
Yep {{sniff}} -- Beret Pwned by some ^%*&$# Russki
Gotta use FFox for this-all; the Mo-Fo ate my post as this sucker crashed Safari just as I was about to save/send; I want this Wonder... writer's Head on a Pike.

Couple days ago, on an innocuous link from an electronics site (run by known sane people) I saw flash-by a box with an unknown filename, but ending in .ru; didn't wait for me to give any permissions--figured that, indeed--just >then<:
.
.
.Gehabt, Kindern!

(No clicky-clicky by moi, of course.)
Yep.. maybe next day (?) "Safari quit unexpectedly.." now a random occurrence.

After Updates a couple days ago and more tonight (when Apple finally got around to the new Java==OS X 10.6 Update 7) plus a Safari patch, I thought perhaps some sort of auto-removal 'feature' might accompany that-all.
Guess not; herewith last User Diagnostic Report (partial):

Process: Safari [337]
Path: /Applications/Safari.app/Contents/MacOS/Safari
Identifier: com.apple.Safari
Version: 5.1.5 (6534.55.3)
Build Info: WebBrowser-75345503~2
Code Type: X86-64 (Native)
Parent Process: launchd [106]

PlugIn Path: /Users/gort/Library/Application Support/.WondershareQuizCreatorBuild.tmp
PlugIn Identifier: .WondershareQuizCreatorBuild.tmp
PlugIn Version: ??? (???)


Date/Time: 2012-04-12 02:19:33.622 -0700
OS Version: Mac OS X 10.6.8 (10K549)
Report Version: 6

Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Crashed Thread: 1

Application Specific Information:
abort() called

Thread 0: Dispatch queue: com.apple.main-thread
0 libSystem.B.dylib 0x00007fff80004d7a mach_msg_trap + 10
1 libSystem.B.dylib 0x00007fff800053ed mach_msg + 59
2 com.apple.CoreFoundation 0x00007fff87759902 __CFRunLoopRun + 1698
3 com.apple.CoreFoundation 0x00007fff87758d8f CFRunLoopRunSpecific + 575
4 com.apple.HIToolbox 0x00007fff821187ee RunCurrentEventLoopInMode + 333
5 com.apple.HIToolbox 0x00007fff821185f3 ReceiveNextEventCommon + 310
6 com.apple.HIToolbox 0x00007fff821184ac BlockUntilNextEventMatchingListInMode + 59
7 com.apple.AppKit 0x00007fff80d4eeb2 _DPSNextEvent + 708
8 com.apple.AppKit 0x00007fff80d4e801 -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 155
9 com.apple.Safari.framework 0x00007fff88391b48 -[BrowserApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 177
10 com.apple.AppKit 0x00007fff80d1468f -[NSApplication run] + 395
11 com.apple.AppKit 0x00007fff80d0d3b0 NSApplicationMain + 364
12 com.apple.Safari.framework 0x00007fff8854ee6a SafariMain + 200
13 com.apple.Safari 0x0000000100000f1c 0x100000000 + 3868

Thread 1 Crashed:
0 libSystem.B.dylib 0x00007fff800779ce __semwait_signal_nocancel + 10
1 libSystem.B.dylib 0x00007fff800778d0 nanosleep$NOCANCEL + 129
2 libSystem.B.dylib 0x00007fff800d43ce usleep$NOCANCEL + 57
3 libSystem.B.dylib 0x00007fff800f3a00 abort + 93
4 libstdc++.6.dylib 0x00007fff882ff5d2 __tcf_0 + 0
5 libobjc.A.dylib 0x00007fff87663b4d _objc_terminate + 120
6 libstdc++.6.dylib 0x00007fff882fdae1 __cxxabiv1::__terminate(void (*)()) + 11
7 libstdc++.6.dylib 0x00007fff882fdb16 __cxxabiv1::__unexpected(void (*)()) + 0
8 libstdc++.6.dylib 0x00007fff882fdbfc __gxx_exception_cleanup(_Unwind_Reason_Code, _Unwind_Exception*) + 0
9 libstdc++.6.dylib 0x00007fff882b9a3e std::__throw_length_error(char const*) + 127
10 libstdc++.6.dylib 0x00007fff882e43fe std::string::append(char const*, unsigned long) + 82
11 ...ershareQuizCreatorBuild.tmp 0x0000000100082cbb dylibmain + 3599
12 com.apple.CFNetwork 0x00007fff84bd4dd7 HTTPReadFilter::readHeaderBytes(StreamReader*, unsigned char, unsigned char*, long, CFStreamError*) + 421
13 com.apple.CFNetwork 0x00007fff84bd5d4c HTTPReadFilter::canReadNoSignal(StreamReader*, CFStreamError*, unsigned char) + 110
14 com.apple.CFNetwork 0x00007fff84b8352c HTTPReadFilter::streamCanRead(__CFReadStream*) + 90
15 com.apple.CFNetwork 0x00007fff84b836a2 HTTPReadFilter::socketReadStreamCallback(unsigned long) + 122
16 com.apple.CFNetwork 0x00007fff84b83613 HTTPReadFilter::_httpRdFilterStreamCallBack(__CFReadStream*, unsigned long, void*) + 49
17 com.apple.CoreFoundation 0x00007fff877bb343 _signalEventSync + 115
18 com.apple.CoreFoundation 0x00007fff877bb2b4 _cfstream_solo_signalEventSync + 116
19 com.apple.CoreFoundation 0x00007fff877bb1f4 _CFStreamSignalEvent + 740
20 com.apple.CFNetwork 0x00007fff84bd88d7 SocketStream::dispatchSignalFromSocketCallbackUnlocked(SocketStreamSignalHolder*) + 45
21 com.apple.CFNetwork 0x00007fff84b6d12c SocketStream::socketCallback(__CFSocket*, unsigned long, __CFData const*, void const*) + 224
22 com.apple.CFNetwork 0x00007fff84b6d016 SocketStream::_SocketCallBack_stream(__CFSocket*, unsigned long, __CFData const*, void const*, void*) + 96
23 com.apple.CoreFoundation 0x00007fff87783bba __CFSocketDoCallback + 634
24 com.apple.CoreFoundation 0x00007fff877835bb __CFSocketPerformV0 + 315
25 com.apple.CoreFoundation 0x00007fff8775b3d1 __CFRunLoopDoSources0 + 1361
26 com.apple.CoreFoundation 0x00007fff877595c9 __CFRunLoopRun + 873
27 com.apple.CoreFoundation 0x00007fff87758d8f CFRunLoopRunSpecific + 575
28 com.apple.CFNetwork 0x00007fff84b861fc HTTPNetStreamInfo::streamRead(__CFReadStream*, unsigned char*, long, CFStreamError*, unsigned char*) + 278
29 com.apple.CoreFoundation 0x00007fff8774905c CFReadStreamRead + 748
30 ...ershareQuizCreatorBuild.tmp 0x0000000100082c66 dylibmain + 3514
31 com.apple.CFNetwork 0x00007fff84bd7fe0 HTTPReadStream::streamRead(__CFReadStream*, unsigned char*, long, CFStreamError*, unsigned char*) + 82
32 com.apple.CoreFoundation 0x00007fff8774905c CFReadStreamRead + 748
33 ...ershareQuizCreatorBuild.tmp 0x0000000100082264 dylibmain + 952
34 ...ershareQuizCreatorBuild.tmp 0x0000000100081198 0x10007a000 + 29080
35 ...ershareQuizCreatorBuild.tmp 0x0000000100081f46 dylibmain + 154
36 ...ershareQuizCreatorBuild.tmp 0x000000010008459d dylibmain + 9969
37 ...ershareQuizCreatorBuild.tmp 0x000000010008951c ksyms + 202
38 libSystem.B.dylib 0x00007fff8003dfd6 _pthread_start + 331
39 libSystem.B.dylib 0x00007fff8003de89 thread_start + 13

Thread 2:
0 libSystem.B.dylib 0x00007fff8003fa6a __semwait_signal + 10
1 libSystem.B.dylib 0x00007fff80043881 _pthread_cond_wait + 1286
2 ...ershareQuizCreatorBuild.tmp 0x000000010008968d ksyms + 571
3 libSystem.B.dylib 0x00007fff8003dfd6 _pthread_start + 331
4 libSystem.B.dylib 0x00007fff8003de89 thread_start + 13

Thread 3:
0 libSystem.B.dylib 0x00007fff8003fa6a __semwait_signal + 10
1 libSystem.B.dylib 0x00007fff80043881 _pthread_cond_wait + 1286
2 ...ershareQuizCreatorBuild.tmp 0x000000010008968d ksyms + 571
3 libSystem.B.dylib 0x00007fff8003dfd6 _pthread_start + 331
4 libSystem.B.dylib

---------------------------------------------------------------------


Natch the .tmp [.WondershareQuizCreatorBuild.tmp] does not appear in GUI listing of Plug-Ins (with "enable extents" ON, of course.)
Presume that, via Terminal and "ls" plus a suffix it could be found--but doubt that removal can be that simple.

Google found little; a Russki site of similar name (the Source?? or perhaps their name just copied)
http://translate.goo...en%26prmd%3Dimvns

And F-Prot had a fix for: Trojan-Downloader:OSX/Flashback.I
http://www.f-secure....flashback_i.shtml

Haven't checked out NetBarrier in its latest incarnation--had installed a trial version when iMac first arrived, but let that lapse.. having forgotten
doverai ni proverai (the only Russian Pres. Alzheimers ever managed to learn)
-- Trust.. but verify.

Wish there were something like the Oz "Process Guard" which I auditioned/bought for the XP-on-nb, before I decided that life was too short to waste time ... in the daily pursuit of Beastware patches. That looked like a winner, possibly even able to keep XP from self-immolation.

Toto, we're not in Kansas any more.. the Redmond kiddies taught the world how easy it was to overload buffers in toy software; now it's the Greedhead-Pros smelling $$ just like the Las Vegas banker-perps. What a surprise.

Any hints?


(Sent several Reports back to Apple. Bet they're now AWARE:
Where's The Beef Patch!! whiz-kids??
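As an added example (not part of the original posts): a small triage script for the kind of crash report quoted above. It reads the PlugIn Path, lists heuristic reasons the path deserves a closer look, and reports which threads contain frames from that image. The sample text is abridged from the report in the post; the function names and the suffix heuristics are assumptions of this example.

```python
import re

# Abridged from the crash report quoted in the post above (most frames trimmed).
SAMPLE_REPORT = """\
Process: Safari [337]
PlugIn Path: /Users/gort/Library/Application Support/.WondershareQuizCreatorBuild.tmp

Thread 1 Crashed:
10 libstdc++.6.dylib 0x00007fff882e43fe std::string::append(char const*, unsigned long) + 82
11 ...ershareQuizCreatorBuild.tmp 0x0000000100082cbb dylibmain + 3599
14 com.apple.CFNetwork 0x00007fff84b8352c HTTPReadFilter::streamCanRead(__CFReadStream*) + 90

Thread 2:
0 libSystem.B.dylib 0x00007fff8003fa6a __semwait_signal + 10
2 ...ershareQuizCreatorBuild.tmp 0x000000010008968d ksyms + 571
"""

FRAME = re.compile(r"^(\d+)\s+(\S+)\s+(0x[0-9a-f]+)\s+(.*)$")
THREAD = re.compile(r"^Thread (\d+)( Crashed)?:")
BUNDLE_SUFFIXES = (".plugin", ".bundle", ".dylib", ".framework")  # heuristic list

def path_reasons(path):
    # Heuristics (assumptions of this example), not an authoritative rule set.
    name = path.rsplit("/", 1)[-1]
    checks = [(name.startswith("."), "hidden dotfile"),
              (path.startswith("/Users/"), "under a user home directory"),
              (not name.endswith(BUNDLE_SUFFIXES), "no bundle or dylib suffix")]
    return [reason for flagged, reason in checks if flagged]

def triage(report):
    # Returns None when the report names no plug-in image.
    m = re.search(r"^PlugIn Path:\s*(.+)$", report, re.M)
    if not m:
        return None
    path = m.group(1).strip()
    name, thread, crashed, hits = path.rsplit("/", 1)[-1], None, False, []
    for line in report.splitlines():
        t, f = THREAD.match(line), FRAME.match(line)
        if t:
            thread, crashed = int(t.group(1)), bool(t.group(2))
        elif f:
            tail = f.group(2).lstrip(".")  # reports truncate long names to "...tail"
            if tail and name.endswith(tail):
                hits.append((thread, crashed, f.group(4)))
    return {"plugin": path, "reasons": path_reasons(path),
            "threads": sorted({h[0] for h in hits}),
            "in_crashed_thread": any(h[1] for h in hits),
            "symbols": [h[2] for h in hits]}

print(triage(SAMPLE_REPORT))
```
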
Re: Yep {{sniff}} -- Beret Pwned by some ^%*&$# Russki
http://www.f-secure....flashback_c.shtml

https://discussions....?start=0&tstart=0

http://reviews.cnet....iger-and-leopard/
http://reviews.cnet....-x/?tag=mncol;txt
-Mike

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Yikes. Glad you found out quickly. Luck with the disinfect.
Thanks, Mike.. Apple responded with alacrity: just this PM
Was about to go with F-Prot auto-remover.. then real life intruded.
By time I got back to machine, re-Googled: found that Apple had come through (even modifying first patch)
--with tail-fins which accrue only to Lion; a little-ap rides-herd on flaky Java versions ... yet-unBuilt!

http://reviews.cnet....ack-removal-tool/

Java for Mac OS X 10.6 Update 8 supersedes the Update 7 of last night
==2nd, maybe 3rd small revision to Apple's massaged-Java.
The D/L interrupted self to proclaim, "The update was installed"
Then Safari vanished [as-if "before-fix!" ..*gasp*] soon replaced by small box,

The "OSX.FlashBack.iv" malware was found and removed.

Can't get simpler than that--the C/L drill would have demanded 0-Tyops, but Mr. Topher Kessler's recitation of the autopsy results did somewhat amuse,
amidst the angst of the rapine of My Computer, Hypatia.

Will know/Believe.. the longer Safari stays unEventful.
50 minutes and counting...