
Need advice on choosing anti-spy, malware, adware, and viru

Mar 22, 2010 4:41AM PDT

I have a dual processor G-5 Power PC that I bought new in 2002. I suspect there is some unauthorized programming on my computer.

Not the sharpest tool in the shed about computers, but have been using Macs my whole computer life starting with my first, the Centris 610 with the 030 processor.

I need the advice of all you Mac experts out there as to which program would be the best for me to buy for my particular computer (G-5) to address spyware, malware, adware, and virus issues, detection, and removal.

I would prefer a program that does not erase all my stored passwords and form-fill info.

Please advise. Thanks in advance, Michael

Missing Posts.
May 22, 2010 10:45PM PDT

I have not removed any posts from this thread.

I will pass your post on to Lee Koo, the head honcho around here, for further investigation. I will let you know what reply I get from him.

Currently I am showing 32 posts in this thread, including this one.

P

spam link probably to blame - have copy third page
May 23, 2010 5:14PM PDT

Thanks for the clarification. I felt it was most unlikely to be you! Fortunately I have a saved copy in Safari of the third page minus the spam which had actually been positioned at the bottom of the second page. My reply to it was at the top of the third page. There was also about a quarter of a fourth page of which I have some text clippings. As this thread does not make much sense without these missing posts, I will try to put them in again. Even if the order is a bit upset in comparison to these latest posts, people reading through will be warned of the achronological sequence and so make the necessary mental adjustments.

I didn't do it.
May 22, 2010 11:33PM PDT

But I don't keep all the ROPs that come in.

Let me add one thing. If a spammer is found out. That is, there have been a few that try to slide in posts that hide or try to hide their spammed or off topic content, it might get deleted with some collateral damage. Replies to the spam vanish.

This is a limitation of this forum software so there's not much that could be done save task the one and only person that can edit with more editing. The moderators cannot edit and try to keep edit requests to the lowest possible number of requests.

I can only hope this was some fallout from a spammer.
Bob

indeed - cutting out spam could explain it
May 23, 2010 5:25PM PDT

There was a spam posting for something that turned out to be a keylogger as the last post on page 2. I replied to it asking whether the poster wanted to improve or impair Mac security. Mikie then replied to my reply to the spammer and so on, so everything linked in a chain back to the spam post. So I imagine that is indeed why everything vanished with the excision of the spam. I and others will have to watch for that danger in future and not reply directly to spammers! Thanks for the explanation.

Most likely spam deletion caused the collateral damage...
May 25, 2010 5:10AM PDT

It looks like the replies that are missing from you are replies to a spammer's post that was deleted. That is the only thing that I can see happening. It is very rare that posts go missing unless the servers were out of synch, but then they would eventually appear, but not in this case.

I'm just really glad to see that you saved your posts and are able to post them again in context to the thread. We do apologize for the confusion that this may have caused.

Best regards,
-Lee

Thanks, Lee Koo!
May 25, 2010 4:08PM PDT

Thanks, Guv'nor, for looking into the matter. All's well that ends well! I'll just have to be more careful in future. Have learned my lesson!

(NT) No problem, I'm just glad to see you had saved your posts!
May 26, 2010 2:35AM PDT

Still no luck...
May 23, 2010 5:26AM PDT

Hi Joly; still no luck on getting ClamX to work. Same problem as before.
ClamX forum not much help, even if I knew what I was doing, I'm not going to reload the OS - I'd lose everything. Remember, I know how to turn on my computer, and turn it off - and not much beyond that.
I'm still hoping for a recommendation for a great paid av and spy/malware program that'll have some tech support supplied with the purchase so I can get rid of all the bugs-and keep them out.
Thanks, Michael.

bad news! but first i will insert missing posts
May 23, 2010 5:40PM PDT

I'm sorry to hear that re ClamXav Forum. I will try and come up with more suggestions, and of course it is open to anybody to give suggestions here that may help out. The danger is of course that your computer settings are still jammed so attempts to connect to AV companies' definitions just point back to you and fail and this may be a far wider block than just ClamXav. Somehow your computer settings need to be reset. Have you tried zapping the PRAM?
Meanwhile I will reload the previous posts together with warning explanations, with the exception of the spam, so people can see how we got to this point.

lost posts 1 To what end, protection or endangerment?
May 23, 2010 6:03PM PDT

This was originally my reply to the spammer but included postscripts to two other contributors. I repost the latter only. It was originally dated 5/12/10 at 1:04 PM.
@JimmyGreystone: I'll be getting back to discuss your marked version of the gay or homophobic smear technique sometime if I have the time and can bring myself beyond nausea at finding that someone is actually using such techniques on CNET in 2010 rather than honest logical argument. Such methods belong more to the low-browed male fauna of high schools who find no other way of countering more intelligent and less verbally challenged pupils than by questioning their "masculinity". They are seldom to be seen amongst civilized adults, even less tolerated.

@Macnerd: thank you for bringing some sanity into the polemic. And for putting Jimmy right on ClamXav so I did not have the burden of doing so!

lost posts 2: Back on point -
May 23, 2010 6:08PM PDT

Back on point...
by Mikie12 - 5/12/10 4:26 PM In reply to: to what end? protection or endangerment? by jolysmoke

Yes, I thought it strange advice myself when I saw the word "KeyLogger".

OK, so far, if I can get through the esoteric comments, Paid MacScan is not a good choice for me or anyone with a pre-intel Mac, is that correct?

Clamx is a good freeware choice, is that correct?

And finally, no one, I think, because it was somewhat convoluted to get through some of the longer comments, most lost me after the second paragraph, addressed what some good choices might be for a good paid security program.

Thanks in advance, Michael.

lost posts 3: ClamXav
May 23, 2010 6:11PM PDT

ClamXav - New!
by jolysmoke - 5/12/10 10:45 PM In reply to: (NT) Back on point... by Mikie12
Mikie, by all means download ClamXav and run it to scan your mail and other downloads and from time to time (weekly?) do a thorough check on your machine as a whole.
Most Mac users do not use any protection. Those that do largely use ClamXav. Some combine this with iAntivirus (Mac malware specific), but you cannot use that if you can't go beyond Tiger as OS. I am on Snow Leopard so I use both, ClamXav to check downloads generally, iAntivirus to check the machine at least weekly, or if I get apprehensive after some strange download phenomenon.
The situation for Mac users is not perfect, but the threat out there is small so long as one does not do foolish things like opening attachments from strangers who address you as "Dear Friend" or otherwise show signs of not really being a known friend of yours - and do not ever accept the invitation to download codecs to view films on any film site at all (but especially porno ones) or open applications thrown onto the desktop when you try to play streaming video in your browser. Never accept invitations by programs online to scan your computer for viruses or install anything that is not provided by a reputable firm. That is why it is a good thing to work with a firm like CNET for downloads, as they provide reviews and customer feedback you can read first. To extend the playing abilities of QuickTime, download from them Flip4Mac (for playing Windows films) and Perian for a wide range of other video formats.

You should also go to your Finder preferences (open by clicking on the Finder dropdown menu when the Finder is exposed in the top menu bar). Preferences are normally the second item. In the Preferences click on general and then tick "Show all filename extensions". Seeing the filename extension in full can tell you whether you are dealing with a program, as sometimes the crooks put in something like html or jpg as the end of the title to disguise the fact it is an application.
When browsing the more dangerous areas of the web, it can be advisable to do so with JavaScript turned off in your browser security preferences. For the really security minded it is worthwhile to create a user account that does not have administrative privileges, designed for use when browsing murky areas of the web, just to be sure that no hacker or crook takes advantage of your admin rights to do anything nasty.
ClamXav will protect you against the overwhelming majority of Mac Trojans and tell you whether a product or item has a PC Trojan or virus, to prevent you passing something nasty to your PC friends and so giving Macs a bad reputation. It has been a bit slow to update on the newer Mac Trojans in the past, but it has always been quick on the PC update side. This is because ClamXav is a one man band, run by the stalwart Mark Allan, but he is largely dependent on virus signatures provided by a PC team, Clam, which has a PC-oriented culture. They can be a bit slow handing him new threats for Macs, but he has been teaching them to move faster and has also been building up alternative sources. The good thing is that the big wave of Mac Trojans of 2008-9 seems to have slowed to a mere trickle. But of course it might just take off again in the future.
If you still want to cough up for commercial AV for Mac, go for Intego VirusBarrier for Mac. There you will be really well covered. Good luck and come back here if you have any more questions!

lost posts 4: more thoughts, Intego, Little Snitch, iCab etc
May 23, 2010 6:17PM PDT

more thoughts, Intego, Little Snitch, iCab etc. - New!
by jolysmoke - 5/13/10 7:36 AM In reply to: ClamXav by jolysmoke
Just checking the Intego site, I see you will not be able to run VirusBarrier5 and 6, as they are only for OS10.5 and 10.6. This means you would have to get hold of a copy of VB 4. This can of course still be picked up in online shops like around eBay. I see Amazon Germany is advertising a secondhand copy of VB 4 for around 9 Euros or $11.
One of the disadvantages of having Tiger is that now only a very small proportion of Mac users are still using it, so the most modern applications no longer cater for it. But if the VB engine and its search processes will not be the latest, the virus definitions should be the same as they are subscribed to on a two-yearly basis. You should contact Intego by mail and ask them if there would be any problems if you bought a secondhand or unused (unbroken seal) copy of VB4 somewhere. But I imagine that the test offer of one month that's with VB6 now would not be available for VB4.
Probably the best thing is to download a Tiger compatible ClamXav and start using it immediately, updating the definitions every day. Then just keep an eye on the press and Derek Currie's blog for the evolving situation on the Mac Trojan front. Meanwhile explore the possibilities with Intego 4 and its cost and see how you feel about going commercial on Tiger later.
I survived very well with ClamXav on Tiger, but then I was very suspicious of strange downloads. I never got infected with a Trojan although ClamXav occasionally discovered PC trojan launchers in the frames of web pages I had saved, including one devoted to avoiding Trojans in the Windows world!
There are other courses you can follow to increase security. Firefox enables add-ons like WOT (Web of Trust), and NoScript, which enables you to switch JavaScript off until the main page has loaded and then only switch it on for that particular page if you really need it. This means that if you then get suddenly whisked away by a script to another site like a rogue AV one, you are protected from any nasty script sitting on that site since you gave no script permission for that new hacker page. As such pages usually do not allow you to close them and try to get you to click on acceptance or rejection of an AV test (do not touch the choice rectangle anywhere with the mouse or click on any choice. Just bring up ForceQuit from the Apple menu and click on the browser symbol, force quitting the browser. That gets you out.)
iCab is also an interesting browser security-wise as it gives you a lot more security options than Safari, and you can specify what JavaScript is allowed to do. It is shareware or nagware so you can download it and see whether you like it.
I believe VirusBarrier 6 has an outgoing firewall but I'm not sure about VB4. The advantage of such firewalls is that they stop applications reporting back home, and so can also detect whether a trojan on your machine is trying to report back to its crooked planter. The outgoing firewall reports to you that a particular named application or whatever is wanting to report back home, and you can then decide to stop it by pressing a refusal button.
Many Mac owners just combine ClamXav and Little Snitch. The latter is an outgoing firewall as described above that enables you to decide exactly what programs if any are to be allowed to report back from your computer. If anything new like a trojan tries to send out info it tells you and you can stop the process and start the hunt for that particular application.

Re MacScan, I dropped it when I realized that I needed something to combat the wave of Mac Trojans and I could not see my MacScan as able to react to the new threat. They have made an effort very recently at last, and now their program can detect some Trojans undoubtedly, but it only deals with spyware and most of those spy programs have to be placed physically on your Mac by someone in your flat, office or a caf

the MacScan list of malware you had, Mikie 12?
May 23, 2010 6:31PM PDT

At this point I will just break off the reloading of old missing posts to ask whether you still have that list of the numerous malware MacScan claimed to have detected on your machine, Mikie.
I think it would be useful for all AV experts to know exactly what could have been on your machine that may have contributed to your present situation now. So if you can post us the list of malware supposedly found when running MacScan and the DNSChanger Remover it would be really helpful. And it would also show what risks one can be running on Tiger nowadays.

Viruses and spy/malware detected...
May 24, 2010 3:31AM PDT

Yes, that would be great to have a log of what was found to share with others. Neither MacScan nor the DNS changer tool have a log of scan results (at least in their demo form).
MacScan just keeps the stats of how many, (24 spyware detected on all scans), but nothing more specific than that.

On the PRAM-I'll need some tech help on that???, sorry, by "zapping" you mean to delete the file? What are the ramifications of that?

Thanks, Michael

MacScan - zap PRAM
May 24, 2010 8:14AM PDT

MacScam - well, I sort of said don't touch it with a bargepole...
Zap-Pram. It's a keyboard process, not a direct file deletion by you. You have to hold down certain keys on your computer at start-up until you have heard the start up boom three times. That clears the parameters.
Whether it will help out with your problem is moot, but it is worth giving it a try to see.
Take a look at this article on how to do it:
http://support.apple.com/kb/ht1379
They say start up boom twice but do it three times to be sure!

I'm heading for bed as it's past midnight here but will try and send more suggestions tomorrow.

replies now at the end of the thread
May 25, 2010 4:19PM PDT

From now on I am reverting to the end of the thread for new replies, so the posting order does not get too convoluted! Was too exhausted last night to give additional suggestions.

lost posts 5: That finally made sense..., from Mikie 12
May 23, 2010 6:39PM PDT

That finally made sense...
by Mikie12 - 5/13/10 9:47 AM
In reply to: more thoughts, Intego, Little Snitch, iCab etc. by jolysmoke
Thank you jolysmoke; I'll try those recommendations, and report back.
Michael

missing posts 6: And yet, another problem... from Mikie 12
May 23, 2010 6:48PM PDT

And yet, another problem...
by Mikie12 - 5/13/10 1:49 PM
In reply to: That finally made sense... by Mikie12
I downloaded from CNET, the Little Snitch, and ClamX programs. Little Snitch seems to work great (if only for 3 hours), but when I launched ClamX, it wanted to get the latest definitions so it could run a scan, but was unable to connect. The box said it was due to "error 52".

Any thoughts, or ideas on how to trouble-shoot this? As I stated in my first message here, I'm not the sharpest tool in the shed when it comes to computers.

Thanks, Michael.

missing posts 7: re Little Snitch, ClamXav
May 24, 2010 1:57AM PDT

by jolysmoke - 5/14/10 1:38 AM In reply to: And yet, another problem... by Mikie12.

(This mail has had to be reconstructed in part from memory, notes, and what could be gleaned from Google, whose cache copy of the mail reports that it is unfindable but googling still gives extracts of it.)


First - re Little Snitch : more for other readers who might not know, the trial version of Little Snitch only runs for 3 hours at a time. If you want to test out its functions at length, you will have to restart your machine to get LS to work for the next 3 hours. BTW, make sure that you did not with Little Snitch forbid ClamXav to go to the net (report back home) for that would have a similar effect in preventing it from downloading the latest AV definitions. You should check the rules set up for Little Snitch to ensure you have not done this by mistake.

I suspect that you may still have a trojan or whatever that is preventing you from downloading definitions from Clam.
Allan's Software has a Forum in which the developer Mark and users of ClamXav discuss the problems that arise when using ClamXav. The reference is :
http://www.markallan.co.uk/BB/
Aha, checking out the URL I see that you have already found this and reported the problem there at much greater length. Sorry, I am a bit behindhand in replying to you as I live halfway across the globe away from you, and so tend to go to bed whilst you are still writing posts. Good, you did the right thing to go there and ask.
For those readers following this thread the reference is:
http://www.markallan.co.uk/BB/viewtopic.php?t=1954

They say it could be a DNSchanger Trojan, too. Either MacScan or whatever did not remove it or there were other Trojans that enabled the crime syndicate to put it back in! ...
Good luck in the battle against the hydra!

Still having problems...
Sep 13, 2010 2:21AM PDT

I just downloaded the latest ClamX (v2.0.6/0.96.1), still get the same error message when it tries to get the latest virus updates:

ClamAV update process started at Mon Sep 13 08:20:34 2010
connect_error: getsockopt(SO_ERROR): fd=6 error=61: Connection refused
Can't connect to port 80 of host database.clamav.net (IP: 127.0.0.1)
WARNING: Can't download main.cvd from database.clamav.net

I again ran the MacScam DNS removal tool-it found nothing.
I wish I had more tech knowledge to be able to find and remove the DNS changer trojan since nothing else has worked.

It was mentioned I might have to reinstall my OX to get rid of it-but what would that do to everything currently on my computer? Would it be gone forever?

Again, I would be willing to pay for a program that will remove the malware causing my problems-but which one would be best for this problem and other protections.

Thanks, Mike.
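
The freshclam output quoted in the post above shows database.clamav.net resolving to 127.0.0.1, so the update request never leaves the machine. As an added example (not part of the thread and not ClamXav's own code), this Python script flags that pattern in the log and lists hosts-file entries that pin the update host, which is one place such an override can live; the hosts-file content and the clamav.net watch list are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: domains whose hosts the updater must reach on the public internet.
WATCHED_DOMAINS = ("clamav.net",)

# Matches the "Can't connect" line format shown in the post above.
CONNECT_RE = re.compile(
    r"Can't connect to port (\d+) of host (\S+) \(IP: ([0-9A-Fa-f:.]+)\)"
)

# Log lines as quoted in the post.
SAMPLE_LOG = """\
ClamAV update process started at Mon Sep 13 08:20:34 2010
connect_error: getsockopt(SO_ERROR): fd=6 error=61: Connection refused
Can't connect to port 80 of host database.clamav.net (IP: 127.0.0.1)
WARNING: Can't download main.cvd from database.clamav.net
"""

# Constructed hosts file; line 4 is an illustrative override, not from the thread.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
127.0.0.1       database.clamav.net
"""


def is_watched(name):
    """True if name is a watched domain or a host under one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHED_DOMAINS)


def classify(ip):
    """Label an address by the range it falls in (loopback checked first)."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_unspecified:
        return "unspecified"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private"
    return "public"


def suspicious_resolutions(log_text):
    """Return (host, ip, kind) for watched hosts that resolved to a non-public address."""
    findings = []
    for line in log_text.splitlines():
        match = CONNECT_RE.search(line)
        if not match:
            continue
        _port, host, ip_text = match.groups()
        try:
            kind = classify(ipaddress.ip_address(ip_text))
        except ValueError:
            continue  # not a parseable address; ignore the line
        if is_watched(host) and kind != "public":
            findings.append((host, ip_text, kind))
    return findings


def hosts_overrides(hosts_text):
    """Return (line_number, address, name) for hosts-file entries naming a watched host."""
    hits = []
    for lineno, raw in enumerate(hosts_text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        hits += [(lineno, fields[0], n.lower()) for n in fields[1:] if is_watched(n)]
    return hits


if __name__ == "__main__":
    print(suspicious_resolutions(SAMPLE_LOG))
    print(hosts_overrides(SAMPLE_HOSTS))
```

If the log check fires but the hosts file has no matching entry, the answer is coming from whichever DNS server the machine is configured to use, which is the setting a DNS changer alters.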

Download this removal tool
Sep 13, 2010 10:08PM PDT

Tech help and advice on antivirus/malware/spyware needed...
Sep 14, 2010 2:04AM PDT

I completed the download, and ran the DNS removal tool "P" suggested. It turned out to be the same one I already had and have been running. The run turned-up no DNS trojans.

Again, I have MacScan, and the DNSRemoval tool, both say my computer is clean - but the DNS changes continue to occur.

I downloaded ClamXav some time ago, but it cannot run because something is preventing it from going to its website to download the latest malware definitions for the run. So whatever the problem is, it has rendered ClamX useless.

I need to buy a stronger more complete program that would remedy my problems - but need advice on the best commercial program to buy.

My computer is a G-5 dual processor running Mac OSX 10.4.11.

Thanks, Michael.