I even tried pulling it up on my iPhone with the WiFi turned off, in case it was something that got into the router. Same symptoms. So I wrote back and the techs put a customer support rep on it. By this time, though, I had decided to start up one of the virtual machines I have on this computer, in this case WindowsXP running on Parallels. Being Windows, I keep an anti-virus program updated on that, even though it’s only a virtual machine, and being too cheap to actually pay for software to run on an Operating System I only boot up once in a blue moon, I use AVG Free. Good stuff, that. As soon as I tried to open the blog, up popped a window announcing that it had detected an infected file on the page.

I logged back into the webhost’s support page to close the ticket, and discovered their rep had also seen a javascript file that was the problem, but didn’t take the time to discover which of many I’d installed in that blog was the culprit. However, AVG Free had already told me the URI of the site that was doing bad things, and I was able to find the link with my blog theme editor. I deleted both lines of code that pointed to the offending site, restarted the blog, and there it was, as good as new.

I never thought I’d see the day when an application on Windows saved me from malware, instead of exposing me to it!

First I found Little Snitch, a spyware detector. That certainly made the case for an infestation, as even with the Airport card tuned off, as soon as the application started up it showed a process (mDNSResponder) trying to contact an IP address I didn’t recognize. Sure enough, WHOIS showed it belonging to somebody in Ukraine. Well, as Phil pointed out, it can’t be a Russian spy, as the Ukrainians will be the first to tell you they are not Russians, but it is certain that we don’t particularly want any eastern European entity to receive packets from our computers without our knowledge. So, I used the Rules window of Little Snitch to turn off mDNSResponder until I could find out what that is, and entered a rule into our modem’s blacklist to block the whole range of IP addresses owned by that Ukrainian ISP, since while I was watching there were several other addresses showing up in Little Sntich’s Network Monitor as being targets for whatever process was trying to reach out and touch someone from the MacBook Pro.

That was a good first step or two, but once we saw what was going on, I wanted a way to remove the bad stuff. So, I found MacScan, from SecureMac, and ran the scanner in demo mode on both Macs. On my iMac it found 34 “tracking cookies”, most of which I recognized as belonging to ads in sites I remember visiting, and which don’t offend me since I understand that’s how they justify spending big bucks on informative websites. Many of these anti-virus, anti-malware applications classify such things as “spyware” but just tracking my browsing habits in aggregate form doesn’t rise to the level of spying in my opinion. I went ahead and let MacScan delete them, though. They’ll come back, but so what? There were no trojan horses, viruses or keyloggers on my computer, though, which is a good thing.

Phil’s MacBook Pro was a different matter. As well as 25 “tracking cookies”, it found a real baddie, DNS Changer 1.1, a genuine Trojan Horse. That is probably at least part of the problem, although I think there is still an issue with something trying to call home to the Ukraine. Even after “isolating” the Trojan Horse, when I restarted his computer the Little Snitch Network Monitor showed activity trying to talk to IP addresses 85.255.114.61 and 85.255.112.107, each in turn as the other failed. This was even before I tried turning on the Airport Card! I turned that on, but they still couldn’t get out because of the rule I’d put on the router. Unfortunately, nothing else could get in or out either, since the “call home” process was taking precedence over everything else trying to reach the internet.

So, I have more work to do. Next trick will be to open up Apple’s Application Monitor and identify the process that is doing this if I can, and kill it, once I find out where it lives on the system so I can remove it. But right now Phil is watching a DVD, so this will have to wait till that’s over.

It’s a relief to know there is in fact something bad going on, since knowledge is power, and now it’s just a matter of finding and killing it.

Anyone who has experience with these particular IPs and can suggest a fix, I’d be very happy to hear from you! Meanwhile, I’ll continue my research as long as that gigabyte of bandwidth lasts.