X423424X wrote:
The environment.plist is the key file on which the rest of the trojan hangs (at least in this strain). But you posted that it references "/Users/Shared/.GameHouseHolidayExpress.so", so that file must be there too. You should trash that as well.
There may be some of the other files I mentioned earlier so look for them as well:
/Users/Shared/.svcdmp
~/Library/Logs/vmLog (in your home directory)
@Jay-Lee, There may well be one more in "~/Library/Application Support/.GameHouseHolidayExpress.so" which may or may not be causing Google redirects.
Since some of these are hidden, you will need to use some of the following in Terminal. Be sure to copy and paste them exactly as written as you could easily delete something else with a typo:
rm -rf ~/.MacOSX/environment.plist
(you already got this one)
rm -rf ~/"Library/Application Support/.GameHouseHolidayExpress.so"
rm -rf ~/Library/Logs/vmLog
(you probably found this one already)
rm -rf /Users/Shared/.GameHouseHolidayExpress.so
rm -rf /Users/Shared/.svcdmp
And if the TidBITS article is correct (see the part that starts with Infection Effects), Safari, Firefox, and Skype should be replaced.
I currently agree with this as it's not that hard to do, but yesterday a user found evidence that the applications were not infected on the hard drive, only when they launched and loaded into RAM. Since we don't have confirmation from Iomega, TidBITS or anybody else yet, the safest thing would be to replace them from source after removing the above.
Several (including myself) have recommended making sure you have a backup of all your data, using your install disks to reformat and install a clean system, updating it with Software Update, restoring all your applications from source and then recovering your data files from backup. Or use a Time Machine backup to return your hard drive to pre-infection status, if you know exactly when it happened. That's extreme and a lot of work, I know, but with the lack of detail published concerning this infection, that's the only way to be certain you got everything. If after removing all traces of the Trojan and replacing the network apps you still have unexplained issues, it's probably your only choice at this time.
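Added example, not part of X423424X's post or any published removal tool: a read-only shell check that reports which of the files named in the post are present (expanding ~ and keeping the space in "Application Support" intact) and whether environment.plist still references the .so, so you can confirm what is on the disk before running the rm commands and verify afterwards that nothing was missed. The function names and the optional root/home arguments are my own assumptions, added so the check can be run against a copy of a directory tree; nothing here deletes anything.

```shell
#!/bin/sh
# Read-only check for the files named in the post. Added example, not the
# poster's commands; it reports presence only and never removes anything.
#
# Usage: sh check_iservice.sh        (checks this machine: "/" and "$HOME")

# Paths from the post. A leading "HOME/" is replaced with the home directory,
# everything else is taken relative to the filesystem root. One per line so
# the space in "Application Support" survives.
INDICATORS="HOME/.MacOSX/environment.plist
HOME/Library/Application Support/.GameHouseHolidayExpress.so
HOME/Library/Logs/vmLog
Users/Shared/.GameHouseHolidayExpress.so
Users/Shared/.svcdmp"

# check_indicators ROOT HOME
# Prints "FOUND: <path>" for each listed file that exists. ROOT is "" for the
# real filesystem (assumed argument, lets a copied tree be scanned instead).
# Returns 0 if at least one file was found, 1 if none were.
check_indicators() {
    root=$1
    home=$2
    found=0
    old_ifs=$IFS
    IFS='
'
    for rel in $INDICATORS; do
        case $rel in
            HOME/*) path="$home/${rel#HOME/}" ;;
            *)      path="$root/$rel" ;;
        esac
        if [ -e "$path" ]; then
            printf 'FOUND: %s\n' "$path"
            found=1
        fi
    done
    IFS=$old_ifs
    [ "$found" -eq 1 ]
}

# plist_mentions_so PLIST
# The post says environment.plist references the .so; this reports whether
# the given plist still names it (0 = yes, 1 = no or file missing).
plist_mentions_so() {
    [ -f "$1" ] && grep -q 'GameHouseHolidayExpress' "$1"
}

# Report for this machine. Nothing is modified.
if ! check_indicators "" "$HOME"; then
    echo "none of the listed files are present"
fi
if plist_mentions_so "$HOME/.MacOSX/environment.plist"; then
    echo "environment.plist still references .GameHouseHolidayExpress.so"
fi
```

Run it once before the rm commands to see exactly what exists (hidden files included), and again afterwards: a clean run prints "none of the listed files are present" and no plist line.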