For current or would-be users of Apple Mac computers, with answers to many FAQs.

Caught a sniffle

Postby MadManDan » Thu Jun 27, 2019 5:06 pm

Hi. I've been set up on my mid-2014 Mini, High Sierra, event-free for one year. Last night I tried going to a reputable website and something went wrong. I was asked to install Flash, which seemed weird, but being tired I clicked.

Now it seems like I've caught something, as both Chrome and Safari have some unexplained search engine as their homepage and I keep getting suspicious pop-ups.

So fortunately I have kept a copy of the entire boot drive on an external, via Carbon Copy Cloner.

Should I remake the system from that, or is that too extreme a measure?
MadManDan
Frequent Poster
Posts: 515
Joined: Mon Sep 13, 2004 12:00 am
Location: Across the pond....New Yawk
Gear list: If you can't find it, grind it

Re: Caught a sniffle

Postby desmond » Thu Jun 27, 2019 5:22 pm

Given that you don't know what the malicious software is going to do, then yes, I'd restore the system...

Peace of mind, and all...

You could always do some research on the particular thing you have (you should be able to google some suspicious-looking process names etc), but you don't want to risk having your data permanently encrypted or something...
desmond
Jedi Poster
Posts: 8867
Joined: Tue Jan 10, 2006 1:00 am
mu:zines | music magazine archive | difficultAudio

Re: Caught a sniffle

Postby ConcertinaChap » Thu Jun 27, 2019 10:17 pm

Desmond has the right of this. Your system has been (as the modern jargon has it) pwned.

CC
ConcertinaChap
Jedi Poster
Posts: 7579
Joined: Wed Jul 20, 2005 12:00 am
Location: Bradford on Avon
Making music: Eagle Alley, recording music: Mr Punch's Studio
If you want me I'll be down on Sound on Sound on Sound.

Re: Caught a sniffle

Postby MadManDan » Thu Jun 27, 2019 11:10 pm

Thanks. Now I need to look into the method for this. I know it begins with booting in safe mode?

Re: Caught a sniffle

Postby ConcertinaChap » Thu Jun 27, 2019 11:34 pm

I think you need to determine how the backup you made with carbon copy cloner should be used for this purpose.

CC

Re: Caught a sniffle

Postby Jumpeyspyder » Fri Jun 28, 2019 12:37 am

Hi

First thing to do is check your 'compromised' system for any data that you need to back up and stash it away (ideally on a separate disk, not on your 'clean' CCC backup).

Next, check if your CCC backup is bootable and works!

Boot your Mac holding down 'Alt' and it will hopefully present your external drive as one of the boot options. Select it and check that it boots up fine!

If you do both these two things it gives you options!
Jumpeyspyder
Frequent Poster
Posts: 1123
Joined: Fri Jan 20, 2006 1:00 am
Location: Yorkshire

Re: Caught a sniffle

Postby MadManDan » Fri Jun 28, 2019 1:55 am

Luckily there's nothing to back up. I can go straight to booting up from the external. I assume the Mac will presume that since I'm doing this I am planning on some utility work.

Re: Caught a sniffle

Postby MadManDan » Fri Jun 28, 2019 2:20 am

I'm at it now. Basically I booted from ext.

I then opened up the main HD and see the four corresponding folders: Applications, Library, System and Users.

Starting by putting the Applications folder in the trash and dragging the ext drive's Applications folder over. Plan to repeat for all four.

Re: Caught a sniffle

Postby MadManDan » Fri Jun 28, 2019 3:36 am

OK, that went horribly. Luckily it occurred to me to use CCC. Hello, that's what I should have done first :headbang:

LOVE Carbon Copy Cloner. First of all, it saw me booting up from the ext and offered me a new "event" to restore the HD. Correct assumption, thanks.

And, it gave me the option to exclude certain files. Which I appreciated because the drive's not only my system back up, it also holds my SD3 library.

ANNND offered me tutorial videos. Hats off to CCC

Re: Caught a sniffle

Postby ConcertinaChap » Fri Jun 28, 2019 7:03 am

Lovely! Good result.

CC

Re: Caught a sniffle

Postby xFasterMikeyH » Fri Jun 28, 2019 6:00 pm

Sounds like you're all sorted, but from your description it sounds like this:
https://www.theregister.co.uk/2019/06/0 ... on_hijack/
xFasterMikeyH
Regular
Posts: 113
Joined: Fri Oct 08, 2004 12:00 am

Re: Caught a sniffle

Postby desmond » Fri Jun 28, 2019 6:34 pm

MadManDan wrote: I then opened up the main HD and see the four corresponding folders: Applications, Library, System and Users.

Starting by putting the Applications folder in the trash and dragging the ext drive's Applications folder over. Plan to repeat for all four.

I started to read that with dawning horror... :shock:

MadManDan wrote:OK That went horribly.

Well, yes... There are more things to a disk clone than just the visible files you can see in a Finder window!
(Hidden files, the whole Unix system, the boot stuff etc etc).

MadManDan wrote:Hats off to CCC

This is an all-too-common situation though - people happily making backups of their drives, without the slightest knowledge of what to do to restore from them, should the need arise...

Glad you figured it out without too much trouble..! :thumbup:

Re: Caught a sniffle

Postby MadManDan » Fri Jun 28, 2019 9:17 pm

So yeah, I got hijacked. :protest:

Here's the thing: the CCC restore went fabulously. BUT, my Chrome still wants to make some nasty hijack search engine its home. And going into the expert settings, where you can manage which searches are used for the homepage, it does NOT allow me to remove it. Instead of the "remove" option it has a blank space. So bad. chrome://settings/searchEngines

I want this clean before I install anything else, as I'd like my next CCC clone to be of a clean HD.

Re: Caught a sniffle

Postby MadManDan » Fri Jun 28, 2019 9:21 pm

desmond wrote:
MadManDan wrote: I then opened up the main HD and see the four corresponding folders: Applications, Library, System and Users.

Starting by putting the Applications folder in the trash and dragging the ext drive's Applications folder over. Plan to repeat for all four.

I started to read that with dawning horror... :shock:
dawning horror :D

Re: Caught a sniffle

Postby Jumpeyspyder » Fri Jun 28, 2019 10:22 pm

If the CCC backup on the external is good, and no further backups are required, normal practice is to wipe the internal drive and use the external to clone back to the internal drive.

Glad it has worked out for you :)

Re: Caught a sniffle

Postby xFasterMikeyH » Fri Jun 28, 2019 10:44 pm

MadManDan wrote: Here's the thing: the CCC restore went fabulously. BUT, my Chrome still wants to make some nasty hijack search engine its home.
Are you sure that the restore went well? And that the point in time you restored from was prior to this happening? Because _everything_ should be back as it was before. Unless Chrome has some setting that allows you to share your preferences across devices, which it has then pulled down from the internet when you've started up your restored system.

Re: Caught a sniffle

Postby MadManDan » Sat Jun 29, 2019 12:15 am

I'm very careful and deliberate with this mac. I'm certain that my backup was before catching the bug. Plus I know when I caught it ....

The other night I needed support for my Superior Drummer 3. Apparently I went to toontracks.... With an s.... And they pushed a Flash player on me. Was tired so downloaded it. Don't judge :)

Re: Caught a sniffle

Postby MadManDan » Sat Jun 29, 2019 1:17 am

Should I think about wiping the HD and doing the restoration again? Seems like overkill.

Re: Caught a sniffle

Postby blinddrew » Sat Jun 29, 2019 10:31 am

I assume you have tried uninstalling then reinstalling Chrome?
blinddrew
Jedi Poster
Posts: 8102
Joined: Sun Jul 05, 2015 12:00 am
Location: York
Ignore the post count, I have no idea what I'm doing...

Re: Caught a sniffle

Postby xFasterMikeyH » Sat Jun 29, 2019 5:56 pm

MadManDan wrote: Should I think about wiping the HD and doing the restoration again? Seems like overkill.
Just to be clear (and no judgment from me), are you saying that after doing the restore of your system you then installed a possibly dodgy Flash player? And that since then you are seeing unexpected/weird behaviour from Chrome?

If the answer to those is 'yes' I would say that yes, you should restore again. If you've accidentally installed a variant of the malware I linked to, it could be doing all kinds of nasty things; basically it has the potential to read all your internet traffic and do what it likes with it, including stealing passwords.

FMH
