Welcome to DU! The truly grassroots left-of-center political community where regular people, not algorithms, drive the discussions and set the standards. Join the community: Create a free account Support DU (and get rid of ads!): Become a Star Member Latest Breaking News Editorials & Other Articles General Discussion The DU Lounge All Forums Issue Forums Culture Forums Alliance Forums Region Forums Support Forums Help & Search

mopinko

(71,813 posts)
Tue Dec 15, 2020, 02:02 PM Dec 2020

so, i picked up some malware. something called 'p'

it is fiddling w my info on websites. 2 laptops, both have it.
it's been a nightmare, actually. it has even sent payments that i made and email i sent into outer space.

i took both of them to my local mac specialist, and they couldnt find it.
i found this quora thread, where some guy insists it doesnt/can exist.

https://www.quora.com/On-my-Mac-it-reports-a-malware-file-called-p-that-was-made-and-opened-a-few-moments-ago-It-does-this-very-commonly-What-can-I-do-to-stop-this

but it's right there in my activity monitor.
the mac guys reinstalled my os, but it just started back up. it starts w a dialog box that says- apple wants to make changes, enter your password.
now, i am not that stupid, but it takes 3 tries to cancel it.
after that, i found myself resetting passwords left and right. it even hosed up the admin password.
i'm using my pad now, but sites i accessed from the laptop are hosed for me.

so far no evidence that my info has been used, but what i think it is doing is using my cpu. when this thing comes up, it pegs.
it even messed up applications. i was using itunes on it, not on the web, but it went squirrelly on me. try to switch from what is playing, and it just wont.
it even hacked my indesign. it hijacked the control key.

scared the crap out of my when it happened. figured i was being spied on.

thoughts?

21 replies = new reply since forum marked as read
Highlight: NoneDon't highlight anything 5 newestHighlight 5 most recent replies

C_U_L8R

(45,693 posts)
1. Malwarebytes is pretty good at spotting and cleaning
Tue Dec 15, 2020, 02:05 PM
Dec 2020

It's both free and paid. And works cross platform.

mopinko

(71,813 posts)
3. okay, i just looked at their site.
Tue Dec 15, 2020, 02:09 PM
Dec 2020

no contact info. i'm not going to use them if they cant tell me they know what this is.
it would require me getting on the web to download, and i doubt either of these machines will let me download it. i have had issues trying to download other stuff.

Tetrachloride

(8,448 posts)
4. Call your bank and Applecare
Tue Dec 15, 2020, 02:11 PM
Dec 2020

1. First, make backups. Keychains especially. Take some screenshots or camera shots.

2. Next, call your bank. Change your credit and debit cards.

3. Call AppleCare and ask them about "p".

4. Offer to send a screenshot.

5. They may ask you to enable Screen Sharing. Agree to this. This will require your password. They will analyze your computer using "your" mouse and keyboard from their system.

--- note: only do this with an AppleCare person.

6. Then it gets trickier. Making sure your internet accounts where you spend money are safe.

7. Whatever you do, do not get MacKeeper or CleanMyMac.

8. Javascript in your browser and emails is a powerful thing. This is part of how major websites work. Its often part of attacks. A browser with built-in protection such as Epic (see epic. browser. dot com ) or third party extensions for Safari or Chrom or Firefox will help. On Safari on my iPhone, I keep Javascript off in general. its a balance. Either keep Javascript off -- or take action using extensions.

9. Consider asking your mac specialist to install a HOSTS file, if you don't know how. Its easy and alleviates some risk, not to mention advertisers. (they are easy to remove also. )

----------

The main things are -- BACKUPS and TALK TO YOUR BANK. then go from there.

mopinko

(71,813 posts)
5. the authorized mac repair guys couldnt find it.
Tue Dec 15, 2020, 02:13 PM
Dec 2020

so, i'm looking for specific info on this particular thing.
thanks tho.

Tetrachloride

(8,448 posts)
7. Right. Authorized is not the same thing as AppleCare.
Tue Dec 15, 2020, 02:25 PM
Dec 2020

There's an authorized Apple dealer a mile from me. Two weeks ago, I went to that store to ask a question. They had to call the main office to get an answer. Later on, I found out how bad the answer was.

You may need to provide your Mac serial number in this AppleCare call. See the ABOUT THIS MAC in top left.

Tetrachloride

(8,448 posts)
8. If they don't take you seriously, ask your Mac specialists how to go up the chain of command.
Tue Dec 15, 2020, 02:28 PM
Dec 2020

Or post here, and I will find a way.

mopinko

(71,813 posts)
11. i'm going to take it back.
Tue Dec 15, 2020, 03:01 PM
Dec 2020

it came up, it's in the activity monitor. i shut it down, so hopefully they will be able to fix it this time.
i'm just trying to find out more about it in the meantime.

LiberalArkie

(16,504 posts)
10. You might create you another user and logout, turn off the Mac and log in with the new user.
Tue Dec 15, 2020, 02:44 PM
Dec 2020

It is more that likely associated with your current username.

LiberalArkie

(16,504 posts)
15. Yes, I know, but you will find out if the worm or whatever it is, is in the operating system
Tue Dec 15, 2020, 03:36 PM
Dec 2020

or in you user folder.. Entirely different places. I personally think it is in your safari cache,

Tetrachloride

(8,448 posts)
13. okay good luck. I'll keep an eye here.
Tue Dec 15, 2020, 03:14 PM
Dec 2020

(Once upon a time, I was pretty good at this stuff. At the time, nobody needed what I knew.)

mopinko

(71,813 posts)
18. interesting.
Tue Dec 15, 2020, 05:12 PM
Dec 2020

trouble is, i search for p and i cant find it.
i even sampled it and searched lines of the code and couldnt find it.

not surprised you cant trash it, tho. this is some slippery shit.

CloudWatcher

(1,923 posts)
19. Search? How?
Tue Dec 15, 2020, 08:45 PM
Dec 2020

With the finder interface? Or with a 'sudo find' command in terminal? It could be in a directory that isn't indexed by the usual speedy search engines.

It could also be overwriting the command name. Not sure what macOS does these days, but it used to be that you could stuff a string into argv[0] and have it appear as you wanted in the output of 'ps' (or activity monitor).

mopinko

(71,813 posts)
21. well, terminal cant see it either.
Fri Dec 18, 2020, 10:12 AM
Dec 2020

i'll get it into the repair guys and see if they can figure it out.
from what i have read, apple doesnt believe this is a thing.

i have to talk to them AGAIN at my bank, tho. it is the one place where resetting my info isnt working. i get in, then next time i try, i cant.
obviously this thing is in their system too.

Latest Discussions»Culture Forums»Apple Users»so, i picked up some malw...