aceci wrote:
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.WondershareWMVMovie.so";
What should I do now?
Select "Go to Folder" from the "Go" menu of the Finder (or type Command-Shift-G).
In the window copy and paste the following:
~/.MacOSX/ and hit return.
Make note of the date the file "environment.plist" was created / modified then drag it to the trash.
Open the Terminal app (found in /Applications/Utilities/)
Copy and paste the following commands into a Terminal window after the "$ " prompt, followed by the return key:
rm -rf ~/"Library/Application Support/.WondershareWMVMovie.so"
rm -rf ~/Library/Logs/vmlog
rm -rf /Users/Shared/.WondershareWMVMovie.so
rm -rf /Users/Shared/.svcdmp
You will not receive confirmation of deletion, but you may be told that some of the files do not exist as not all have been found by all users.
Holding down the option key, select "Empty Trash" from the Finder menu, then restart your computer. All the visible signs of the Trojan should be gone at this point.
Again I want to emphasize that we do not know enough about this Trojan to be confident all the damage has been repaired. You are still advised to make certain you have a solid backup of your data and, using the original installation disks, install and update OS X and all your applications from a trusted source. Then restore your data files from backup. Or use Time Machine to take you back to the date you were infected.
And lastly, Intego has discovered that the Trojan attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways, and sends them back via Twitter. You should assume that happened and change the passwords for all such accounts that you have visited since being infected along with any other accounts that use the same password.
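A read-only check for the files named in the steps above, which lists what is present (with its modification date) before anything is deleted. This is an added example, not part of the original post; the two optional directory arguments are an assumption added so it can be pointed at a mounted backup or a test tree, and the plist check is a plain text match for the key name.

```shell
#!/bin/sh
# Added example: report which of the artifacts named in the post exist.
# Nothing is modified or deleted.

# check_artifacts [HOME_DIR] [SHARED_DIR]
# Both arguments are hypothetical conveniences; the defaults are the
# live locations given in the post.
check_artifacts() {
    home_dir=${1:-$HOME}
    shared_dir=${2:-/Users/Shared}

    # environment.plist is only suspicious if it sets DYLD_INSERT_LIBRARIES.
    # grep -a treats the file as text so a non-XML plist is still searched.
    plist="$home_dir/.MacOSX/environment.plist"
    if [ -f "$plist" ] && grep -a -q 'DYLD_INSERT_LIBRARIES' "$plist"; then
        echo "FOUND (sets DYLD_INSERT_LIBRARIES): $(ls -ld "$plist")"
    fi

    # The four paths removed by the rm commands in the post.
    for path in \
        "$home_dir/Library/Application Support/.WondershareWMVMovie.so" \
        "$home_dir/Library/Logs/vmlog" \
        "$shared_dir/.WondershareWMVMovie.so" \
        "$shared_dir/.svcdmp"
    do
        # -L also catches a dangling symlink, which -e alone would miss.
        if [ -e "$path" ] || [ -L "$path" ]; then
            echo "FOUND: $(ls -ld "$path")"
        fi
    done
    return 0
}

# With no arguments this checks the current user's home and /Users/Shared.
check_artifacts "$@"
```

No output means none of the listed files were found, which matches the post's caveat that not all of them appear for all users.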