Is SS constantly asking for my password - a Trojan Horse?

Hi Michael,

Over the past 2 days Spam Sieve has been asking for my computer’s password to complete an operation which I did not initiate. The reminders come every 30 minutes or so throughout the day. At first I typed the password and now I close the box and move on. In researching this online I came across other instances of software acting strangely which revealed the presence of a Trojan Horse.

In addition I’d been having issues with permissions on my Mac. I could not open screenshots I’d just made so I temporarily disabled SIP and reset my permissions on the Mac with Terminal. Then I reinitiated SIP, ran ClamXAV and deleted 2 pieces of adware found on an external drive. I was able to open the screenshots. In the process of all this I did also install the software fontXchange as well as a new version of Onyx - which I tried to run last night to fix permissions and which got stuck half way through. It’s been a busy weekend with not much success so far.

Do you have any idea what’s going on and how to deal with it?

Bob

Most likely, SpamSieve found improper permissions on one of its files and asked for admin access in order to fix the permissions for you. If that’s the case, the Console log will show some log entries that say “MJTFileFixLog” explaining the details.

Here is my console file - the only search I could find anything with is “MJTFile” (removing FixLog). Does this help you?

2017-08-29 1:13:21.749 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/Mail/SpamSieve: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/SpamSieve”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:21.752 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:28.154 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:28.154 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:34.517 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:34.517 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:40.924 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:40.925 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:47.280 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/LaunchAgents: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:47.280 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:53.810 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/LaunchAgents/com.c-command.SpamSieve.LaunchAgent.plist”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:13:53.818 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/Mail/V3: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/V3”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:00.046 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/Mail/V3: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/V3”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:00.046 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/Mail/V3/MailData: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/V3/MailData”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:06.639 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/Mail/V3/MailData: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/V3/MailData”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:06.639 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/Containers/com.apple.mail/Data/Library/Preferences: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Containers/com.apple.mail/Data/Library/Preferences”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:13.055 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/Containers/com.apple.mail/Data/Library/Preferences: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Containers/com.apple.mail/Data/Library/Preferences”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:13.130 PM SpamSieve[17069]: Will try to fix file owner error for /Users/robertappleton/Library/Mail/SpamSieve: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/SpamSieve”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>
2017-08-29 1:14:19.393 PM SpamSieve[17069]: Fixed file owner error for /Users/robertappleton/Library/Mail/SpamSieve: <NSError Domain=MJTErrorDomain Code=1008 UserInfo={
MJTActualValue = 0,
MJTExpectedValue = 501,
MJTStackFrames = (
“-[NSURL(MJTFiles) mjtCheckFileOwnerAccountID:error:] (273)”
),
NSFilePath = “/Users/robertappleton/Library/Mail/SpamSieve”,
NSLocalizedDescription = “The file’s owner was incorrect.”
}>

screenshot of the pw window
Michael,

Attached is a jpg of the window which appears every time I start my email, or return to it from another program and it’s still happening. This permissions issue has never occurred before. And that is why I suspected a virus. I also sent separate log files to ClamXAV for analysis. I hope you and they can help figure this out.

Thanks

I don’t know what’s causing this, but it looks like something is changing the SpamSieve files so that they are owned by the root user rather than your regular user account. It looks like SpamSieve is successfully fixing this, though. The next time it prompts you, is it for the same files or different ones?

It just happened again and the window never specifies which files it wants to change. Is there another way I can find this out?

b

You can look in the Console log.
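
Whether the prompts concern the same files or different ones can be read out of the Console text with a short script. The following is an added example, not part of the original thread and not SpamSieve's own code: it parses entries in the layout of the log quoted above and lists the paths whose owner was fixed more than once. The sample entries, the process id and the `/Users/example` paths are constructed.

```python
import re
from collections import defaultdict

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{1,2}:\d{2}:\d{2}\.\d{3} [AP]M) SpamSieve\[\d+\]: "
    r"(?P<action>Fixed|Will try to fix) file owner error for (?P<path>.+?): <NSError")
FIELD = re.compile(r"^\s*(MJTActualValue|MJTExpectedValue) = (\d+),")

def parse(log):
    """Turn pasted Console text into one dict per file-owner entry."""
    events = []
    for line in log.splitlines():
        head = HEADER.match(line)
        if head:
            events.append(head.groupdict())
        elif events and (field := FIELD.match(line)):
            events[-1][field[1]] = int(field[2])  # uid found / uid expected
    return events

def summarize(events):
    """Per path: number of completed fixes and the (actual, expected) uid pairs seen."""
    summary = defaultdict(lambda: {"fixed": 0, "owners": set()})
    for e in events:
        entry = summary[e["path"]]
        entry["fixed"] += e["action"] == "Fixed"
        entry["owners"].add((e.get("MJTActualValue"), e.get("MJTExpectedValue")))
    return dict(summary)

def repeated(summary):
    """Paths fixed more than once, i.e. the owner was wrong again after a fix."""
    return sorted(p for p, s in summary.items() if s["fixed"] > 1)

def _entry(ts, action, path):
    # Constructed sample entry in the layout of the log quoted in this thread.
    return (f"{ts} SpamSieve[100]: {action} file owner error for {path}: "
            "<NSError Domain=MJTErrorDomain Code=1008 UserInfo={\n"
            "MJTActualValue = 0,\nMJTExpectedValue = 501,\n"
            f"NSFilePath = “{path}”,\n}}>\n")

SAMPLE = "".join([
    _entry("2017-08-29 1:13:21.749 PM", "Fixed", "/Users/example/Library/Mail/SpamSieve"),
    _entry("2017-08-29 1:13:21.752 PM", "Will try to fix", "/Users/example/Library/LaunchAgents"),
    _entry("2017-08-29 1:13:28.154 PM", "Fixed", "/Users/example/Library/LaunchAgents"),
    _entry("2017-08-29 1:14:19.393 PM", "Fixed", "/Users/example/Library/Mail/SpamSieve"),
])

if __name__ == "__main__":
    report = summarize(parse(SAMPLE))
    print("fixed more than once:", repeated(report))
```

An owner pair of (0, 501) means the item was owned by root (uid 0) where the regular user account (uid 501 in the log above) was expected.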

ClamXAV response
Hi Michael,

I have just heard back from ClamXAV regarding the logs they requested. There appears to be no malware on my computer and all they could think of was that Pace Support was installed - which is an anti-piracy software used by certain manufacturers. I don’t use it to verify my purchases and I just deleted it, so I’m waiting to see what happens now. Screenshots in my DropBox folder will still not open by double-clicking them. They give me the dialog “you do not have permission to use it”. As I said earlier I did reset permissions on the entire computer by disabling SIP and running Terminal, however when I re-enabled SIP the files were once again not opening in Preview with a double-click - while they will open if I drag and drop them to Photoshop.

ClamXAV suggested speaking with you about what this might be - as it is still triggered by Spam Sieve asking for my password to change something that neither you nor I have been able to identify. I’d like to ask again for your help in solving this problem. I’m happy to supply any further logs or info to help.

Sincerely,

Bob

Which command did you run in Terminal to fix the permissions? I don’t think any of the folders we’ve discussed are part of SIP.

What is triggered by SpamSieve? It seems to me that the problem is the opposite—something is messing up the file permissions (or they are not being saved) and then SpamSieve is reacting by trying to fix them. It doesn’t seem like this is really a SpamSieve issue since it’s also affecting non-SpamSieve folders on your Mac.

Hi Michael,

This was finally fixed by reinstalling the OS. No problems since then. There were two “solutions” presented online which involved using Terminal code - either running from the startup drive or the restore partition - and another involving Onyx to rebuild permissions - and none of them worked. On the startup drive it was impossible to type any code in Terminal due to the malloc issue. And from the restore partition the startup drive was locked and therefore inaccessible. Reinstalling - while not fast, was much faster than no solution at all.

I hope this might help someone else with this issue.

Bob

I’m glad to hear that you found a solution, and thanks for the update.