device and its servers that is important in preventing theft of login credentials, right?

Are you saying your ISP can still access (and make money from) the list of  sites you visit, even if you use a VPN on your computer or phone?


5 hours ago, Distressed said:

Actually, I guess I misspoke when I said, "I would want to be able to log in while maintaining absolute privacy."  What I meant was, I would want to be able to log in without anyone on the same cafe or hotel network being able to steal my login credentials.  As I said earlier in this thread, security of my data as I login to my accounts is my main concern; privacy is only a secondary concern.

I somehow thought a VPN would provide end-to-end encryption, but I guess it is only that first step between your device and its servers that is important in preventing theft of login credentials, right?

Are you saying your ISP can still access (and make money from) the list of  sites you visit, even if you use a VPN on your computer or phone?

When using a VPN you want to make sure the VPN provider doesn't do any logs. All the VPN providers have to be trusted on what they say and then going by reviewers as well. When your connection is done to the internet using a VPN, the only identifying info is, you connected to their server is all. Your ISP can only see this, and nothing for browsing since that's all encrypted. Personally, I use FrootVPN and it's only $36.00 for a whole year and is very very good. No logs of course, and offers all the functions as other more known VPNs use. If using a VPN, be sure to use the protocol 'OPENVPN' since that's the best for encryption and also fast. The nice thing about having encryption for your internet traffic is that no 'man in the middle-(MTM)' can be done, no ISP traffic watching, and also can block Ads since your identity is not known.

For the Add-ons, I use all of the list, but if I chose one that's most important, it's definitely ScriptSafe since it covers everything! Nothing is left out. And easy to use as well. HTTPS Everywhere is good for trying to make sure connections can be HTTPS, but this isn't always possible, since the website has to have https enabled for their pages. It's just mostly a way to initiate a secure connection(s) if the website is not doing it and they have its capability.

For that WIFI concern, yes a VPN would take care of that as well, there would be no wifi scanning/sniffing where you have anything to worry about in a public place.

For WebRTC, if you want to know where to go in the 'About:config' in Firefox, just let me know on here and I'll look it up where I went before. 2 settings will do it. Firefox did away with the WebRTC options more lately and you can't rely on 3rd party plugins to do the job, it just doesn't work well, that's why I did it directly with FF59.01. If you have any more questions don't hesitate to ask. I've been using computers since the early 80's and could help if needed.

If you were to use 1.1.1.1 and 1.0.0.1 for your DNS servers, Google and your ISP will be left out in the dark. No tracking done. It's the fastest DNS resolver out there and it bypasses what would ordinarily be seen by your ISP and Google for where you're going online.

P.S. - Forgot about your question on privacy settings PLUGIN. It's mostly network related issues, but also does some web security as well. It's pretty much about Privacy, and Security all in one. Here's the link if you're still interested:

https://addons.mozilla.org/en-US/firefox/addon/privacy-settings/

Edited by plb4333

23 hours ago, Distressed said:

Well, I just learned this: "It's important to note that it is against Netflix, BBC iPlayer and other blocked content's terms and conditions to access them using a VPN, so proceed with caution as you risk getting your account blocked."  So that's a problem -- I am not trying to circumvent their usage rules, but I would want to be able to log in while maintaining absolute privacy.

(That quote is from: https://www.macworld.co.uk/feature/iosapps/best-vpn-for-iphone-ipad-2018-3651552/ .)

FrootVPN, the one I use, has a newer protocol that's called STunnel. It uses the port 443 so it matches up with your regular HTTPS traffic, whereby this causes the sites that normally block to allow you to connect since the connection looks like regular 'ol https connection. A lot of sites that do ban VPNs can go by the port # that's used. Or sometimes they look for UDP if that's used or not. Both are giveaways to VPN connections. STunnel gets around this then...


7 hours ago, Distressed said:

Thank you!  I found a few I will try.  Re: Netflix - still not sure I will go against a user agreement that I signed.  But does anyone know why they ban you from connecting from other countries?  It doesn't seem fair, if you are paying for access.

I think the biggest reason is that Netflix, for instance, has content blocked to specific countries, depending on what's the content, and if they allowed VPNs across the board then there would be no way to know if whoever is getting blocked content for their country. It would be like a Free-For-All content and Netflix's blocking is over-ruled.


Borrow a trusted friend's Mac and go to a reputable AV source; ClamXav and Sophos (for Mac) come to mind. Download to a thumb drive (pen drive) and then virus check it. Then copy it to an easily discovered place on the Mac HDD like downloads or desktop and make a bootable USB drive and install the AV scanner/removal tool. Shut down your infected Mac. Insert the USB (trojan) removal tool and hold down the option key. Continue to hold as the Mac boots and select the USB drive as boot shows options. Trojans usually load as the EFI calls the OS, so not running the OS provides the most effective removal. Also many malware are self seeding and somewhat immune to AV scanners in the OS.


Thank you for the suggestions.  It seems clear this is a false positive, not an infection, but I'll keep your suggestions in mind for another time. 

I have started using ScriptSafe in Firefox, and I think that will work for me.  The only odd thing is that it won't show you what items are trying to run on the page until you temporarily allow the page, which is not a great way to proceed.


  • Staff
2 hours ago, nickbw said:

Trojans usually load as the EFI calls the OS

This is not true at all. There is absolutely no known Mac malware that can't be removed by AV software, without needing to reboot from a different disk. If something loads with the EFI, that means it's IN the EFI, and that's not something that could be detected or removed by AV software. But unless you're a potential victim of a nation-state attack, that's not something to worry about.
