The Mac in question has 2 user accounts and my SO (not a very sophisticated user) began getting dialogue box pop-ups about a week ago on her log-on - no issues with mine. Of course she only mentions this last night.
A box appeared every few minutes asking if you wanted to open a text editor file from Google. I opened a few of these (instead of canceling) and saved the payload which appears to be code to do with google ads. I have a saved copy at home I can post later if it helps. Opening the first file caused a toggle through of all open windows for about 10 seconds then nothing???
I looked at incoming/outgoing connections and traced a few to blacklisted ip addresses - 2 in China, 1 in Netherlands, etc. Around 4 or 5, not a ton. I have a screen shot of that output as well. After disconing the Mac from the internet, I searched on another computer for any trace of this from other users and found nothing. Tons of posts about MACdefender, which this is definitely not. Other machines on my network don't appear to be affected.
Am I infected? thus far I've flushed the DNS cache, cleared cookies, uninstalled firefox (thinking could be some sort of browser hijack). I also checked related /etc file and nothing unusual going on there. Help!
Next steps?
A box appeared every few minutes asking if you wanted to open a text editor file from Google. I opened a few of these (instead of canceling) and saved the payload which appears to be code to do with google ads. I have a saved copy at home I can post later if it helps. Opening the first file caused a toggle through of all open windows for about 10 seconds then nothing???
I looked at incoming/outgoing connections and traced a few to blacklisted ip addresses - 2 in China, 1 in Netherlands, etc. Around 4 or 5, not a ton. I have a screen shot of that output as well. After disconing the Mac from the internet, I searched on another computer for any trace of this from other users and found nothing. Tons of posts about MACdefender, which this is definitely not. Other machines on my network don't appear to be affected.
Am I infected? thus far I've flushed the DNS cache, cleared cookies, uninstalled firefox (thinking could be some sort of browser hijack). I also checked related /etc file and nothing unusual going on there. Help!
Next steps?
