Non-Apple Software No Longer Works

4821 Views 50 Replies Latest reply: Apr 13, 2012 4:11 PM by walterfromct
  • Linc Davis Level 10 (107,660 points)
    Apr 11, 2012 1:54 PM (in response to walterfromct)

    You only need the drive to restore. You can detach it until you're ready to do that.

  • Joel Bruner1 Level 1 (30 points)
    Apr 11, 2012 2:04 PM (in response to walterfromct)

    Sounds like your computer has a totally unrelated problem but everyone thinks it's THE VIRUS!!!!!!

     

    I'd say:

    Reboot, hold down Command-S

    at the command prompt: fsck -fy

     

    See if you have disk corruption

     

    Then type in: reboot

     

    On reboot hold down Shift

    This will do a safe boot and also clean out the caches

     

    If you get to the login screen great.

    If not, hold down power, then power back on

    Hold down Command-V - for verbose mode

    See where you get stuck in the boot process.

     

    The fact that apps didn't launch doesn't mean you have a virus necessarily

  • noondaywitch Level 6 (8,130 points)
    Apr 11, 2012 2:07 PM (in response to Joel Bruner1)

    Post withdrawn

     

    Message was edited by: noondaywitch

  • Linc Davis Level 10 (107,660 points)
    Apr 11, 2012 2:15 PM (in response to Joel Bruner1)

    Sounds like your computer has a totally unrelated problem but everyone thinks it's THE VIRUS!!!!!!

     

    Everyone who knows what he's talking about thinks it's THE VIRUS!!!!!! That's because it is THE VIRUS!!!!!!

     

    From the crash report on the first page of this thread:

     

    could not load inserted library: /Users/Shared/.libgmalloc.dylib

     

    That's proof of infection with a Flashback variant (type 2.)

  • MadMacs0 Level 4 (3,320 points)
    Apr 11, 2012 2:19 PM (in response to Badunit)

    Badunit wrote:

     

    According to f-secure, the Flashback trojan checks for older versions of Office and deletes itself without infection if it detects any of them (unless you gave it your admin password).

    That's only true for Office 2008 and 2011 or if you have Word in your /Applications/ folder and not nested in another folder.

    The link below is an interesting read on the installation process of Flashback, if you are interested in that kind of thing.

     

    http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

    That document does not cover the current variant. You should be reading http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which covers what we believe is the current variant which has been around since the last week in March.

  • Joel Bruner1 Level 1 (30 points)
    Apr 11, 2012 3:30 PM (in response to Linc Davis)

    Ah sorry - missed that...

     

    So then...

    Reboot.

    Command-S

     

    #if you need to check filesystem

    fsck -fy

     

    #mount the file system as writeable

    mount -uw /

     

    #delete the offending library

    rm -rf /Users/Shared/.libgmalloc.dylib

     

    Then there is no library to load...  even though it appears to have failed loading and what was causing the crashes...

     

    And go through F-Secure's checklist: http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

  • MadMacs0 Level 4 (3,320 points)
    Apr 11, 2012 3:55 PM (in response to Joel Bruner1)

    Joel Bruner1 wrote:

     

    Ah sorry - missed that...

     

    So then...

    Reboot.

    Command-S

     

    #if you need to check filesystem

    fsck -fy

     

    #mount the file system as writeable

    mount -uw /

     

    #delete the offending library

    rm -rf /Users/Shared/.libgmalloc.dylib

     

    Then there is no library to load...  even though it appears to have failed loading and what was causing the crashes...

    And the user will be locked out of his account because the loader won't be able to find the dylib, as happened earlier this morning.

    And go through F-Secure's checklist: http://www.f-secure.com/..._osx_flashback_i.shtml

    That information has been obsolete and does not reflect the current variant which has been infecting since the end of March! The correct reference can be found at http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_k.shtml which has been out for over a week now.

     

    DO NO HARM!

  • Joel Bruner1 Level 1 (30 points)
    Apr 11, 2012 6:36 PM (in response to MadMacs0)

    Deleting a malicious dylib won't lock a user out.

    How would it?

    But what do I know...

     

    "DO NO HARM"

     

    Oh lord, so self-righteous, deleting an errant dylib that's being injected through an infected Info.plist isn't doing harm, that's how you get rid of the infection... But hey, listen to the man with 595 points, I only have 10...

     

    Feel free to lead the man through time machine restores, reinstalls, and other fun exercises...

     

    I don't know why I even bothered... my bad.

    Saw this post linked from the "About Flashback" Apple page and popped in...

     

    You guys have it all under control.

  • MadMacs0 Level 4 (3,320 points)
    Apr 11, 2012 7:19 PM (in response to Joel Bruner1)

    Joel Bruner1 wrote:

     

    Deleting a malicious dylib won't lock a user out.

    How would it?

    As I said by leaving the dylib loader command in ~/.MacOSX/environment.plist. There are dozens of examples here in the forum, at least one each of the last two days. Today's example is here thanks to Kaspersky.

     

    It's just that I am worn out trying to chase incorrect information. Every tool posted on the internet until a few minutes ago was originally based on an incorrect reference to a mostly obsolete variant of this thing. That along with various users dropping by with incomplete information have probably ruined more users' days than has the malware itself.

     

    Sorry to have come down on you, but at that point I had already tried to put out fires by contacting three developers about their tools and one or two other well-meaning users that complicated an infected user's life.

     

    I realize that Intego is trying to sell software here, but after my experiences here, these words ring very true to me:

    A number of web sites have been circulating information telling users how to find out if they are infected with the Flashback malware. Since these instructions include a number of obscure commands to be run in Terminal, several developers have released free applications that users can run to check their Macs, without needing to know how to use Terminal.

    Unfortunately, this information can be misleading, because the instructions that circulate discuss just one variant of the Flashback malware. There are some two dozen variants already, each of which puts files of different names in different locations; these instructions and applications will therefore not find any but the one specific variant that they target.

    These instructions may instill a false sense of security in users who follow them, or who run applications that use them. A user may be told that he or she is not infected, when their Mac may actually be infected, but just by a different variant. Finally, these instructions are all the more worrisome because information on the Internet has a long life-span. Users who find this information in a month or two may still think that it is valid.

  • drummerboy47
    Apr 11, 2012 7:39 PM (in response to MadMacs0)

    I'm locked out. I used the Kaspersky tool and I can't login properly. I figured out how to login as root user and it works fine. Can anybody tell me how to fix my normal account?

  • MadMacs0 Level 4 (3,320 points)
    Apr 11, 2012 8:04 PM (in response to drummerboy47)

    drummerboy47 wrote:

     

    I'm locked out. I used the Kaspersky tool and I can't login properly. I figured out how to login as root user and it works fine. Can anybody tell me how to fix my normal account?

    I tested this command out this morning as a secondary admin user and it worked with sudo, so should work for you. Just fill in the <lockedoutuserID>

     

    defaults delete /Users/<lockedoutuserID>/.MacOSX/environment DYLD_INSERT_LIBRARIES

  • Joel Bruner1 Level 1 (30 points)
    Apr 11, 2012 8:29 PM (in response to MadMacs0)

    Yeah, right environment.plist that old thing, forgot about that... I'll try and pay more attention to long threads, my bad... once these things start squirreling themselves away they tend to illuminate the old crufty corners of OS X:

    https://developer.apple.com/library/mac/#documentation/MacOSX/Conceptual/BPRuntimeConfig/Articles/EnvironmentVars.html

    http://developer.apple.com/library/mac/#qa/qa1067/_index.html

     

    I'm gonna go out on a limb here and say nuke the whole **** thing (environment.plist), I've yet to see an app that actually uses it! Deleting DYLD_INSERT_LIBRARIES is just deleting one key in environment, what's in the rest of it?

     

    #read it all

    defaults read /Users/username/.MacOSX/environment

     

    #move it out to the Desktop

    mv /Users/username/.MacOSX/environment.plist /Users/username/Desktop

     

    #move it back in case there's lots of great stuff in there you really need

    mv /Users/username/Desktop/environment.plist /Users/username/.MacOSX/

     

    #what else is in your home folder? lists all files including dot files

    ls -la /Users/username

     

    #anything else in .MacOSX?

    ls -la /Users/username/.MacOSX

     

    #nuke the whole crufty mess

    rm -rf /Users/username/.MacOSX

     

    YMMV

    Also above commands are assuming you are either in single user mode, or in another account logged in as root with sudo -s

  • MadMacs0 Level 4 (3,320 points)
    Apr 11, 2012 8:54 PM (in response to Joel Bruner1)

    Joel Bruner1 wrote:

     

    I'm gonna go out on a limb here and say nuke the whole **** thing (environment.plist), I've yet to see an app that actually uses it!

    BBEdit does and one user told us about another. There's a two day argument going on elsewhere about proper or improper use of environment.plist that seems to be going nowhere. There is even a segment of this forum that says get rid of .MacOSX as not needed and I suspect they are mostly correct.
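
Added example, not part of any post in this thread: a Python sketch of the check the last few replies argue about. It reports whether `DYLD_INSERT_LIBRARIES` in an `environment.plist` points at a library that no longer exists (the lockout state described above), lists the other variables in the file, and removes only that key after making a backup. The function names and the sample plist are constructed for illustration, and the check covers this one file only, not other Flashback variants or locations.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

KEY = "DYLD_INSERT_LIBRARIES"  # the key named in the thread

def audit(plist_path):
    """Classify one environment.plist: absent, clean, injecting or dangling."""
    path = Path(plist_path)
    if not path.exists():
        return {"status": "absent", "libraries": [], "missing": [], "other_keys": []}
    with path.open("rb") as fh:
        env = plistlib.load(fh)  # reads XML and binary plists
    # dyld takes a colon-separated list of library paths in this variable
    libs = [p for p in str(env.get(KEY, "")).split(":") if p]
    missing = [p for p in libs if not Path(p).exists()]
    # "dangling": the entry is still present but the file is gone, which is
    # the state the thread reports as locking the user out
    status = "clean" if not libs else ("dangling" if missing else "injecting")
    return {"status": status, "libraries": libs, "missing": missing,
            "other_keys": sorted(k for k in env if k != KEY)}

def remove_key(plist_path):
    """Back the file up, then delete only KEY and keep every other variable."""
    path = Path(plist_path)
    with path.open("rb") as fh:
        env = plistlib.load(fh)
    if KEY not in env:
        return None
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)
    del env[KEY]
    with path.open("wb") as fh:
        plistlib.dump(env, fh)
    return backup

def demo():
    """Run both steps on a constructed plist in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        plist = Path(tmp) / "environment.plist"
        sample = {KEY: str(Path(tmp) / ".libgmalloc.dylib"),  # file never created
                  "EDITOR": "bbedit"}  # constructed extra variable
        with plist.open("wb") as fh:
            plistlib.dump(sample, fh)
        before = audit(plist)
        backup = remove_key(plist)
        return before, audit(plist), backup.name

if __name__ == "__main__":
    print(demo())
```

On an affected Mac the path to pass would be the locked-out user's `.MacOSX/environment.plist`, run from another admin account as in the `defaults delete` reply above.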
