Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

Level 1

0 points

"Rosetta" applications suddenly stopped working

I've got a problem with my computer at work. It's running Snow Leopard 10.6.8. I've got a number of older apps, including Quark 6, Epson scanner software, Disc Catalog, etc, that have all been working fine for the last number of years. As of yesterday afternoon, I was still scanning with the Epson software and everything was running fine. When I came in to work this morning and fired up the computer, NONE of my pre-Snow Leopard apps work.

At first, when a few of my apps didn't work, I suspected a font issue, because at the end of the previous day, I was working on a "problem job" that had conflicts with my basic system fonts. But, as the hours passed, I began to realize none of my older apps worked. At that point, I started to suspect a problem with Rosetta.

Hours and hours of searching, both here and across the internet came up with nothing. A few sites gave step by step instructions to drop into terminal to reset bindings, delete preferences, etc. Nothing worked.

Most of the older apps I NEED for our company. Many of those don't have upgrades available, and some are just too expensive to justify.

After almost an entire day of getting nowhere, I decided to set up another "user" called Troubleshooting. Lo-and-behold, all of the apps worked fine. So, that ruled out a problem with the Rosetta interface, and the suspeced Security update in the recent past that was said to cause problems with the whole Rosetta interface.

So, my question is, since only my original Administrator User is not functioning properly, is there possilby a preference .plist file that could be causing the problem? Could there still be a font issue? Is there anything I can do in Terminal to reset to a default?

I wasted an entire day banging my head on the desk trying to wrap my brain around it. Repairing permissions, disc check, etc. did nothing to help the issue.

I COULD get around the problem by logging into my "Troubleshooting" user to use the apps...but that's beside the point. I COULD do that, but I really want to figure out what's going on with my main User workspace.

So, before I need to come into work on Monday and spend another whole day not knowing what to do, can anyone offer any ideas?

Thanks in advance.

Brad

PowerMac, Mac OS X (10.6.8)

Posted on Mar 23, 2012 6:37 PM

128 replies

Apr 2, 2012 8:56 PM in response to NuLynx

Hello,

I have the same problem that happened suddenly (overnight) with Rosetta programs not working with some apps not being available anymore with no known replacements (until I learn how to tinker with them, I suppose, such as the much used "CoverStar 1.0.9"). I really appreciate the huge amount of trial-and-error over a weeklong rollercoaster ride thru this, so could we have a final recap after 9 pages...and did anyone decide whether there's an app that could just do a thorough cleaning to remove the problem?

thanks,

Rod

MadMacs0

Level 5

5,221 points

Apr 2, 2012 9:29 PM in response to Rod Stasick

Rod Stasick wrote:

I have the same problem that happened suddenly (overnight) with Rosetta programs not working with some apps not being available anymore with no known replacements (until I learn how to tinker with them, I suppose, such as the much used "CoverStar 1.0.9"). I really appreciate the huge amount of trial-and-error over a weeklong rollercoaster ride thru this, so could we have a final recap after 9 pages...

The cause in each case, I believe, was the Flashback Trojan, probably either the "I" or new "K" variant. The only guidance I feel comfortable giving to solve this is...

Courtesy of Linc Davis:

You installed a variant of what’s commonly called the “Flashback” malware, although the name is obsolete.

If you’re absolutely sure you know when that happened, and you back up with Time Machine or something similar, you can save yourself a lot of time by restoring your whole system from the most recent snapshot taken before it was infected. Then take Steps 7, 8, and 10 below.

How can you tell when the infection took place? All you can be sure of is that you were infected some time before the problems started. You may have visited a blog that prompted you to install some kind of software, or a “certificate.” If you remember doing that recently, mention it in a reply, but don’t post a link.

If you don’t know when you were infected, there's no easy, reliable way to remove the malware, because it's constantly changing. I suggest you take the following steps immediately:

1. Back up all data to at least two different devices, if you haven't already done so.

2. Boot from your recovery partition (if running Mac OS X 10.7 or later) or your installation disc (if running an earlier version of the Mac OS), launch Disk Utility, and erase the startup drive. This action will destroy all data on the drive, so you must be sure of your backups.

3. Install the Mac OS.

4. Reboot and go through the initial setup process to create an account with the same name as your old one. Don’t import anything from your backups at this stage.

5. If running Mac OS X 10.6.x or earlier, run Software Update. You may have to run it more than once to fully update your system.

6. Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. It’s best not to restore anything from there. If you must do so, restore only files, not folders, and only if they’re visible in the Finder, and then only if you’re absolutely sure you know what they are and they haven’t been altered. Don’t restore anything in the home subfolder Library/LaunchAgents, if it exists, or any hidden files or folders, no matter where they are.

7. Launch Safari and select Safari ▹ Preferences… ▹ Security from the menu bar. Uncheck the box labeled Enable Java. Because of recurring security issues, the Java web plugin must be considered unsafe to use. (Note: I’m not referring to JavaScript, which is unrelated to Java, despite the similar names.) Very few websites have legitimate Java content nowadays. If you encounter one that does, and you think you can trust it, enable Java temporarily. Do this only if you know how to check for a malware infection immediately afterwards. If you’re not sure whether you know how to check, you don’t know how. Don’t rely on any kind of “anti-virus” software for protection.

8. Change every Internet password you have, starting with banking passwords. Check all financial accounts for unauthorized transactions. Take this step only after you’ve secured your system in the preceding steps, not before.

9. Reinstall your third-party software from fresh downloads or original media, not from backups which may be contaminated.

10. If you use any third-party web browsers, disable Java in their preferences, as you did with Safari in step 7.

More information about Flashback can be found by searching this site, or the Web.

Rod Stasick wrote:

and did anyone decide whether there's an app that could just do a thorough cleaning to remove the problem?

The only thing I have seen are these rather technical instructions from F-Secure for Flashback.I or Flashback.K. Perhaps their software or Intego's can clean it up, but that's not what I would do.

Apr 3, 2012 5:25 AM in response to MadMacs0

Thanks for this! It looks very thorough and is probably what I need. Events like this make me long for the time when I used Time Machine because I pretty much know that this "event" happened on March 31. I use a Drobo setup for backup and attempts at using it with Time Machine were unsuccessful and Drobo couldn't reliably provide help, so I've been using Super Duper instead which unfortunately doesn't keep complete older versions. I may go to a version of a TM backup from a few months ago and carefully manually update from SD afterwards to see, but I really think that your suggestion may work the best and be the quickest. I appreciate it and will attempt it this morning.

Thank you,

Rod

NuLynx Author

Level 1

0 points

Apr 4, 2012 12:09 PM in response to fane_j

I see Apple just released an update for Java which hopefully will help. It showed up in Software Update.

A co-worker also e-mailed me this link:

http://www.techspot.com/news/48056-apple-finally-releases-java-patches-for-flash back-malware.html

WZZZ

Level 6

13,220 points

Apr 4, 2012 12:13 PM in response to NuLynx

Whilst it is good that Apple has finally patched the vulnerabilities that Windows users saw updates for back in February, it is rumored that one critical flaw remains, which F-Secure says is being actively discussed on underground forums where money is also being exchanged in return for the exploit code.

Great! So people will start feeling complacent again and...whamo.

MadMacs0

Level 5

5,221 points

Apr 5, 2012 2:53 AM in response to WZZZ

WZZZ wrote:

Great! So people will start feeling complacent again and...whamo.

I'm sure we are all glad that so many folks with Little Snitch survived the attacks this weekend and that Apple has closed one of the doors on this thing, but based on this article http://news.cnet.com/8301-1009_3-57409619-83/ there are still over half a million Macs still Flashback infected (including 274 just down the street from where I sit), so I suspect our work has only begun here.

Apr 5, 2012 7:27 AM in response to MadMacs0

Thanks again to MadMacs0 and the rest of you guys who sifted thru all of this for many days. The tornadoes here set me back a day or so, but the re-install really was the way to go. I quit using Time Machine a short while ago and went to Super Duper because two plus weeks of trying to get TM to work with a Drobo backup unit drove me cRaZy, but I wish I had it to go back to March 31. I may have found some part of the malware in my Library>Launch Agents folder, but I'm not savvy enough to know for sure.

Anyway, thank you again VERY MUCH!

best to all,

Rod

Apr 5, 2012 3:46 PM in response to NuLynx

In case you haven't seen the latest...

http://cnet.co/HjFIcH

Rod

"Rosetta" applications suddenly stopped working