Page 1 of 1

Some type of malware?

Posted: Tue Sep 29, 2009 4:24 pm
by LaurieNY
Hi. I was told by someone in the Apple Support Forum that I should come here and ask this question, since it has them stumped and they say you guys are the gods of this stuff! :)

I was looking for free dialup service as a backup. I came across a link in a forum I frequent, and went to the site. Registration was just username and password. I registered, but was suspicious.

So I ran a search and came across complaints that the site ( was infiltrated by hackers, and they'd installed "urchin.js" trackers. Out of curiosity, I did a find on my computer (Mac laptop, running 10.4.11) and found two instances of this "urchin.js," which apparently comes with Google Analytics? But what was really suspicious was their location: both were found in a folder where I keep pdf copies of credit reports and all my financial information (tax returns, investment account information, electronic copies of paystubs and credit card statements etc.), titled "Credit Reports/Money."

I immediately deleted them both and emptied the trash, disconnected from the internet and started a spyware/keylogger check that comes with Internet Cleanup/Net Blockade, which I keep running at all times and use the feature which lets me know when anyone tries to connect to my computer. I also have my firewall settings turned up to the max/stealth.

However, I am still freaking out and wondering just what information these folks might already have grabbed in those few minutes. The spyware check didn't find anything, but of course I have no idea what kind of damage might have been done before I found and deleted those files.

Does anyone have any experience with this, and know what I might be up against? Thanks SO MUCH for any help you might give!!

Re: Some type of malware?

Posted: Tue Sep 29, 2009 5:57 pm
by therube
There is an urchin.js on their website, here,
What it does, I have no idea?

Are you running NoScript? Do you have Allowed?
If yes & no in that order, then whatever urchin.js you deleted did not come metconnect.

How do you know that the urchin.js you found in that pdf folder came from metconnect?
I would think that Mozilla would not allow that to happen?

It could be that those files came from elsewhere at some other point in time.

The only instances of urchin.js that I have are from web pages that I myself had downloaded (Save Page As ... Web page, complete).

Re: Some type of malware?

Posted: Tue Sep 29, 2009 6:22 pm
by LaurieNY

I never heard of NoScript until yesterday, when I was told to come here. :oops: And I've never blocked Google Analytics or even knew anything about it until yesterday. All I know is that a Google search came up with all sorts of complaints that this site (metconnect) was up to no good. I should have checked earlier, but I saw the link in a trusted forum and went straight to it. Maybe if you have a quick read through these, something will ring a bell? ... C3AD-prod3 ... 0&p=173297

That folder contains text documents (MS Word and TextEdit) as well as pdf's, if that makes any difference. And I'm in that folder all the time and never saw those urchin files. Are they visible when looking directly in a folder (as opposed to when doing a search)?

Forgive my ignorance about this stuff, please. Like most Mac owners, I've never really given it a thought. But I'm starting to learn that I have to. :|

Thanks for your response. :)

Re: Some type of malware?

Posted: Tue Sep 29, 2009 7:06 pm
by therube
Those threads are from 2006 or earlier.
I wouldn't discount it entirely, but I wouldn't put much credence in what might have been.

This looks to be the company behind metconnect,

Re: Some type of malware?

Posted: Tue Sep 29, 2009 7:52 pm
by LaurieNY
It was just the location of those files--in my financial folder--that got me worried. Everything a nefarious individual might need to destroy my financial life is in that one folder. :shock: I read the malware DIY thing here, and it said that malware searches for SSN, credit card info etc., and those little urchin files were found right where all that stuff is. That's what's freaking me out.

Anyway, if you think it's just a strange coincidence, I'll try to stop worrying. :cry: Thanks for putting up with me. 8-)