virus on my Mac? - please help

by kailax / May 3, 2005 5:30 AM PDT

I have a Powerbook G4 Titanium and as of yesterday, it has been acting strangely. Every time I start it and open ANY program, it runs (somewhat hesitantly and slowly) for a short while (a few minutes) but eventually it freezes and I get a message that I need to restart the computer. Running the Disc Doctor repeatedly and fixing damaged files did not help. I managed to run Norton antivirus once and it did not detect anything. Other attempts to run the anti-virus all ended in the computer freezing and telling me to restart. I tried to open Safari and Explorer but both efforts ended with a virus alert and subsequent freeze -- apparently it is hacktool.underhand and the computer cannot fix it or delete it. Is it possible? Can anyone help?

Hacktool
by mrmacfixit Forum moderator / May 3, 2005 10:39 AM PDT

Make sure that your AV Definitions are up to date. There is nothing on the Symantec or McAfee sites about this problem. Currently there are no viruses for OS X.
Try booting from the Norton CD and running a scan from there. About the only thing that might mess with your machine is Hacktool.RootKit but it is a very rare occurrence.
You could also try starting in "Safe Mode": hold down the Shift key after the chimes and see if the problem continues to happen.
Worst case scenario, Reformat the drive and reinstall the OS. You can always restore your data from your backups, right?

Good Luck

P

Hacktool
by kailax / May 4, 2005 1:45 AM PDT
In reply to: Hacktool

Thanks for the recommendations. I have done the updates and I have repeatedly booted from the CD but that did not remove the problem. I have now read through the threads on apple/support/discussions. It has been suggested that all the people who are reporting the same problem use Norton AV and that the bug itself may have come from the last AV update. So the recommendation is to uninstall Norton. I have yet to try it but thanks again for the tips.
k.

Underhand trojan horse
by Nwoodward / May 3, 2005 11:00 AM PDT

As of May 1 many have written to the Apple/Support/Discussion list noting the same phenomenon. Symantec reported my G4 iMac has been infected with Hacktool.Underhand. Haven't found any description yet that works on how to remove or what it does. I do know that it makes my Mac freeze at unpredictable points and the 'feel' has just become unstable with lots of screen flashing and odd weird occurrences. The only change to my Mac was downloading a trial version of MacGourmet from a trusted web site. Any ideas out there? Thanks!

Underhand removal
by ariadne18 / May 6, 2005 12:51 AM PDT
In reply to: Underhand trojan horse

Here's a possible solution posted on another mac forum...

Removing The Underhand Trojan Server
A guide to save you from yourself
______________________________________________________

I. The Underhand Trojan Behavior

The underhand server will copy itself to the user's preferences folder located in ~/Library/Preferences (~ means the user's Home folder, in case you didn't know that). Note that all the properties of the application may be changed and will remain changed when the copy is made (i.e. the name of the trojan server may be different as well as the icon). Once the copy is made, the original server program will launch the copy. When the copy is opened and realizes it's in the user's prefs folder, it will add itself to the user's startup items so that it launches every time the user logs in.

The most sneaky tactic that the trojan uses is that the server runs nearly invisibly. In the plst resource, a LSUIElement tag is added to make the program run without showing up in the dock, the force quit menu, or any other list of running processes EXCEPT the low-level ones which you can access via the terminal (which I will explain how to do later).

II. Removing The Trojan

Assuming you know the name of the trojan when it was installed, this is very easy. Just follow these steps:

A) Kill the trojan
1. Open Terminal (/Applications/Utilities/Terminal.app).
2. Type in top.
3. Note the PID # (number on the far left of the list) next to the process showing the name of the trojan server.
4. Press q to stop the 'top' process.
5. Type kill then space then the PID # you noted earlier to kill the running trojan.

B) Remove the trojan
1. Go to System Preferences then find the Login/Startup Items. In Panther it's located under the Accounts Pane.
2. Remove the listing for the trojan server.
3. Go to ~/Library/Preferences in the Finder.
4. Delete the trojan server application from this folder by moving it to the trash and emptying the trash as well (just for good measure).
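
The guide above names two traits to look for: an application sitting in ~/Library/Preferences that carries the LSUIElement flag, and a login item pointing at it. The following is an added example, not part of the original post, that audits a Preferences folder for both. It assumes the application is a bundle with a Contents/Info.plist and that login items are stored in loginwindow.plist under AutoLaunchedApplicationDictionary (the layout assumed here for Panther-era systems); all file and bundle names in the sample are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

def _truthy(value):
    # LSUIElement is written as a boolean, the integer 1 or the string "1".
    return value is True or value == 1 or str(value).strip().lower() in ("1", "true")

def _load(path):
    # Return the plist as a dict, or {} if it is missing, unreadable or not a dict.
    try:
        data = plistlib.loads(Path(path).read_bytes())
    except Exception:
        return {}
    return data if isinstance(data, dict) else {}

def audit_preferences(prefs_dir):
    """List app bundles found in a Preferences folder, with the two traits from the guide."""
    prefs = Path(prefs_dir)
    # Assumption: login items live in loginwindow.plist (Panther-era layout).
    items = _load(prefs / "loginwindow.plist").get("AutoLaunchedApplicationDictionary", [])
    login_paths = {Path(i["Path"]) for i in items if isinstance(i, dict) and "Path" in i}
    findings = []
    # Preference folders normally hold .plist files, so any bundle here is worth a look.
    for bundle in sorted(p for p in prefs.rglob("*.app") if p.is_dir()):
        info = _load(bundle / "Contents" / "Info.plist")
        findings.append({"bundle": bundle.name, "login_item": bundle in login_paths,
                         "hidden_from_dock": _truthy(info.get("LSUIElement", False))})
    return findings

def build_sample(root):
    # Constructed sample: a normal preference file, a visible app, and a
    # background-only app that is also registered as a login item.
    prefs = Path(root) / "Library" / "Preferences"
    for name, extra in (("Notes.app", {}), ("Updater.app", {"LSUIElement": "1"})):
        contents = prefs / name / "Contents"
        contents.mkdir(parents=True)
        info = {"CFBundleExecutable": name[:-4], **extra}
        (contents / "Info.plist").write_bytes(plistlib.dumps(info))
    (prefs / "com.example.app.plist").write_bytes(plistlib.dumps({"WindowWidth": 800}))
    login = {"AutoLaunchedApplicationDictionary":
             [{"Path": str(prefs / "Updater.app"), "Hide": False}]}
    (prefs / "loginwindow.plist").write_bytes(plistlib.dumps(login))
    return prefs

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_preferences(build_sample(tmp)):
            print(row)
```

To check a real account, call audit_preferences on the path of that user's Library/Preferences folder; a bundle reported with both flags set matches the behaviour the guide describes.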

probably not a virus
by erice / May 6, 2005 1:45 AM PDT

I had some similar kind of behaviors once on my powerbook. It turned out that the RAM upgrade that had come pre-installed in the extra slot was not seated properly. I reinstalled the RAM module, taking care to be sure that it was inserted all the way, and have had no problems with the machine since.

It's very unlikely that you have a virus, though if you were running Windows, viruses and spyware would be the first things to check to see if you had. Check your hardware - I noticed my problem by bringing up "About This Mac" when I experienced the problem. I saw that my RAM was only 256 MB, which I knew was wrong.

Not a virus.. i suspect a Kernel Panic
by gwats1957 / May 6, 2005 9:19 PM PDT
In reply to: probably not a virus

Your advice was very good. My Tibook was sent in for service and Apple told me my 3rd party RAM was defective also. Replaced it. No more Kernel Panics after that.

NOT A VIRUS
by mrmacfixit Forum moderator / May 6, 2005 2:03 AM PDT

As I previously mentioned:
This from the Macfixit site:
Quote
Yesterday we reported on an alert from Norton Anti-Virus of a trojan called "hacktool.underhand" appearing on a number of user systems.

It was subsequently determined that this was a false positive generated by Norton Anti-Virus, and in fact, Norton Anti-Virus' attempt to eliminate the non-existent "trojan" can cause a host of other issues, including kernel panics and extreme slow-down in some applications.

The problem stems from the fact that Norton Anti-Virus identifies this issue as a problem with Mac OS X's swapfile, and attempts to correct it, causing the aforementioned issues.

The solution is to disable Norton AntiVirus' Auto-Run feature by removing it from the /Library/StartupItems folder.

Follow the instructions and you should be back in business

Hope this helps

P

Virus
by David papa / May 6, 2005 2:16 AM PDT

Doubt very much if virus.. I've had them all enter my inbox via IE.. I've even opened a few.. nothing. (1) Your startup disk - does it chirp a lot when starting - does the tool bar take its time to slowly appear.. when you turn the computer on is there a little Mac folder with a question mark, which suddenly converts to the grey Apple logo..? If so, startup disk may be the problem, computer having trouble identifying startup disk. Go to preferences, click on a secondary HD and try. (2) A few years back I added new RAM which was different to the one in the computer and it did similar things as you described. (3) Check USB connection with mouse, get rid of mouse if it's an electric eye type - (4) Anything added recently, take out.. (new card) One HD on SCSI..? If so, disconnect harness, turn computer on.. see what happens. That's all I can think of - It has happened to me a few times over the years but it was always because of something that I did in tampering with the files. See how you go.

all the best DP

Virus on a Mac? I don't think so!
by gwats1957 / May 6, 2005 5:47 AM PDT

What you are experiencing is a dreaded Kernel Panic. Your OS is corrupted, probably due to not doing some periodic maintenance on the system or the installation (or removal) of some third party software like a Wireless card from the PC card slot without powering down first.
I have an 867 Tibook myself so here is the fix:
First, boot from the original install DVD which came with the Mac. Select CLEAN INSTALL (OUCH!) to restore your OS. Second, restore all files and third party software. Third, go to Disk Utility and do a permissions repair.
4th, restart your Mac while holding down the Command, Option, P, and R keys at the same time. Listen for 2 startup chimes, then release the buttons and allow the Mac to boot. Do the last step at least once a week to keep your PRAM cache clear.
OSX is a rock-stable OS, but you need to do some housecleaning from time to time to keep it running smoothly. It has the advantage of being resistant to viruses and spyware for NOW but you still need to maintain it. You may want to create a small partition on your HD with a clean basic version of OSX you use to boot to in an emergency (like a Kernel Panic.)

Read The Posts!
by mrmacfixit Forum moderator / May 6, 2005 6:59 AM PDT

It is a FALSE POSITIVE from Norton AV and the kernel panics and slowdowns are due to Norton trying to "Fix" the swap file which is where it thinks the trojan is.
Turn OFF autoprotect and download the latest definitions file and the whole thing will go away. This is a NON-Problem, let it go.

Virus on a Mac? I don't think so!
by donw / May 6, 2005 9:21 AM PDT

I don't know whether this is related but I have had similar problems from time to time, recently following the adding of a new LaCie Firewire drive for backup purposes. I usually use Disk Doctor for fixing these sorts of issues. No luck. So out I go and purchase TechtoolPro and DiskWarrior at some cost. Still little luck. Then the creaking grey matter remembers that by repairing the permissions via Freeware "Macaroni" I have solved these problems in the past. Repaired the permissions and (so far) everything is running sweetly.

I have now set "Macaroni" to repair permissions daily!

Don

Suggestion from Linux guy
by confusedman / May 6, 2005 12:47 PM PDT

Well me not being of the Mac kind but of Linux, I know that many issues typically can be resolved by clearing out of your home directory (including all hidden files). I fixed a KDE upgrade bug by renaming my ~/ directory to a temp folder and then rebooting. Fixed it like a charm, but I lost some settings... no biggie, just takes a few minutes to set those back up.

Norton IS the problem! Norton IS the Virus
by bfranco / May 7, 2005 4:46 AM PDT

I had serious issues with my G4 very similar to what you were experiencing. I checked everything, ran Norton and what not, and still had issues. I went into the Activity Monitor (in the utilities folder) and started shutting down processes. When I shut down ONLY the Norton processes, the machine worked great. So I removed every single Norton component and have not had a problem since.

On my new Powerbook, I have NOT installed Norton and haven't had a single problem. In fact, it runs faster and better than I've ever experienced on a Mac. Norton IS the problem and IS the Virus that will screw up your machine.

Symantec should get their act together and revise their software. For disk maintenance, I tried Disk Warrior and it works great. For antivirus there are other solutions including the .Mac free version of Virex, though that one has been a culprit of problems as well on certain versions and combinations. Look to see if yours isn't one of them before installing. Apple still offers the older version in case the new one becomes a nuisance.

virus?
by Marie Buteau / May 10, 2005 4:58 AM PDT

I may be crazy but I have never used an anti-virus program. I have always used Tech Tool for maintenance and have been through 3 Macs. My 10 year old 6400/180 which I upgraded to a G3 and am running OS9.1 still runs great, tho a bit slow,;-). Am now using a G4 17" PB.

Not virus related but I also use the ilap and IMHO is the best thing to ever happen to a PB.

Bad programming, not a virus.
by bfranco / May 10, 2005 9:37 AM PDT
In reply to: virus?

In 20 years using the Mac, I've only encountered ONE major virus and it was around the time of system 7 if I remember correctly. Any errant behavior in my systems has always been caused by Bad Programming from one developer or another (including Apple) generally taken care of by removing or patching the offending application (or extension in the pre-X days). Simple maintenance with Alsoft's Disk Warrior and Disk Express (or Norton Disk Doctor and Speed Disk, Tech Tool etc.) has normally been enough to keep the system running in tip top shape.

It's always good to keep at least one AV program just in case, particularly as the Mac starts to draw more attention to itself and its more "secure" environment.

Most recent offender for system mishaps - Symantec's Norton products.

Also using a new G4 17" and the iLap is awesome!

Bad programming... you bet!
by gwats1957 / May 10, 2005 6:06 PM PDT

You are preaching to the choir here.......... I've been a Mac guy myself since system 7.5. Never saw one virus but I saw a bunch of neophytes screw up their systems downloading systems like Norton antivirus.
You have to get to know your system like a mate. Then you'll know when things are screwed up.
System X is very user friendly for beginners but you got to know what you are doing before those training wheels come off.

New Non-Virus Bad Programming...ATTENTION:Powerpoint 2004
by bfranco / May 11, 2005 2:05 PM PDT

I've mentioned here the problems with Symantec's products on a system. Well, to all Powerpoint 2004 users, here's a new Microsoft Bad Programming Bug which can cost you MONEY and GRIEF.

I was working on a presentation and as usual hitting that Apple-Save key every 2 seconds. The Powerpoint autosave feature was doing its thing as well. Suddenly, on one of my apple-saves...POOF. Powerpoint crashed and well...DISAPPEARED MY FILE!!! I mean gone, poof, no more, no restore, no trash, no nothing. It was on my hard drive before, now it's no more. This happened 2 hours before my presentation to great grief, stress, concern, etc. And of course, Powerpoint upon reopening acts as if the file never existed, I never worked on it, it's not in recent items or anything of the sort.

This Bad Programming is UNACCEPTABLE!!! Microsoft is supposedly aware of the problem but has not posted a fix..UNACCEPTABLE!!!

Workaround: Do a Save As to a different file name every time you save. That way, if it decides to Poof your presentation, it can only poof your current document and not your older document.

Once again, it's not a virus...It's Microsoft...er...Symantec...er...etc.

Thank you!
by beckicarr / May 18, 2005 2:39 AM PDT

I was having the same problems as the person at the beginning of this thread, and while I am relatively new to Macs and not savvy with computers in general, I am trying to learn! My Mac friends all helped me thru the problem, and I've uninstalled Norton everything (I THINK?!). I now realize any time my computer freaks out it's something not made for Macs (Word, Entourage, etc). grrrrr.... Anyway, thank you for all the insight from long-time Mac users!

Thank You
by taboma. / May 19, 2005 4:52 PM PDT
In reply to: Thank you!

I uninstalled Symantec Norton AntiVirus eight months ago from my Mac Server. Symantec was designed for Windows. Not a Mac. Symantec Mac Version is Window Dressing to say the least. You do not need it on a Mac. At all!

Kevin
