Ok thanks Ronnie, will arrange that in the morning.

Good luck for your Pies!

Regards


Pete

> On 5 May 2017, at 8:53 PM, Ronda Brown <ro...@mac.com> wrote:
> 
> Hi Peter,
> 
> I would like to see the results of the Malwarebytes scan please.
> If James didn't keep a copy of the scan, you can email me the photos offlist 
> or transcribe what the 39 items were, I would appreciate it.
> 
> I can then comment if any further action is required. But it sounds like 
> James has done everything as instructed, which is very pleasing to hear. 
> 
> Kind regards,
> Ronni
> PS I've backed your Eagles to win tomorrow, I won money on you last week & 
> hope to tomorrow ;-) I haven't backed my Pies to win :(
> 
> Sent from Ronni's iPad4
> 
> 
>> On 5 May 2017, at 8:28 pm, Peter Crisp <petercr...@westnet.com.au> wrote:
>> 
>> Hi Ronnie, sorry for slow reply - working remotely to my son has necessary 
>> lag. So yes he has now run the anti malware program. 39 items identified. I 
>> have these in photographs so could transcribe.
>> 
>> He has done the clean up too and re-run - it is all clean now. Firewall is 
>> ON too. 
>> 
>> Given that this has been all done, is there any further action in this space 
>> do you feel?
>> 
>> Regards
>> 
>> Pete..
>> 
>> 
>> 
>> 
>> 
>>> On 1 May 2017, at 9:49 pm, Ronni Brown <ro...@mac.com> wrote:
>>> 
>>> Hi Peter,
>>> 
>>> I mentioned previously for James to download and run Malwarebytes 
>>> Anti-Malware for Mac, has this been done?
>>> 
>>> James had his Firewall turned OFF, so his Mac was open to incoming 
>>> connections from the outside world.
>>> With the Firewall ON it blocks incoming connections, and if you have 
>>> “stealth mode” on in the Firewall options it basically makes your Mac 
>>> invisible on an untrusted network.
>>> 
>>> That “Certificate PopUp screen” still worries me… 
>>> Someone or some malicious software with administrator privileges, could 
>>> have made changes to the Network Settings to redirect all outgoing 
>>> connections through a proxy server which lets the attacker eavesdrop on 
>>> your communications.
>>> 
>>> First Run a Malwarebytes Anti-Malware for Mac scan and let us know the 
>>> results please.
>>> 
>>> Regards,
>>> Ronni
>>> 
>>> 
>>> 
>>>> On 1 May 2017, at 5:23 pm, Peter Crisp <petercr...@westnet.com.au> wrote:
>>>> 
>>>> Hi Ronnie et al, James’ MBP school network intranet/internet issue is now 
>>>> resolved. The issue was relating to Proxies. James took his MBP to the IT 
>>>> guys and they asked him “did you download any proxies” to which he 
>>>> responded “not that I know of”. He may have done this accidentally, he 
>>>> didn’t even know where the Proxy settings are located within System Prefs 
>>>> when I quizzed him this afternoon so it wasn’t by direct entry. Not sure 
>>>> how the Proxies came to become misaligned, unlikely a result of the Sierra 
>>>> update but does anyone know how this could have happened?
>>>> 
>>>> The IT guys said “we reset your network settings” and now it is all good 
>>>> at school and still at home working fine too.
>>>> 
>>>> Regards
>>>> 
>>>> Pete.
>>>> 
>>>> 
>>>>> On 29 Apr 2017, at 6:35 pm, Peter Crisp <petercr...@westnet.com.au> wrote:
>>>>> 
>>>>> Hi Ronni, thanks for the details but I think it is safe to say James has 
>>>>> not gone down this path as he NEVER opens his emails. So for that reason, 
>>>>> it is highly unlikely. I will nonetheless get his confirmation that he 
>>>>> hasn't opened any emails and specifically one with a Zip folder in it.
>>>>> 
>>>>> So if I am correct and the Dokument.zip scenario is a red herring, 
>>>>> what else could it be?
>>>>> 
>>>>> WCE have made a good start though a long way to go. 
>>>>> 
>>>>> Regards
>>>>> 
>>>>> 
>>>>> Pete
>>>>> 
>>>>>> On 29 Apr 2017, at 12:32 PM, Ronni Brown <ro...@mac.com> wrote:
>>>>>> 
>>>>>> 
>>>>>> Hi Peter,
>>>>>> 
>>>>>> For James to have been infected by OSX.Dok, James would have needed to 
>>>>>> install it! And he would have to go through quite a number of steps & 
>>>>>> windows to install it. 
>>>>>> You have indicated that James is pretty competent in these things, so 
>>>>>> let's hope you are correct. As this is a new, very nasty Malware, and the 
>>>>>> malware is able to have continued root-level permission without 
>>>>>> continuing to request an admin password.
>>>>>> ---
>>>>>> “OSX.Dok comes in the form of a file named Dokument.zip, which is found 
>>>>>> being emailed to victims in phishing emails. Victims primarily are 
>>>>>> located in Europe.
>>>>>> 
>>>>>> Apple has already revoked the certificate used to sign the app, so, at 
>>>>>> this point, anyone who encounters this malware will be unable to open 
>>>>>> the app and unable to be infected by it.
>>>>>> 
>>>>>> If the user clicks past this warning to open the app, it will display a 
>>>>>> warning that the file could not be opened, which is simply a cover for 
>>>>>> the fact that no document opened:
>>>>>> 
>>>>>> Interestingly, this window cannot be dismissed, as the OK button does 
>>>>>> not respond. Further, the app will remain stuck in this mode for quite 
>>>>>> some time. If the user becomes suspicious at this point and attempts to 
>>>>>> force quit the app, it will not show up in the Force Quit Applications 
>>>>>> window and in Activity Monitor, it will appear as “AppStore.”
>>>>>> 
>>>>>> If the user manages to force this “AppStore” app to quit, however, all 
>>>>>> is not yet okay. The malware dropper will have copied itself onto the 
>>>>>> /Users/Shared/ folder and added itself to the user’s login items so it 
>>>>>> will re-open at the next login to continue the process of infecting the 
>>>>>> machine.
>>>>>> 
>>>>>> After several minutes, the app will obscure the entire screen with a 
>>>>>> fake update notification.
>>>>>> “OS X Updates Available - A security issue has been identified in a OS X 
>>>>>> software product etc etc.”
>>>>>> 
>>>>>> If James did continue to this stage his Mac is probably infected with 
>>>>>> this Malware.
>>>>>> 
>>>>>> Malwarebytes Anti-Malware for Mac will detect the important components 
>>>>>> of this malware as OSX.Dok, disabling the active infection. However, 
>>>>>> when it comes to the other changes that are not easily reversed, which 
>>>>>> introduce vulnerabilities and potential behavior changes, additional 
>>>>>> measures will be needed. 
>>>>>> For people who don’t know their way around in the Terminal and the 
>>>>>> arcane corners of the system, it would be wise to seek the assistance of 
>>>>>> an expert, or erase the hard drive and restore the system from a backup 
>>>>>> made prior to infection.
>>>>>> 
>>>>>> Please post back more information from James as to exactly what were the 
>>>>>> details of the below “certificate pop up screen”? And what happened after 
>>>>>> he clicked “Accept”?  
>>>>>>>> "certificate pop up come up on screen" to which he pressed Accept
>>>>>>>> 
>>>>>> 
>>>>>> I’m hoping it is not the malware and can be rectified without an erase 
>>>>>> of the hard drive and restore the system from a previous backup made 
>>>>>> prior to infection.
>>>>>> 
>>>>>> 
>>>>>> Cheers,
>>>>>> Ronni
>>>>>> 
>>>>>> 13-inch MacBook Air (April 2014)
>>>>>> 1.7GHz Dual-Core Intel Core i7, Turbo Boost to 3.3GHz
>>>>>> 8GB 1600MHz LPDDR3 SDRAM
>>>>>> 512GB PCIe-based Flash Storage
>>>>>> 
>>>>>> macOS Sierra 10.12.4
>>>>>> 
>>>>>> 
>>>>>>> On 29 Apr 2017, at 10:33 am, Pat <clamsh...@iinet.net.au> wrote:
>>>>>>> 
>>>>>>> There is a report in today’s online news about a new malware targeting 
>>>>>>> Macs called OSX/Dok. The first symptom is a pop-up message about a new 
>>>>>>> OSX update. Don’t update! It is a trojan that can bypass Gatekeeper. 
>>>>>>> Apparently it is signed with a valid developer certificate and attacks 
>>>>>>> all kinds of Mac.
>>>>>>> 
>>>>>>> Pat
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>>> On 29 Apr 2017, at 08:57, petercr...@westnet.com.au wrote:
>>>>>>>> 
>>>>>>>> My son's (James) MacBook Pro (~2011) has been updated to Sierra 
>>>>>>>> 10.12.4 since he went on school holidays. He went back to school this 
>>>>>>>> week and was unable to gain access into the school IT environment 
>>>>>>>> using the school wifi. He had previously had no problem the last time 
>>>>>>>> he was in school when running El Capitan. He called me this morning as I am 
>>>>>>>> FIFO at the moment in sunny Hedland and using Facetime we proved a few 
>>>>>>>> things. He was able to access the school IT environment by using the 
>>>>>>>> home WIFI network without a hitch. This problem therefore arises when 
>>>>>>>> he is at school in the school wifi environs.
>>>>>>>> 
>>>>>>>> He indicated to me when first attempting to connect to the school 
>>>>>>>> environment via the installed VMware he had a "certificate pop up come 
>>>>>>>> up on screen" to which he pressed Accept. My suspicion is that has 
>>>>>>>> something to do with his access problem though may be a Sierra related 
>>>>>>>> issue potentially. He took it to his school IT team on Friday who said 
>>>>>>>> "you need to go to the App store and do an update". He told them he is 
>>>>>>>> at the latest OSX 10.12.4, there is no further update - I think 
>>>>>>>> they're fobbing him off and copping out because they don't actually 
>>>>>>>> know the problem and solution. But neither do I, however I admit to 
>>>>>>>> it. James is pretty competent in these things but we're both stumped 
>>>>>>>> right now.
>>>>>>>> 
>>>>>>>>  
>>>>>>>> Any clues by anyone on similar issues?
>>>>>>>> 
>>>>>>>>  
>>>>>>>> Regards
>>>>>>>> 
>>>>>>>>  
>>>>>>>> Pete.
>>>>>>>> 
>>>>>>>> 
>>>> 
>>>> 
>>>> 
>>>> Peter Crisp
>>>> petercr...@westnet.com.au
>>>> 
> -- The WA Macintosh User Group Mailing List --
> Archives - <http://www.wamug.org.au/mailinglist/archives.shtml>
> Guidelines - <http://www.wamug.org.au/mailinglist/guidelines.shtml>
> Settings & Unsubscribe - 
> <http://lists.wamug.org.au/listinfo/wamug.org.au-wamug>
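Ronni's advice in the thread above (firewall on, stealth mode on, and the worry that something with admin rights had quietly pointed James's outgoing connections at a proxy) boils down to a couple of checks James could have run himself before the school IT team reset his network settings. The script below is an added example and is not code from anyone in this thread. It parses the text that macOS's own `networksetup` and `/usr/libexec/ApplicationFirewall/socketfilterfw` tools print, so the parsing functions can be tried anywhere on the constructed sample output embedded in it (the 10.0.0.5:8080 proxy is made up, not taken from James's Mac); only the live part runs on an actual Mac, and it is skipped elsewhere.

```shell
#!/bin/sh
# Added example for this thread (not code from any of the posts above): audit
# the application firewall (plus stealth mode) and every network service for
# an HTTP/HTTPS proxy or PAC file. The parsers take the text that macOS's
# `networksetup` and `socketfilterfw` print on stdin, so they run on the
# constructed samples below on any POSIX system; audit_live() is the only part
# that touches a real Mac and it is skipped when those tools are absent.

# stdin: output of `networksetup -getwebproxy <service>` or `-getsecurewebproxy`.
# Prints host:port and exits 0 when a proxy is enabled, exits 1 otherwise.
proxy_enabled() {
  awk '
    /^Enabled:/ { on = ($2 == "Yes") }
    /^Server:/  { host = $2 }
    /^Port:/    { port = $2 }
    END { if (on && host != "") { print host ":" port; exit 0 } exit 1 }
  '
}

# stdin: output of `networksetup -getautoproxyurl <service>`. A PAC file is a
# second way to steer traffic; prints the URL and exits 0 when one is enabled.
pac_enabled() {
  awk '
    /^URL:/     { url = $2 }
    /^Enabled:/ { on = ($2 == "Yes") }
    END { if (on && url != "" && url != "(null)") { print url; exit 0 } exit 1 }
  '
}

# stdin: output of `socketfilterfw --getglobalstate`; prints "on" or "off".
# State 1 is "on", state 2 is "block all incoming"; both count as on.
firewall_state() {
  if grep -q 'State = [12]'; then echo on; else echo off; fi
}

# stdin: output of `socketfilterfw --getstealthmode`; prints "on" or "off".
stealth_state() {
  if grep -qi 'stealth mode enabled'; then echo on; else echo off; fi
}

# report_service NAME WEB_TEXT SECURE_TEXT PAC_TEXT
# Prints a WARN line per active proxy and returns 1 if any was found.
report_service() {
  svc=$1; bad=0
  if p=$(printf '%s\n' "$2" | proxy_enabled); then
    echo "WARN $svc: HTTP proxy $p"; bad=1
  fi
  if p=$(printf '%s\n' "$3" | proxy_enabled); then
    echo "WARN $svc: HTTPS proxy $p"; bad=1
  fi
  if p=$(printf '%s\n' "$4" | pac_enabled); then
    echo "WARN $svc: PAC file $p"; bad=1
  fi
  [ "$bad" -eq 0 ] && echo "ok   $svc: no proxy configured"
  return $bad
}

# Live check on a Mac: firewall state, then each network service.
audit_live() {
  fw=/usr/libexec/ApplicationFirewall/socketfilterfw
  if ! command -v networksetup >/dev/null 2>&1 || [ ! -x "$fw" ]; then
    echo "not macOS: skipping live audit"; return 0
  fi
  echo "firewall: $("$fw" --getglobalstate | firewall_state), stealth: $("$fw" --getstealthmode | stealth_state)"
  # First line of -listallnetworkservices is a legend; a leading * marks a disabled service.
  networksetup -listallnetworkservices | tail -n +2 | sed 's/^\*//' |
  { rc=0
    while IFS= read -r svc; do
      report_service "$svc" "$(networksetup -getwebproxy "$svc")" \
        "$(networksetup -getsecurewebproxy "$svc")" \
        "$(networksetup -getautoproxyurl "$svc")" || rc=1
    done
    exit $rc; }
}

# Constructed sample outputs (not captured from James's machine): an HTTP
# proxy silently pointed at 10.0.0.5:8080, HTTPS proxy off, no PAC file.
SAMPLE_WEB='Enabled: Yes
Server: 10.0.0.5
Port: 8080
Authenticated Proxy Enabled: 0'
SAMPLE_SECURE='Enabled: No
Server:
Port: 0
Authenticated Proxy Enabled: 0'
SAMPLE_PAC='URL: (null)
Enabled: No'

echo "== constructed sample =="
report_service "Wi-Fi (sample)" "$SAMPLE_WEB" "$SAMPLE_SECURE" "$SAMPLE_PAC" || true
echo "== live =="
audit_live || echo "proxy settings need attention"
```

On a Mac, save it and run `sh audit.sh`; a WARN line for a proxy you did not set yourself is the thing to chase. `networksetup -setwebproxystate <service> off` (and `-setsecurewebproxystate`, `-setautoproxystate`) switches the offending entry off, which is presumably what the school's "reset your network settings" amounted to, but as Ronni says the more important question is what put it there.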