
Non-Apple Software No Longer Works

Had a weird experience this AM. Was checking email via Safari when a screen popped up asking for permission to update software. I declined, because I didn't know who was trying to do what (i.e., there were no update icons in the Dock, etc.). Then, the fun began.


I tried to open EXCEL next and it wouldn't open. It immediately failed with a message saying the application quit unexpectedly, etc., etc. Same thing happened with every other Office app. After much discussion with Apple, then Microsoft, and then Apple again, I was able to un-install Microsoft Office but the kicker is: I got the same failure when I tried to re-install the apps from the CD (i.e., I got an immediate failure when I double-clicked the install icon).


With Microsoft's help, I was able to set up another user profile with Admin capability, and the apps installed just fine using that profile. So, the problem appears to be with my main profile. However, Apple is stumped and gave up trying to help me.


So, I'm now in the situation where the Apps are on my machine under 1 profile and the data is under another profile. AND, I just discovered that Quicken fails when I try to open it in my 1st Profile too.


So,


1. Has this happened to anyone else out there? If so, how'd you get around it?


2. Is there a way to share files between profiles? I know I can probably copy the Microsoft files on a portable drive, but I'm concerned about the Quicken database. Not sure how to transport this data between Users.


Any help would be GREATLY appreciated.


PS. I'm running Snow Leopard. There are no pending software updates.

iMac, Mac OS X (10.6.8)

Posted on Apr 1, 2012 4:09 PM


Apr 7, 2012 7:18 AM in response to Linc Davis

Linc,


I may be confused, but I thought I saw another response from you in another thread, re: getting rid of the malware, that didn't involve erasing the startup drive.


That seems safer to me, if it'll work.


Am I confused, or is there a less disruptive way to get rid of the malware than you state above?


FYI. I used the CNET commands to see if/where I'm infected. It said Safari and Firefox are NOT infected, but it detected suspicious code in: /users/shared/.libgmalloc.dylib. NOTE: this is right after re-installing Snow Leopard, but before using Safari, which I don't intend to do until the MAC has been cleaned up (I'm writing this from an HP laptop).

Apr 7, 2012 7:55 AM in response to walterfromct

The instructions I gave above are the only way to remove the malware with complete certainty of success. If you want a shortcut, you can just delete the items ~/.MacOSX, ~/Library/LaunchAgents, and /Users/Shared/.libgmalloc.dylib, then log out and log back in. That procedure may inactivate some variants of the malware, but I don't know that it will. That wouldn't be good enough for me, if I were in your place, so it's not good enough for me to advise others to do. I don't believe in shortcuts when it comes to security.

Apr 11, 2012 9:56 AM in response to Linc Davis

Linc,


I've been waiting patiently to see if a silver bullet will come along for getting rid of Flashback, but I haven't seen anything except different variations of a series of Operating System commands that claim to locate and surgically remove it, which I'm reluctant to try.


Apple doesn't seem to want to acknowledge the issue, but they suggested trying Norton, McAfee or something else to see if they have a solution, which I'm also reluctant to try.


So, I guess I'll embark on rebuilding my machine from scratch using your instructions, which tie out pretty closely to instructions provided by Apple re: how to erase and re-install Snow Leopard.


Here's where I stand:


I've backed up everything via Time Machine.


I've copied the Desktop, Documents, and Pictures folders to Flash Drives.


I've copied most of the Movies folder to a flash drive as well.


I've un-installed Office and Quicken per instructions from their Support groups, and backed up everything via Time Machine again.


I un-installed and re-installed Snow Leopard without cleaning my machine and I'm still infected. I have NOT used Safari since.


I have my Snow Leopard, iLife 09, MS Office 2004, and Quicken 2007 disks in hand.


I also have a new MS Office 2011 disk in hand, and plan on getting the latest Quicken disk too, as I want to update to the latest versions before going to Lion. However, I don't want to upgrade these apps until I'm sure my machine is clean and the old apps work.


Any last thoughts before I get started?


One last question: should I disconnect my external hard drive that contains the Time Machine backup before proceeding, or should I leave it connected during the re-build?


Thanks again for your help.


Paul

Apr 11, 2012 10:12 AM in response to walterfromct

There are a couple of new developments since I last posted to this thread. First, Apple has announced that it's developing a tool to remove Flashback:


About Flashback malware


There's no indication of when this tool will be released. Second, a well-known developer, Kaspersky, has released its own "Flashfake Removal Tool:"


Virus-fighting utilities


I have no way of testing that tool, but I did read the code, and it seems to me more likely to work than any other such attempt that I've seen. It's not a scam, and it doesn't do anything harmful.


Finally, there are reports that the only function of the malware is to engage in "click fraud," which is not critically damaging to the host system. I can't verify those reports.


In the light of that information, one might reasonably choose to try the Kaspersky tool (not the commercial Kaspersky product, which I don't recommend) and see whether there's any improvement.

Apr 11, 2012 12:29 PM in response to walterfromct

Linc,


I just tried the Kaspersky link and I think I'm in trouble. It downloaded just fine, asked for my admin password to install itself, and it ran a scan.


The scan ran VERY quickly and came back with a message that said it didn't find anything and there was nothing to remove.


It then asked me to restart the machine, and that's where the trouble began. The machine shut down OK, but the re-start is hung. There's only the northern lights background screen. No spinning wheel, icons, etc., just the frozen screen. The mouse works, but that's it. I tried shutting down and restarting via the on-off button with the same results. So, I'm hung.


Any advice re: how best to proceed?

Apr 11, 2012 12:36 PM in response to walterfromct

In that case, you should go ahead with the original plan. Here's a revised version of step 6:


Restore the contents of the top-level subfolders of your home folder except “Library” from the most recent backup. The Library folder may contain components of the malware. This is where restoring becomes difficult, and I can only give general guidelines.


Of the top-level subfolders of Library that are visible in the Finder, I think it’s safe to restore the following, which contain most of the data you’d want to keep:


Audio

Calendars

ColorSync

Colors

Favorites

FontCollections

Fonts

Images

Keychains

Mail (except Mail/Bundles)

Safari (except Safari/Extensions)


The following are not safe to restore, at least not in full:


Application Support

Internet Plug-Ins

LaunchAgents

Preferences


If you have Time Machine snapshots of these folders that you’re sure are older than the infection, you can restore from one of those snapshots.


Folders not mentioned above may or may not be safe. If in doubt, don’t restore them. Don’t restore any hidden files or folders, no matter where they are. Hidden files should be considered suspicious.
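
The restore rules in the reply above, written out as a path filter. This is an added example, not part of the original post or any tool it mentions; the function names and the sample paths are constructed for illustration, and paths are assumed to be relative to the home folder inside the backup.

```python
from pathlib import PurePosixPath

# Library subfolders the post lists as safe to restore.
SAFE_LIBRARY = {
    "Audio", "Calendars", "ColorSync", "Colors", "Favorites",
    "FontCollections", "Fonts", "Images", "Keychains", "Mail", "Safari",
}
# Exceptions the post carves out of otherwise safe folders.
EXCLUDED = {("Mail", "Bundles"), ("Safari", "Extensions")}
# Library subfolders the post lists as not safe to restore in full.
UNSAFE_LIBRARY = {"Application Support", "Internet Plug-Ins", "LaunchAgents", "Preferences"}

def classify(rel_path):
    """Return (decision, reason) for a path relative to the backed-up home folder."""
    parts = PurePosixPath(rel_path).parts
    if not parts:
        return ("skip", "empty path")
    # Hidden files and folders are never restored, wherever they are.
    if any(p.startswith(".") for p in parts):
        return ("skip", "hidden item")
    if parts[0] != "Library":
        return ("restore", "home subfolder other than Library")
    if len(parts) == 1:
        return ("skip", "Library is not restored as a whole")
    if parts[1] in UNSAFE_LIBRARY:
        return ("skip", "not safe unless taken from a pre-infection snapshot")
    if parts[1] in SAFE_LIBRARY:
        if tuple(parts[1:3]) in EXCLUDED:
            return ("skip", "excluded subfolder of a safe folder")
        return ("restore", "listed as safe")
    return ("review", "not mentioned in the post; if in doubt, don't restore")

def plan(paths):
    out = {"restore": [], "skip": [], "review": []}
    for p in paths:
        out[classify(p)[0]].append(p)
    return out

# Constructed sample paths, relative to the home folder in the backup.
SAMPLE = [
    "Documents/taxes.xls", "Library/Keychains/login.keychain",
    "Library/Mail/Bundles/Example.mailbundle",
    "Library/LaunchAgents/com.example.agent.plist",
    "Library/Caches/com.example.app", ".MacOSX/environment.plist",
]

if __name__ == "__main__":
    for path in SAMPLE:
        print(path, "->", *classify(path))
```

Anything that comes back as "review" is a folder the post does not mention, so it is left for a manual decision rather than restored automatically.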

Apr 11, 2012 1:19 PM in response to Linc Davis

Linc Davis wrote:


a well-known developer, Kaspersky, has released its own "Flashfake Removal Tool:"


Virus-fighting utilities


I have no way of testing that tool, but I did read the code, and it seems to me more likely to work than any other such attempt that I've seen. It's not a scam, and it doesn't do anything harmful.

I also read through the code as I was asked if it scans all users, and agree that it does not appear to do anything harmful. I even ran the script (but not the entire app) with expected results. Told me "No infection has been detected." but did not tell me to reboot?

Finally, there are reports that the only function of the malware is to engage in "click fraud," which is not critically damaging to the host system. I can't verify those reports.

I listened to this Shawn King interview with Rich Mogull (wrote MacWorld & TidBITS articles on the subject) and agreed with everything said, except how easy it is to remove (Just a couple of lines of Terminal code). Rich mentioned that he had been informed of an instance of fraudulent credit card activity immediately after he was infected.


That's the only case I have heard of. Intego seems convinced that information is being harvested and Tweeted out, but I haven't seen any confirmation of that in this Forum (unless it's the root cause of the iTunes store issues). There are many reports of being re-directed to advertising sites, but I can't imagine that would raise enough money to make their effort worthwhile.

Apr 11, 2012 1:21 PM in response to Linc Davis

Linc,


Thanks, again.


I shut the machine back down via the on/off button and pulled the plug. I then plugged it back in and re-started it.


It seemed to come up OK, but it froze again when I tried to log on with my original user account. However, when I tried the same thing again, but logged on under my other ID (the one that allowed Office to load), it came up just fine, so I have an operating machine under 1 user but not the other.


I still have a question re: time machine. Should I eject the hard drive used by Time Machine before proceeding?

Apr 11, 2012 1:42 PM in response to Linc Davis

According to f-secure, the Flashback trojan checks for older versions of Office and deletes itself without infection if it detects any of them (unless you gave it your admin password). This check may have been a new addition to avoid the problems mentioned in this thread. Not helpful information for anyone whose Mac is infected but I thought I'd mention it. The link below is an interesting read on the installation process of Flashback, if you are interested in that kind of thing.


http://www.f-secure.com/v-descs/trojan-downloader_osx_flashback_i.shtml

Apr 11, 2012 1:41 PM in response to Linc Davis

Linc Davis wrote:


Should I eject the hard drive used by Time Machine before proceeding?


That's not necessary. Just make sure you don't erase it by mistake.

Linc,


I didn't make myself clear.


I'd like to err on the side of caution and eject the disk, just in case, providing this won't mess things up down the road.


Will I be OK, or should I leave it hooked up?
