Underhand Trojan Removal

[Stolid]

I've got a friend who's contracted the Underhand trojan and we're trying to remove it.
All we've been able to find is basically this URL:
http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

According to Norton files like Sym.Unix.Mk9gHPpwcD (Sym.Unix.*) are infected -- unfortunately none of my UNIX or OS X books reference Sym.Unix.XXXX nor does any googling provide information. I'm guessing, based on the name, these are probably paging files but I'd like confirmation.

His startup list is as follows:
LaunchBar
iCalAlarmScheduler
SetiChatStatus
x-Tunes Daemon
SpeechSynthesisServer
SymSecondaryLaunch
Palm Desktop Background
Transport Monitor
iTunes Helper

Unfortunately I don't have a stock list to compare it against; so if anyone here can identify any of these as unusual that'd help. He does have a Palm.

Any help would be vastly appreciated,
Thanks in advance,
Stolid

 

[4409723]

Here are the start-up items I have:

StuffitAVRDaemon
YouControlEngine
ATI Monitor
MultiuserManager
iScrobbler
iTunesHelper
GrowlHelperApp
SmartReporter
Quicksilver
LCCDaemon

These look suspicious:
SpeechSynthesisServer
SymSecondaryLaunch
Transport Monitor

 

[rdowns]

These look suspicious:
SpeechSynthesisServer
SymSecondaryLaunch
Transport Monitor

Transport Monitor is installed by Palm. SpeechSynthesisServer is an Apple item, I have it. No idea what SymSecondaryLaunch is but would guess it's a Symantec item.

 

[4409723]

It may not be a normal start up item. Close all programs and then use activity monitor and compare with this:

http://64.233.183.104/search?q=cach...ackground-processes.html+&hl=en&client=safari

 

[FadeToBlack]

I thought that OS X was safe from stuff like this?

 

[angelneo]

I think this came up sometime ago.

I believe these are the people who have too much free time.
http://www.cowfight.com/cf4/underhand/

 

[dukeblue91]

SymSecondaryLaunch is from a Norton product.
The only one that sticks out is xTunes as google only brings up Linux stuff.
Everything else looks normal.
Did you try to follow the removal instructions from Cowfight?

 

[apple2991]

Underhand Trojan removal?

I don't think we're talking about the same thing.

 

[BEET]

Underhand Trojan removal?

I don't think we're talking about the same thing.

HI,


I was wondering if you had an answer to what the underhand 05a thing is? Is it a virus? I'm relatively new to computers and have just noticed a window on my powerbook that I can't get rid of, a blue window titled Underhand 05a' . Did you find out what it is and what to do about it?

I'd be very grateful for any answers.

cheers.

 

[4409723]

http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

Give that a read, it should help you in removing it.

 

[trainguy77]

So would this be the first virus for mac?

 

[BEET]

cheers wes...

http://www.cowfight.com/cf4/underhand/RemovingUnderhand.rtf

Give that a read, it should help you in removing it.

thanks Wes, yeh I just followed those instructions and have got rid of the 'underhand 05a' window. But I'm a bit worried, does my mac now have a virus? the thing is I have to use my pb at work and network it with the ones there, will it screw anything up?
do you know what the file is? and does?


thanks again. beet

 

[PlaceofDis]

So would this be the first virus for mac?

NO, this is a Trojan, meaning its something you downloaded or put on your system knowingly that then harmed your system. Viruses are self replicating, this is not. Viruses usually get into the system without you knowing.

i could be worng, but i believe this is the fine distinction between the two

 

[4409723]

You don't have a virus. Your files are safe, just continue your normal back-up procedure and be more wary of foreign files in the future, like you would with any other computer.

 

[trainguy77]

NO, this is a Trojan, meaning its something you downloaded or put on your system knowingly that then harmed your system. Viruses are self replicating, this is not. Viruses usually get into the system without you knowing.

i could be worng, but i believe this is the fine distinction between the two

Good to hear!

 

[4409723]

Suggested further reading:

http://service1.symantec.com/SUPPORT/nav.nsf/docid/1999041209131106

Windows-orientated but comprehensive.

 

[BEET]

reassured, however still a bit aprehensive

cool, thanks for the knowledge. a couple more questions:

should I get any software to make sure my system is ok (ie zebra) check the trojan isn't anywhere on my system? if so can you recommend anything?

 

[BEET]

cool, thanks for the knowledge. a couple more questions:

should I get any software to make sure my system is ok (ie zebra) check the trojan isn't anywhere on my system? if so can you recommend anything?

Just to show I'm trying to b e proactive and not just relying on other people's info, i checked on versiontracker for free trojan detectors etc. Now that I followed the instructions on the cowfight site, and the trojan window no longer shows up: what if one of the trojan detectors finds effected media files etc...?