walterfromct

Q: Non-Apple Software No Longer Works

Had a weird experience this AM.  Was checking email via Safari when a screen popped up asking for permission to update software.  I declined, because I didn't know who was trying to do what (i.e., there were no update icons in the Dock, etc.).  Then, the fun began.

 

I tried to open EXCEL next and it wouldn't open.  It immediately failed with a message saying the application quit unexpectedly, etc., etc.  Same thing happened with every other Office app.  After much discussion with Apple, then Microsoft, and then Apple again, I was able to un-install Microsoft Office but the kicker is: I got the same failure when I tried to re-install the apps from the CD (i.e., I got an immediate failure when I double-clicked the install icon).

 

With Microsoft's help, I was able to set up another user profile with Admin capability, and the apps installed just fine using that profile.  So, the problem appears to be with my main profile.  However, Apple is stumped and gave up trying to help me.

 

So, I'm now in the situation where the Apps are on my machine under 1 profile and the data is under another profile. AND, I just discovered that Quicken fails when I try to open it in my 1st Profile too.

 

So,

 

1.  Has this happened to anyone else out there?  If so, how'd you get around it?

 

2.  Is there a way to share files between profiles?  I know I can probably copy the Microsoft files on a portable drive, but I'm concerned about the Quicken database.  Not sure how to transport this data between Users.

 

Any help would be GREATLY appreciated.

 

PS.  I'm running Snow Leopard.  There are no pending software updates.

iMac, Mac OS X (10.6.8)

Posted on Apr 1, 2012 4:09 PM

  • by Linc Davis,

    Linc Davis Apr 6, 2012 4:55 AM in response to walterfromct
    Level 10 (208,000 points)

    If so, then cleaning my machine as you described and then re-loading the apps will re-infect my machine.  No?

     

    If you follow the instructions, no.

  • by walterfromct,

    walterfromct Apr 7, 2012 7:18 AM in response to Linc Davis
    Level 1 (0 points)

    Linc,

     

    I may be confused, but I thought I saw another response from you in another thread, re: getting rid of the malware, that didn't involve erasing the startup drive.

     

    That seems safer to me, if it'll work.

     

    Am I confused, or is there a less disruptive way to get rid of the malware than you state above?

     

    FYI.  I used the CNET commands to see if/where I'm infected. It said Safari and Firefox are NOT infected, but it detected suspicious code in: /users/shared/.libgmalloc.dylib.  NOTE: this is right after re-installing Snow Leopard, but before using Safari, which I don't intend to do until the MAC has been cleaned up (I'm writing this from an HP laptop).

  • by Linc Davis,

    Linc Davis Apr 7, 2012 7:55 AM in response to walterfromct
    Level 10 (208,000 points)

    The instructions I gave above are the only way to remove the malware with complete certainty of success. If you want a shortcut, you can just delete the items ~/.MacOSX, ~/Library/LaunchAgents, and /Users/Shared/.libgmalloc.dylib, then log out and log back in. That procedure may inactivate some variants of the malware, but I don't know that it will. That wouldn't be good enough for me, if I were in your place, so it's not good enough for me to advise others to do. I don't believe in shortcuts when it comes to security.

  • by walterfromct,

    walterfromct Apr 11, 2012 9:56 AM in response to Linc Davis
    Level 1 (0 points)

    Linc,

     

    I've been waiting patiently to see if a silver bullet will come along for getting rid of Flashback, but I haven't seen anything except different variations of a series of Operating System commands that claim to locate and surgically remove it, which I'm reluctant to try.

     

    Apple doesn't seem to want to acknowledge the issue, but they suggested trying Norton, McAfee or something  else to see if they have a solution, which I'm also reluctant to try.

     

    So, I guess I'll embark on rebuilding my machine from scratch using your instructions, which tie out pretty closely to instructions provided by Apple re: how to erase and re-install Snow Leopard.

     

    Here's where I stand:

     

    I've backed up everything via Time Machine.

     

    I've copied the Desktop, Documents, and Pictures folders to Flash Drives.

     

    I've copied most of the Movies folder to a flash drive as well.

     

    I've un-installed Office and Quicken per instructions from their Support groups, and backed up everything via Time Machine again.

     

    I un-installed and re-installed Snow Leopard without cleaning my machine and I'm still infected.  I have NOT used Safari since.

     

    I have my Snow Leopard, iLife 09, MS Office 2004, and Quicken 2007 disks in hand.

     

    I also have a new MS Office 2011 disk in hand, and plan on getting the latest Quicken disk too, as I want to update to the latest versions before going to Lion.  However, I don't want to upgrade these apps until I'm sure my machine is clean and the old apps work.

     

    Any last thoughts before I get started?

     

    One last question:  should I disconnect my external hard drive that contains the Time Machine backup before proceeding, or should I leave it connected during the re-build?

     

    Thanks again for your help.

     

    Paul

  • by Linc Davis,

    Linc Davis Apr 11, 2012 10:12 AM in response to walterfromct
    Level 10 (208,000 points)

    There are a couple of new developments since I last posted to this thread. First, Apple has announced that it's developing a tool to remove Flashback:

     

    About Flashback malware

     

    There's no indication of when this tool will be released. Second, a well-known developer, Kaspersky, has released its own "Flashfake Removal Tool:"

     

    Virus-fighting utilities

     

    I have no way of testing that tool, but I did read the code, and it seems to me more likely to work than any other such attempt that I've seen. It's not a scam, and it doesn't do anything harmful.

     

    Finally, there are reports that the only function of the malware is to engage in "click fraud," which is not critically damaging to the host system. I can't verify those reports.

     

    In the light of that information, one might reasonably choose to try the Kaspersky tool (not the commercial Kaspersky product, which I don't recommend) and see whether there's any improvement.

  • by walterfromct,

    walterfromct Apr 11, 2012 11:54 AM in response to Linc Davis
    Level 1 (0 points)

    Thanks, again.

     

    Will try the Kaspersky tool and let you know what happens.

  • by walterfromct,

    walterfromct Apr 11, 2012 12:29 PM in response to walterfromct
    Level 1 (0 points)

    Linc,

     

    I just tried the Kaspersky link and I think I'm in trouble.  It downloaded just fine, asked for my admin password to install itself, and it ran a scan.

     

    The scan ran VERY quickly and came back with a message that said it didn't find anything and there was nothing to remove.

     

    It then asked me to restart the machine, and that's where the trouble began.  The machine shut down OK, but the re-start is hung.  There's only the northern lights background screen. No spinning wheel, icons, etc., just the frozen screen.  The mouse works, but that's it.  I tried shutting down and restarting via the on-off button with the same results.  So, I'm hung.

     

    Any advice re: how best to proceed?

  • by Linc Davis,

    Linc Davis Apr 11, 2012 12:36 PM in response to walterfromct
    Level 10 (208,000 points)

    In that case, you should go ahead with the original plan. Here's a revised version of step 6:

     

    Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. This is where restoring becomes difficult, and I can only give general guidelines.

     

    Of the top-level subfolders of Library that are visible in the Finder, I think it’s safe to restore the following, which contain most of the data you’d want to keep:

     

    Audio

    Calendars

    ColorSync

    Colors

    Favorites

    FontCollections

    Fonts

    Images

    Keychains

    Mail (except Mail/Bundles)

    Safari (except Safari/Extensions)

     

    The following are not safe to restore, at least not in full:

     

    Application Support

    Internet Plug-Ins

    LaunchAgents

    Preferences

     

    If you have Time Machine snapshots of these folders that you’re sure are older than the infection, you can restore from one of those snapshots.

     

    Folders not mentioned above may or may not be safe. If in doubt, don’t restore them. Don’t restore any hidden files or folders, no matter where they are. Hidden files should be considered suspicious.

  • by MadMacs0,

    MadMacs0 Apr 11, 2012 1:19 PM in response to Linc Davis
    Level 5 (4,791 points)

    Linc Davis wrote:

     

    a well-known developer, Kaspersky, has released its own "Flashfake Removal Tool:"

     

    Virus-fighting utilities

     

    I have no way of testing that tool, but I did read the code, and it seems to me more likely to work than any other such attempt that I've seen. It's not a scam, and it doesn't do anything harmful.

    I also read through the code as I was asked if it scans all users, and agree that it does not appear to do anything harmful. I even ran the script (but not the entire app) with expected results. Told me "No infection has been detected." but did not tell me to reboot?

    Finally, there are reports that the only function of the malware is to engage in "click fraud," which is not critically damaging to the host system. I can't verify those reports.

    I listened to this Shawn King interview with Rich Mogull (wrote MacWorld & TidBITS articles on the subject) and agreed with everything said, except how easy it is to remove (Just a couple of lines of Terminal code).  Rich mentioned that he had been informed of an instance of fraudulent credit card activity immediately after he was infected.

     

    That's the only case I have heard of. Intego seems convinced that information is being harvested and Tweeted out, but I haven't seen any confirmation of that in this Forum (unless it's the root cause of the iTunes store issues). There are many reports of being re-directed to advertising sites, but I can't imagine that would raise enough money to make their effort worthwhile.

  • by walterfromct,

    walterfromct Apr 11, 2012 1:21 PM in response to Linc Davis
    Level 1 (0 points)

    Linc,

     

    Thanks, again.

     

    I shut the machine back down via the on/off button and pulled the plug.  I then plugged it back in and re-started it.

     

    It seemed to come up OK, but it froze again when I tried to log on with my original user account.  However, when I tried the same thing again, but logged on under my other ID (the one that allowed Office to load), it came up just fine, so I have an operating machine under 1 user but not the other.

     

    I still have a question re: time machine.  Should I eject the hard drive used by Time Machine before proceeding?

  • by MadMacs0,

    MadMacs0 Apr 11, 2012 1:22 PM in response to walterfromct
    Level 5 (4,791 points)

    Just a comment that it sounds to me as if you have a ~/.MacOSX/environment.plist in the original user account that needs to be removed. Kaspersky must have gotten the dylib and missed the trigger. If so, that's fixable.
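
An added example (not part of any post in this thread, and not code from Apple or Kaspersky): a read-only shell check for the locations named above, `~/.MacOSX/environment.plist`, `~/Library/LaunchAgents` and `/Users/Shared/.libgmalloc.dylib`, run per account so it shows which user still carries the trigger after the dylib is gone. It assumes the trigger is a `DYLD_INSERT_LIBRARIES` entry in the environment file; the function names, the `paul` and `other` accounts and the temporary tree are constructed for the demonstration.

```shell
#!/bin/sh
# Read-only check for the Flashback locations named in this thread; nothing is deleted.

scan_home() {   # $1 = one user's home folder
    plist="$1/.MacOSX/environment.plist"
    if [ -f "$plist" ]; then
        # Assumption: the trigger is a DYLD_INSERT_LIBRARIES key in this file.
        if grep -aq DYLD_INSERT_LIBRARIES "$plist"; then
            echo "TRIGGER $plist"
        else
            echo "REVIEW $plist"
        fi
    fi
    # Every launch agent needs a look; hidden ones are the most suspicious.
    for f in "$1/Library/LaunchAgents"/* "$1/Library/LaunchAgents"/.[!.]*; do
        [ -e "$f" ] || continue
        case "${f##*/}" in
            .*) echo "HIDDEN $f" ;;
            *)  echo "REVIEW $f" ;;
        esac
    done
    return 0
}

scan_root() {   # $1 = volume root: "/" or a mounted backup (default "/")
    root=${1:-/}; root=${root%/}
    if [ -e "$root/Users/Shared/.libgmalloc.dylib" ]; then
        echo "DYLIB $root/Users/Shared/.libgmalloc.dylib"
    fi
    for home in "$root"/Users/*; do
        [ -d "$home" ] || continue
        [ "${home##*/}" = Shared ] || scan_home "$home"
    done
    return 0
}

make_fixture() {   # constructed sample tree: one affected account, one clean
    t=$(mktemp -d)
    mkdir -p "$t/Users/Shared" "$t/Users/paul/.MacOSX" \
             "$t/Users/paul/Library/LaunchAgents" "$t/Users/other/Documents"
    : > "$t/Users/Shared/.libgmalloc.dylib"
    echo '<key>DYLD_INSERT_LIBRARIES</key>' > "$t/Users/paul/.MacOSX/environment.plist"
    : > "$t/Users/paul/Library/LaunchAgents/.constructed.plist"
    echo "$t"
}

fixture=$(make_fixture)
scan_root "$fixture"
rm -rf "$fixture"
```

A `TRIGGER` line with no `DYLIB` line is the state described in the post above: the environment file still points at a library that is no longer there, so applications launched under that one account fail while other accounts work.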

  • by Linc Davis,

    Linc Davis Apr 11, 2012 1:26 PM in response to walterfromct
    Level 10 (208,000 points)

    Should I eject the hard drive used by Time Machine before proceeding?

     

    That's not necessary. Just make sure you don't erase it by mistake.

  • by Linc Davis,

    Linc Davis Apr 11, 2012 1:27 PM in response to MadMacs0
    Level 10 (208,000 points)

    Based on the OP's experience, I will no longer suggest the Kaspersky tool. It's just another fail.

  • by Badunit,

    Badunit Apr 11, 2012 1:42 PM in response to Linc Davis
    Level 6 (11,705 points)

    According to f-secure, the Flashback trojan checks for older versions of Office and deletes itself without infection if it detects any of them (unless you gave it your admin password). This check may have been a new addition to avoid the problems mentioned in this thread. Not helpful information for anyone whose Mac is infected but I thought I'd mention it.  The link below is an interesting read on the installation process of Flashback, if you are interested in that kind of thing.

     

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • by walterfromct,

    walterfromct Apr 11, 2012 1:41 PM in response to Linc Davis
    Level 1 (0 points)

    Linc Davis wrote:

     

    Should I eject the hard drive used by Time Machine before proceeding?

     

    That's not necessary. Just make sure you don't erase it by mistake.

    Linc,

     

    I didn't make myself clear.

     

    I'd  like to err on the side of caution and eject the disk, just in case, providing this won't mess things up down the road.

     

    Will I be OK, or should I leave it hooked up?
