
Drop down menus changed to numbers

huffdesign

macrumors newbie


Join Date: Sep 2003


I have items in my Finder menus that have changed to numbers. Example: cut is ME1, Empty trash is A3. The issue seems to keep expanding to new menu items as well. My sidebar lists my hard drive as SDS, time machine as SD6, and places as SD8. My command click menu has numbers in place of items as well. I keep finding new things changing. What may be causing this problem?

iMac, Mac OS X (10.6.8)

Posted on Oct 5, 2011 7:08 AM

32 replies

Mar 20, 2012 10:57 PM in response to X423424X

I have the same problem now, but couldn't understand where to do the following:


'A quick and easy way to remove them and not worry about seeing them is to just delete them using the following terminal command (cut/paste the following line):


rm -rf ~/.MacOSX/environment.plist

rm -rf ~/Library/Logs/swlog


You shouldn't see any messages when doing these.'


Could you help me? I've already scanned my computer with ClamXav, and no viruses were found. I don't know what else to do.


thanks!

Mar 20, 2012 11:42 PM in response to aceci

aceci wrote:


I have the same problem now, but couldn't understand where to do the following:


'A quick and easy way to remove them...

That guidance was probably OK back in October, but it really doesn't do the job any more.


First I need you to do this:

Open the Terminal application (in /Applications/Utilities/), copy and paste the following command into a terminal window and press return.


defaults read ~/.MacOSX/environment


If the file doesn't exist, defaults returns


Domain /Users/<username>/.MacOSX/environment does not exist


If it does exist, it returns its contents.


The malware entry will look something like this:

{

"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.<dylib_filename>.so";

}

If you are infected, copy and paste the results here. Under no circumstances should you try to delete anything without further instruction, as doing so can easily prevent you from logging into your account.

Mar 20, 2012 11:58 PM in response to MadMacs0

I was just replying to exactly what he was requesting. He didn't even know about the terminal.


But yes, I agree, we need a more exhaustive file list. Actually I picture an ever-growing script where more and more ls's are added as more and more strains create pathname variants. Probably a never-ending process.


I haven't written my script as yet but here's a guide:


defaults read ~/.MacOSX/environment

ls -la ~/.MacOSX/environment.plist

ls -la ~/Library/Application\ Support/*.so ~/Library/Application\ Support/.*.so

ls -la ~/Library/Logs/vmLog

ls -la /Users/Shared/*.so /Users/Shared/.*.so

ls -la /Users/Shared/.svcdmp

ls -la /Applications/Safari.app/Contents/Resources/*COAA*

ls -A /Applications/Safari.app/Contents/Resources/ | grep "^\."


In an actual script I would just handle the results of each ls to report in a more user-friendly way. For example, if you just run that collection of commands in the terminal and don't have any of that stuff, you've got to look at each line just to see the "No such file or directory" errors between each command. A script that handles the errors and summarizes the results would be a lot more "elegant". It's trivial to write. I just haven't bothered as yet.

Mar 21, 2012 12:33 AM in response to aceci

aceci wrote:


"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.WondershareWMVMovie.so";


What should I do now?

Select "Go to Folder" from the "Go" menu of the Finder (or type Command-Shift-G).

In the window copy and paste the following:


~/.MacOSX/ and hit return.


Make note of the date the file "environment.plist" was created / modified then drag it to the trash.


Open the Terminal app (found in /Applications/Utilities/)

Copy and paste the following commands into a Terminal window after the "$ " prompt, followed by the return key:


rm -rf ~/"Library/Application Support/.WondershareWMVMovie.so"


rm -rf ~/Library/Logs/vmlog


rm -rf /Users/Shared/.WondershareWMVMovie.so


rm -rf /Users/Shared/.svcdmp


You will not receive confirmation of deletion, but you may be told that some of the files do not exist as not all have been found by all users.


Holding down the option key, select "Empty Trash" from the Finder menu, then restart your computer. All the visible signs of the Trojan should be gone at this point.


Again I want to emphasize that we do not know enough about this Trojan to be confident all the damage has been repaired. You are still advised to make certain you have a solid backup of your data and, using the original installation disks, install and update OS X and all your applications from a trusted source. Then restore your data files from backup. Or use TimeMachine to take you back to the date you were infected.


And lastly, Intego has discovered that the Trojan attempts to sniff out usernames and passwords that you enter into many popular sites (like banking sites, Google, PayPal, and others), presumably so that the malfeasants behind the software can exploit that information in other nefarious ways, and sends them back via Twitter. You should assume that happened and change the passwords for all such accounts that you have visited since being infected along with any other accounts that use the same password.

Mar 23, 2012 1:11 AM in response to X423424X

X423424X wrote:


I haven't written my script as yet but here's a guide:


defaults read ~/.MacOSX/environment

ls -la ~/.MacOSX/environment.plist

ls -la ~/Library/Application\ Support/*.so ~/Library/Application\ Support/.*.so

ls -la ~/Library/Logs/vmLog

ls -la /Users/Shared/*.so /Users/Shared/.*.so

ls -la /Users/Shared/.svcdmp

ls -la /Applications/Safari.app/Contents/Resources/*COAA*

ls -A /Applications/Safari.app/Contents/Resources/ | grep "^\."

That matches most everything that I have scattered around in my notes. I can't get the last one to work in an AppleScript, which is what was holding me up.


But then I found F-Secure's write-up on what they call Trojan-Downloader:OSX/Flashback.I, which has a detailed procedure to remove either of two installations, depending on whether you are a user with an admin password or not. It reveals a couple of files that nobody else has picked up yet.


So add defaults read /Applications/Safari.app/Contents/Info LSEnvironment


and change your first one to defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

Mar 23, 2012 2:24 AM in response to MadMacs0

(missed the forum edit time out again)


Ok, here's the current updated list:


defaults read /Applications/Safari.app/Contents/Info LSEnvironment

defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

ls -la ~/.MacOSX/environment.plist

ls -la ~/Library/Application\ Support/*.so ~/Library/Application\ Support/.*.so

ls -la ~/Library/Logs/vmLog

ls -la /Users/Shared/*.so /Users/Shared/.*.so

ls -la /Users/Shared/.svcdmp

ls -la /Applications/Safari.app/Contents/Resources/*COAA*

ls -A /Applications/Safari.app/Contents/Resources/ | grep "^\."
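
The summarizing script described earlier in the thread could look like the following. This is an added example, not code posted by any participant; the function name flashback_scan, its two arguments and the --scan switch are assumptions made here. It also checks dot-prefixed .so names, which a plain *.so glob skips.

```shell
#!/bin/sh
# Added example, not from the thread: check the indicator paths listed above
# and print only what exists, then a one-line summary. $1 (home directory) and
# $2 (root prefix, empty on a real Mac) are hypothetical parameters for testing.

flashback_scan() {
    home=${1:-$HOME}
    root=${2:-}
    app="$root/Applications/Safari.app/Contents"
    found=0

    # Each location is globbed for visible and dot-prefixed names, because
    # "*" does not match a leading dot. vm[Ll]og covers both spellings used above.
    for f in \
        "$home"/.MacOSX/environment.plist \
        "$home/Library/Application Support"/*.so \
        "$home/Library/Application Support"/.*.so \
        "$home"/Library/Logs/vm[Ll]og \
        "$root"/Users/Shared/*.so \
        "$root"/Users/Shared/.*.so \
        "$root"/Users/Shared/.svcdmp \
        "$app"/Resources/*COAA* \
        "$app"/Resources/.[!.]*
    do
        # A glob with no match is left as literal text, so test existence.
        if [ -e "$f" ]; then
            echo "FOUND    $f"
            found=$((found + 1))
        fi
    done

    # The two settings the thread reads with defaults(1); skipped off macOS.
    if command -v defaults > /dev/null 2>&1; then
        if v=$(defaults read "$app/Info" LSEnvironment 2> /dev/null); then
            echo "SETTING  Safari LSEnvironment = $v"
            found=$((found + 1))
        fi
        if v=$(defaults read "$home/.MacOSX/environment" DYLD_INSERT_LIBRARIES 2> /dev/null); then
            echo "SETTING  DYLD_INSERT_LIBRARIES = $v"
            found=$((found + 1))
        fi
    fi

    echo "SUMMARY  $found indicator(s) found"
    [ "$found" -eq 0 ]   # status 0 = nothing found, 1 = indicators present
}

# Run against the real system only when asked: sh scan.sh --scan
if [ "${1:-}" = "--scan" ]; then flashback_scan; fi
```

A hit on environment.plist alone is not proof of infection, since the file has legitimate uses; the DYLD_INSERT_LIBRARIES line is what the thread treats as the malware entry.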

Mar 23, 2012 3:09 AM in response to MadMacs0

Just as an exercise I wrote a shell script (I feel more comfortable with bash than AppleScript) to do what those F-Secure instructions describe. Below is the untested script. What is missing is the exact pathname extractions from those __ldpath__ greps. I am not sure what the syntax of the line that results from those greps is, so I don't know how to parse it.


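#!/bin/bash


# Flashback.I Removal

# http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml


# set to 1 as soon as either check below finds an entry

infected=0


# Print the text that follows the __ldpath__ marker in the given file.

# Assumption: the pathname directly follows the marker, so stripping the

# marker from the first match leaves the pathname.

extract_ldpath() {

    grep -a -o '__ldpath__[ -~]*' "$1" 2> /dev/null | head -n 1 | sed 's/^__ldpath__//'

}


# step 1, 2 (the library path is the DYLD_INSERT_LIBRARIES entry inside the LSEnvironment dictionary)

safari_info_environment="$(/usr/libexec/PlistBuddy -c 'Print :LSEnvironment:DYLD_INSERT_LIBRARIES' /Applications/Safari.app/Contents/Info.plist 2> /dev/null)"


# step 3

if [ "$safari_info_environment" ]; then

    infected=1

    # step 4, 5

    ldpath="$(extract_ldpath "$safari_info_environment")" ## extract pathname

    # step 6

    sudo defaults delete /Applications/Safari.app/Contents/Info LSEnvironment 2> /dev/null

    sudo chmod 644 /Applications/Safari.app/Contents/Info.plist 2> /dev/null

    # step 7

    rm -rf "$safari_info_environment"

    if [ "$ldpath" ]; then

        rm -rf "$ldpath"

    fi

fi


# step 8, 9 (errors are discarded so a missing file just leaves the variable empty)

macos_environment="$(defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null)"

if [ "$macos_environment" ]; then

    infected=1

    # step 10, 11

    ldpath="$(extract_ldpath "$macos_environment")" ## extract pathname

    defaults delete ~/.MacOSX/environment DYLD_INSERT_LIBRARIES 2> /dev/null

    launchctl unsetenv DYLD_INSERT_LIBRARIES 2> /dev/null

    # step 12

    rm -rf "$macos_environment"

    if [ "$ldpath" ]; then

        rm -rf "$ldpath"

    fi

fi


# report clean only when neither check found an entry

if [ "$infected" -eq 0 ]; then

    echo "Your system is clean."

fi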
