128 Replies Latest reply: Oct 24, 2011 12:59 PM by MadMacs0
  • pcbjr Level 2 Level 2 (265 points)

    See a bunch of stuff, but no .MacOSX

     

    Is the command a 1 or I (one or capital I)?

     

    This is all I get:

     

    .            .crash_report_frames    Movies

    ..            .crash_report_preview    Music

    .CFUserTextEncoding    .cups            Pictures

    .DS_Store        Desktop            Public

    .Trash            Documents        Sites

    .bash_history        Downloads

    .crash_report_checksum    Library

  • Linc Davis Level 10 Level 10 (165,600 points)

    Files with names that begin with a "." (period) are hidden in the Finder. Launch the Terminal application and copy or drag -- do not type -- the following text into the window, then press return:

     

    rm -r .MacOSX

     

    You can then quit Terminal.

  • pcbjr Level 2 Level 2 (265 points)

    Did that and get only this:

     

    $ rm -r .MacOSX

    rm: .MacOSX: No such file or directory

  • cathy fasano Level 2 Level 2 (340 points)

    Don't go telling people to delete their .MacOSX directory.  I have a completely legit environment.plist file in mine, from 2007 -- it contains this code:

     

    % cat ~/.MacOSX/environment.plist

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

        <key>PATH</key>

        <string>/sw/bin:/sw/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin</string>

    </dict>

    </plist>

  • Linc Davis Level 10 Level 10 (165,600 points)

    No such file or directory

     

    Then it's already gone, or was never there.

  • Louie Sherwin Level 1 Level 1 (0 points)

    Linc Davis wrote:

     

    @Linc - see the pkg at mailinator, I've sent the url again.

     

    Thanks. The installer does not need root privileges to run. The BOM file contains only an empty text file; the payload is entirely contained in the "preinstall" executable, which in this case is a binary. It installs the files listed below, attempts to disable "Little Snitch" (if present), loads a launchd job, and relaunches Safari and Firefox.

     

    Here is a complete list of the files installed:

     

    1. .MacOSX/environment.plist
    2. Library/LaunchAgents/com.apple.SystemUI.plist
    3. Library/Preferences/perflib
    4. Library/Preferences/Preferences.dylib
    5. Library/Logs/swlog

     

     

     

    Thanks, Linc,

     

    It seems that file 5 is replaced by a text file "softwareupdate" or I was infected by a slightly different variant. This file I found in the Logs directory had two hex strings and was created on the day I was infected and modified one day later.

     

    -louie

     

    Message was edited by: Louie Sherwin

  • Linc Davis Level 10 Level 10 (165,600 points)

    Don't go telling people to delete their .MacOSX directory.

     

    Why not?

     

    I have a completely legit environment.plist file in mine, from 2007 -- it contains this code...

     

    Which belongs in your shell initialization file, not in the file that sets the environment for all launchd sub-processes. In any case, the trojan replaces the existing file.

  • andyBall_uk Level 7 Level 7 (20,490 points)

    >> File 1 is an empty plist, merely a placeholder at this stage, apparently.

     

    not here : it had the following content

     

     

     

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

        <key>DYLD_INSERT_LIBRARIES</key>

        <string>/Users/xyz/Library/Preferences/Preferences.dylib</string>

    </dict>

    </plist>
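Added example, not code from this thread or from any poster: a small Python audit that parses an environment.plist the way launchd would read it, reports every DYLD_* injection entry (the key andyBall_uk's file contains, which cathy fasano's legitimate PATH-only file does not), and checks whether the per-user artifacts Linc listed exist. Both plist samples are constructed, and the dylib path is the placeholder from the post above, not a real indicator.

```python
import plistlib
from pathlib import Path
# Constructed sample modelled on the environment.plist quoted by andyBall_uk above
# (the dylib path is a placeholder taken from that post, not a real indicator).
INFECTED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/xyz/Library/Preferences/Preferences.dylib</string>
</dict>
</plist>
"""
# Constructed sample modelled on cathy fasano's legitimate file: PATH only, no DYLD_* keys.
CLEAN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>PATH</key>
    <string>/sw/bin:/sw/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin</string>
</dict>
</plist>
"""

# Variables that make launchd-spawned processes load foreign code at startup.
DYLD_KEYS = ("DYLD_INSERT_LIBRARIES", "DYLD_LIBRARY_PATH", "DYLD_FRAMEWORK_PATH")
# Per-user files installed by the trojan, as listed in the thread (relative to $HOME).
ARTIFACTS = (
    ".MacOSX/environment.plist",
    "Library/LaunchAgents/com.apple.SystemUI.plist",
    "Library/Preferences/perflib",
    "Library/Preferences/Preferences.dylib",
    "Library/Logs/swlog",
)

def dyld_injections(plist_bytes):
    """Return [(key, path), ...] for every DYLD_* entry; values are colon-separated lists."""
    if not plist_bytes.strip():
        return []  # an empty file is not a plist; treat it as no injection
    env = plistlib.loads(plist_bytes)
    if not isinstance(env, dict):
        return []  # environment.plist must be a dict at top level
    found = []
    for key in DYLD_KEYS:
        for path in str(env.get(key, "")).split(":"):
            if path:
                found.append((key, path))
    return found

def present_artifacts(home):
    """Return the thread's artifact paths that actually exist under `home`."""
    return [rel for rel in ARTIFACTS if (Path(home) / rel).exists()]
```

Run `present_artifacts(Path.home())` and `dyld_injections(Path.home().joinpath(".MacOSX/environment.plist").read_bytes())` on a live account to audit it; a non-empty result from either is worth a closer look, since a legitimate environment.plist normally carries nothing but user preferences.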

     

  • MadMacs0 Level 5 Level 5 (4,590 points)

    cathy fasano wrote:

     

    I have a completely legit environment.plist file in mine, from 2007

    As do I, but it's from 2005 and contains:

     

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

              <key>QDTEXT_ANTIALIASING</key>

              <string>1</string>

              <key>QDTEXT_MINSIZE</key>

              <string>12</string>

    </dict>

    </plist>

  • cathy fasano Level 2 Level 2 (340 points)

    Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory?  Mine was installed there Sep 21, 2011 at 10:17 AM, while the install_flash_player_osx_intel.dmg in my downloads directory is timestamped Sep 21, 2011 at 10:06 AM.

  • Linc Davis Level 10 Level 10 (165,600 points)

    That file is really intended only for developers to use while testing. It would be a good idea, in my opinion, for anyone who doesn't know he needs the file to delete it.

  • Linc Davis Level 10 Level 10 (165,600 points)

    Does anybody else have an application 'Adobe Flash Player Install Manager' in their /Applications/Utilities directory?

     

    Not part of the trojan, at least not the one I saw.

  • cathy fasano Level 2 Level 2 (340 points)

    Thanks, Linc, I am becoming pretty confident that the Flash upgrading itself activity I have been seeing is legitimate "automatic update" behavior, and not malware.  So I've turned off automatic update and consider myself lucky that I dodged this bullet.

  • WZZZ Level 6 Level 6 (12,700 points)

    Don't turn off automatic update. If you get a notice to update it may be real and by turning off auto update you may not realize there's an update for quite some time. Many, if not most, of the Flash updates are patches for "critical" vulnerabilities, which appear relentlessly.

     

    Of course, don't click on any link provided by an update notification. But use the notification to visit the Adobe site to see if there really is an update.

     

    You can easily check for updates in the Advanced panel of the Flash Player Preference Pane in Sys Prefs.

  • cathy fasano Level 2 Level 2 (340 points)

    I installed the update that I downloaded from the Adobe site, and my version went from 10.3.183.7 to 10.3.183.10.  Turned automatic update back on, and have now resolved that when the auto updates appear I'll kill them and head for the Adobe site and do the update manually.
