
Please Help - MacBook Pro is infected with Malware
Merkava_4
Junior Member
Join Date: Oct 2008
Location: Clovis, CA
Aug 31, 2012, 12:15 AM
 
2007 MacBook Pro Santa Rosa Edition
OS 10.6.8

Something has taken over my computer. When I log into one of my favorite forums, a redirected address appears in the address box, Mac Mail gets opened up automatically, and then layers and layers of popup windows appear. I have already changed my DNS settings to no effect. I also changed my Admin Password to no effect. If I switch to a different computer and try to log into the forum, the malware takes over that computer too.

The link I'm redirected to is http://ha.ckers.org/weird/popup.html right before my Mac Mail is launched automatically. I have absolutely no control over my computer while this is happening. The only way to regain control is to force quit with the power button and then restart.

I couldn't take any screen shots while the malware was launching popups, so I had to resort to an actual camera to take screen shots. Here they are:



     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Aug 31, 2012, 01:53 AM
 
Looks more like the site got hacked, not your computer.

In Safari preferences, switch off JavaScript and see if that helps.

Which site is this? If we can reproduce it, it's not a problem with your machine.
     
Merkava_4  (op)
Junior Member
Join Date: Oct 2008
Location: Clovis, CA
Aug 31, 2012, 02:58 AM
 
Spheric Harlot,

I tried disabling Java and JavaScript in Safari like you suggested - no change.

The site is GarageJournal.Com. Everything looks normal on that board if I view it offline.
My Mac Mail shouldn't automatically open like that. Something is seriously wrong here.
     
Thorzdad
Moderator
Join Date: Aug 2001
Location: Nobletucky
Aug 31, 2012, 04:43 AM
 
The redirect you experience makes me wonder if you haven't inadvertently installed a DNSChanger trojan. They've been around for a few years, but still manage to catch people. Let's rule that out first...

Go to the Google search page and run a search for anything. Google has in place an automatic system that will alert you if it detects a DNS Changer trojan at work on your system.

Alternately, this site will check your system: http://www.dns-ok.us/
     
Watson
Fresh-Faced Recruit
Join Date: Dec 2001
Aug 31, 2012, 09:01 AM
 
Open the Terminal application in /Applications/Utilities.

Type the following:
cat /etc/hosts

Copy and paste the output (if it isn't too big) so that we may inspect it
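
The hosts-file inspection requested above can be narrowed to the lines that matter. The following is an added example, not part of any post in this thread: it prints every mapping that is not one of the stock Mac OS X entries, so anything listed is a line to review. The function name `audit_hosts` and the sample address and hostnames are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list hosts-file mappings that are not
# stock Mac OS X entries. A redirect planted on the machine would show up here;
# an empty result points away from the hosts file and toward the site itself.

# audit_hosts [FILE]   (FILE defaults to /etc/hosts)
# Prints "address hostname" for each non-stock mapping, one per line.
audit_hosts() {
    awk '
    {
        sub(/#.*/, "")                 # strip comments, fields are re-split
        if (NF < 2) next               # blank line or address with no name
        addr = tolower($1)
        for (i = 2; i <= NF; i++) {    # one address may carry several names
            name = tolower($i)
            loop = (addr == "127.0.0.1" || addr == "::1" || addr == "fe80::1%lo0")
            stock = (name == "localhost" && loop) ||
                    (name == "broadcasthost" && addr == "255.255.255.255")
            if (!stock) print addr, name
        }
    }' "${1:-/etc/hosts}"
}

# Demo on a constructed file: stock entries plus one made-up redirect
# (203.0.113.10 and forum.example.com are documentation placeholders).
sample=$(mktemp)
cat > "$sample" <<'EOF'
##
# Host Database
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost
fe80::1%lo0	localhost
203.0.113.10	forum.example.com www.forum.example.com  # constructed entry
EOF
audit_hosts "$sample"
rm -f "$sample"
```

Entries added deliberately, such as ad-blocking lines that point hostnames at 127.0.0.1, are also listed, since the function reports anything that is not a stock entry.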
     
Watson
Fresh-Faced Recruit
Join Date: Dec 2001
Aug 31, 2012, 10:43 AM
 
The link you supplied is an intentional attempt to overwhelm the memory resources of your computer. From the source of the page:

"This could cause a machine or at minimum a mail client/browser to crash due to memory exhaustion. Certainly it could cause you to close your mail client. It's just so buggy, it's difficult to tell what's causing the majority of the issues (the browser, the mail client or the embedded editor), and I get a mixed bag of results on machines. This will probably crash something. If you don't see anything that probably means you don't have an associated mail client attached to the mailto: directive."

It pops up 888 frames that redirect your browser to open whatever application you have assigned for sending email.
     
Merkava_4  (op)
Junior Member
Join Date: Oct 2008
Location: Clovis, CA
Aug 31, 2012, 05:33 PM
 
I took the computer to the Fresno Apple store. There's nothing they can do about it; they said they've never seen anything like it. They did say though that my hard drive is not infected, which is a good thing.


Mr Watson,

I think you're very much correct.
     
Merkava_4  (op)
Junior Member
Join Date: Oct 2008
Location: Clovis, CA
Sep 1, 2012, 08:47 PM
 
I think I may have found the problem. Apparently, the malware is an add-on software available to forum site owners who use vBulletin. I was given the link below from a forum administrator on one of the forums I visit. Not the same forum I'm having the trouble with. If you click on the link, it should be fairly apparent what's going on.

http://www.vbulletin.org/forum/showthread.php?t=254328
     
   
 