128 Replies Latest reply: Apr 5, 2012 3:46 PM by Rod Stasick
  • X423424X Level 6 Level 6 (14,215 points)

    Of course you are going to get "no such file or directory" because that command is incorrect (syntax, mv source target).  First I think you should try my suggestion because there are other files involved although environment.plist is usually one of the key ones.

     

    defaults read /Applications/Safari.app/Contents/Info LSEnvironment

    defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES

    ls -la /Users/Shared/*.so

     

    Then if you want to move it the correct syntax is:

     

    sudo mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old

     

    You don't have to cd to the .MacOSX directory to move the file in there.  But if you insist:

     

    sudo mv environment.plist environment.plist.old

  • Brian Stroud Level 1 Level 1 (25 points)

    NuLynx wrote:

     

    That worked, but I got "no such file or directory"

     

     

    Well either you are in the wrong directory or the environment.plist is not there.

     

    type :

     

    ls -la /Users/<your_user_name>/.MacOSX/

     

    where <your_user_name> is the shortname of your account which is the same as the name of the home folder - it will always be lowercase

     

    does it list environment.plist ?

     

    If not, or if you get "directory not found", then you don't have the problem that I'm seeing.

  • Brian Stroud Level 1 Level 1 (25 points)

    You don't have to cd to the .MacOSX directory to move the file in there.

     

    I only suggested that to save typing ~/.MacOSX/ twice

     

    :-)

  • jsd2 Level 5 Level 5 (6,200 points)

    re

    ls -la /Users/Shared/*.so

     

    Apparently in some recent variants that filename pattern has changed. The second article that I listed identified the corresponding malware component as /Users/Shared/.libgmalloc.dylib:

    (screenshot omitted)

    which is what Brian reported also.
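    The two checks quoted in this thread, the DYLD_INSERT_LIBRARIES lookup in ~/.MacOSX/environment.plist (or under LSEnvironment in Safari's Info.plist) and the listing of hidden libraries under /Users/Shared (first *.so, later .libgmalloc.dylib), combined into one script. This is an added example, not something posted in the thread or shipped by any vendor mentioned here. It deliberately does not call `defaults`, so it also runs on a non-Mac box against copied files; it reads XML plists only, so a binary plist would first need `plutil -convert xml1` on the Mac. The sample plist and the empty stand-in library it creates are constructed for the demonstration and are not a real infection.

```shell
#!/bin/sh
# Added example: offline checks for the two Flashback indicators the thread
# discusses. Assumes POSIX sh with grep, awk and mktemp. XML plists only.

# Return 0 if the plist names DYLD_INSERT_LIBRARIES, 1 otherwise (or if the
# file is missing). Works for environment.plist (top-level key) and for an
# app Info.plist (key nested under LSEnvironment), since both are XML.
has_dyld_insert() {
    plist="$1"
    [ -f "$plist" ] || return 1
    grep -q '<key>DYLD_INSERT_LIBRARIES</key>' "$plist"
}

# Print the <string> value that follows the DYLD_INSERT_LIBRARIES key.
dyld_insert_value() {
    awk '/<key>DYLD_INSERT_LIBRARIES<\/key>/ { found = 1; next }
         found && /<string>/ {
             sub(/.*<string>/, ""); sub(/<\/string>.*/, "")
             print; found = 0
         }' "$1"
}

# List hidden .so/.dylib files and plain *.so files in a directory
# (the thread reports /Users/Shared/*.so and /Users/Shared/.libgmalloc.dylib).
list_hidden_libs() {
    dir="$1"
    for f in "$dir"/.*.so "$dir"/.*.dylib "$dir"/*.so; do
        [ -f "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Run every check. Exit status 0 = nothing found, 2 = indicator(s) found.
scan() {
    env_plist="$1"; app_plist="$2"; shared_dir="$3"
    found=0
    for p in "$env_plist" "$app_plist"; do
        if has_dyld_insert "$p"; then
            echo "DYLD_INSERT_LIBRARIES set in $p -> $(dyld_insert_value "$p")"
            found=1
        fi
    done
    libs=$(list_hidden_libs "$shared_dir")
    if [ -n "$libs" ]; then
        echo "hidden shared libraries in $shared_dir:"
        echo "$libs"
        found=1
    fi
    [ "$found" -eq 0 ] && return 0
    return 2
}

# Constructed sample (NOT a real infection): a plist shaped like the one the
# thread describes, plus a zero-byte stand-in for the library it points at.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/Shared"
    : > "$d/Shared/.libgmalloc.dylib"
    cat > "$d/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/Shared/.libgmalloc.dylib</string>
</dict>
</plist>
EOF
    printf '%s\n' "$d"
}

# Demo on the constructed sample. On a real Mac you would instead run:
#   scan "$HOME/.MacOSX/environment.plist" \
#        /Applications/Safari.app/Contents/Info.plist /Users/Shared
sample=$(make_sample)
status=0
scan "$sample/environment.plist" "$sample/missing.plist" "$sample/Shared" || status=$?
echo "scan exit status: $status"
rm -rf "$sample"
```

    A non-zero scan status tells you the markers are present; as the thread goes on to say, the file can then be renamed out of the way (mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old) rather than deleted, so it can still be examined.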

  • NuLynx Level 1 Level 1 (0 points)

    X423424X wrote:

     

    Then if you want to move it the correct syntax is:

     

    sudo mv ~/.MacOSX/environment.plist ~/.MacOSX/environment.plist.old

     

     

    Well, thank you very much!

     

    That worked, and I'm back to business as usual. All of my old apps are running smoothly.

    Wow...6 days of fighting it...

     

    Thanks everybody for sticking with me during all of this, and thanks for working it out!

     

    And thank you X423424X for sticking with me from the beginning.

    Great job!

     

    Brad

  • jsd2 Level 5 Level 5 (6,200 points)

    Brian,

     

    Is there anyway to find out where this was downloaded from?

     

    It's unlikely you'll be able to tell at this point, but it might have been from clicking on a hijacked page after a Google search - the second article I listed includes:

    --------

    In all the cases that I've seen, they at least target Google which causes me to believe that it is actually the next evolution of Mac QHost.

    -----------------

  • MadMacs0 Level 5 Level 5 (4,610 points)

    > Is there anyway to find out where this was downloaded from?

     

    Most probably from a poisoned blog powered by an out-of-date WordPress, according to the A-V labs. There are reportedly thousands of them serving up both Mac and Windows malware.

  • PlatypusRex Level 1 Level 1 (5 points)

    Thank you all.

     

    My PPC applications are opening again too.

     

    I followed the steps in http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml posted by MadMacs0.

     

    I did have a Unix executable file, .AmondAVIMPEG.tmp, in User/Library/Application Support.

     

    What may have changed is that ClamXav.app was in the Applications folder. In fact, I scanned the entire drive with ClamXav after seeing a popup request for administrative privileges for the application, .sdtr, and not finding an .sdtr application. I did not give it privileges.

     

    The .tmp file was created the day before the popup appeared. TextEdit will open the .tmp file, but what I can read means little to me.

     

    That popup appeared about two weeks after I installed the revised Snow Leopard security update.

     

    Do we need another Java security update for Snow Leopard?

     

    Will turning off Java in Safari offer any protection?

     

    Will there be any way of finding out what this variant did?

  • MadMacs0 Level 5 Level 5 (4,610 points)

    > I haven't heard of any trojan variant that prevents ppc apps from running (seems rather pointless) unless it is an accidental byproduct of the trojan code.  It is true that flashback trojan would break stuff.

     

    If you take a look at the F-Secure reference I gave above to Flashback-I and read at the bottom what a "Type 2" infection does, it makes sense that injecting Intel-only code into a PPC-only app will cause it to crash or perhaps not even launch every time. It probably doesn't even involve Rosetta.

  • WZZZ Level 6 Level 6 (12,755 points)

    I've been following the twists and turns of this thread and now I must confess I'm a bit lost concerning recent developments. Has it been discovered that one of the Flashback Trojans was responsible for crippling all the PPC apps? At the outset, this seemed improbable. Can you or someone perhaps summarize what's been learned about this.

     

    EDIT: aha, just saw your most recent post. Injected Intel code doing this by accident. Have I got that right?

  • MadMacs0 Level 5 Level 5 (4,610 points)

    > Do we need another Java security update for Snow Leopard?

     

    No, this variant does not need the old Java in order to infect.

     

    > Will turning off Java in Safari offer any protection?

     

    Yes. I can't get to my computer right now (using an iPad) but I have some additional tips which I'll post later on tonight.

     

    > Will there be any way of finding out what this variant did?

     

    I don't think anybody can say for certain, but the most dangerous thing that we are aware of is that it steals UserID/Password pairs from key financial and other sites then tweets them back to the Mother Ship periodically.

     

    It is critical that you figure out which of those sites you have visited since being infected and change them, along with any others where you have used that same password.

     

    What I am not certain of is what happens if you quit once the symptoms are gone and don't finish the cleanup. Besides the code injection portion of the Trojan, it also installed a back door so that the Trojan can be updated to the latest version. Since you followed all the steps you should be OK. That being said, I still support those who say backup, reformat, reinstall and restore data is the safest way forward.

  • MadMacs0 Level 5 Level 5 (4,610 points)

    > just saw your most recent post. Injected Intel code doing this by accident. Have I got that right?

     

    Yes. It checks for the presence of a few apps that it knows will crash (mostly MS Office) and gives up if it finds one, but obviously it doesn't check for all PPC only apps, yet. Since they must be reading this thread along with us, now they know and can start work on the next variant ;-(

  • X423424X Level 6 Level 6 (14,215 points)

    MadMacs0 wrote:

     

    If you take a look at the F-Secure reference I gave above to Flashback-I and read at the bottom what a "Type 2" infection does, it makes sense that injecting Intel-only code into a PPC-only app will cause it to crash or perhaps not even launch every time. It probably doesn't even involve Rosetta.

     

    Aaarrrrrggggghhhh    All this time trying to solve this problem and it turns out to "only" be that d@mn trojan.

     

    Next time a thread starts going nowhere I think I am just going to suggest looking for some of the trojan files.

     

    Of course with it changing every week that might get hard too.  Yuk!

     

    Well now we know yet another possible symptom -- at least until a future strain starts making universal binaries with ppc code.

  • X423424X Level 6 Level 6 (14,215 points)

    NuLynx wrote:


    Well, thank you very much!

    ...

    And thank you X423424X for sticking with me from the beginning.

    Great job!

     

    Brad

     

    You're welcome.

  • NuLynx Level 1 Level 1 (0 points)

    X423424X wrote:

    Aaarrrrrggggghhhh    All this time trying to solve this problem and it turns out to "only" be that d@mn trojan.

     

     

    NO, I don't believe the problem WAS caused by the trojan... Can't find any evidence of it on my machine. Besides, the solution and your recommendations were posted BEFORE MadMacs0 posted the trojan stuff.   (BTW, thanks for Hijacking my thread about something that had NOTHING to do with my original post, MadMacs0. I appreciate that.)

     

    The computer at work doesn't go out onto the net, and hasn't before I posted to this forum. No way for it to catch a trojan. It was a preference problem.

     

    I had MAJOR font conflicts with a job at the time it happened, and I suspect the environment.plist file became corrupt at that time.

     

    There is no...and I will say it again...NO relationship to the trojan. I'm afraid the offerings of MadMacs0 muddled the water...which is unfortunate. Others having the same problem now have to wade through the conversation to get the solution, and may come to the wrong conclusion.

     

    I will admit, there are a few things in common...."My application quit", etc....but, if you read up about the trojan, mostly it affects apps that deal with online information. And, as I said, my work computer stays off the net for anything except working on secure sites.

     

    It was most definitely a corrupt preference file...nothing more, nothing less. The only similarity between the two problems is like saying "I need a recipe for baked chicken"..."oh, here's a website that describes how to raise baby chickens, so let's talk about baby chickens."   Yup, both chickens, but nothing in common. My thread was hijacked for something that had nothing to do with the original problem. Even if it was with the best intentions, it was WAY off the mark of this thread.

     

    THANK YOU once again. Don't give up the faith...you are doing good work here.

    Much appreciated.

     

    Brad
